The Governance Vacuum: AI and Low-Code Are Redefining Enterprise Risk Without Permission

Written by Maria-Diandra Opre | Aug 21, 2025 12:33:09 PM

As organizations have embraced low-code and AI-driven development to speed up software delivery, they have relinquished centralized control in the name of agility.

The shift was subtle. Perhaps a product manager used a low-code tool to automate internal reporting. A business analyst used AI to generate a customer feedback dashboard. Then a support team built a self-service portal, with no engineers involved. None of this triggered a compliance review. No architecture board weighed in. Risk didn’t object, because it didn’t know. That lack of visibility and control is the problem.

Business units are building applications with drag-and-drop tools, integrating AI co-pilots, and pushing live updates, all outside the traditional IT perimeter. In June 2025, EY launched EY.ai for Risk, a new suite of AI-driven risk management solutions built on its agentic platform and powered by NVIDIA technology, designed to automate third-party risk processes, enhance operational resilience, and embed over a century of EY risk expertise into dynamic, cross-sector applications (EY, 2025). “As the global business landscape shifts, driven by rapid advances in new technologies, regulation becomes an increasingly complex issue to navigate and organizations are demanding an accelerated experience across the risk spectrum,” EY said in a release.

But most enterprises are still using risk models designed for centralized architectures. Legacy governance assumes oversight lives at the top, with cascading controls down to the execution layer. That model breaks, though, when the execution layer is dispersed. A marketing analyst building a lead scoring app may inadvertently expose PII. A sales ops team might deploy an integration that bypasses identity checks.

AI and low-code flatten these hierarchies. They remove the distance between intent and execution. That is where risk quietly mutates: from something owned by a centralized function to something emergent, lateral, and embedded in day-to-day work. Traditional controls (policy documents, review gates, and after-the-fact audits) are poorly suited to this environment. What is needed is a governance model that moves with the development process, that surfaces friction only where warranted, and that recognizes that not all apps are created equal and not all risks require the same level of scrutiny.

To manage decentralized risk, enterprises need governance that adapts to two key factors: context and impact. A retail chatbot and a core payments system should not undergo the same level of compliance scrutiny, but both should be subject to governance. Adaptive governance means evaluating risk at the feature level rather than the platform level. It means giving teams the tools and frameworks to make sound decisions in real time, without reverting to the command-and-control model.

Most developers and business users still see governance as a roadblock, as something to navigate around. That view needs to change: governance must become a product design principle, as foundational as UX or scalability. Governance cannot be reactive. Risk teams must become product-oriented: embedded in fusion teams, attending backlog grooming, and influencing feature prioritization.

The job of leadership is not to enforce compliance from above, but to integrate it into how software is built, reviewed, and maintained. That means incentivizing proactive risk thinking, funding internal tooling that flags issues early, and making the cost of noncompliance visible, not merely after a breach, but during design.

This requires different skills. Not policy literacy alone, but system design fluency. Risk professionals must now understand development flows, data lineage, and cloud architecture to effectively manage risk. They must engage upstream, not audit downstream.