Ever since ChatGPT captured our imaginations, people have been contemplating its pending impact on the business world. This week these thoughts became a reality, with Google and Microsoft embedding artificial reality (AI) features into their business productivity suites.

Microsoft took another major step by releasing AI Copilot for Power Apps, Microsoft's low-code platform. Power Apps can connect far and beyond the Microsoft ecosystem, with almost 1,000 built-in connectors to everything from Salesforce to on-prem and Amazon Web Services. With one swift move, AI has been integrated into the day-to-day workflows of the world's largest organizations.

This is an amazing achievement, and other low-code/no-code platforms will surely try to catch up quickly. But ask yourself: Who will make the decision to integrate data with AI? Who will grant access? The answer: Every business user, and you won't even know because they'll let AI impersonate their accounts.

AI + Low-Code/No-Code = A Perfect Storm

In recent years, low-code/no-code has given business users newfound freedom. They were granted developer-level power that enabled them to customize their digital experiences with the technical skills they already had rather than having to learn new ones. Business users have started building applications that solve the problems that hurt most, on top of their day-to-day business data, without relying on IT or waiting for resources. After just a few years of low-code/no-code, many enterprises find themselves with tens or hundreds of thousands of applications, built outside of IT with no oversight or control.

Forget about continuous integration and continuous delivery (CI/CD) or security reviews — most of these applications follow the "push save to deploy to production" model instead. Quickly and quietly, applications developed outside of IT without the software development life cycle (SDLC) have become a significant portion of enterprise business applications. This has already become a major concern for enterprise security.

Enter AI. Imagine that every conversation you had with ChatGPT involved you giving it access to business data and left behind a nice little application you could play around with and share with others. Have a long business email? Let AI shorten it for you. Need to find relevant customers in your CRM? Let AI generate statistics for you. Need to analyze user behavior over product telemetry? Let AI query the database for you. Don't stop there! Create mini-applications to allow answering those questions repeatedly, and share them with your co-workers! Every application requires access — your access. Low-code has lowered the barrier for non-developers to create applications. AI, however, will completely eliminate it.

Low-code/no-code provides ease of connectivity to business data by removing the difficult hurdles around authentication, and it provides a host of widgets business users can combine creatively to address their needs. AI brings power to everyone, allowing them to create by simply asking for what they want. The two techniques fit together like hand in glove. Superpowered by AI, low-code/no-code expands from "everyone can build an application" to "everyone builds an application for everything they think of, all of the time."

You Are Not in Control

Who decides what data the AI can access? You might be thinking this would be IT or the security team, but you would be wrong. Business users are making those decisions. But how?

Imagine a scenario where every business user in a large enterprise starts to build their own applications. Setting aside the skill gap, the No. 1 hurdle to progress would be identity and access. Provisioning an application identity and granting the right permissions to it would require approval, which would trigger questions and perhaps even a security review. You won't get to tens of thousands of applications in a large enterprise this way.

To circumvent this hurdle, low-code/no-code platforms made a significant compromise: Applications can — and mostly do — impersonate users rather than have their own identities. This completely negates the permission issue. As a low-code/no-code developer, I can embed my own identity within my newly created application. I can even share my credentials with others, so they'll be able to build their own applications with my access to data or perform operations on my behalf. No more waiting for approval — we have a green light to create!

The problem with this credentials-sharing-as-a-service is that it completely negates the enterprise permission model. If users are sharing their credentials with each other, there's no easy way to distinguish them. Moreover, an application can leverage credentials across your organizational boundary — say, an employee's personal email account — in combination with a business account. To add a cherry on top, moving data between one account and another is done by automated copy and paste on the low-code/no-code platform's cloud. No data gets transmitted, so there is no opportunity to block data leaking out.

Credential sharing and data leakage have been a major issue with low-code/no-code applications. AI doesn't change that, but it magnifies the scale of the problem. When AI is plugged into a low-code/no-code platform, the AI gains potential access to everything the platform can access. The transition between potential and in-practice access is up to whoever prompts the AI to build a low-code/no-code application for them. We are trusting our business users with making the right choice without any guardrails or guidance.

Business Users Build Enterprise Applications

More than a specific technology, low-code/no-code is an idea — a strong push into IT decentralization and business empowerment. It has already brought tremendous productivity benefits to the world's largest organizations because the employees who know best how to impact the business are the business users.

For professionals in IT and security, this is a paradigm shift. No longer can we rely on the security savviness of developers or official security mandates. We must embrace business users and help guide them in the right direction. If we fail to do so, the forces of productivity and data-hungry AI will surely be glad to do that for us.