Skip to content

The Tool Your Security Team Blocks Is the One Your Engineers Already Depend On #38

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
superterran wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

The Tool Your Security Team Blocks Is the One Your Engineers Already Depend On #38

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
67 changes: 67 additions & 0 deletions content/blog/2026-05-18-tool-security-blocks-engineers-depend-on.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,67 @@
---
title: "The Tool Your Security Team Blocks Is the One Your Engineers Already Depend On"
date: 2026-05-18
draft: true
pillar: "The Constellation"
tags: []
linkedin_copy: |
Your engineering team's sprint velocity already assumes AI tooling you have not approved.

The pattern is consistent. An engineer discovers a tool. It works. They get faster. They tell a colleague. Within weeks, half the team uses it daily. Within two months, estimates quietly assume the tool exists.

Then security reviews it and blocks it. The team slows down. Nobody can explain why, because nobody reported the dependency.

This is not hypothetical. I have watched it happen with coding assistants, meeting transcription services, and document generation tools. The cycle is identical: bottom-up adoption, productivity gain, silent dependency, governance review, revocation, velocity drop.

The technical risk of an unapproved tool is usually manageable. Security teams know how to evaluate data exfiltration and compliance exposure. The operational risk is harder. When a tool gets pulled, the team does not just lose a feature. They lose the productivity that was baked into their commitments. Leadership sees underperformance. The real cause is a process gap nobody designed for.

The organizations handling this well do not try to speed up approval. They accept that approval will always lag adoption. They maintain a short list of pre-approved tools covering core use cases and draw a clear line between personal productivity experiments and team-level dependencies.

AI tooling is now part of the integration constellation. Platform, CDP, ESP, OMS, payments, tax, and now the tools your engineers use to build it all. If you do not govern AI tooling like a system dependency, you will discover its failure mode the way you discover every other ungoverned integration: too late.

Full post: {{url}}
---

Here is the pattern. An engineer discovers an AI tool. They start using it for code generation, test scaffolding, documentation. It works. They get faster. They tell a colleague. Within a month, half the team is using it daily. Within two months, sprint estimates quietly assume the tool exists.

Then security reviews it. And blocks it.

Nobody has a fallback plan. The team's velocity drops. Commitments made with the tool's productivity baked in are now unachievable at the original pace. Leadership sees a slowdown they cannot explain because nobody reported the dependency in the first place.

This is not hypothetical. It is happening right now in organizations of every size.

## Shadow IT never left. It just learned to code.

The commerce and enterprise technology world spent a decade learning painful lessons about shadow IT. Marketing teams buying SaaS tools without IT approval. Business units spinning up integrations that nobody in engineering knew about. The lesson was supposed to be: ungoverned tools create ungoverned risk.

AI tooling is repeating the cycle, faster. The difference is that the previous generation of shadow IT was mostly about data flow. AI tooling is about productivity itself. When someone adopts an unauthorized CDP connector, the risk is data leakage. When someone adopts an unauthorized AI coding assistant, the risk is that your delivery capacity is silently dependent on a tool you do not control.

An engineer using an unapproved AI tool to write tests is not doing something reckless. They are doing something rational. The tool makes them better at their job. The approval process takes months. The gap between "this tool works" and "this tool is approved" is where the dependency forms.

## The governance gap is a timing problem

Most enterprise security review processes were designed for a world where tool adoption was slow. You evaluate a tool, you approve or reject it, you roll it out. The cycle takes weeks or months. That worked when the tools in question were platforms with procurement cycles.

AI tools do not have procurement cycles. They have a free tier and a credit card. An engineer can go from "I heard about this" to "I use it eight hours a day" in a single afternoon. By the time the security team knows it exists, the dependency is already load-bearing.

The teams I have watched handle this well do not try to speed up the approval process. They accept that the approval process will always lag adoption, and they build around that reality.

What that looks like: maintain a short list of pre-approved tools that cover the core use cases. Not every use case. The core ones. Code completion, test generation, documentation. If an engineer needs something outside that list, they can use it, but they cannot build it into a shared workflow or a sprint commitment until it clears review.

This is not perfect. It is honest. It acknowledges that engineers will find and use tools before governance catches up, and it draws a line between personal productivity and team dependency.

## The real risk is in the estimates

The technical risk of an unapproved AI tool is usually manageable. Data exfiltration, IP exposure, compliance violations: these are real, but they are the risks security teams already know how to evaluate.

The operational risk is less visible and harder to unwind. When a team's sprint velocity assumes AI-assisted development, and that tool gets pulled, the team does not just slow down. They slow down in ways that look like underperformance. Leadership asks why the last sprint missed its targets. The answer is: "We lost the tool that was making us 30% faster, and nobody told you we were using it."

I have seen this play out with coding assistants, meeting transcription tools, and document generation services. The pattern is identical every time. Bottom-up adoption. Productivity gain. Silent dependency. Governance review. Revocation. Velocity drop. Blame misdirected at the team instead of the process.

## The constellation now includes your AI toolchain

Commerce architects are used to thinking about integration risk across the stack: platform, CDP, ESP, OMS, payments, tax. Each system in the constellation carries its own governance, its own failure modes, its own operational dependencies.

AI tooling is now part of that constellation. It is not a productivity nice-to-have. It is a system your teams depend on to deliver at the pace they have committed to. If you do not govern it like a system, you will discover its failure mode the same way you discover every other ungoverned integration failure: too late, and at the worst possible time.

The question is not whether your engineers are using unapproved AI tools. They are. The question is whether you know which ones are load-bearing before someone pulls the plug.
Loading