Beyond the Weekend Build: Avoiding Shadow IT in the Age of “Vibe Coding”

Executive summary

“Vibe coding”, prompting an AI to “just make it work”, delivers quick wins and real risk. Without a graduation path, weekend apps become production liabilities. Leaders can keep the speed while adding safety through paved roads, non-functional requirements defined up front, and an explicit handoff from citizen prototype to engineered product.

Day One is the demo. Day Two is operations.

Citizen development delivers undeniable speed. But speed without structure produces shadow IT: systems created outside governance that struggle under real-world load, compliance, and maintenance. The goal isn’t to stop building; it’s to standardise how successful builds grow up.

A useful framing from The New Stack: “vibe coding”—code generated by conversational prompts and accepted at face value—feels magical but can bypass design intent, security controls, and documentation. In small teams, that’s manageable. In an enterprise, it’s a liability.

What breaks on Day Two

  • Missing non-functional requirements: auth, auditability, observability, error handling
  • Architecture by accretion: iterative agent rewrites without ownership or testing strategy
  • Compliance gaps: unclear data lineage, permissions, and retention
  • Support risk: an adopted tool with no owner, no runbooks, and no on-call path

A pragmatic operating model

  1. Treat early builds as prototypes – validate value, flow, and data — don’t promise permanence.
  2. Define a graduation pipeline – Source control and code review (even for low-code exports). Test coverage (unit + basic integration) and security scans (SAST/DAST where feasible). Minimum bars: authentication, role-based access, logging, and metrics.
  3. Provide paved roads – Reusable components for identity, data access, messaging, secrets, and telemetry. Make the secure path the easiest path.
  4. Clarify ownership – Citizen owner: problem definition, success metrics, and user engagement. Platform/engineering owner: reliability, scalability, security posture.
  5. Decide the venue – Team automations/internal dashboards: stay in Citizen Space. Customer data, PII, regulated workflows, core processes: graduate to platform.
  6. Measure what matters – Time-to-value, adoption, error rates, time-to-recover, and cost-to-serve.
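As an added example (not code from the original article), here is one concrete shape for the graduation gate in step 2: a GitHub Actions workflow that blocks a merge when tests, SAST, the dependency audit, or secret scanning fail. The Python stack, the tool choices (pytest with pytest-cov, Semgrep, pip-audit, gitleaks), and the 70% coverage floor are assumptions for illustration, not the article’s prescriptions.

```yaml
# Graduation gate: runs on every pull request into main and must be configured
# as a required status check so a failing step actually blocks the merge.
# Added example, not from the original article. Assumes a Python service,
# a requirements.txt, and the tool choices below; substitute your own.
name: graduation-gate

on:
  pull_request:
    branches: [main]

permissions:
  contents: read

jobs:
  gate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0          # full history so secret scanning sees every commit

      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"

      - name: Install app and tooling
        run: pip install -r requirements.txt pytest pytest-cov pip-audit semgrep

      # Minimum bar: tests exist and cover a floor of the code (unit + basic integration)
      - name: Tests with coverage floor
        run: pytest --cov=app --cov-fail-under=70

      # Minimum bar: SAST. --error makes Semgrep exit non-zero on findings.
      - name: SAST (Semgrep)
        run: semgrep scan --config p/default --config p/security-audit --error

      # Minimum bar: no dependencies with known vulnerabilities
      - name: Dependency audit
        run: pip-audit -r requirements.txt

      # Minimum bar: no credentials committed. Prototypes accepted "at face value"
      # frequently carry hardcoded keys, so scan history, not just the diff.
      - name: Secret scan (gitleaks)
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Two caveats a reviewer will want. First, the remaining minimum bars (authentication, role-based access, logging, metrics) are not something a scanner proves; they belong on a review checklist that the platform owner signs off before the prototype leaves Citizen Space. Second, DAST needs a running instance, so it is run against the staging deployment rather than in this pre-merge job; this pipeline is the “where feasible” floor, not the whole bar.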

External perspectives (short quotes)

  • “Vibe coding—the practice of accepting AI-generated code at face value—has become the shadow IT problem no one saw coming.” — The New Stack, Aug 6, 2025
  • “Democratizing AI requires widening access while establishing guardrails that ensure responsible and trustworthy outcomes.” — IBM Think, Nov 2024
  • “Enterprises must balance speed with risk by embedding security, compliance, and scalability into AI adoption from the start.” — Intellias, May 20, 2025

Leadership takeaways

  • Don’t block the channel. Provide approved tools, templates, and review lanes.
  • Invest in enablement. Upskill citizen developers with short courses and starter kits.
  • Align incentives. Recognise teams that graduate prototypes responsibly.

Call to action

Keep the door open—and keep it safe. Pair the energy of citizen developers with a platform team that multiplies their impact.
