Low-code platforms promised faster delivery without the traditional bottlenecks of professional development teams. Business users gained the ability to build apps, automate workflows, and even embed AI agents directly. Adoption surged. Yet the same speed that solves backlogs now creates visibility gaps that IT departments struggle to close.
Spiceworks reported in June 2026 that AI-powered low-code growth is outpacing governance. Without early guardrails, organizations risk creating shadow IT and losing visibility over critical applications. The article noted that growth in these tools allows temporary solutions to become permanent faster than before, with accountability and documentation often missing even on approved platforms.
Microsoft Power Platform alone counts 56 million monthly active users, up 27 percent year-over-year, according to company earnings data referenced in the Spiceworks piece. Gartner forecasts worldwide spending on low-code development technologies will reach $58.2 billion by 2029, with more than 80 percent of new business applications developed using AI-powered low-code and no-code platforms by then, up from 20 percent in 2024.
Early wins appear in departmental workflows, approval processes, and internal forms. Teams reduce IT backlogs. IT leaders focus on complex projects. Arnal Dayaratna, research vice president for software development at IDC, told Spiceworks that low-code and no-code have become the primary way companies build and run AI agents at scale.
Jithin Bhasker, GVP and GM of Creator Workflows and App Engine at ServiceNow, added that low-code works best when security, compliance, audit trails, and lifecycle management sit on the same platform. Ravi Teja, a senior developer at Humana, observed that proper governance and oversight allow most organizations to manage adoption effectively without slowing innovation.
Problems surface later. Governance rarely fails with a handful of applications. Challenges emerge at scale—hundreds of apps, thousands of makers, and business-critical processes. Microsoft data cited in the Spiceworks article points to issues such as undocumented automations, duplicate workflows, and limited visibility into ownership once usage spreads across units.
A freelance Power Platform consultant quoted anonymously described how solutions started without governance planning fail before they reach production. Small businesses often view governance as overhead until applications become essential and adoption expands.
Shadow IT evolves in this environment. Applications built on sanctioned platforms still lack clear ownership or documentation. Data connections multiply without consistent oversight. AI capabilities compound the issue. Business users now create agents that make decisions, shifting the discussion from productivity to infrastructure governance, Dayaratna noted.
Zenity’s State of Enterprise Copilots & Low-Code Development report found organizations use an average of seven different copilots and low-code platforms, resulting in roughly 80,000 apps per enterprise compared to about 500 SaaS apps at similar organizations. Risks tie directly to the OWASP Top 10 for low-code/no-code security risks, with authorization misuse, authentication failures, and data and secrets handling as the top three.
Kissflow’s June 2026 guide on low-code AI platforms emphasized that governance has become the primary enterprise purchase criterion. Platforms chosen purely for speed create the shadow IT problem leaders hoped to avoid. IT administrators need full control over what gets built, what data is accessed, and what reaches production.
A new IBM Institute for Business Value study released June 8, 2026, surveyed 2,000 C-level technology executives across 33 geographies. Two-thirds of CIOs and CTOs report being held accountable for AI systems they do not fully control. Seventy percent say teams deploy technology faster than IT can track. Seventy-seven percent indicate AI adoption already outpaces current governance capabilities. Only 11 percent feel fully prepared for the scale of AI agent deployment expected in the next year.
The IBM study found organizations that embed control into AI systems experience 25 percent fewer incidents. They deploy 16 times more agents and deliver 18 percent higher operating margins. Those relying on manual governance face rising risk as adoption scales. Surveyed organizations averaged 54 AI agent incidents last year, with 17 percent high severity and 37 percent resulting in data exposure or security breaches.
Successful programs place guardrails early. Microsoft guidance in the Spiceworks article recommends dedicated development environments, approved templates and connectors, clear paths from experimentation to production, and regular reviews. Bhasker stressed grounding tools in existing data models, workflows, and permissions so teams solve fragmentation rather than accelerate it.
Teja at Humana and the anonymous consultant both stressed starting governance conversations at the outset—who gets access, to what, and why—and maintaining them as projects evolve. Treating every app as a living asset rather than a one-time delivery helps prevent sprawl, Bhasker said.
OutSystems, Mendix, Appian, and others in the Kissflow comparison highlight built-in governance features, audit logging, role-based access, and compliance certifications such as SOC 2 Type II, ISO 27001, and FedRAMP authorization for regulated industries. Deployment flexibility, including on-premise or private cloud options, separates enterprise-ready options from lighter tools.
Recent X posts from enterprise leaders echo the pattern. Discussions at OutSystems events and comments from CIOs highlight the shift from experimentation to governed execution at scale. One post referenced 97 percent of enterprises running AI agents per an OutSystems 2026 report, yet only 21 percent with governance models according to Deloitte data.
The pattern repeats across sources. Speed without structure multiplies apps and agents. Visibility erodes. Accountability fragments. Organizations that redesign control into platforms and processes from the start scale further with fewer incidents and better financial outcomes, per the IBM analysis.
IT leaders face a practical choice. They can retrofit oversight after sprawl appears, or they can embed it in the platforms and policies that citizen developers already use. The data from Spiceworks, Zenity, Kissflow, and IBM shows the latter approach delivers measurable advantages in security, compliance, and operational results.
WebProNews is an iEntry Publication