
Feeling the Vibe: Navigating the new generation of low-code tools

Imagine a world where every trader, finance analyst, HR administrator, customer service agent and IT helpdesk agent has the tools and permission to develop and deploy new business applications directly to customer-facing processes. What does that mean for governance, controls and resilience risk?

The art of the possible

The world of software development is undergoing a dramatic transformation, fuelled by the rapid advancement of generative AI tools. This new era is marked by the rise of new tooling collectively referred to as low-code and no-code services, empowering business users to create applications with unprecedented speed and ease.

The use of low-code solutions to experiment and develop microservices, business applications and complex data models is generally referred to as vibe-coding, representing a trend towards amateur users with access to powerful AI tools creating working solutions without the rigour involved in formal software development.

This shift is disrupting traditional IT and change development and presents both exciting opportunities and significant challenges.

Actions to mitigate the risks of low-code development

Enhance control environment: Auditors should recommend strengthening governance, enterprise access, and release controls, including restricting access to critical systems. Clear prompt documentation, security training, regular platform assessments, and human oversight should be implemented.

Security and Compliance: Auditors must verify that appropriate security controls are in place and that applications comply with relevant regulations and organizational policies, regardless of the development method used.

Data Integrity and Reliability: Auditors must evaluate data management controls, access restrictions, and validation processes to ensure the information used for decision-making is reliable and consistent.

Evolved Audit Scope: Applications developed using new development technologies often sit outside the IT control environment, and their increasing number significantly expands the scope of audits. Traditional, periodic audits may be insufficient. Continuous monitoring, automated audit procedures, and real-time risk assessments become essential to keep pace with rapid development cycles.

Deeper Skillsets: Auditors need to adapt their skills to effectively audit applications developed using diverse approaches and analytic capability. Understanding the specific platforms, the security implications of AI-generated code, the integration points between systems, and the inherent limitations of each approach is crucial.

Conclusion

Momentum is building behind the adoption of low-code tools, and the use of AI-driven development will be the new normal for all businesses. Being aware of the risks, ensuring that management is controlling the use of these solutions, and ensuring that users understand the implications of misuse are critical focus areas for all Risk and Assurance teams.
