Unapproved AI tools and rapidly growing volumes of AI-generated code are creating new governance and operational problems inside engineering organizations, forcing platform teams to rethink how they manage developer workflows, tooling, and long-term maintainability. 

The issue is no longer simply whether developers are experimenting with AI tools. In many organizations, they already are, often outside approved channels. 

What is changing is the level of autonomy these systems increasingly possess, along with the speed at which AI-generated code is entering production environments. 

“In one sense, shadow AI isn’t a new problem; developers have a long history of finding tools that they feel make them more effective and using them whether or not they’re officially sanctioned,” says Flynn, technology evangelist at Buoyant. “What’s new about shadow AI is the extent to which the tools show autonomy.” 

That shift is raising concerns around visibility, governance, and data exposure. AI agents may now have access to production systems, infrastructure controls, or sensitive enterprise data, often without platform or security teams fully understanding which tools are being used or how they interact with internal systems. 

Unmanaged Tooling, Restrictive Governance Risks  

Rob Zuber, CTO at CircleCI, says organizations increasingly face two separate risks: unmanaged tooling, and governance processes so restrictive that developers bypass them entirely.

“The tooling landscape is moving incredibly fast,” Zuber says. “There is something new to experiment with every single day.” 

At the same time, many platform teams are discovering that traditional review and governance processes are struggling to keep pace with the volume of AI-generated code entering development pipelines. 

What some leaders are now calling “AI debt” refers to code that technically functions but is poorly understood by the teams deploying it. In many cases, developers may accept AI-generated output without fully understanding how it works, while reviewers lack the time or context to carefully validate every line before deployment. 

“AI debt builds up when developers ship AI-generated code they don’t really understand, and reviewers wave it through without truly understanding it either,” Flynn says. 

That creates downstream problems around debugging, maintenance, security, and future development. 

Technical Liabilities Accrue  

As AI coding tools accelerate software delivery, some platform leaders worry organizations are accumulating technical liabilities faster than existing engineering processes can manage them. 

“The assumption that a human reviewer will catch what an AI generated is broken,” Zuber says. “The volume is too high, and the velocity is too fast.” 

As a result, many organizations are shifting away from outright restrictions on AI usage and toward platform engineering strategies designed to guide developers toward approved tools and workflows. 

The concept of “golden paths” has become central to that approach. Rather than banning AI tools outright, platform teams are building governed workflows that make sanctioned systems easier and faster to use than unsanctioned alternatives. 

“If you tell me I can’t use a tool, I’ll find a different one I like,” Zuber says. “Restriction is a losing strategy.” 

The approach reflects a broader realization inside engineering organizations that developers will continue experimenting with AI tools regardless of formal policy. Attempts to block usage entirely may simply reduce visibility into what teams are doing. 

“Outright bans don’t really work,” Flynn says. “If developers find a tool genuinely useful, they’ll keep using it, just less visibly.” 

Aligning Governance with Dev Convenience  

Golden path strategies attempt to solve that problem by aligning governance with developer convenience. Instead of relying primarily on restrictions, platform teams are increasingly trying to embed security, validation, compliance, and observability directly into the preferred workflows developers already want to use. 

At the same time, some platform leaders argue that even traditional golden path thinking may need to evolve as AI agents become more autonomous. 

Pavlo Baron, co-founder and CEO of Platform Engineering Labs, says many existing DevOps and platform engineering processes were designed around the pace and limitations of human operators, not autonomous systems capable of acting far more quickly across multiple environments simultaneously. 

“The whole DevOps cycle was built around the slowness of humans,” Baron says. 

Routing AI agents through a single heavily controlled workflow designed for human decision-making may ultimately undermine many of the productivity gains organizations are pursuing through automation. 

Instead, Baron argues that platform teams may need systems capable of governing and reconciling changes after they occur across multiple approved pathways. 

That shift places additional pressure on platform engineering teams to move beyond infrastructure management and become more directly involved in governance, tooling strategy, and developer enablement. 

“The opportunity is to become the thought leaders inside the organization,” Zuber says. “That means being able to tell them what’s running, where it came from, and whether they can trust it.” 
