Abstract

The rapid adoption of generative artificial intelligence (GenAI), such as ChatGPT and Google Gemini, poses a paradox for organizations. While GenAI offers productivity and innovation gains, public, externally hosted models introduce risks including data leakage, regulatory noncompliance, and ethical concerns. Organizations increasingly respond by transitioning from public GenAI tools to private, internally controlled systems. This “public-to-private” shift is becoming common across industries, including technology, finance, healthcare, and higher education. However, it remains underexplored in the literature, often treated as a purely technical or risk-management choice rather than as a theoretically grounded organizational behavior. We argue that this behavior can be better understood through a legitimacy-based lens. Drawing on legitimacy theory, we propose that the use of public GenAI exposes organizations to multidimensional legitimacy threats. Pragmatic legitimacy risks arise when key stakeholders, such as clients, employees, or regulators, perceive that their interests are compromised by insecure AI practices. Moral legitimacy risks emerge from societal and professional expectations regarding the ethical use of AI, including fairness, transparency, and responsible deployment. Regulatory legitimacy risks reflect the growing legal and compliance pressures, such as data protection and intellectual property regulations. These threats generate a legitimacy gap between organizational practices and stakeholder expectations, which can compromise an organization’s social license to operate. In response, firms adopt what we term a legitimacy-preserving technological reconfiguration: they internalize GenAI capabilities by deploying private, enterprise-controlled systems. This approach enables firms to sustain innovation-oriented legitimacy while simultaneously restoring compliance- and trust-based legitimacy among stakeholders.
We develop a conceptual model in which external scrutiny (e.g., media attention, regulatory pressure) and organizational sensitivity (e.g., industry regulation, data intensity) increase perceived legitimacy threats associated with public GenAI. These perceived threats drive the transition toward private GenAI, moderated by governance capability (e.g., IT control mechanisms) and stakeholder salience. The model also considers outcomes, including enhanced legitimacy perceptions and reduced risk exposure, alongside potential trade-offs such as reduced flexibility. To empirically investigate the model, we propose a multi-method research design. First, we will conduct archival analyses of organizational GenAI governance actions, including public announcements of tool restrictions, adoption of private AI systems, and internal policy communications. These data will allow longitudinal tracking of the adoption trajectory and the antecedents of the public-to-private shift. Second, we will employ a scenario-based experiment that manipulates legitimacy threats—such as data breach risk and regulatory scrutiny—to examine causal effects on managerial preferences for public versus private GenAI adoption. This combination of methods provides both external validity and causal identification. By framing organizational GenAI deployment decisions as a legitimacy management strategy rather than purely technical optimization, this study contributes to the literature in three ways. It identifies GenAI internalization as a distinct, observable organizational behavior, extends legitimacy theory to emerging digital technologies, and provides a nuanced account of how organizations strategically reconfigure technological architectures to balance competing institutional demands.
