With so many non-technical employees using Low-Code tools like Power Apps to automate their workflows, I’m worried about "Shadow IT." Is 2026 seeing a rise in data leaks because "Citizen Developers" don't understand API security or data encryption? How are enterprise SRE teams managing this without killing the productivity benefits?
3 answers
This is the #1 challenge for "Governance" this year. In our firm, we’ve moved to a "Sandboxed Low-Code" environment. We provide the Citizen Developers with "Certified Data Connectors." They can build whatever they want, but they can only pull data from approved, pre-secured sources. We’ve also implemented "Automated Security Linting" for Low-Code. If an app tries to make a public API call without an encrypted header, the system automatically flags it for an SRE review. It’s about creating "Guardrails" rather than "Gatekeepers." You want to empower the business side without giving them the keys to the entire server room.
Do these "Guardrails" end up making the Low-Code tools so restricted that employees just go back to using unapproved spreadsheets anyway?
Security education is the only real fix. You can't patch human error with just software. We run "Low-Code Security" workshops every quarter now.
Well said, Sean. Diana, it’s a cultural shift. We have to treat Citizen Developers like junior members of the engineering team, not just "users."
Lucas, that's the "Shadow IT" trap. We solve that by making the "Secure Path" the "Easy Path." If our internal app store has a 1-click template for what they need, they won't go looking for a risky third-party workaround. It’s a UX challenge for the IT department as much as a security one.