Our biggest fear is that employees will build hundreds of apps that don't talk to each other, don't follow GDPR, and have no security oversight. How do you create a Governance Framework that provides "guardrails" instead of "roadblocks"?
3 answers
The key is moving from Shadow IT to Sanctioned IT. Provide an IT-managed platform (like Microsoft Power Platform) where data connections are pre-approved. An LCCoE (Center of Excellence) should be a joint task force that sets the rules: which data can be accessed and what the UI standards are.
We use "Sandbox Environments." Developers can build anything in their sandbox, but to go live, the app must pass an automated scan for security. This keeps the "Wild West" feeling at bay while maintaining speed.
Don't forget Lifecycle Management. What happens when a Citizen Developer leaves? The LCCoE must ensure every app has a co-owner and documented logic, or you'll end up with "Zombie Apps" that no one knows how to fix.
We've started implementing "App Expiration Dates." If an app isn't used for 90 days, the owner gets a ping to renew it or it gets archived automatically.
The automated scan is a lifesaver. It checks for common vulnerabilities like hardcoded credentials or open API endpoints before the "Publish" button even becomes active.