Not long ago, software development followed a well-lit path, clear and predictable. Developers wrote code, tested it, and shipped it. Security followed: protect the app, secure the perimeter, check the boxes.
That world is gone.
As Global Head of Information Security for CloudBees, I've watched this transformation firsthand, and I've seen where the real risks now hide.
Today, development is fast-moving, decentralised, and shaped by an explosion of tools, teams, and AI. What was once a linear assembly line is now a sprawling, interconnected ecosystem: pipelines, runners, containers, orchestrators scattered across teams and environments.
Governance hasn’t kept up. Unknown assets multiply. Rogue pipelines proliferate. Misconfigured workflows persist. “Just make me admin” requests go unrevoked. All stitched together by secrets no one knew existed. This isn’t an edge case. It’s the new normal. And much of it grows in the shadows.
Securing applications, cloud, and data is table stakes. But what about the factory that builds and ships your software? Secure software can’t come from insecure systems.
Most security teams are chasing what they can see. The real risk lies in what they can’t. And attackers know it. They’re not just targeting apps anymore. They’re targeting sprawl.
Sprawl isn’t only technical. It’s cultural, human, and increasingly AI-driven.
AI hasn’t just accelerated development; it’s changed who develops. Teams in marketing, sales, and HR, once far from coding, now build workflows with a prompt. For example, a marketing manager can now generate a Python script with a prompt and deploy it directly into a production analytics tool. An HR coordinator can spin up an onboarding bot in Slack that pulls from payroll APIs.
That’s progress. But often outside secure paths. These AI-generated workflows don’t live in source control, don’t appear in CI/CD dashboards, and can run inside trusted SaaS environments. That means your existing security tooling never even sees them. Structured pipelines and gated reviews have been replaced by instant execution at the prompt. Quality checks are skipped, dependencies go unchecked, and code and automation go unvetted. All quietly embedded in trusted environments, by people unaware they’re part of the software development lifecycle. You can’t protect what you can’t see, and AI is rapidly expanding the attack surface in places that have historically been outside your visibility.
This isn’t the shadow IT of the past. It’s shadow development: AI-led, toolchain-free, governance-blind, and increasingly beyond traditional security’s reach.
The tradeoff is familiar. Velocity and access have grown, but guardrails, ownership, and accountability haven’t. Organizations remain misaligned. Vendors struggle to explain the new risks they introduce. Teams don’t always know what’s running. Leadership lacks visibility to make data-driven decisions.
Mapping this end-to-end is impossible. Securing it is even harder. You can’t protect what you can’t see.
Applying yesterday’s solutions to today’s problems only adds friction. Tearing everything down and starting over isn’t realistic; it’s costly, disruptive, and often drives more shadow usage. Scanners help, but only if you know where to look. Compliance attestations show yesterday, not what’s exposed today.
Organizations moving forward aren’t ignoring the sprawl. They’re learning to lead through it. They accept complexity as the new baseline and focus on tackling challenges where they actually operate:
They start with visibility: a real-time, end-to-end view of the software factory through a unified source of truth
They rethink strategy: understanding how the factory runs, what’s working, what’s not, and what must change to close the gaps
They align teams: upskilling, collaborating across functions, clarifying ownership, and driving shared outcomes
They reframe threat models: recognizing that code ownership no longer maps to job titles
They modernise controls: shaping them to how teams actually work, not how traditional governance assumes they should
They pave secure paths: embedding secure defaults and automation to reduce friction and keep development moving fast
They validate security: integrating vulnerability scanning, code analysis, and pen testing for a proactive security posture
They stop risk early: continuous monitoring and dynamically enforcing policy in real time to catch issues before they spread
This is not an overnight fix. It is a continuous journey defined by learning, adapting, and evolving alongside an ever-changing landscape. The hardest step is starting with clarity and purpose. Organizations making progress are those who make their sprawl visible, manageable, and aligned. They partner with their teams to adapt guardrails that accelerate innovation, improve delivery efficiency, and drive business growth.
Miss the sprawl, and you miss the risk. That’s exactly what attackers are counting on.
The organizations getting ahead of this aren’t waiting for perfect solutions. They’re rethinking how platform teams can gain control without stifling innovation.
Sprawl thrives in the shadows. The first step to control is visibility. Get our quick 5-step guide to uncovering and eliminating shadow code.