In a few years, with the help of vibe coding apps, many people in the company will be "software devs" coming up with their apps and stuff, how will IT folks handle this? As it is, my IT department claims my Procurement SaaS stuff is "shadow IT"...
Posted by bobbystills5@reddit | sysadmin | 70 comments
How will you deal with a world in which everyone in the company has their own platforms?
spazzvogel@reddit
It’s going to be a shitshow…
Aim_Fire_Ready@reddit
It always has been.
spazzvogel@reddit
That’s true, but even more so. I’m glad, yet sad to be leaving this all behind in a year or two.
tacos_y_burritos@reddit
Are you dying? Can I have your stuff?
spazzvogel@reddit
LOL, I’m leaving tech, afaik I’m not terminal or anything.
tacos_y_burritos@reddit
I see. Can I still have your stuff?
spazzvogel@reddit
Not yet… but I surely won’t be here forever. Name is in the hat.
kremlingrasso@reddit
Yeah, until now they just exported stuff left and right in Excel and hacked it together with lookups and, God forbid, Access.
diszemic@reddit
It's a tricky situation, and honestly, a lot of it comes down to having clear policies and good communication between IT and other departments. I've found that having a system in place to automate access and provisioning helps reduce the friction and makes it easier to manage what people are using; otherwise, it's a constant game of whack-a-mole.
bukkithedd@reddit
I deal with it by not dealing with it, basically, and I make DAMN sure that management and leadership knows both that and why.
I don't deal with it because it's not an IT-division problem if people use various vibecoding-tools to become "software devs". If management hasn't put forth a set of directives to deal with and guide things, it's not a problem that I can nor should correct for them.
Sure, I will voice my opinion of such things and outline the security-risks that inherently come with vibecoders, but that's about my extent of care unless and until I get told to make it something I have to deal with. Plus, of course, the power to actually do something about it. Because without that power and mandate, anything and everything I say is a suggestion, not The Law™.
WorkLurkerThrowaway@reddit
I mean it is and it isn’t. If an accountant is able to install Claude Code and start hammering away at a production DB that is definitely your problem.
Manager A wants access to some workflow app vibed coded by a former employee? Not your problem.
bukkithedd@reddit
That's true, yep. I'll have to deal with the fallout and the restore. But IF that happens, I'll also be adamantly clear on who caused the outage and more importantly why.
joedotdog@reddit
Read the AI generated documentation of course.
Ark161@reddit
>my Procurement Saas stuff is "shadow IT"...
If it wasn't vetted and approved for use, then yes, it is 100% shadow IT.
So either have it vetted and approved by your company, or stop it.
R2-Scotia@reddit
When I was young, I worked in IT for a research group at the Ministry of Defence. Quite separately we had the usual corporate IT of the period, PCs becoming common, but the finance system was on a VAX mainframe, green text screens.
One of the accountants started tinkering in Visual Basic and came up with a tool that would take over the serial port, control the finance apps, screen scrape the data and populate Excel workbooks.
This got covertly passed around departmental finance people and soon he had hundreds of customers. The app was known by his surname, as in "can we get that from McTavish?"
The finance crew would have spilled blood before giving up this app. Only one option for IT ....
.... they hired him.
pdp10@reddit
You didn't get upgraded to the amber ones?
And now we know how McTavish's Fabulous Screen-Scraper got its start. Though why they didn't just use ODBC, nobody knows.
Just kidding. We know they didn't know about ODBC, because they didn't ask the I.T department.
R2-Scotia@reddit
Never seen an amber VT220, but some later terminals had other colours, VT420 was light grey
You think a VAX finance app would support a Microsoft database protocol? Very optimistic 🙃
pdp10@reddit
It's a Microsoft API. There's an ODBC driver for DEC RDB even now, but it's hard to say when that was first available.
Today there's a driver for everything from PostgreSQL to DB2/400.
R2-Scotia@reddit
This did not use an RDBMS. More like COBOL relative files. Apps older than the hardware, I'm sure.
uptimefordays@reddit
I’m looking forward to cleaning up spaghetti code. It’ll be years and years of job security!
EIsydeon@reddit
Because it is.
bobbystills5@reddit (OP)
Technology is an input to every single thing in the company. Everyone is in "IT" now, there is no "shadow IT" anymore...
Dikembe_Mutumbo@reddit
What’s your security background? How are you checking for security vulnerabilities in these apps you’re creating? What language is it written in? What code languages are you fluent in that you can check for these vulnerabilities? Don’t have answers to all these questions? Then it’s Shadow IT. Just because you use a computer does not make you part of IT.
axonxorz@reddit
They have no background, their LLM told them that was okay.
They're using other GenAI models for security scans, those LLM told them everything was okay.
It's not shadow IT, because they prompt engineered their LLM into saying that was the case.
For AI boosters and simps, any open ended question about their motivations can be answered simply: because the model told me it was okay [and I believe CEO marketers, whose paychecks are dependent on my ability to believe their lies about costs and capabilities]
axonxorz@reddit
Right, because you say so.
throwaway117-@reddit
Yeah, who do you think is on the hook legally when one of those platforms is compromised? This fantasy land you've proposed is a security and liability nightmare.
Hell ai is already a liability nightmare.
kozak_@reddit
Not you, as long as the risks are known and accepted.
throwaway117-@reddit
Of course but if OP wants to play shadow IT then...
Defconx19@reddit
So I know what you think you mean, but you "know enough to be dangerous" as we say.
There is a middle ground, at my MSP we are enabling customers to fully take advantage of Claude, however we're working WITH them. There are core reasons why, security being #1, support being #2, and strategic alignment being #3.
AI is an amazing tool for business and the IT departments fearing it instead of leading their company to leverage it properly are choking their company.
That being said, a non-technical user NEEDS oversight. We make every user who wants to create an "app" schedule 2 meetings with someone on our team. The first is their proposal: what it does, who the target audience is, etc. Then they get approval to make it, or we tell them someone has something similar that can be added on to. The second meeting is to review what they created, make sure it's secure, and give it approval to go live, then document that it exists.
Also, everyone likes to use the word SaaS, but if you aren't selling your app, it's not SaaS. It can't be "Software as a Service" if you aren't providing the service to a customer; it's just an internal app you built.
Hopefully this makes sense?
Darth-Bosco@reddit
Just because I can ask Claude a legal question it doesn’t make me a lawyer. The same applies to coding. You are not a software developer and you are certainly not in IT.
JaschaE@reddit
Does "programming" or "responsibility for System security" turn up in your contract?
Kikz__Derp@reddit
Yea, that’s all fine and dandy until auditors come in, see that your vibe coded app that hasn’t been run through the proper approvals is exposing PII, and fine the company a bajillion dollars.
Connection-Terrible@reddit
We are working towards making procurement of SaaS without involving IT a fireable offense. Curious, is it part of your job role to obtain new applications? How is that not end-running IT?
EIsydeon@reddit
No, anything that is added to the environment should be going through an IT department to be properly vetted and administered. Anything outside of that is shadow IT and is a threat to the environment.
I don’t care how good you think you are, even with AI helping 5 years from now. It is and always will be shadow IT as there is no proper change control behind it.
irish_guy@reddit
Without access to API keys they will be pretty limited. Ensure your existing keys that get approval are scoped.
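A concrete reading of "scoped keys", as an added example (not the commenter's code): each key carries explicit `resource:action` scopes and an expiry, requests are denied by default, every decision is logged, and an audit pass flags keys that are wildcarded, over-long-lived or expired. The key store, scope syntax and policy limits are assumptions constructed for the example.

```python
"""Deny-by-default scope checks and a key audit (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, List, Tuple

# Fixed "current time" so the sample data and results are deterministic.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)


@dataclass(frozen=True)
class ApiKey:
    owner: str
    scopes: FrozenSet[str]   # "resource:action" pairs; "*" matches anything
    expires_at: datetime


@dataclass
class Decision:
    allowed: bool
    reason: str


# Constructed sample keys: one narrowly scoped, one stale, one far too broad.
KEYS = {
    "key-finance-bot": ApiKey("finance-automation",
                              frozenset({"invoices:read"}),
                              NOW + timedelta(days=30)),
    "key-stale": ApiKey("former-contractor",
                        frozenset({"invoices:read", "invoices:write"}),
                        NOW - timedelta(days=1)),
    "key-admin-ish": ApiKey("some-integration",
                            frozenset({"*:*"}),
                            NOW + timedelta(days=400)),
}

# (key_id, resource, action, allowed, reason) for every decision made
AUDIT_LOG: List[Tuple[str, str, str, bool, str]] = []


def _scope_matches(scope: str, resource: str, action: str) -> bool:
    res, _, act = scope.partition(":")
    return res in ("*", resource) and act in ("*", action)


def authorize(key_id: str, resource: str, action: str,
              now: datetime = NOW) -> Decision:
    """Allow only an unexpired key whose scopes cover resource:action."""
    key = KEYS.get(key_id)
    if key is None:
        decision = Decision(False, "unknown key")
    elif now >= key.expires_at:
        decision = Decision(False, "key expired")
    elif not any(_scope_matches(s, resource, action) for s in key.scopes):
        decision = Decision(False, f"scope {resource}:{action} not granted")
    else:
        decision = Decision(True, "ok")
    AUDIT_LOG.append((key_id, resource, action, decision.allowed, decision.reason))
    return decision


def denied_events() -> List[Tuple[str, str, str, bool, str]]:
    """Denied decisions are the ones worth alerting on."""
    return [e for e in AUDIT_LOG if not e[3]]


def audit_keys(keys=KEYS, now: datetime = NOW,
               max_lifetime: timedelta = timedelta(days=90)) -> List[Tuple[str, str]]:
    """Flag keys that are not scoped the way the policy expects."""
    findings = []
    for key_id, key in keys.items():
        if any("*" in s for s in key.scopes):
            findings.append((key_id, "wildcard scope"))
        if key.expires_at - now > max_lifetime:
            findings.append((key_id, "lifetime exceeds policy"))
        if now >= key.expires_at:
            findings.append((key_id, "expired, should be revoked"))
    return findings


if __name__ == "__main__":
    print(authorize("key-finance-bot", "invoices", "write"))
    for finding in audit_keys():
        print(finding)
```

The audit pass is the part that answers the comment: run it against the approved key inventory and any key that shows up with a wildcard or an open-ended lifetime is the one to re-scope before it is handed to a tool.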
Downinahole94@reddit
The company must set a standard of approved software. There must be a checks system with DevOps.
There also must be a system in which these rogue programs are supported by the creator.
People will be less likely to roll out new software if they are on the hook.
Ummgh23@reddit
The problem is that more and more apps are Web based and anyone can create an account and pay for a license without IT having a way to know. Apart from blocking all URLs that are not manually approved, you can't really prevent that.
anotherkeebler@reddit
Same thing I do now: tune the platform for optimal performance, show them profiles of current resource usage, and tell them they can either pay for more platform or fix their code.
The only difference being that when before they would complain that they don’t have time to fix their code, now they simply don’t have the competence.
Opposite_Bag_7434@reddit
I’m actually not super worried about this.
First and foremost, this will never make a non-developer a developer. It will make the AI or whatever mechanism they use the developer. Yes it might be Shadow IT but if my team and I have done our jobs even that is not going to be the case.
We already use enterprise AI platforms that we have some control over. I expect within the next couple of years we will see that control and oversight deepen.
So when a user from sales decides he needs an app built, the policy position will be to use the platform we have paid for and have control over to build the app. The app might take the role of what we might have once used a consultant or contractor for. But we use the very same mechanism to code review, fully document and ensure it is fully compliant with our policies and practices. In essence, the platform that the employee uses is an extension of the IT department.
The other reason this is not a problem is that the user doesn’t get administrative access or control over anything. The data that is used is also data that the user would have otherwise been entitled to.
I do foresee a time when users are having apps built.
dadgenes@reddit
We kill it with fire because it was not authorized. End of story.
00001000U@reddit
Just wait til the real bills for those tools start to crop up. Problem should sort itself.
anthonysredditname@reddit
This^
AsherTheFrost@reddit
The only ones I really have to worry about are those with admin access. The rest can "vibe code" anything they want on their personal PCs. I work in education, so we have no shortage of staff and students trying to push the line with or without AI. This is less a new issue and more a new coat of paint on a long-running issue within IT.
PM_ME_UR_BGP_PREFIX@reddit
Until ChatGPT shows them how to use Lovable to publish that neat app they vibe coded to plan layoffs…
AsherTheFrost@reddit
I'm the entire network team, I'm secure, and if I'm not, my last act (as I'm the one who removes access) will be to set everything on DHCP, kill all reservations, and set it all to reboot at 11 pm.
pdp10@reddit
I bet there are small businesses where doing that would solve a lot more problems than it causes.
AsherTheFrost@reddit
Probably, I've spent 5 years redesigning this network while it ran (frankly it's what I'm most proud of in my professional life) so I know exactly how bad the fallout would be
Walbabyesser@reddit
Easy - not a single user has admin rights on our managed clients. Case closed
AsherTheFrost@reddit
That's the proper policy in action.
pdp10@reddit
You know what that is, right? It's a few seconds to vibe search an answer to: "what are the business risks of shadow it?"
If you think the LLM answers are wrong, you can then write a miniature essay telling us why they're wrong.
tylrat93@reddit
Our company got ahead of it by creating an initiative, with a competent person leading it, focused on improvement and automation.
Essentially looking for those pain points and opportunities for automation and creating the apps/workflows instead of leaving people to their own devices.
However we already have strong limits on what’s accessible on the ai front for unapproved users. The whole thing so far has probably been the most well received thing the company has done internally ever.
RevolutionaryWorry87@reddit
Non-meme answer here.
My company has fully invested in Claude AI (a license for everybody...)
Therefore, everybody and their mom has a website (html) from claude they want as a website to share to people.
Obviously, it's a governance and ownership nightmare. We usually just teach them how to share on Claude their projects, but it's a nightmare waiting to happen. Also, you are shadow IT and a nightmare too
beetcher@reddit
My wife's company too, everyone is required to use AI, they're using Claude now, part of performance reviews...she's an attorney.
If you don't use AI enough, you're on a PIP.
jhaand@reddit
How we always dealt with custom Excel sheets and VBA bullshit. If you want it in production, it will need some real work.
Here's a nice video about older crappy software.
Watch "The Error of our Ways - Kevlin Henney" on YouTube.
https://youtu.be/3YaI6lhn78g
SirLoremIpsum@reddit
You prevent them from having their own software tools, don't give them webservers and DB servers
You have appropriate monitoring and stop this before it starts.
You have a culture that allows people to bring it to IT and get it done properly instead of having a "nothing will happen ever" attitude.
JaschaE@reddit
Shadow IT means programs (and sometimes hardware) implemented by people who have no business implementing programs. Each program comes with security vulnerabilities, permissions and connections to the outside world. The self-important slopslinger that assumes himself a coder because he made a bot hallucinate will not be able to figure out those vulnerabilities and how they interact with the system as a whole. Not "everybody is a developer" but "most people are idiots" which, to IT, is business as usual.
slugshead@reddit
Departments having credit cards and SaaS is bad enough. I dread to think how it'll pan out when people decide to vibecode their own apps.
At least meet me half way and vibecode a powerapp!
Secret_Account07@reddit
What does policy say?
HR/Legal need to provide guidelines, then IT's job is to enforce them.
We have a fuck ton of AI policies over the last 5 years. We have a spreadsheet with 151 AI software products that have gone through approval. No approval? No use
Top_Boysenberry_7784@reddit
It's not that different from the current situation. It's gonna depend a lot on your company. Companies that already have great policies and checks to limit these things will be ok. Companies that don't are gonna have issues.
If your company cares about the safety of company data you better get serious with policies. Although it's an IT headache this is much more than only an IT department issue.
MiniOozy5231@reddit
“Vibe code” what you want in ChatGPT, but you aren’t getting access to any IDEs, PowerShell, command line, etc. without admin approval. 😂
IT is important to keep these things in check.
the_angry_angel@reddit
Honestly it’s the Excel problem on speed and cranked to 11.
There’s an AI company with an ad I keep getting on YouTube and it describes a situation where 2 people built the same thing unaware.. as if that’s a good thing.
How are we gonna deal with it? No fucking idea.
slugshead@reddit
My firewall has an AI category that the manufacturer keeps updated.
I did at one point have an interception page for the category that would show the company AI policy and you had to scroll to the bottom and accept it to continue.
I thought it was good, I got shouted at. A lot. "Disruption"
admlshake@reddit
That's up to management.
Skyhound555@reddit
What are you talking about?
Not "everyone is in IT". The reality is that your platforms and agents are controlled by the real IT professionals at the top. They should be wrangling the employees and be cracking down on rogue shadow AI agents. The problem is that companies are being very gun shy because a lot of IT Professionals won't embrace this role of Agent Management.
Go watch Wall-e. The employees are the passengers whose ai agents are the screens they were using. The IT team is the captain of the ship who manages it alongside the AI platform. It's the IT team's job not to let the situation of Wall-e happen tbh
otacon967@reddit
Change control and a CMDB will be absolutely necessary. Force agentic AI to present their ideas to a human change advisory board before any prod actions. If approved, implement as scheduled. If denied, either send to a human for rework or require resubmission after a cool-off period. Change control can feed the CMDB continuously (AI will probably end up being great at this).
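The gate described above, as an added example (not the commenter's code): an agent's proposed production action is only ever executed through a change record that a human CAB has approved and whose window has opened; a denied record must wait out a cool-off period before resubmission; and each implemented change writes back to a minimal CMDB. The record fields, the 24-hour cool-off and the in-memory CMDB are assumptions constructed for the example.

```python
"""Human change-advisory gate for agentic actions (constructed example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class State(Enum):
    SUBMITTED = "submitted"
    APPROVED = "approved"
    DENIED = "denied"
    IMPLEMENTED = "implemented"


class GateError(Exception):
    """Raised whenever an action is attempted outside the approved path."""


COOL_OFF = timedelta(hours=24)   # assumed policy value


@dataclass
class Change:
    change_id: str
    agent: str
    target_ci: str               # configuration item the change touches
    description: str
    scheduled_for: datetime
    state: State = State.SUBMITTED
    denied_at: Optional[datetime] = None
    history: List[Tuple[datetime, str]] = field(default_factory=list)


@dataclass
class ChangeGate:
    cmdb: Dict[str, dict] = field(default_factory=dict)
    changes: Dict[str, Change] = field(default_factory=dict)

    def submit(self, change: Change, now: datetime) -> Change:
        prev = self.changes.get(change.change_id)
        if prev is not None and prev.state is State.DENIED \
                and now - prev.denied_at < COOL_OFF:
            raise GateError("resubmitted before cool-off period elapsed")
        change.state = State.SUBMITTED
        change.history.append((now, f"submitted by agent {change.agent}"))
        self.changes[change.change_id] = change
        return change

    def cab_decision(self, change_id: str, approver: str,
                     approved: bool, now: datetime) -> Change:
        """Only a named human decides; decisions apply to SUBMITTED records only."""
        change = self.changes[change_id]
        if change.state is not State.SUBMITTED:
            raise GateError(f"cannot decide a change in state {change.state.value}")
        change.state = State.APPROVED if approved else State.DENIED
        if not approved:
            change.denied_at = now
        verb = "approved" if approved else "denied"
        change.history.append((now, f"{verb} by {approver}"))
        return change

    def execute(self, change_id: str, now: datetime,
                apply_fn: Callable[[Change], None]) -> Change:
        """The single path to production: refuses anything unapproved or early."""
        change = self.changes[change_id]
        if change.state is not State.APPROVED:
            raise GateError("no approved change record for this action")
        if now < change.scheduled_for:
            raise GateError("change window has not opened")
        apply_fn(change)                       # the real production action
        change.state = State.IMPLEMENTED
        ci = self.cmdb.setdefault(change.target_ci, {})
        ci["last_change"] = change.change_id   # CMDB fed from the record itself
        ci["last_changed_at"] = now
        change.history.append((now, "implemented"))
        return change


def run_scenario() -> dict:
    """Approved path, blocked early execution, and a denied/resubmit cycle."""
    t0 = datetime(2025, 1, 1, 9, 0)
    gate, applied = ChangeGate(), []
    c1 = Change("CHG-1", "deploy-agent", "web-01", "rotate TLS cert",
                scheduled_for=t0 + timedelta(hours=2))
    gate.submit(c1, t0)
    try:
        gate.execute("CHG-1", t0, applied.append)
        unapproved = "executed"
    except GateError as e:
        unapproved = str(e)
    gate.cab_decision("CHG-1", "alice", True, t0 + timedelta(minutes=30))
    try:
        gate.execute("CHG-1", t0 + timedelta(hours=1), applied.append)
        early = "executed"
    except GateError as e:
        early = str(e)
    gate.execute("CHG-1", t0 + timedelta(hours=3), applied.append)

    c2 = Change("CHG-2", "deploy-agent", "db-01", "drop unused index",
                scheduled_for=t0 + timedelta(days=1))
    gate.submit(c2, t0)
    gate.cab_decision("CHG-2", "bob", False, t0 + timedelta(hours=1))
    try:
        gate.submit(c2, t0 + timedelta(hours=2))
        too_soon = "accepted"
    except GateError as e:
        too_soon = str(e)
    gate.submit(c2, t0 + timedelta(hours=26))
    return {"unapproved": unapproved, "early": early, "applied": len(applied),
            "state1": c1.state.value, "cmdb": gate.cmdb["web-01"]["last_change"],
            "too_soon": too_soon, "state2": c2.state.value}


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The point of routing `apply_fn` through `execute` is that the agent never holds a way to touch production that bypasses the record; the CMDB entry is written from the same approved record, so inventory and change history cannot drift apart.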
slugshead@reddit
Half of my users can't change the channel on a TV so that halves the risk, right?
trogdan@reddit
I suspect this is going to coincide with in-house, real-people sysadmins and systems engineers being stretched even more thinly, and the places that go whole-hog on this kind of thing will also be the leading edge of gutting ops and engineering teams.
unknwnerrr@reddit
Move to a swe role duh
C39J@reddit
Right now, no admin access for anything + (and it's more of an HR problem), but no confidential company data goes into unapproved apps.
We vibe code a couple things, but everything gets peer reviewed and security checked before it goes anywhere near production.
Aim_Fire_Ready@reddit
This has always been an issue. It’s a people problem, that is, a management problem, not a tech problem.
I’ve had professional developers color outside the lines. It starts with “I need local admin to set up my dev env.” Next thing you know, they’ve installed all kinds of crap and are dual booting with Linux. “I use Arch, btw.”