Generative AI Empowers Users but Challenges Security

In recent years low-code/no-code has been empowering business users to address their needs on their own, without waiting for IT, by intuitively building applications and automations. Generative AI, which has captured the imaginations and mindshare of the enterprise and customers, both increases that power and reduces the barrier to entry to practically zero. Embedding generative AI in low-code/no-code turbocharges the business' capability to move forward independently. Now, without a shadow of a doubt, everyone is a developer. Are we ready for the security risk that follows?

As soon as ChatGPT was released, business professionals started using it and other generative AI tools in an enterprise setting to get their jobs done quicker and better. Generative AI writes PR pitches for marketing directors, prospecting emails for sales reps, and many more use cases. While data governance and legal issues have emerged as inhibitors for official enterprise adoption, business users aren't waiting for approval and have already integrated it into their daily operations.

Meanwhile, developers have been using generative AI to write and improve code with tools like GitHub Copilot. A developer specifies a software component in natural language, and the AI generates working code that fits within the developer's context. The developer's role in this workflow is crucial: They must ask the right technical questions, be able to evaluate the generated software, and integrate it with the rest of the code base. These tasks require software engineering expertise.

Note that there's a clear distinction between the business professional and developer use cases specified above; the developer produces software that can be shared and reused, and can act on behalf of users, while the business professional answers a specific question or need, one example at a time. The limiting factor for business professionals to generate their own applications is their ability to reason about software produced by the AI without having the technical expertise of a developer. This is exactly where low-code/no-code comes into play.

Code Generation for Business Professionals

Low-code/no-code is, more than anything, an intuitive language that allows anyone to reason about software without having a technical background. This makes it the perfect candidate to act as a translator between generative AI and business users. Instead of generating software code that requires technical expertise to evaluate, generative AI generates low-code/no-code applications and automations that business users can easily evaluate and adjust. Low-code/no-code and AI are the perfect match to empower business professionals.

Major low-code/no-code vendors have already announced AI copilots that generate applications based on text inputs. Analysts are forecasting a five- to 10-times growth in low-code/no-code application development following the introduction of AI-assisted development. Low-code/no-code platforms also allow the AI to easily integrate across the enterprise environment, gaining access to enterprise data and operations. We are getting closer to a reality where every conversation with the AI can leave behind an application. That application would plug into business data, be shared with other business users, and get integrated into business workflows.

Accept and Manage the Security Risk

Security teams have traditionally focused on the applications that their development organizations create. We still often fall prey to thinking about business platforms as ready-made solutions, when in reality they have become application development platforms that power many of our business-critical applications. We have only just begun to make progress in bringing citizen developers under the security umbrella.

With the introduction of generative AI, even more business users are going to create even more applications. Business users are already making decisions about where data is stored, how it is processed by their applications, and who can gain access to it. If we leave these choices up to them without any guidance, mistakes are bound to happen.

Some organizations will try to ban citizen development or ask for business users to get approval for any application or data access. While that is a reasonable reaction, I find it difficult to believe it would succeed in face of the massive productivity payoffs for the business. A better approach would be to provide a safe way for business users to leverage generative AI with low-code/no-code, installing automated guardrails that silently handle security issues and leave business users to do what they do best: push the business forward.