Not long ago, software development followed a well-lit path, clear and predictable. Developers wrote code, tested it, and shipped it. Security followed: protect the app, secure the perimeter, check the boxes.
That world is gone.
As the Global Head of Information Security for CloudBees, I’ve been part of this ongoing transformation and see where today’s risks are emerging.
Today, development is fast-moving, decentralized, and shaped by an explosion of tools, teams, and AI. What was once a linear assembly line is now a sprawling, interconnected ecosystem: pipelines, runners, containers, and orchestrators scattered across teams and environments.
Governance hasn’t kept up. Unknown assets multiply. Rogue pipelines and misconfigured workflows persist. “Just make me admin” requests go unrevoked. All stitched together by secrets no one knew existed. This isn’t an edge case. It’s the new normal. And much of it grows in the shadows.
Securing applications, cloud, and data is table stakes. But what about the factory that builds and ships your software? Secure software can’t come from insecure systems.
Most security teams are chasing what they can see, but the real risk lies in what they can’t, and attackers know it. They’re no longer just targeting apps; they’re targeting sprawl.
Sprawl isn’t only technical. It’s cultural, human, and increasingly AI-driven.
AI hasn’t just accelerated development; it’s changed who develops. A marketing manager can now generate a Python script with a prompt and deploy it directly into a production analytics tool. An HR coordinator can spin up an onboarding bot in Slack that pulls from payroll APIs.
That’s progress, but often outside secure paths. These AI-generated workflows don’t live in source control, don’t appear in CI/CD dashboards, and can run inside trusted SaaS environments. Structured pipelines and gated reviews have been replaced by instant execution at the prompt. Quality checks are skipped, dependencies unchecked, and code unvetted. All invisible to traditional security tools and often created by people unaware they’re part of the software development lifecycle.
This isn’t the shadow IT of the past. It’s shadow development: AI-led, toolchain-free, governance-blind, and increasingly beyond the reach of traditional security.
The tradeoff is familiar. Velocity and access have grown, but guardrails, ownership, and accountability haven’t. Organizations risk becoming misaligned. Vendors struggle to explain the new risks they introduce, teams don’t always know what’s running, and leadership lacks the visibility needed for data-driven decisions.
Mapping this end-to-end is nearly impossible. Securing it is even harder. You can’t protect what you can’t see.
Applying yesterday’s solutions to today’s problems only adds friction. Tearing everything down and starting over isn’t realistic; it’s costly, disruptive, and often drives more shadow usage. Scanners help, but only if you know where to look. Compliance attestations show yesterday, not what’s exposed today.
Organizations moving forward aren’t ignoring the sprawl. They’re learning to lead through it, accepting complexity as the new baseline and focusing on the challenges where they actually operate. To do this, they:
Start with visibility: a real-time, end-to-end view of the software factory through a unified source of truth
Rethink strategy: understanding how the factory runs, what’s working, what’s not, and what must change to close the gaps
Align teams: upskilling, collaborating across functions, clarifying ownership, and driving shared outcomes
Reframe threat models: recognizing that code ownership no longer maps to job titles
Modernize controls: shaping them to how teams actually work, not how traditional governance assumes they should
Pave secure paths: embedding secure defaults and automation to reduce friction and keep development moving fast
Validate security: integrating vulnerability scanning, code analysis, and pen testing for a proactive security posture
Flag risk early: continuously monitoring and dynamically enforcing policy in real time to catch issues before they spread
This isn’t an overnight fix. Progress is a continuous journey of learning, iteration, and adaptation in a constantly changing landscape. Those moving forward make their sprawl visible, manageable, and aligned, partnering with their teams to put guardrails in place that accelerate innovation, improve delivery efficiency, and drive business growth.
Miss the sprawl, and you miss the risk. That’s exactly what attackers are counting on.
Leaders getting ahead aren’t waiting for perfect solutions; they’re rethinking how platform teams can maintain control without slowing innovation.
The first step is visibility. Get our quick 5-step guide to uncovering and eliminating shadow code.