That is the bottleneck signal. The cost of code generation dropped to near zero. The cost of human code review did not. Any governance model that puts a senior engineer in the path of every vibe-coded internal app fails by simple arithmetic. You cannot review a Claude-generated codebase the way you review a pull request from a human teammate. The volume is wrong by an order of magnitude.
The companies that solve this will solve it the way Anthropic describes building effective agents — by putting the checks at the seams that matter rather than auditing every step. The seam that matters for shadow IT 2.0 is the deploy, not the diff.
The Substrate Is the Only Chokepoint
Every internal vibe-coded app has to land somewhere. Vercel, Cloudflare Pages, Netlify, AWS Amplify, a personal S3 bucket — the deployment substrate is the new SSO catalog. Own that, and most of the OP's problem list collapses.
A practical paved road looks like this.
- One sanctioned deploy path. A self-service Backstage-style internal developer portal that takes a Cursor or Claude Code output and ships it in 60 seconds, but wraps it in SSO, secret scanning, data classification, CMDB registration, and your domain. Make the boring secure path also the only easy path. If the marketing team's "ship it now" instinct routes through the paved road by default, the policy fight stops being a policy fight.
- Outbound deploy enforcement. Block deploys to *.vercel.app, *.netlify.app, *.pages.dev from corporate networks and managed devices except through the paved road. Treat unsanctioned deploys the way you treat unsanctioned SaaS — a network event, not a policy violation.
- Every internal app gets a vendor record. Owner, business sponsor, data classification, retention policy, kill switch. The CMDB entry that one Reddit commenter described as their company's working pattern is not bureaucracy. It is the only artifact that survives the engineer's vacation, the marketing manager's promotion, and the eventual audit.
Cloudflare Access and equivalents from the major clouds already do the SSO-and-tunnel side cheaply. The infrastructure exists. The missing piece is making it the path of least resistance for a marketing person who just got a working prototype out of Claude Code.
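The second and third items of the paved road can be checked together from proxy logs. The sketch below is an added example, not code from this article or from any vendor it names. The log format, the egress address, and the CMDB export are all constructed assumptions. Only the hostname wildcards and the vendor-record fields come from the list above.

```python
from fnmatch import fnmatchcase

# Wildcards taken from the article's outbound-enforcement item.
DEPLOY_PATTERNS = ("*.vercel.app", "*.netlify.app", "*.pages.dev")
PAVED_ROAD_EGRESS = {"10.20.0.5"}  # assumption: the paved road's only egress IP
# Vendor-record fields listed in the article.
REQUIRED = ("owner", "business_sponsor", "data_classification",
            "retention_policy", "kill_switch")
# Constructed CMDB export keyed by app hostname; the second record is incomplete.
CMDB = {
    "q3-leads.pages.dev": dict.fromkeys(REQUIRED, "set"),  # placeholder values
    "pricing-calc.vercel.app": {"owner": "j.doe", "data_classification": "confidential"},
}
# Constructed proxy log lines: timestamp, source IP, user, destination host.
SAMPLE_LOG = """\
2025-01-01T09:00:01Z 10.20.0.5 svc-portal q3-leads.pages.dev
2025-01-01T09:02:13Z 10.8.3.77 m.lee churn-dash.netlify.app
2025-01-01T09:05:40Z 10.20.0.5 svc-portal pricing-calc.vercel.app
2025-01-01T09:07:02Z 10.8.3.12 k.roy docs.example.com
2025-01-01T09:09:55Z 10.8.3.77 m.lee Q3-Leads.pages.dev
"""

def triage(log_text, cmdb=CMDB):
    """Return (host, user, reasons) for each deploy-substrate event needing action."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guess at fields
        _ts, src, user, host = parts
        host = host.lower().rstrip(".")  # hostnames are case-insensitive
        if not any(fnmatchcase(host, p) for p in DEPLOY_PATTERNS):
            continue  # not a deploy substrate named in the policy
        reasons = [] if src in PAVED_ROAD_EGRESS else ["bypassed paved road"]
        record = cmdb.get(host)
        if record is None:
            reasons.append("no CMDB record")
        else:
            missing = [f for f in REQUIRED if not record.get(f)]
            if missing:
                reasons.append("record missing: " + ", ".join(missing))
        if reasons:
            findings.append((host, user, reasons))
    return findings

if __name__ == "__main__":
    for host, user, reasons in triage(SAMPLE_LOG):
        print(f"{host} ({user}): {'; '.join(reasons)}")
```

Traffic that came through the paved road can still be flagged: an app shipped by the portal with an incomplete vendor record is reported alongside apps that bypassed it.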
Why a Browser-Security Vendor Just Sold for $205M
This week Akamai announced its intent to acquire LayerX Security for roughly $205 million. LayerX builds browser-based AI usage control — visibility and policy enforcement at the point where employees paste customer data into a foundation model or deploy a generated app from a SaaS workspace. A $205 million acquisition does not happen because a handful of enterprises are worried about shadow AI. It happens because the security market just priced in that this is a category.
That category is the Shadow IT 2.0 category, and the substrate vendors and security platforms are racing to claim it before the customer's internal platform team builds an alternative. The DevOps engineer who posted the Reddit question is buying or building in this space whether they planned to or not.
The Air Canada Logic Applies
Air Canada was ordered in February 2024 to pay a customer whose refund policy the airline's chatbot had invented. The airline's defense — that the chatbot was "a separate legal entity" — was rejected by the BC Civil Resolution Tribunal. The agent's promise was the company's promise.
The same logic applies one layer down. The customer-data dashboard your marketing manager vibe-coded last Thursday is the company's product when it leaks. The "I just made it for myself" defense lasts about as long as Air Canada's chatbot-is-separate defense did. Your liability surface is not the apps your engineering team ships. It is every app any employee deploys with company data, on company devices, under company infrastructure.
What to Do This Quarter
Stop trying to gate the building — speed is the reason vibe coding exists. Gate the deployment substrate, register every app as a vendor product, and accept that the marketing team writing software is now a permanent feature of how your company operates.
The platform team's job description just changed. It is no longer "support the engineering org." It is "run the internal vendor-onboarding desk for everyone who can now write software with an LLM." The companies that adapt fast will ship a paved road this quarter. The ones that send the policy email will, as the top Reddit reply put it, get to enjoy the inevitable disaster.