One billion apps to govern

With more ways to generate apps, how could IT ever gain control of the digital tools inside an enterprise organization?

Big numbers gain big attention. Once those numbers are shared in online publications and event keynotes, they become “real”. At least in the sense that they keep getting referred to, repeatedly, up to a point where we stop questioning them.

Many low-code application platform vendors, Microsoft included, have shared the number from IDC’s latest prediction on how many new logical applications will be built by 2028. It’s easy to remember because it’s the same figure used by Dr. Evil (fictional antagonist of Austin Powers): 1 billion.

What’s a “logical application”? I don’t want to pay $2,500 for the IDC report to find out, so I asked ChatGPT instead:

In the context of IDC's research, a "logical application" refers to a distinct piece of software designed to perform a set of tasks or processes, often characterized by its functionality rather than its underlying technical structure. It might not necessarily be a monolithic app or a traditional application, but can also include microservices, APIs, or containerized applications. These logical applications are built using modern development techniques like low-code platforms, which allow both professional and citizen developers to create new software solutions that fulfill specific business needs.*

* AI generated content, may contain bullshit.

How much should we trust these numbers from big industry analysts like IDC, Gartner, Forrester etc.? Aren’t they incentivized to predict endless growth for markets where software vendors are paying them directly to get included in reports like the magic quadrants?

Observation from Gergely Orosz on how Gartner limits their market analysis coverage.

Alongside the ambitious predictions that aim to estimate global market size, we also have other kinds of evidence about the growth trajectory of low-code/no-code business applications. By combining several information sources, we can gain more certainty about the phenomenon of explosive business app growth.

Zenity, a software company developing security products specifically for low-code platforms, has published its own findings in a white paper called “The State of Enterprise Copilots and Low-Code Development”. Their research covered apps & copilots found within enterprise organizations that (presumably) use the Zenity security tools, and it discovered close to 80k low-code apps on average within a single organization:

One particularly interesting piece of data was the comparative figure for SaaS vs. low-code apps. For each SaaS app used at these enterprise organizations, 168 apps/copilots exist on their internal low-code platforms. With ~500 SaaS apps for enterprise IT to worry about, the number of apps on these platforms leveraged by citizen developers is over 100x bigger. Here’s a visualization of the difference that I created based on the report data:

I tried to make the surface area of those circles match the true 1:168 ratio as closely as possible, because there’s a deeper meaning to the word “surface” in the context of security. Can you imagine the size of the new attack surface that this explosive growth of apps & AI bots creates for malicious actors to make use of? Each of those apps and flows brings its own connections, sharing settings and data access along with it. Formal governance of low-code platforms is not the only method for attack surface reduction, yet it’s hard to achieve much without it.

Known unknowns

Given the massive numbers we are seeing, maintaining the enterprise application portfolio is not getting any easier. Traditional methods of manually listing and documenting the IT tools in use will hardly scale to this new low-code reality. At the same time, there’s hardly an obvious solution for how it should be done, even when talking about just one vendor’s platform, like Microsoft’s. Bigger enterprises will usually have several platforms to worry about when it comes to apps and automation.

“How many apps are there currently in your organization?” Asking a question like that can still lead to awkward silence today in many places.

A few years ago, Power Platform wasn’t ready for enterprise scale adoption yet. We’ve seen big investments from MS into making it so, yet there’s only so much that they can deliver as one-size-must-fit-all features built into the platform. It’s amazing how much of the platform governability story has relied on one GitHub project, the CoE Starter Kit. Together with the active community members openly sharing their own tips on how to govern Power Platform, this has become a fitting example of how real-world patterns and practices get assembled by relying on the wisdom of crowds.

Microsoft naturally uses the Power Platform extensively in their own production tenant. Every now & then you’ll see them share statistics about the growth of their low-code use. Below are statistics of the situation exactly 3 years ago (taken from this video). At that time, they already had 10k environments, 161k apps, 432k flows and 7.5k chatbots (now copilot agents).

From the video “MS Internal Security Best Practices: Secure Power Platform Development”

In the video we hear Don Willits, Power Platform Security Architect, tell how the MSFT tenant “has always been at least an order of magnitude larger than any customer tenant, typically two”. Today, 3 years later, similar numbers can already be found in the larger tenants of Power Platform enterprise customer organizations.

Where is Microsoft today with their own tenant then? At this year’s Power Platform Community Conference (PPCC) the numbers shared were obviously higher. Just the number of environments had grown 3X to 30,000 already. For more details, check out the great article by William Liu from Venture Maven who wrote about “Governing Tenant 0 – A Deep Dive into Microsoft’s Own Environment Strategy”.

As a result of explosive viral adoption, Microsoft has had to build a lot of custom “IT Glue” to manage and secure all those apps and other artifacts. This internal stress testing of Power Platform has then been used in driving product features that help the commercial low-code offering scale to enterprise level customer orgs that are following similar adoption trends, but a couple of years behind MSFT.

Managed Environments is the capability advertised as the productized solution for governing Power Platform at enterprise scale. There certainly are useful features included there, with no additional license required - assuming you’ve got every single one of your app & flow users covered by a Premium Power Apps / Power Automate license, of course. Few Microsoft cloud customers are there just yet, so full coverage of in-product governance tools is rarely the starting point.

Even once you do get to wall-to-wall premium licensing state, your governance problems won’t end. What exactly are you going to do with those thousands of apps, flows, bots/copilots/agents that already exist in your Default environment? Since you want to be able to restrict the use of the inherently ungovernable Default environment where every user has Environment Maker rights by design, a lot of work will be needed in taming this beast.

Don’t you just wish there were migration tools for taking those apps and flows somewhere safer? Well, unfortunately there aren’t any, and it’s unlikely we’ll see a full solution emerge in the future (partial solutions do exist). Factors that make this a tough problem to solve include the technical dependencies on individual users in the Power Platform connections used: a connection is created with one person’s credentials, and every app or flow that uses it runs with that person’s access (a.k.a. “credentials sharing as a service”). The softer issues of “what’s used by whom, where does it belong, who’s gonna take care of it” are the real kicker, though. Because you would need information that no one has gathered before.
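Before any triage of the Default environment can start, someone has to answer the “how many apps are there?” question from above and the “what’s used by whom” question from this paragraph. The following is an added example, not code from the original post or from Microsoft, of how an admin would pull that baseline with the Microsoft.PowerApps.Administration.PowerShell module. It assumes the module is installed, the caller holds a Power Platform admin role, and the property names on the returned objects (Owner.email, LastModifiedTime, ConnectorName) match the module version in use; the output path is an arbitrary choice.

```powershell
# Added example (not from the original post): baseline inventory of the Default
# environment, the place where every licensed user is an Environment Maker.
# Assumptions: Microsoft.PowerApps.Administration.PowerShell is installed,
# the signed-in account has Power Platform admin rights, and property names
# below match the module version in use. The CSV path is arbitrary.

Import-Module Microsoft.PowerApps.Administration.PowerShell
Add-PowerAppsAccount   # interactive sign-in; service accounts can pass -Username/-Password

# The Default environment is the one that cannot be locked down, so start there.
$default = Get-AdminPowerAppEnvironment -Default
$envName = $default.EnvironmentName

$apps  = @(Get-AdminPowerApp -EnvironmentName $envName)
$flows = @(Get-AdminFlow -EnvironmentName $envName)
$conns = @(Get-AdminPowerAppConnection -EnvironmentName $envName)

# 1. Headline numbers: the answer to "how many apps are there currently?"
[pscustomobject]@{
    Environment = $default.DisplayName
    Apps        = $apps.Count
    Flows       = $flows.Count
    Connections = $conns.Count
} | Format-List

# 2. "What's used by whom": apps per owner, heaviest citizen developers first.
#    Owners who have left the company show up here as empty or orphaned entries.
$apps |
    Group-Object { $_.Owner.email } |
    Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'Owner'; e = { $_.Name } } -First 10

# 3. Stale artifacts: nothing modified in 12 months is a cleanup candidate,
#    or at least a prompt to ask the owner whether it is still in use.
$cutoff = (Get-Date).AddMonths(-12)
$stale  = $apps | Where-Object { [datetime]$_.LastModifiedTime -lt $cutoff }
"{0} of {1} apps untouched since {2:yyyy-MM-dd}" -f $stale.Count, $apps.Count, $cutoff

# 4. Connection blast radius: each connection is bound to the credentials of the
#    user who created it ("credentials sharing as a service"), so the connector
#    mix tells you which data sources are reachable through other people's identity.
$conns |
    Group-Object ConnectorName |
    Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'Connector'; e = { $_.Name } }

# 5. Connections shared beyond their owner are the ones to review first, because
#    any maker they are shared with can build an app that runs as the owner.
#    This loop makes one call per connection, so it is slow on large tenants.
$shared = foreach ($c in $conns) {
    $roles = @(Get-AdminPowerAppConnectionRoleAssignment `
                -EnvironmentName $envName `
                -ConnectionName  $c.ConnectionName `
                -ConnectorName   $c.ConnectorName)
    if ($roles.Count -gt 1) {
        [pscustomobject]@{
            Connector    = $c.ConnectorName
            Connection   = $c.ConnectionName
            Principals   = $roles.Count
        }
    }
}
"{0} connections are shared with at least one other principal" -f @($shared).Count

# 6. Export the app list for the case-by-case evaluation the post talks about.
$apps |
    Select-Object AppName, DisplayName,
                  @{ n = 'Owner'; e = { $_.Owner.email } },
                  CreatedTime, LastModifiedTime |
    Export-Csv -Path .\default-env-apps.csv -NoTypeInformation
```

Run this once per environment (swap `-Default` for `Get-AdminPowerAppEnvironment` piped over all environments) and you have the raw material for the “where does it belong, who’s gonna take care of it” conversation. The shared-connection list in step 5 is the security-relevant cut: those are the places where one user’s credentials are already doing work for others.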

It’s much easier to do things the right way when you start from a low-code governance model already in place. In reality, everyone has started to use Power Platform already before such models were ever considered. Therefore, it’s exceedingly rare to experience a greenfield implementation that wouldn’t need manual cleaning and case-by-case evaluation of the sensible steps forward. Meaning, you’ll need the good ol’ triangle of people-process-technology to tackle these challenges.

“Can we just turn it all off?”

Is it even worth fighting this battle if you are working at enterprise IT? Wouldn’t it make sense to stop the madness of citizen developer artifacts appearing everywhere and just block all the things? While the big numbers can make it seem like mission impossible, it’s great to also hear some small numbers about low-code. Such as: five (5). That’s the number of persons in charge of managing the world’s largest Power Platform tenant, at Microsoft. Yes, it all takes time and effort, yet the business case could very well be there - if you get a chance to truly analyze the business value achievable from intentional usage of Power Platform across the organization.

One thing you must realize is that if you’re attempting to reduce your business dependency on Power Platform, you are in fact also reducing the benefits you can expect to gain from Copilot. Why is that? Because the agentic AI story of extending the MS Copilot products with skills and access to enterprise apps and data sources relies on Power Platform. The connectors for low-code apps and automation are the same thing that becomes available inside Copilot Studio.

In the future, Microsoft wants the users of Copilot to continue the evolution of the citizen developer, equipped with the sometimes-magical skills of large language models. In the latest MSFT quarterly earnings call, CEO Satya Nadella made the below statement on what the future of business applications will look like:

In short: where we’re going, we won’t need apps. The concept of a predefined set of features, data sources and UI elements could potentially become the legacy way to use computers. Assuming AI really can grow into a smart (and reliable & secure) assistant that can understand the context of our work tasks at any given time, it could eventually lead us into the world beyond apps that I blogged about last year already:

It’s both scary and exciting to think about such future paths. This is the true meaning of digital transformation. This is what disruption via new digital platforms looks like. It’s just that this time the IT folks are standing on both sides of the wave of disruption. Not only are we making it possible by designing and running the supportive structures for low-code apps and now Copilots. We’re also among the professionals most likely to have their current work tasks either replaced or made redundant by AI.

Low-code and no-code haven’t replaced custom software yet. They have simply scaled the total number of apps into a level that would have been impossible to reach via classic software delivery models. The next disruption looks to be powered by generative AI - whether it makes app creation quicker or replaces the need to even have dedicated apps for everyday tasks.

In the middle of this digital hurricane stands that individual person who dares to try and solve problems in a new way. Without knowing exactly how it should be done. I end this post with a motivational poster dedicated to all those heroes:
