Much of the IS literature focuses on the positive impacts of the institutionalisation of IT in business routines; that is it assumes that it is good for IT to become embedded within an organisation. In this paper, however, we explore the 'dark side' of such institutionalisation, demonstrating how a technology once institutionalised can become invisible to management so that its strategic potential is under-exploited while at the same time business risks associated with the IT are ignored. We demonstrate this through an in-depth longitudinal case study which follows the development of an intranet in a bank in the UK over a period of 5 years. By following changes to the management of the intranet and its continuous embedding in work practices, the paper identifies six characteristics of institutionalised systems and highlights five risks for a business. The paper contributes to the literature in IS by exploring the impact for businesses from the apparent paradox between institutionalisation and awareness of the strategic value of technology in organisations.