
Software governance in the age of GenAI and citizen developers

As listed in our Macro Trends in the Tech Industry September 2023 blog post, the governance of citizen developer created apps is something to pay attention to before things get out of hand within the enterprises leveraging these new tools. Building your own solutions to speed up your work has never been easier - yet never with more risks involved.


Let’s start with a story


When I was taking my first steps in a more professional direction in the IT sector (around the year 2000), I was taught in school how to build simple apps with Visual Basic and how to create forms with Microsoft Access to enable efficient input of business-critical data into your fancy desktop database.


As I entered the workforce, sure enough I was greeted with these tools and learned that the world runs on top of Excel macros and Windows Scheduler. These perform very important tasks, of course — tasks which might have involved money or making sure companies were in compliance with the law.


I also learned that in most cases, nobody knew how any of that worked. The people who had configured the business logic had either retired or left the company. Nobody dared to touch anything because it could (and would) break something, and there was no documentation.


Technologies have evolved, but the governance models for these types of citizen developer created apps haven’t seen much development. And here I am, saying things are about to get even worse.


A new wave of self-help tools powered by low-code & GenAI


With the introduction of more low-code/no-code (LCNC) tools, such as Microsoft Power Platform (which may be accessible to many enterprise users), we are looking at a new era of employee-driven app development but with a more productized approach. Power Automate is the Task Scheduler of the 2020s. With these tools, you usually need at least a license to access them, so there’s some level of control (which doesn’t automatically translate to governance).


However, employees are now also equipped with GenAI tools like ChatGPT, which can be used to generate Python code you can run in Excel. Microsoft tools in general are gaining Copilot abilities, bringing these new capabilities to most employees' desktops with zero effort.


When you go beyond apps for your personal use, there are more things to consider; things people without a technical background might not even think about.


Who can (or should) access the app and use its data? Are you creating new dependencies on existing processes? Are there already similar apps in use within the company? Would a colleague be able to fix something if you are on holiday when things break? And what if the low-code platform you use goes out of business, taking everything down with it?


Mitigating the risks while enabling exploration


While legacy IT governance models might not support citizen developers, the core principles of governance — ensuring reliability, security and compliance — remain critical. The key is to adapt these models to the new landscape, rather than dismissing them outright.


As with the democratization of data and enabling organization-wide use of data assets through approaches like the Data Mesh, citizen developer-created apps require transparency by, for example, setting up your own app catalog and encouraging its use. This approach should give employees the confidence to experiment and will reduce the risk of duplicate solutions being created.


These app catalogs (or developer portals) are also perfect places to host how-to instructions and development best practices, and to introduce non-technical people to application security practices like threat modeling. Making citizen developers aware of what kind of support is available and how they should approach things like credential management or privacy regulations such as the GDPR is immensely valuable. You should also raise awareness of resources like the OWASP Low-Code/No-Code Top 10.


How to ensure success


Ease of use is the key to success. Nobody likes to write documentation, let alone fill in some complex template describing the experimental app they made on a lunch break. The important thing is to get these apps documented at some level and to be clear who their respective owners are. Details can be added later through targeted nudges.


When apps are registered, it’s possible to run automated checks that identify whether owners are leaving the organization or whether the app’s information hasn’t been updated in a while. This facilitates ownership transfers and allows for the cleanup of unused apps.
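As an added illustration of those automated checks (example code written for this article, not the NEO or Backstage implementation), the sketch below compares a constructed app catalog against a constructed HR leaver list, flags apps whose owner is leaving, proposes a transfer to a registered backup owner where one exists, and nudges owners of apps whose metadata has gone stale:

```python
from datetime import date

# Constructed sample catalog entries (hypothetical apps, not real ones).
# Each registered app records its owner, an optional backup owner and the
# date its catalog entry was last reviewed.
CATALOG = [
    {"name": "expense-approval-flow", "owner": "alice",
     "backup_owner": "bob", "last_updated": date(2023, 8, 1)},
    {"name": "vendor-onboarding-form", "owner": "carol",
     "backup_owner": None, "last_updated": date(2022, 11, 15)},
    {"name": "shift-roster-app", "owner": "dave",
     "backup_owner": "erin", "last_updated": date(2023, 9, 20)},
]

# Constructed HR feed: accounts scheduled for deprovisioning.
LEAVERS = {"carol", "dave"}


def check_catalog(catalog, leavers, today, stale_after_days=180):
    """Return {app name: [issue, ...]} for every app needing attention.

    An app is reported when its owner is leaving (with a transfer target if
    a backup owner who is not also leaving is registered) or when its entry
    has not been touched for more than stale_after_days.
    """
    findings = {}
    for app in catalog:
        issues = []
        backup = app["backup_owner"]
        if app["owner"] in leavers:
            if backup and backup not in leavers:
                issues.append(f"owner leaving; transfer ownership to {backup}")
            else:
                issues.append("owner leaving with no available backup; app is orphaned")
        if (today - app["last_updated"]).days > stale_after_days:
            issues.append("entry stale; nudge owner to confirm the app is still in use")
        if issues:
            findings[app["name"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in check_catalog(CATALOG, LEAVERS, date(2023, 10, 1)).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

An app that is both orphaned and stale is the natural first candidate for cleanup; one that is merely stale gets a reminder rather than removal.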


Thoughtworks has experience building our own NEO platform to advocate for internal app development and to make it easy to discover what others have been building. We’re also collaborating with Spotify to implement their open source Backstage developer portal for companies looking to boost their developer experience.


While these tools are focused on more complex environments, the principles are the same. As a “starter pack”, companies might as well use existing solutions like SharePoint or Confluence before migrating to more dedicated portals.


Disclaimer: The statements and opinions expressed in this article are those of the author(s) and do not necessarily reflect the positions of Thoughtworks.