In this interview, Yair Finzi, CEO and Co-Founder of Nokod Security, explains how GenAI amplifies the risks of citizen-developed applications and how to address supply-chain concerns when using connectors in citizen application development platforms.
With experience shaped by his leadership roles at SecuredTouch and Meta, along with contributions to the Forbes Technology Council, Finzi has built companies, guided teams, and advised startups across disciplines.
He explains how citizen development, AI agents, and runtime governance intersect with current threats in ways enterprises can no longer overlook.
Vishwa: What is the single biggest security risk introduced by citizen application development platforms today?
Yair: For years, cybersecurity has focused on external threats. But in the new world of no-code development, the line between internal and external has almost disappeared. The single biggest risk now is the unmanaged internal attack surface created by citizen-built apps and AI agents.
Most of these apps are built for internal use, but in a large company “internal” can mean thousands of employees, contractors, and temporary staff. We routinely see apps shared with “everyone in the organization” by default. That’s a huge attack surface hiding in plain sight.
One misconfiguration or one overly curious employee can cause just as much damage as an external attacker.
Worse, many internal apps contain serious vulnerabilities: client-side injection paths, sensitive data exposures, and hard-coded secrets. I remember a PTO request app that exposed the salaries of every employee because of a simple request manipulation.
When a token is embedded into an app accessible to 100 employees, it’s not a secret anymore. It’s an internal breach waiting to happen.
Citizen development has created an internal attack surface that’s larger than most companies’ external ones, and most organizations don’t even know it exists.
Vishwa: What key metrics should security leaders track for the security posture of citizen application development platforms?
Yair: The first metric is visibility:
The second is exposure.
And finally, runtime indicators matter:
These tell you whether you’re actually improving posture or just documenting the problem.
Vishwa: In what ways does the rise of GenAI amplify citizen-developed application risks?
Yair: GenAI doesn’t just expand the attack surface. In these business-user development platforms, AI agents blur the boundary between internal and external in a way we’ve never had to deal with before.
Think about an agent built on a platform like Microsoft Copilot Studio. On paper, it’s an internal tool meant to assist employees. But many agents need to reach outside the company for context, instructions, or data. So is it an internal asset? An external one? The truth is, it’s both.
And that becomes a problem when an agent is compromised or manipulated, since it can be used to pull data, trigger workflows, or exfiltrate information.
GenAI accelerates misconfigurations, replicates insecure patterns instantly, and creates agents that make autonomous decisions. Traditional perimeter-based thinking doesn’t work here anymore. Internal threat is no longer a contained concept.
Vishwa: How should supply-chain concerns be addressed when using connectors or templates in citizen application development platforms?
Yair: In the citizen development world, your supply chain is made of pre-built components (connectors, templates, data actions) that business users can install in seconds. These components often have broad access to internal systems, and when they’re misconfigured or outdated, they introduce internal risk far more often than external attackers do.
You need to treat these building blocks like any other software dependency: understand what permissions they grant, what data they touch, and whether they’re shared too broadly. And because internal apps often spread virally inside organizations, you need ongoing monitoring, not just a one-time evaluation.
Vishwa: What role does automation play in securing citizen-developed applications?
Yair: It enables the scale and speed required in today’s no-code, citizen developer landscape. Manual detection and remediation simply can’t keep up with the proliferation of apps, bots and AI agents built by non-traditional developers.
By automatically discovering and continuously mapping the inventory of AI-assisted no-code applications and automations, security teams gain real-time visibility across development silos, a critical first step in replacing the “we’ll review when we have time” approach.
But visibility is not enough. Automation further transforms security by detecting risks, vulnerabilities and malicious activity in citizen-built apps, without placing the burden entirely on security engineers.
It can perform continuous scanning for issues such as misconfigurations, injection vulnerabilities and external attack-surface exposure, which traditional AppSec stacks often miss in no-code environments. Automation also allows for real-time alerts and prioritized remediation, closing the gap between detection and action, and reducing reliance on manual reviews or spreadsheets.
Beyond discovery and detection, automation powers remediation and user-engagement workflows that support large-scale citizen development. Instead of relying on manual tickets or asking developers to fix issues without guidance, automation can deliver contextual, remediation-ready options and interactive guidance (directed at both security teams and citizen developers).
The automated remediation orchestration and communication not only accelerate resolution but embed security into the dev cycle.
Vishwa: What common misconfiguration do you see repeatedly in citizen application development platform environments?
Yair: The most common issue is sensitive data exposure inside internal apps: HR details, financial records, customer data. These are often designed as simple utilities by well-meaning employees but can expose far more than intended.
And of course, there’s the classic: hard-coded secrets. If a citizen-developed app contains a credential and even 100 people can access it, that credential is essentially public.
These patterns repeat across organizations because the platforms make it easy to build, but give no contextual warning about security implications.
Vishwa: Looking ahead 3–5 years, how will the attack surface created by citizen application development platforms change, and how should companies prepare?
That means three things for the future:
Companies that start building these capabilities now, by treating citizen-developed apps and AI agents as first-class assets within their security programs, will be in a far better position than those who try to retrofit controls after an incident.