The notion of Shadow IT as an expression of the mismatch between supply and demand of remains fascinating to me as it pits the abundance of what’s possible with technology against the scarcity of making it available, with a backdrop of people picking up IT by its scrappy bootstraps . I’ve written before about Lisa-in-accounting’s Access databases and Jason’s customer data spreadsheet held together by crafty macros.. SaaS applications adopted on a credit card because the procurement process would take longer than the actual project. My take was to not stamp it out but to get smarter about it. Enlightened Shadow IT, I called it. Optimistically. Create guardrails, not roadblocks.
Well, three years later, Shadow IT grew up. It got a job title. It’s now called citizen development and it comes with a platform, a governance model, and a seat at the architecture table. Sort of.
The Low-Code Land Grab
The low-code/no-code market has exploded. Microsoft’s Power Platform is everywhere, largely because it ships with enterprise licenses that organizations are already paying for. Some other platforms have similar appeal, say, Salesforce, or ServiceNow. Pure-play solution, such as Appian, Mendix, or OutSystems, make inroads too. The pitch is compelling: empower business users to build their own applications without waiting for IT. Democratize development. Close the app gap.
And it’s working. I’m seeing business analysts build workflow automations in Power Automate that would have been an IT project three years ago. Operations teams are spinning up internal tools in days. HR departments are building onboarding portals without writing a line of code.
This is genuinely exciting. The demand for digital solutions has always outstripped IT’s capacity to deliver. That gap was the root cause of Shadow IT in the first place. Low-code platforms are the first credible attempt to close it at scale.
So what’s the problem?
Same Movie, Better Customs
It shouldn’t come as a huge surprise that the citizen development movement seems to recreate many of the same problems that Shadow IT created, just with better tooling and executive sponsorship.
A consumer goods client recently discovered they had over 200 Power Apps built by business users across the organization. Some were brilliant. A field team had built an inventory tracking app that genuinely solved a supply chain problem nobody in IT knew existed. But many were duplicative. Three different teams built three different customer lookup tools, each connecting to a different data source, each returning slightly different results. Good enough to solve their immediate challenge and adopted enough to lead to inconsistent data and interpretations downstream.
Nobody had a complete inventory of what was built and used. Sound familiar?
The underlying issues haven’t changed:
- Data governance is bypassed. Low-code platforms make it trivially easy to connect to data sources. That’s a feature and a risk at the same time. When a business user builds an app that pulls customer data from whatever source exposes it, applies some logic, and shares the output with a partner, who’s responsible for data quality? For privacy compliance? For making sure the data isn’t stale? The platform didn’t ask those questions, and neither did the builder.
- Integration explodes. Every app that connects to a backend system is an integration point. When IT builds integrations, there’s usually some architectural oversight, perhaps API mediation layer, a middleware pattern, and ideally some kind of data lineage. When citizen developers connect directly to databases or bypass the API to scrape data from screens, the result is a web of dependencies that nobody can see until something breaks.
- Knowledge walks out the door. When Lisa-in-accounting built that Access database, at least she was there to maintain it. Now Lisa has built a Power App, automated three workflows, and connected them to SharePoint, Dynamics, and a third-party API. Then Lisa gets promoted. Or leaves. Who maintains it now? Who’s the lucky one to excavate undocumented logic that’s solidly embedded in a visual workflow and works some of the time?
What Enlightenment Looks Like in 2021
It looks suspiciously like 2018, just more sophisticated. You don’t kill citizen development. You cultivate it. But cultivation requires structure, and structure requires honest conversations about where the boundaries are.
- Define the sandbox. Not every use case belongs on a low-code platform. Internal productivity tools? Great. Customer-facing applications that handle sensitive data? Probably not. The organizations getting this right have published clear criteria for what can and can’t be built by citizen developers. This doesn’t require a 40-page policy document, a simple decision tree will do. Does it touch customer data? Does it integrate with a system of record? Will more than 50 people use it? If yes to any of these, it needs architectural review. Which also doesn’t have to be cumbersome, but does need to consider the core risks.
- Build the on-ramp. Handing someone a Power Platform license and saying “go build” is like giving someone a circular saw and saying “go renovate.” The tools are powerful and they can do real damage in inexperienced hands. Successful programs pair platform access with lightweight training, reusable templates, and access to a “toolsmith” who can help citizen developers avoid the pitfalls they don’t know exist.
- Create visibility. Organizations making citizen development work have built catalogs of what’s been created, by whom, connected to what, and used by how many people. It doesn’t have to be heavy, capital G Governance. But it has to exist. When the inventory app that three teams depend on was built by someone who left six months ago, you need to know that before it breaks, not after.
- Establish a graduation path. Some citizen-developed apps will outgrow the sandbox. They’ll become critical, they’ll need to scale, they’ll need proper engineering. To build on successes, craft a clear path for promoting a citizen-built app into IT’s portfolio when it’s earned it. The worst outcome is an app that’s too important to ignore and too fragile to trust.
The Real Opportunity
A few years ago, shadow IT typical y meant business users were working around IT. With citizen development, we can create a model where business users work alongside IT. The business brings the problem knowledge. IT brings the guardrails. The platform sits in between.
It’s not perfect and it’s still messy. It requires constant negotiation, and someone will inevitably build something terrifying. But technology demand has a habit of outpacing supply. Business needs will be met one way or another. So you might as well embrace it, shape it, and make sure the guardrails are strong enough to keep away from the Dark Side.
