Everybody’s a developer now. What does this mean for IT?

September 8, 2025

AI tools mean anyone can code. What does that mean for keeping your software stack in check?

First, marketing deployed a customer analytics dashboard, then sales built a forecasting tool on top of it. IT found out when the CRM API update broke everything last Tuesday. This scenario would have sounded downright ridiculous a year or two ago, but it’s becoming increasingly plausible.

By 2026, developers outside formal IT departments will account for at least 80% of the user base for low-code development tools. Now, anybody with a great idea has a reasonable shot at coding it and shipping it. Vibe coding is a thing now, including among your IT peers.

I’d argue that this is ultimately a positive change. Gatekeeping technical knowledge holds organizations back in the end. But now that everybody’s a developer, IT needs to ask itself some difficult questions about how to protect the business without stifling progress.

Shadow IT evolves into shadow development

Remember shadow IT? I do. Employees started signing up for unsanctioned Software-as-a-Service (SaaS) applications without looping in the tech team, who of course had to weigh in on the practical and security implications of using those tools. That said, at least those SaaS apps usually came from software companies that had security teams and some level of compliance.

Shadow development is a whole other animal. Now, your accounting manager might be building payment processing workflows, your HR coordinator could be creating employee data integrations, or your marketing team might be deploying customer-facing applications.

This difference matters. When someone signs up for Dropbox without permission, you lose control of data storage. When someone builds an application that connects Salesforce to your payment systems using low-code tools, you simultaneously lose control of business logic, data flow, and security boundaries.

Vibe coding accelerates this shift. Platforms like Replit, Base44, Bolt.new, and Google’s Opal enable application creation through natural language descriptions. Users can simply describe what they want in plain English, and AI generates the code on the spot. They don’t need much programming knowledge.

Security risks multiply with every departmental app

Let’s talk about what happens when AI writes the code instead of trained professionals. Veracode’s 2025 GenAI Code Security Report tested AI models against coding tasks. In 45% of those tasks, the models introduced a known security flaw into the code. Java implementations were riskier, failing security requirements 71% of the time. What’s more, the AI models consistently failed to prevent cross-site scripting and log injection vulnerabilities.

If you’ve got users building apps at your company (and you probably do), chances are very high that they heavily rely on AI assistance. Non-technical app developers trust the code these platforms generate, but they typically only understand the business benefits of what they’re creating—not the practical implications or the risks.

Security experts have pointed out several critical issues with AI-generated code, such as questionable code quality without review, outdated and vulnerable dependencies, and unpredictable behavior that can inadvertently expose data or alter production environments.

The 2025 Verizon Data Breach Investigations Report highlights a related concern: exposed secrets in code repositories. Organizations take a median of 94 days to remediate leaked secrets. Unlike software engineers, lay developers don’t understand secure credential management. They can easily hardcode passwords, commit API keys, and expose authentication tokens without realizing the danger. This isn’t their fault, but it is creating a new category of business risk you need to proactively address.
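As an added illustration (not code from this article or from any product it names), here is a small pre-commit style check that flags credential literals assigned in source while ignoring values read from the environment. The name list, placeholder set, entropy threshold and sample file are assumptions constructed for the example.

```python
import math
import re

# Quoted literal assigned to a credential-like name (heuristic name list, assumed).
ASSIGNMENT = re.compile(
    r"""(?ix)
    \b(?P<name>[a-z0-9_]*(?:password|passwd|secret|api_?key|token)[a-z0-9_]*)
    \s*[:=]\s*
    (?P<quote>["'])(?P<value>[^"']{4,})(?P=quote)
    """
)
PLACEHOLDERS = {"changeme", "example", "your_api_key_here"}  # assumed dummy values

# Constructed sample file; none of these values are real credentials.
SAMPLE = '''\
import os
DB_PASSWORD = "hunter2hunter2"
api_key = os.environ["CRM_API_KEY"]
crm_api_key = "k9Xv2LqP7mZt4RwB8cYd"
auth_token = "changeme"
'''


def shannon_entropy(value: str) -> float:
    """Bits per character; random tokens score higher than dictionary words."""
    counts = {c: value.count(c) for c in set(value)}
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())


def scan(source: str, min_entropy: float = 3.0):
    """Return (line_no, name, severity) for each hardcoded credential literal."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        match = ASSIGNMENT.search(line)
        if not match:
            continue  # e.g. os.environ[...] lookups assign no quoted literal
        value = match.group("value")
        if value.lower() in PLACEHOLDERS:
            continue  # documented dummy value, not a secret
        # High entropy suggests a generated key; low entropy still needs human triage.
        severity = "high" if shannon_entropy(value) >= min_entropy else "review"
        findings.append((line_no, match.group("name"), severity))
    return findings
```

Running a check like this before code reaches a shared repository shortens the exposure window, since a secret that is never committed does not need to be rotated later.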

Technical debt silently accumulates

Beyond the immediate security problems, there’s the long-term issue of mounting technical debt. Every vibe-coded application becomes another piece of the puzzle that doesn’t quite fit. Business users aren’t trying to break things—they simply don’t know coding standards exist or why they matter. The platforms handle errors automatically (mostly), and centralized monitoring isn’t on their radar when they’re just trying to solve problems quickly.

When these apps begin talking to each other, you’ve got an invisible web of dependencies that nobody’s tracking. Update one API for routine maintenance, watch five applications mysteriously stop working—applications you didn’t even know existed until angry users start calling you.
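The sketch below is an added example, not something from the article: it shows how a tracked inventory turns that surprise into a pre-change impact list by walking dependencies in reverse from the API being updated. The inventory format, application names and owners are hypothetical and constructed to mirror the dashboard and forecasting scenario from the opening.

```python
from collections import deque

# Constructed inventory (hypothetical format): each app lists what it calls directly.
INVENTORY = {
    "marketing-dashboard": {"owner": "marketing", "depends_on": ["crm-api"]},
    "sales-forecast": {"owner": "sales", "depends_on": ["marketing-dashboard"]},
    "hr-sync": {"owner": "hr", "depends_on": ["hr-api"]},
    "invoice-flow": {"owner": "accounting", "depends_on": ["payments-api", "crm-api"]},
}


def impacted_by(changed, inventory):
    """Map every app that depends on `changed`, directly or transitively,
    to the dependency path that connects them."""
    # Invert the edges: dependency -> apps that call it.
    reverse = {}
    for app, meta in inventory.items():
        for dep in meta["depends_on"]:
            reverse.setdefault(dep, []).append(app)

    paths = {}
    queue = deque([(changed, [changed])])
    while queue:
        node, path = queue.popleft()
        for app in sorted(reverse.get(node, [])):
            # Skip apps already reached so circular dependencies terminate.
            if app not in paths and app != changed:
                paths[app] = path + [app]
                queue.append((app, paths[app]))
    return paths


def owners_to_notify(changed, inventory):
    """Teams to contact before the change ships."""
    return sorted({inventory[app]["owner"] for app in impacted_by(changed, inventory)})
```

The returned path explains why an app is affected, which matters for second-order cases like a forecasting tool that never calls the CRM API itself.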

As if that wasn’t troubling enough, each low-code platform speaks its own language and locks your data in its own special way. Say someone built a genuinely beneficial solution in Platform A? You might be in for a world of hurt trying to move it to Platform B when the licensing costs triple next year. Your business logic could end up scattered across a dozen different platforms, held hostage by vendor lock-in.

Building guardrails without building walls

At first, it might be tempting to just tell your non-technical coworkers they’re not allowed to create their own apps. Just like with the first wave of shadow IT, though, it won’t work. The business need exists, the tools are available, and your users are motivated. Fighting this trend wastes energy and damages your partnership with the business.

Forward-thinking IT departments are already adapting to this trend by providing sanctioned low-code environments with built-in governance. When security controls, compliance features, and integration standards come configured by default, you remove the friction that motivates people to work around the system. Making the right way the easy way actually works—it’s the path of least resistance that people naturally follow.

  1. Start with discovery. You can’t secure what you can’t see. Modern cloud access security brokers (CASBs) can identify unauthorized applications across your environment, while API management platforms spot rogue integrations that might otherwise fly under the radar. Once you know what’s out there, you can systematically address the risks rather than playing an endless game of whack-a-mole.
  2. Create fusion teams where IT professionals directly work with vibe coders, turning potential adversaries into partners. Establish centers of excellence that provide templates, components, and best practices—essentially giving people the building blocks they need to create safely. When you run training sessions, skip the OWASP Top 10 lecture that puts everyone to sleep and instead explain why hardcoding passwords causes the kind of breaches that end up in the news.
  3. Implement graduated governance. Base your controls on actual risk rather than applying blanket policies. Personal productivity tools can operate with minimal oversight, while department-level applications should go through architecture review to ensure they won’t create integration nightmares down the road. Customer-facing systems, on the other hand, need the full security assessment treatment—these are the ones that could land you in the headlines if something goes wrong.

Your new IT reality (yes, your job is changing again)

Everybody’s a developer now, even if they haven’t realized it yet (though they soon will). As this transition takes place, IT’s role is shifting yet again. Now, your team isn’t just building or supporting business applications. You’re providing app development platforms and guidance on how to balance opportunity and risk.

Your action items are clear, even if the path ahead isn’t always smooth. Start by inventorying the vibe coding that’s already happening across your organization, then establish governance frameworks that protect your company without blocking innovation. Give your users secure platforms that actually meet business needs while enabling safe innovation through practical education and ongoing assistance.

By embracing AI and adapting to this reality, you can turn vibe coding from a risk into a competitive advantage. The alternative—resisting the inevitable—means you’ll keep fighting fires you never see coming, always playing catch-up instead of leading the charge.

Rose de Fremery

Writer, lowercase d

Former IT Director turned tech writer, Rose de Fremery built an IT department from scratch; she led it through years of head-spinning digital transformation at an international human rights organization. Rose creates content for major tech brands and is delighted to return to the Spiceworks community that once supported her own IT career.