Thesis Kris Coremans

Subject: Information System Science

Title: Organizing for Autonomy: How Agentic AI Reshapes Governance in Large Enterprises

Abstract: 

Large organizations are increasingly experimenting with and deploying new AI systems with agentic capabilities or fully agentic systems. These systems consist of autonomous capabilities which decide and act within organizational workflows. While this development is under way, traditional IT and AI governance frameworks remain founded on the assumption that these systems are stable; the frameworks consider decision rights, compliance, oversight, and accountability at the level of individual systems. This creates a gap between the characteristics and capabilities of agentic AI systems and current governance approaches, where non-human identities, delegated autonomy, runtime action, and platform-based orchestration become central governance concerns.

This thesis examines the research question: “How does agentic AI reshape AI governance within large organizations, and what governance adaptations does this require?” A qualitative research approach has been adopted, based on a literature review, semi-structured expert interviews, and case studies. Eight interviews were conducted to gather empirical data among experts with roles in strategy, responsible AI, technical architecture, platform development, and business management. The scope of this thesis is limited to large organizations and focuses on governance challenges, risks and requirements linked to the deployment of agentic AI.

The findings indicate that agentic AI reshapes AI governance, moving it away from ex-ante approval of limited systems and towards a continuous governance approach. The agentic systems operate through delegation, tool use, and platform-controlled execution. The emergent governance domains in this thesis are non-human identity governance, delegated autonomy governance, runtime action governance, forensic auditability, and platform-based governance. This thesis further proposes a layered architecture and a continuous approach to agentic governance. Additionally, this thesis proposes the theoretical contribution of the Agentic Governance Control Plane (AGCP).

Keywords: Artificial Intelligence, Agentic AI, (AI) Governance, Large organizations, AI compliance, Human-AI workforce / hybrid workforce, AI Adoption, AI Governance Frameworks 

Thesis Daphine Vorstenbosch

Subject: Information System Science

Title: Organisational Culture, Human Factors and NIS2 Readiness: How Can IT Auditors Diagnose the Non-Technical Dimensions of Cybersecurity Compliance?

Abstract: 

The NIS2 Directive represents a qualitative shift in European cybersecurity governance, elevating compliance from a framework concentrated on technical controls to one that explicitly requires board-level responsibility for cybersecurity culture, risk management, and incident reporting. Despite this shift, many organisations struggle to translate NIS2’s obligations into operational practice. Research consistently demonstrates that human and cultural factors, rather than technical deficiencies, account for most cybersecurity failures, yet existing IT audit methodologies remain predominantly artefact-oriented and provide limited systematic insight into the cultural and behavioural substrates that NIS2 compliance most urgently demands.

This thesis investigates how organisational culture and human factors affect NIS2 readiness in client organisations, and how IT auditors can better diagnose these dimensions. The main research question is: How do organisational culture and human factors influence NIS2 readiness in client organisations, and how can auditors effectively diagnose these factors? Three sub-questions address cultural determinants of cybersecurity behaviour (RQ1), barriers to NIS2 compliance (RQ2), and the translation of Protection Motivation Theory and Technology Threat Avoidance Theory into a practical diagnostic approach for IT auditors (RQ3).

A qualitative research design was adopted. Twelve semi-structured expert interviews were conducted with EY IT auditors and cybersecurity consultants. These professionals had direct or indirect experience with NIS2-relevant client engagements across diverse sectors. Interview data were analysed using an inductive-deductive thematic analysis approach, generating 37 codes across eleven thematic groupings anchored in PMT, TTAT, Schein’s three-level culture model, and safety science principles.

Three principal findings emerge. First, sector-driven compliance culture is the dominant organisational determinant of NIS2 readiness: historically regulated sectors have embedded security governance as a basic assumption, while newly in-scope organisations face a qualitatively different cultural challenge. Second, the most consistent non-technical barriers to NIS2 compliance (scope uncertainty, the policy-practice gap, resource constraints, diffuse accountability, and underreporting inhibitors) are culturally produced and cannot be addressed through technical controls alone. Third, current IT audit practice exhibits a structural diagnostic gap: artefact-based indicators measure inputs to the awareness-behaviour chain without capturing the culturally significant transitions within it. In response, a five-domain diagnostic framework is proposed to aid IT auditors in assessing the human side of NIS2 readiness.

Keywords: NIS2 Directive, organisational culture, human factors, information security governance, IT auditing, cybersecurity culture, Protection Motivation Theory, Technology Threat Avoidance Theory, diagnostic framework

Thesis Paul Vignes

Subject: Information System Science

Title: The categorical Cliff: Influence of non-realistic labels on users' perceived experience

Abstract: 

This thesis investigates the psychological impact of discrete categorical labels on user satisfaction within specialized information systems and non-transactional digital platforms. Grounded in Expectation Disconfirmation Theory (EDT), the research examines how the cognitive gap between pre-consumption expectations, established by operator-assigned quality labels, and perceived experiential reality influences consumer behaviour. 

Using a quantitative methodology, the study analyses user-generated content and evaluation data from the bouldering database Bleau.info, applying multiple linear regression and conditional mean calculations to a filtered dataset of 567 climbing routes. 

The empirical results challenge traditional EDT models within the Information Systems literature, which typically associate inflated expectations with eroded trust and a negative “disappointment effect”. Instead, the findings suggest an inversion of this theory in effort-based contexts, revealing that the initial over-evaluation, or overgrading, of a stimulus can enhance user satisfaction. Earning a higher categorical label while expending less effort than anticipated acts as a psychological reward that triggers positive disconfirmation, while specific stylistic attributes function as independent drivers that amplify perceived value. Finally, this research provides notable theoretical expansions to EDT regarding experiential goods and offers actionable insights for platform design, suggesting that digital interfaces can strategically use inflated categorical labels to maximize consumer satisfaction and long-term adoption.

Keywords: Information Systems, Expectation-Disconfirmation, Labels, User Satisfaction, Effort-Based, Platforms, Rating.

Thesis Noah Spierings

Subject: Information System Science

Title: Sharing is Caring: Trust, Information Sharing, and Intelligence for Digital Supply Chain Cyber Threats

Abstract: 

The digital age has introduced new forms of supply chains, namely digital supply chains. These chains are characterised by intertwined organisations using cloud services and software ecosystems that introduce new forms of cyber risks, threats and uncertainties regarding security objectives. Due to the distance of these services and their underlying structures, organisations may depend more on cyber threat intelligence, inter-organisational information sharing between industry peers and trust in information quality to improve awareness of cyber threats affecting their external digital dependencies. However, empirical evidence on how these factors jointly contribute to digital supply chain cyber threat awareness remains limited.

As such, this preliminary study investigates how cyber threat intelligence capability, inter-organisational cyber threat information sharing and information quality trust are associated with digital supply chain cyber threat awareness. It further explores whether differences exist between public and private organisations in terms of these constructs. The study is guided by Information Processing Theory, which conceptualises how organisations reduce uncertainty by acquiring and processing relevant (external) information. 

A quantitative survey design was employed, resulting in 31 usable responses (n = 31) from information security professionals, including CISOs, information security managers and officers, amongst others. The data were analysed using reliability analysis (Cronbach’s alpha), descriptive statistics, and Spearman correlation analysis. In addition, exploratory group comparisons between public and private organisations were conducted using MANOVA, ANOVA and non-parametric Wilcoxon rank-sum tests.

The results suggest that cyber threat intelligence, inter-organisational cyber threat information sharing, and information quality trust are all positively associated with digital supply chain cyber threat awareness. The strongest associations were found for cyber threat intelligence capability and information quality trust, while information sharing showed a weaker but still statistically significant relationship. Exploratory analysis suggests that public organisations reported higher levels of information sharing compared to private organisations, although overall awareness was reported as comparable across both groups. Due to the limited sample size, the findings should be interpreted as preliminary and exploratory, providing a foundation for future research in the field of cyber supply chain risk management. The discussion was enhanced by an expert consultation session.

Keywords: Digital Supply Chains, Cyber Supply Chain Risk Management, Cyber Threat Information Sharing, Threat Intelligence Capability, Cyber Threat Awareness and Information Quality Trust.

Thesis Stella Peignier

Subject: Information System Science

Title: Beyond Adoption: A Case Study of a Mobile E-Learning Information System for Frontline Competency Development in Retail

Abstract: 

The value an enterprise information system ultimately delivers depends less on its initial adoption than on whether users continue to engage with it meaningfully once it has entered routine operation (Bhattacherjee, 2001). In retail, mobile e-learning applications have become a primary means by which dispersed sales associates develop the product knowledge and relational competencies that underpin commercial performance, yet engagement with such systems characteristically erodes after initial use. Post-adoption research has seldom examined corporate e-learning systems operating at scale among frontline employees, leaving it unclear whether the way such a system is used, perceived and intended to function converge upon a shared reality or diverge.

This thesis asks how usage behaviour, user perception and management intent converge or diverge around an e-learning information system deployed for frontline competency development in a retail organisation. It is conducted as a single case study of the European retail operations of a large international beauty company, treated anonymously, which has operated a mobile e-learning application since 2018. Adopting a pragmatist, mixed-method design, it triangulates back-office behavioural data, a user perception survey, and semi-structured interviews with headquarters stakeholders.

The system proves technically adopted and nominally performing, yet structurally misaligned with the conditions of its use: users attribute a high intrinsic value to the application while reporting markedly low operational integration into their daily work, engagement remaining brief and fragmented in the absence of protected training time. The three dimensions converge in recognising the platform’s informational value but diverge on the organisational conditions required to realise it. The thesis thereby qualifies the relationship between perceived usefulness and continued use that is central to post-adoption theory, showing that perceived usefulness can remain high while effective integration stays structurally constrained, and derives managerial implications for content governance, diagnostic monitoring, and the treatment of protected training time as a governance decision.

Keywords: post-adoption, information systems continuance, e-learning, mobile learning, retail sales associates, competency development, mixed-methods case study, user perception

Thesis Thibaud Martin-Gibiard

Subject: Information System Science

Title: Strategic Alignment and Performance Measurement: Designing an Integrated Dashboard Framework for a Hybrid Hospital IT and Biomedical Engineering Directorate

Abstract: 

This thesis investigates how the integration and automation of key performance indicators can support strategic alignment between technical operations and strategic decision-making in a hybrid hospital directorate. The empirical context is the Direction des Resources Informationnelles, de la Stratégie Numérique et du Génie Biomédical at CHU Sainte-Justine, where IT service management, biomedical engineering, cybersecurity and infrastructure activities produce performance data through heterogeneous tools and routines.

Building on Henderson and Venkatraman’s strategic alignment model and on Design Science Research, the study analyses fourteen Microsoft Forms questionnaires completed by managers and operational staff. Thirteen questionnaires are substantively exploitable for thematic analysis, while one incomplete operational response is retained only in the corpus description. The findings show that fragmentation, manual consolidation, uneven data quality, heterogeneous ITSM maturity and concerns about adoption shape the usefulness of any integrated dashboard.

The thesis argues that an integrated dashboard can become an alignment artefact only if it is supported by reliable data pipelines, explicit governance rules, differentiated views for executive, sectoral and operational users, and a concrete Power BI-oriented data architecture. The contribution is both theoretical, by adapting strategic alignment to a hybrid technical hospital directorate, and practical, by translating empirical findings into dashboard design requirements and a first dashboard instantiation.

Keywords: strategic alignment; hospital dashboards; ITSM; biomedical engineering; design science research; key performance indicators.

Thesis Vincent Leung

Subject: Information System Science

Title: Quantifying the Intangible: A Design Science Approach Measuring and Mitigating Tacit Knowledge Loss in IT Outsourcing and Managed Service Providers.

Abstract: 

Tacit knowledge is knowledge that stems from experiential and judgement-based know-how, which is difficult to articulate or codify. This knowledge plays a critical role in the continuity, quality, and governance of IT operations. During IT outsourcing or Managed Service Provider (MSP) transitions, this tacit knowledge is particularly vulnerable to loss and/or erosion, which increases operational risk, knowledge asymmetry and vendor lock-in. Despite its strategic importance, organizations currently lack the structure to assess or manage tacit knowledge loss, relying on indirect or subjective indicators such as service disruptions or cost metrics.

This thesis addresses the gap by adopting the Design Science Research (DSR) methodology, developing and evaluating an artifact that approximates tacit knowledge loss during IT outsourcing and/or MSP transitions. This research draws on knowledge management literature, IT outsourcing governance, and empirical insights from Technology Risk, IT Auditor, Consultant, Client-side Management and Vendor contexts. Triangulation was used to address both quantitative and qualitative data collection, including an exploratory survey, semi-structured interviews, secondary data analysis, and a 2-round Delphi Study with human experts identifying, validating, and refining measurable indicators within the Tacit Knowledge Loss Quantification Model (TKLQM) assessment/dashboard.

The result of this research is an artifact, the “TKLQM”, which approximates tacit knowledge loss using observable indicators such as undocumented routines, expert dependency, incomplete knowledge transfer, and knowledge ownership weakness, each weighted by its importance per scenario/story/engagement. These indicators are aggregated into a composite score that provides an early-warning signal of tacit knowledge exposure and vendor dependency risk. This artifact was evaluated through expert-based Delphi validation and scenario-based demonstration, which confirmed usability and usefulness for IT Auditors and consultants in assessing tacit knowledge loss risk, while enabling client organizations to take ownership and recommended actions.

It demonstrated that tacit knowledge still cannot be measured directly, but its loss or erosion can be approximated through a structured and transparent artifact such as the TKLQM. Practically, it supports organizations in improving transition readiness, improving outsourcing governance, and mitigating long-term vendor lock-in.

Keywords: Tacit Knowledge, Knowledge Transfer, IT Outsourcing, Managed Service Providers (MSP), Quantification Model, Knowledge Asymmetry, Vendor Lock-In.

Thesis Finne Küstner

Subject: Information System Science

Title: Cross-Level Stakeholder Alignment in Data Platform Management – A Case Study of Strategic, Tactical, and Operational Perspectives

Abstract: 

Since data platforms are gaining importance as organizational enablers for data-driven decision-making and are shifting from purely technical to socio-technical systems involving multiple stakeholders with differing interests and needs, this thesis focuses on examining the challenges faced by organizations when aligning business objectives, technical capabilities and operational realities.

In particular, misalignment issues between strategic, tactical and operational organizational levels are investigated, and an alignment strategy that helps eliminate avoidable tensions and manage unavoidable ones is suggested. By answering the three research questions, this study aims to gain an understanding of how stakeholder needs and priorities are translated into decisions, what types of misalignments occur, and which practices contribute to sustained alignment.

This thesis follows a qualitative, exploratory methodology based on a case study, which allows patterns of stakeholder interaction, as well as alignment and its failure, to be identified. Data is collected through semi-structured interviews with stakeholders from different organizational levels and analysed following an inductive coding and categorization approach.

Alignment is found to be a dynamic process that is driven by communication and interaction across different levels. A data platform's technology is found to support and shape alignment based on the utilization of its potential. The biggest threats to alignment are an inconsistent understanding of the strategic vision, unclear governance structures, and limited transparency in the integration and communication of feedback. To counteract the occurrence of misalignment, transparency, continuous communication, and structured stakeholder involvement are suggested.

Keywords: Data Platforms, Stakeholder Alignment, Cross-Level Coordination, IT Governance, Roadmap, Decision-Making, Socio-Technology, Qualitative Case Study

Thesis Arnaud Fournier

Subject: Information System Science

Title: AI-Augmented Data Stewardship: Evaluating a Supervised GenAI Workflow and Diagnosing Master Data Inconsistencies in the FMCG context

Abstract: 

Multinational enterprises in the Fast-Moving Consumer Goods (FMCG) sector increasingly manage product master data across heterogeneous enterprise systems. Structural differences across these fragmented environments produce incompatible records, creating a manual reconciliation burden that is slow and difficult to scale. Recurring inconsistencies persist because the underlying organizational and process conditions remain structurally unchanged.

This study investigates whether a supervised Generative AI (GenAI)-assisted workflow improves reconciliation efficiency and representational consistency over manual processes, and examines the root factors causing recurring data errors. Task-Technology Fit (TTF) and data quality research and frameworks provide the interpretive lens.

Using an embedded mixed-method single-case design, the quantitative component applies a quasi-experimental comparison of two workflow conditions across a dataset of product records from a real operational harmonization project. The qualitative component draws on eight semi-structured stakeholder interviews analyzed through thematic analysis.

The findings reveal that the supervised GenAI workflow substantially reduced total processing time and improved structured output quality, while achieving near-equivalent attribute-level correctness to manual methods. Human review remained central to the design, with the majority of model outputs accepted without modification. The qualitative component identified four upstream themes, covering governance fragmentation, manual transfer dependencies, data entry disconnection from downstream consequences, and structural inheritance from legacy system decisions, that explain why similar inconsistencies reoccur regardless of downstream efficiency gains.

Taken together, the study demonstrates that supervised GenAI augmentation improves the efficiency and structural consistency of stewardship work, but operates entirely at the correction layer. Addressing recurrence requires upstream governance intervention that the workflow alone cannot provide. The study extends TTF to a performance-diagnostic application in governance-constrained enterprise stewardship and offers transferable insights for FMCG organizations operating in comparable multi-system environments.

Keywords: master data management, data stewardship, generative AI, Task-Technology Fit, human-in-the-loop, data quality, prompt engineering, FMCG, information quality, data governance.

Thesis Brieuc Ernot

Subject: Information System Science

Title: Transitioning to Zero-Touch Edge Networks: An Architectural and Strategic Roadmap for a Telecom Connectivity Management Platform

Abstract: 

Telecommunications operators managing the residential network edge face a structural mismatch: the proliferation of connected devices has made reactive, manual troubleshooting economically unsustainable, while incumbent Cloud Monitoring Solutions remain observational by design — able to surface service degradations but not to resolve them autonomously. This thesis asks what architectural, data, and operational capabilities such a platform must acquire to move from reactive, human-in-the-loop troubleshooting toward proactive, Zero-Touch management aligned with the ETSI Zero-touch network and Service Management (ZSM) Level 4 autonomy criteria.

The research adopts a hybrid Design Science strategy that combines an embedded single-case study of a commercial connectivity-management platform with the design and evaluation of a concrete artefact. Its empirical basis comprises two interview phases with five expert informants, a technical analysis of the platform’s telemetry pipeline, and a supervised-classification feasibility probe testing whether fault detection is extractable from the constrained data substrate the platform currently retains.

The probe established that fault detection is technically feasible from the existing telemetry, at performance consistent with operational use. On this basis the thesis designs a six-block Target Architecture, traced to ETSI GS ZSM 002, and sequences it into a three-horizon Maturity Roadmap evaluated by the same informants.

The central finding is that the binding constraints on Level 4 autonomy are organisational and regulatory rather than technical, and that the realised autonomy ceiling is co-determined by operators — and even by client devices — outside the platform’s control. The architecture reconciles this through a supervised-autonomy posture: it provides full closed-loop capability while exposing the closing of the loop as a policy-governed, progressively widening authority. Level 4 is thus reached as a capability and approached as a behaviour — a qualification offered as a transferable design pattern for autonomy adoption under trust and accountability constraints.

Keywords: Cloud Monitoring System, AIOps, ETSI ZSM, Zero-Touch Networks, TR-369 USP, Design Science Research, Operational Maturity, Cloud Deployment Models