Low-Code / No-Code: What Place in Enterprise IT Strategy?
Low-code platforms genuinely accelerate certain categories of applications — and quietly create a new generation of shadow IT when left ungoverned. Where they fit, where they break, and how to govern them.
José DA COSTA January 13, 2026 3 min read
Low-code and no-code platforms — Power Platform, Mendix, OutSystems, Retool, and many others — promise application delivery at a fraction of traditional cost and time. The promise is real within a bounded territory, and misleading outside it. The strategic question for IT leadership is not whether to allow these tools, because business teams are already using them; it is how to channel them.
Where low-code genuinely excels
The sweet spot is well defined: internal applications of modest complexity built around forms, workflows, and dashboards. Request tracking, approval chains, inspection checklists, departmental reporting, simple portals over existing data — applications that would never justify a full development team and that historically lived in spreadsheets emailed back and forth. For this category, low-code delivers working software in days, maintained close to the business need it serves.
It also has a legitimate role in prototyping: validating a workflow with real users on a low-code platform before committing to custom development can save months of building the wrong thing.
Where it breaks down
The limits appear predictably. Complex business logic becomes an unmaintainable tangle of visual flows that no one can review, test, or version properly. Performance-sensitive or high-volume workloads hit platform ceilings. Applications with demanding security, compliance, or integration requirements strain against what the platform abstracts away. And licensing costs, modest at pilot scale, can grow surprisingly steep as usage spreads across an organization.
The most expensive low-code application is the one that outgrew the platform: what began as a departmental tool has become business-critical, and the organization now faces a rebuild under pressure, with the original citizen developer long gone. Recognizing that trajectory early — and planning the handover to professional development — is a governance skill, not a technical one.
Governance: avoiding shadow IT 2.0
Ungoverned, low-code reproduces the shadow IT problem with better tooling: hundreds of applications with no identified owner, unknown data flows, and access rights nobody reviews. The answer is not prohibition — which simply pushes usage underground — but a lightweight framework: a catalog of applications with named owners, environment tiers separating personal productivity tools from anything touching shared or sensitive data, data classification rules that determine what may be built where, and periodic reviews that retire abandoned applications.
Citizen developers need enablement, not just rules: training on data handling and security basics, reusable approved connectors, and a clear escalation path to the IT team when an application starts to matter. A fusion-team model — business builders supported by professional developers — consistently outperforms both free-for-all and lockdown.
A decision framework
Route each need through three questions. Is the application's logic simple enough to remain legible on the platform? Will it stay within the platform's performance, integration, and compliance envelope over its realistic lifespan? If it becomes critical, is there an exit path? Three yes answers: build it on low-code with an owner and a review date. Any no: custom development, or a hybrid where low-code handles the interface over properly engineered APIs. Low-code deserves a place in the portfolio — a defined place, with borders.
Founder and president of ACCENSEO, software engineer. He works directly with clients on software architecture, cloud infrastructure, and custom development.