Digital Responsibility in the Use of Large Language Models: How Organizations Perceive, Accept, and Govern Risk

Adoption first, governance later: how regulated Swiss organizations handle the risks of commercial language models.

Topic

Organizations are adopting commercial large language models such as ChatGPT, Microsoft Copilot, and Google Gemini faster than they can govern the risks these tools introduce. This study examines how Swiss organizations in regulated industries, with a focus on the energy sector, perceive, evaluate, and manage the risks of using externally operated language models, known as LLMs as a Service. It asks whether and how these organizations translate the principles of digital responsibility into everyday governance practice once they hand control over their data and over model behavior to an external provider.

Relevance

Every organization now faces the same tension. The productivity gains of language models are immediate and visible, while the risks around data privacy, vendor dependency, and unreliable outputs are diffuse and easy to defer. Decision-makers in IT, compliance, and legal functions must decide which risks to accept, often without established frameworks to guide them. This study gives practitioners an empirically grounded map of how peers in regulated industries actually handle these decisions, showing where their governance works and where it quietly falls short.

Results

Organizations perceive five risk categories: unreliable outputs, data privacy and sovereignty concerns amplified by the US CLOUD Act, loss of control over external vendors, an emerging horizon of agentic AI risks, and a tendency to downplay all of these as nothing fundamentally new. Risk awareness depends strongly on a person's role, and adoption consistently outpaces the awareness needed to govern it. Governance is pragmatic but rarely guided by explicit ethical principles, and digital responsibility as a concept is largely absent, usually reduced to IT governance. One organization showed that genuine integration is achievable through sustained cultural investment.

Implications for practitioners

  • Differentiate awareness programs by role and seniority, because risk understanding is distributed far more unevenly than organization-wide training assumes.
  • Provide approved, high-quality LLM tools, since restrictive policies predictably push employees toward unsanctioned shadow IT.
  • Reassess LLM risks on a regular cycle, as model capabilities and provider terms change faster than annual governance reviews.
  • Treat vendor opacity, not model opacity, as the core problem. The decisive question is whether you can verify what a provider actually does, not how the model works internally.
  • Anchor digital responsibility institutionally, for example through board-level accountability, so it is not crowded out by short-term efficiency gains.

Methods

The study is based on ten in-depth interviews with practitioners responsible for IT, compliance, data protection, and governance in large Swiss organizations. Seven came from the energy sector, with banking, telecommunications, and insurance added to compare patterns across industries. The interviews were analyzed with an established qualitative method, the Gioia approach, which works systematically from the participants' own words up to broader themes and overarching dimensions. This kept every conclusion traceable back to concrete statements and produced a clear structure of recurring concepts, themes, and four overarching dimensions that organize the findings.