
Silent Revolution: How AI is forcing an invisible shift in risk management

By Gordon Van Huizen, SVP Strategy, Mendix

In the world of software development, things can linger on to-do lists for years – it’s only a technology-based disruption that suddenly pushes them to the top of your priorities. 

Remember the move to mobile 15 years ago? All of a sudden, organisations were rushing to address things they should have already dealt with in the web app age. User experience, robust testing, programmes that are truly fit for purpose and not just functional – the emergence of mobile brought to light enormous gaps in risk management that organisations had to fill at pace.

Fast forward 15 years and we now live in a world that’s increasingly built on software. AI and cloud are now part and parcel of critical infrastructure. Managing their inherent risks is prompting further change. The emergence of new regulations like the EU’s Digital Operational Resilience Act (DORA) is a sign of the times. Designed to ensure that financial entities can withstand, respond to, and recover from all types of ICT-related disruptions and threats, DORA places new requirements on organisations, demanding a deeper integration of operational resilience into their core technology strategies.

This shift is forcing teams to confront longstanding issues around visibility, incident response, supply chain dependencies, and operational continuity. These are areas IT often neglects or defers due to slashed budgets and resource scarcity. What used to be a compliance checkbox now demands a systemic, architectural response. The complexity lies not only in meeting a new requirement but in weaving resilience into the fabric of software systems without losing agility or innovation in the process.  

The balance of managing risk while retaining a spirit of innovation is becoming even more critical as the pace of technological change advances. In 2025, AI and low code are the innovations having the most profound impact on software development. And one, perhaps under-acknowledged, consequence is a shift in how organisations approach risk management and regulatory compliance.

The decentralisation of development 

How enterprises develop and deliver technology – for both internal and external use – is changing. Where once technology development was a process led centrally by IT, today low code and AI are triggering a shift toward a more collaborative and iterative development process, providing insights and gathering feedback across the organisation in a decentralised manner.

This is incredibly exciting in many ways, as developers can be more responsive to business needs, engaging directly with the people most aware of what customers, employees and partners require. But at the same time, changes in processes create new ways of working, which in turn changes the business’ relationship with risk. 

IT’s relationship with risk has evolved rapidly with AI tools in play. New phenomena like Shadow AI, where employees adopt AI tools of their own choice without IT’s knowledge, can introduce significant risks around data privacy, security, and compliance. For example, a marketing team might upload customer data to a public AI tool to generate campaign content, unknowingly violating data protection policies or exposing sensitive information. What was once a manageable perimeter for IT has now expanded into unpredictable territory, demanding new governance models and proactive oversight.  

In the old world, the IT professionals driving development had a holistic perspective of the security concerns, risk profiles, and compliance requirements of the organisation as a whole. But in a decentralised model, distributed developers work on smaller pieces of the puzzle, each presenting a range of risk management and governance questions. Enterprises are now faced with managing that distributed risk, and AI makes it tougher to balance risk and reward in digital transformation.

The age of adaptive governance  

Risk is a complex question in the time of distributed development. Governance and risk mean different things, depending on where the technology sits in the business. Issues like whether applications are customer-facing, the sensitivity of data and how it’s stored, and privacy considerations will each vary from case to case.  

Delivering a mobile banking feature, for instance, raised all kinds of questions around data storage, role-based access and features, and system integrations. A mobile banking application leveraging large language models and AI agents now introduces a whole new level of data privacy, governance, and integration concerns. With so many interconnected issues, it could be easy to miss something crucial from a privacy, security or regulatory perspective.

It’s more important than ever that individual developer teams get to grips with the risk and compliance implications that their activities have across the entire development ecosystem. This creates a new role for risk managers and compliance officers. Rather than simply sitting centrally, these specialists need to be embedded in multidisciplinary technology delivery teams across the organisation, often referred to as “fusion teams”. There, they act as a front line for risk management, empowering development teams with the right guidance and oversight of their activities.

The smartest organisations are moving to a model of adaptive governance: risk management that’s appropriate for each scenario, and balances innovation with compliance. It’s here that fusion teams will really deliver. With a blend of experts from the business, software developers, and UX specialists, teams can better understand the risk and compliance implications of their work – and proactively protect the organisation. 

The invisible shift 

The shift to decentralised technology is nothing new. But low code and AI are catalysing a move toward new risk management and compliance models. It may be less visible – but the consequences will be significant. It’s important that everyone gets to grips with the age of adaptive governance, to ensure that distributed development can deliver on its promise without compromising the business.
