Citizen developers are redefining enterprise AI development

The rise of the AI-powered citizen developer

Historically, citizen developers were business users working within low-code/no-code environments to build relatively simple applications. These tools were typically confined to structured platforms and predefined templates, often supporting functions in HR, finance or operations. While they accelerated delivery for routine use cases, users still depended heavily on IT for complex integrations, architecture and governance.

Today, generative AI is rapidly widening the scope of what these users can build. Instead of working only within structured templates, employees can now describe desired outcomes in natural language and generate functional applications with minimal technical input. In turn, the barrier to entry is shifting, from knowing how to code to understanding the problem itself.

GenAI has lowered the fluency bar from 'can you code' to 'can you reason about the problem.'

Aleks Bass, chief product and technology officer at Typeform, an interactive form builder and automation platform, described this shift as a change in fluency. "GenAI has lowered the fluency bar from 'can you code' to 'can you reason about the problem,'" she said.

Matt Kunkel, CEO and co-founder of LogicGate, a SaaS-based governance, risk and compliance company, similarly emphasized how broad this shift has become. "The prevalence of AI means any employee can be a 'typical citizen developer,'" he said, underscoring how software creation is no longer limited to technical teams.

Why enterprises are embracing development beyond IT

A combination of technological progress and enterprise pressures is accelerating this shift.

On the technology side, GenAI has lowered the barrier to entry, while enterprise-grade, no-code/low-code platforms, such as Microsoft Power Platform, ServiceNow and Salesforce Flow now include AI-assisted development features that make application building more accessible than ever.

Beyond technological advancements, longstanding inefficiencies in traditional development models are also driving this shift.

"The traditional development process is very long, from ideation to validation, testing and architecture decisions," said Hugo Huang, product director at Canonical, a company that builds and maintains the open source Ubuntu platform. "By the time an application is delivered, requirements might have already changed," he added.

Organizational pressures are playing an equally important role as enterprises face persistent IT backlogs and developer shortages. In an August 2025 employment report, the U.S. Bureau of Labor Statistics projected ongoing demand for software developers to grow faster than the supply of qualified talent, creating pressure that IT teams can't always absorb. As a result, business units are increasingly building their own tools.

The biggest driver is not just generative AI; it's the combination of AI lowering the barrier to entry and persistent IT backlogs.

"The biggest driver is not just generative AI; it's the combination of AI lowering the barrier to entry and persistent IT backlogs," said Sonu Kapoor, senior Angular consultant at Solid Software Solutions, a company that builds bespoke mobile and web applications. He explained that both improved access to tools and longstanding operational bottlenecks are fueling the shift. "Business teams have always had ideas that couldn't get prioritized. What's changed is that now they can act on those ideas," he added.

As this shift accelerates, some organizations are starting to respond more deliberately. Rather than leaving informal experimentation to continue unchecked, some are treating citizen development as a structured capability. At Typeform, for example, this shift is being operationalized with clear guardrails and oversight.

"We define citizen development as non-engineers safely shipping real production changes using AI coding tools, within clearly bounded domains and with engineering review in the loop," said Typeform's Bass.

Taken together, these trends reflect a broader convergence of more accessible tools and rising business demand. By enabling nontechnical employees to build their own tools, organizations can extend development capacity, accelerate innovation and respond more quickly to evolving business needs without significantly scaling centralized IT teams.

What citizen developers are building across the business

Across business units, citizen developers are building a wide range of tools that previously required months of engineering effort. Common examples include internal dashboards for tracking performance metrics, workflow automation tools that streamline approvals and data entry, and AI-powered assistants that support customer service, knowledge access and routine decision-making. These use cases span various functions such as sales, operations, HR, legal and finance, underscoring how broadly citizen development is spreading across the enterprise.

LogicGate's Kunkel noted that this shift is ultimately driven by productivity gains at the edge of the organization. In finance teams, for example, AI-enabled tools are helping accelerate processes like financial close, giving leadership access to critical information sooner and improving decision-making speed. "If they can close the books in one week instead of two, that means leadership gets important financial information a full week sooner," he explained.

As adoption grows, however, most organizations are intentionally defining boundaries to balance speed with safety. Rather than leaving development entirely open-ended, they encourage teams to start small and expand gradually as confidence builds.

"We deliberately start with high-leverage, low-risk tasks such as copy updates, UI tweaks and small configuration changes in well-tested areas," Bass explained. She added that the teams slowly expand into more complex work, including UX improvements, integrations and small feature flows, but always within defined guardrails and clear review processes. These changes, she noted, are executed in controlled environments, such as feature flags and sandboxes, to ensure they remain safe, observable and easy to roll back if needed.

This controlled progression is key to scaling citizen development safely. It helps organizations move quickly without sacrificing oversight, while also shifting problem-solving closer to the point of need.

The growing risks of distributed AI development

While decentralized development brings clear benefits, it also adds new layers of complexity that make systems harder to track, govern and scale consistently over time. As a result, risks are emerging alongside gains in speed and flexibility.

Some of the most common challenges organizations face include the following:

Lack of visibility

As business users build and deploy applications across multiple platforms, IT teams can lose visibility into the full application landscape. This creates what is often referred to as shadow AI -- tools and automations created outside formal governance structures.

This lack of visibility is further compounded by the speed of AI innovation. "The pace of AI development is so fast that policies alone can't keep up," said Canonical's Huang.

He also pointed to a deeper shift in how modern systems operate, noting that in agentic AI-driven environments, software increasingly behaves like a continuous flow of data, making it much harder to observe, govern and control in a structured way.

Data security concerns

One of the most significant risks in citizen development is unintended exposure of sensitive data. Employees often connect applications directly to enterprise systems without full awareness of data classification rules or access constraints. This can result in overly permissive access, weak controls or unintended exposure of sensitive information.

It's one thing to allow access to data, but connecting AI to business-critical systems might exceed the risk tolerance for some organizations.

Kunkel emphasized that governance must clearly define how AI interacts with enterprise systems. "It's one thing to allow access to data, but connecting AI to business-critical systems might exceed the risk tolerance for some organizations."

In some cases, this can lead to more serious risks. For example, poorly governed applications could inadvertently expose sensitive data, such as PII, or send business data to external AI tools without employees fully understanding where that data goes, how it's stored or whether it's reused.

The risk doesn't stop there. Sensitive data can also appear in system logs or AI-generated outputs, creating additional exposure. In regulated industries, this raises concerns around compliance, data residency and auditability.

Vibe coding risks

As generative AI becomes more widely available, some employees are adopting informal vibe coding approaches -- building and deploying applications through AI-generated code without fully understanding the underlying logic.

While this accelerates experimentation, it often bypasses critical engineering practices such as peer review, structured testing and security validation.

Many nontechnical employees are now building applications with AI tools without formal training in data handling or software engineering practices, which can increase the risk of insecure or poorly governed implementations.

"Many nontechnical employees are now building applications with AI tools without formal training in data handling or software engineering practices, which can increase the risk of insecure or poorly governed implementations," Huang said. He added that without a clear understanding of how these systems handle data, authentication or integrations, even simple applications can introduce unintended security gaps.

Over time, this can lead to hidden vulnerabilities, fragile dependencies and applications that are difficult to maintain, audit or scale, especially when AI-generated code is deployed without visibility or oversight.

Inconsistent standards

In many organizations, citizen development is happening in parallel across multiple business units, often using different tools, frameworks and levels of oversight. Without shared visibility into what others are building, teams can unknowingly duplicate work or develop similar tools for the same problems.

This can eventually lead to fragmented systems that are difficult to integrate with core infrastructure and contribute to a growing technical debt. Organizations might find themselves managing a loosely governed ecosystem of applications that no single team fully understands.

Solid Software Solutions' Kapoor noted that the scale of AI-driven development is creating challenges not just of control, but of coordination -- especially as the volume of applications grows beyond traditional review capacity.

Regaining control: Enterprise governance and enablement

Most of the challenges associated with decentralized application development are not caused by AI or citizen development itself. Instead, they stem from how quickly these tools are being adopted, often outpacing the governance frameworks enterprises have in place to manage them.

Kunkel emphasized that successful organizations start with clearly defined AI governance frameworks that specify which tools are permitted, what data they can access and why those boundaries exist. "Safe and successful AI adoption requires a holistic, proactive risk and governance approach," he noted, especially as organizations often lack full visibility into where AI is being used.

To regain control, a growing number of enterprises are adopting approved platform models, limiting citizen development to vetted low-code and AI-enabled environments. This ensures stronger oversight while still enabling innovation.

Beyond specific platform choices, a key principle emerging across organizations is that governance should be risk-based, not role-based.

"The line should not be drawn around tools; it should be drawn around risk," Kapoor said. "Business users can safely build low-risk applications, but anything touching sensitive data or core systems should remain under engineering oversight."

Bass described a similar approach. Her company uses structured categories to determine what level of oversight is required for different types of development work. "We've formalized this into green, amber and red categories," Bass said, adding that more people can contribute to building software, but the rules for what can be released still stay the same. The company has also introduced formal programs that pair nontechnical employees with engineers, while limiting what systems they can access and establishing clear guardrails around what they can build.

Many enterprises are also establishing centers of excellence that bring together IT, security and business stakeholders to support citizen developers, review higher-risk applications and define standards.

These structures also reflect a broader change in how IT functions within the organization. More broadly, IT is shifting from gatekeeper to enabler -- building secure foundations, enforcing guardrails and maintaining visibility across distributed development environments.

The shift to distributed development models

Citizen development is also reshaping longstanding assumptions about build-versus-buy decisions. In some cases, internally built tools are beginning to outperform SaaS offerings for highly specific workflows such as reporting dashboards, approval systems and internal automation tools.

This isn't necessarily because internally built tools are more advanced, but because they are designed with a deeper understanding of the exact workflows they support and can be iterated on directly by the teams using them.

As Bass noted, this shift also changes how organizations innovate in practice. "When non-engineers can adjust flows and experiences directly, you can avoid buying point solutions and run more experiments in-product," she said.

This reflects a broader shift toward distributed development, where software creation is no longer centralized within IT but spread across the organization. In this model, IT's role does not disappear but evolves. Rather than owning and building all applications, IT teams increasingly focus on infrastructure, security, architecture, platform engineering and governance, while day-to-day development moves closer to the business.

At the same time, Kunkel noted that SaaS itself might evolve in response. Some categories of standardized software could be partly replaced by internal AI-driven tools, especially for narrow, specific use cases. He added that SaaS providers that succeed will likely be those that build AI deeply into their products and offer more flexible platforms.

Balancing speed, autonomy and control

While citizen development helps build tools closer to business needs, it also brings challenges around governance, autonomy and control. For CIOs, the challenge is not to stop this shift but to manage it effectively.

Huang emphasized the importance of clarity and communication in doing so. "A key part of the role is translating complex technical risks into simple, understandable language for executives."

This need for clarity is becoming more urgent as organizations face pressure to accelerate delivery without compromising security or long-term system integrity.

A successful model strikes a balance between empowering employees and communicating the importance of protecting the organization.

As Kunkel explained, this requires treating governance not as a constraint, but as a design principle. "A successful model strikes a balance between empowering employees and communicating the importance of protecting the organization," he said.

Increasingly, organizations that are succeeding with citizen development are intentionally designing for this balance rather than reacting to it. In practice, this means building operating models where speed and control are not competing priorities, but outcomes shaped by governance, tooling and clear guardrails from the start.

Kinza Yasar is a technical writer for Informa TechTarget's AI and Emerging Tech group and has a background in computer networking.