Harnessing AI Enabled Citizen Developer Potential: A Balancing Act Between Innovation and Governance

Ashleigh Green — 1 November, 2023

In the thick of digital transformation, Microsoft’s Power Platform is standing out as a potent catalyst, democratising development with its low-code environment. It has never been easier for staff to create their own bespoke applications and productivity tools. With the official release of Copilot on 1 November, the platform is championing a new generation of citizen developers, enabling them to design applications and automate workflows through simple text and image commands.

While this democratisation propels organisational innovation, it simultaneously introduces significant governance considerations:

  • How do you prevent application sprawl similar to what was experienced with Access databases and Excel macros?
  • Are critical business processes becoming dependent on applications made by an individual that no one else knows about or has access to?
  • What information is accessible to these applications and where is it being sent?
  • How can you determine if an application created by an individual has become integral across the organisation and is now critical to multiple departments?

Paying close attention to these challenges is crucial to safeguard data and ensure controlled application management.

Empowering Citizen Developers

The Power Platform began its journey in 2015 with a preview of Power BI. In its latest iteration, Power Platform is aiming to equip developers with AI-enhanced experiences. For example, Power Apps, one of the pioneering products to utilise GPT technology, lets developers convert sketches, images, and Figma files into app interfaces¹. Power Automate allows citizen developers to describe workflows and approval processes through a conversational interface. With Copilot’s impending launch, this AI-backed development is set to soar, further assisting citizen developers in creating more intricate, intelligent automations. The ease and enhanced capabilities brought by Copilot will inevitably lead to a surge in application creation and automation workflows, putting a spotlight on the governance frameworks in place. The advent of Copilot underscores the urgency of having robust governance strategies to manage the potential explosion of citizen-developed applications and ensure data integrity.

Governance Challenges

However, democratised development isn’t without its governance obstacles. As Gartner highlighted, poor governance is a primary concern, with application misuse, sprawl, data breaches, and abandoned solutions among the top problems². The potential access to confidential data, especially with the widespread adoption of programming, makes a robust data governance strategy paramount³. Imagine a scenario where an application, initially created for a minor task with Copilot, evolves into a vital tool for multiple departments but lacks the necessary governance structures. The implications of such an application going offline or experiencing data breaches could be detrimental.

Strategies for Navigating the Terrain

  1. Foster a Community of Practice: A Community of Practice (CoP) can exhibit admin and governance capabilities, offering a structured space for citizen developers to engage, grasp best practices, and understand the application lifecycle management (ALM) approach⁴. 
  2. Establish a Centre of Excellence (CoE): The Power Platform CoE Starter Kit offers a structured approach, with tools for cataloguing resources, DLP strategy visibility, and even encouraging adoption through an App Catalog¹ ⁴.
  3. Enforce Data Categorisation and Labelling: Implementing a solid data categorisation and labelling system is essential to ensure that sensitive or crucial data is managed responsibly³.
  4. Offer Tiered Environments: Utilise the concept of multiple environments within a tenant to provide controlled access. Designate the default environment for personal productivity, restricting critical app development to non-default environments. This strategy aligns with the practice of using development, sandbox, and production environments in Dynamics 365¹ ⁴.
  5. Strengthen Data Exfiltration Protocols: Microsoft has progressed in countering governance challenges by bolstering data exfiltration measures and establishing cross-tenant restrictions for Power Platform connectors, using Azure AD-based authentication.
  6. Oversee and Control Applications: Contemporary citizen development platforms like Power Platform offer settings where app creation can be supervised, and automation added with vetted technologies.
  7. Establish a Team Structure for Environments: Assign roles like Power Platform service admin to designated administrators and restrict the creation of new environments to these administrators. This aids in establishing clear boundaries and responsibilities¹ ⁴.
  8. Set Up Data Loss Prevention Policies: Implement DLP policies to control which connectors have access to important business data, thus safeguarding against data breaches¹ ⁴.
  9. Leverage Out-of-the-Box Activity Logs and Analytics: Utilise the Office 365 Security & Compliance Center for audit logs and records. These tools provide insights into app and flow usage, aiding in identifying apps with high or multi-department usage¹ ⁴.
  10. Automate Audit Processes: Use Power Automate to create workflows that align with DLP policies, ensuring automated compliance and monitoring¹ ⁴.

Establish Monitoring for Oversight

  • Implement Monitoring Mechanisms: Establishing monitoring to gain an understanding of who is creating applications and how they are being used is essential. Identifying applications with high usage or multi-departmental usage as candidates to be promoted can ensure more comprehensive governance.
  • Address Risks of Lack of Version Control: Applications that attain high importance or usage without being under version control or change control practices pose a significant risk. The impact of these applications going offline could be detrimental to business processes. Ensuring that as applications grow in importance, they are brought under formal version and change control processes is crucial.

AI will undoubtedly accelerate the pace at which applications are developed and deployed, making the strategies outlined above not just advisable, but essential. The strategies for navigating the terrain of citizen development are not merely to keep pace with the innovation but to stay ahead, ensuring a controlled yet fertile ground for citizen developers to flourish without compromising organisational data integrity.

By integrating these strategies, organisations can navigate the terrain of citizen development with confidence, striking a balance between innovation and governance, and transforming the democratisation of development into a sustainable competitive advantage.


¹ Microsoft Cloud Blogs. “Power Platform is leading a new era of AI-generated low-code app.” (Accessed October 2023).

² Gartner. “30 Best Practices for Governing Microsoft Power Apps and Power Automate.” (Accessed October 2023).

³ Hitachi Solutions. “6 Steps to Better Governance for Microsoft’s Power Platform.” (Accessed October 2023).

⁴ Microsoft Cloud Blogs. “Solve IT governance and admin challenges with new features for Power.” (Accessed October 2023).