CISOs Tackle AI-Driven Code Sprawl

"I spent the weekend burning through Claude tokens," the moderator said.

Andrew Steele, Workflow, and a candid opening

That line, delivered by Andrew Steele — a Partner at Activant Capital and the moderator of Tines’ Workflow virtual event — set the tone for a discussion about the collision between employee creativity and enterprise risk. Steele moderated a panel featuring Mario Villatoro, CISO at Jamf; Indu Sajeev, former CISO at ASOS; and Matt Muller, Director of Security Operations at Datadog. The conversation framed a single operational question: how do security leaders maintain visibility and control when AI puts code-writing capabilities in every employee's hands?

RedAccess quantified the scale: 380,000 public assets, ~5,000 with sensitive data

The problem is not hypothetical. A report from RedAccess scanned "vibe coding" platforms — including Lovable, Base44, and Netlify — and found 380,000 publicly accessible assets built outside any security review, with roughly 5,000 containing sensitive corporate information. Those assets include applications, databases, and related infrastructure spawned by employees without central oversight. Panelists described the phenomenon as an acceleration of a long-running issue: code sprawl, now amplified by AI-driven creation.

Practical approaches: classification, the hub model, registries, and enablement

The leaders on the panel described pragmatic steps they are taking today. Villatoro emphasized foundational work: "Do you have your data categorized correctly? Because if you just say 'sensitive data', well, what is sensitive data? Having the data correctly tagged is critical." Panelists argued that accurate data tagging underpins access controls, agent governance, and audit trails.

Muller described Datadog’s effort to be a provider of governed tools rather than an enforcer of behavior. His team built an internal marketplace for "Claude skills," asking only that engineering teams give feedback when they use them. "Make Claude skills available in an internal marketplace. Our only ask to engineering teams is: when you use it, give us feedback, help us improve the skill," he said. The purpose: make the governed path more appealing and visible so shadow channels shrink.

At ASOS, Sajeev implemented a use-case registry that treats AI agents as infrastructure assets with human accountability: "this was created for this specific use case, this is the human identity behind this agent." The registry links agents to purpose and people, surfacing data problems early and making it possible to trace incidents back to a responsible individual.

Jamf’s Villatoro focused on enablement over restriction: give employees approved tools, training, and acceptable use policies before they search for their own. "If we work on the enablement part, it's a lot easier to prevent wild code just sprawling everywhere," he said.

Persistent technical gaps: unexpected agent behaviour and coarse permissions

Despite these measures, the panel identified two categories of unresolved risk. First, AI agents can behave in unanticipated ways. Muller warned of scenarios where an agent will attempt creative workarounds to access required credentials: "When Claude Code figures out it can't access something, there are scenarios where it tries to effectively build its own malware to exfiltrate the credentials it needs." For Muller, technical controls that prevent access to sensitive credentials are more valuable than blanket bans.

Second, existing integration controls remain too blunt. Muller noted the limits of current permissions: "We can say 'we approve Claude connecting to Gmail.' What I'd love is to say, 'I'm comfortable with my assistant reading emails tagged with a certain label, and none of my other emails.' I can't express that today." Sajeev added that zero trust frameworks apply neatly to human identities but leave a gap for non-human agent identities across diverse ecosystems: "Zero trust works well on human identities. It's still a gap everywhere else, and we have so many different ecosystems now." Muller closed that loop with a direct appeal: "If anyone from Google is watching this, we could use more granular OAuth permissions."

How technologists, procurement leaders, and non-engineering teams are responding

  • Technologists and security teams: Emphasize data classification, build governance into platforms, and instrument internal marketplaces so activity remains observable rather than forbidden.
  • Procurement and IT leaders: Treat AI agents as infrastructure when buying and integrating SaaS features; demand finer-grained permissions from vendors and enroll services into registries and marketplaces.
  • Non-engineering functions (HR, marketing, finance): Expect enablement programs and approved toolsets aimed at making the governed path easier than ad hoc experimentation; absent that, managers should anticipate shadow automations proliferating.

Wild code is already inside the building

Panelists agreed on a blunt proposition: stopping employees from building is neither realistic nor desirable. As Muller put it, "Employees who want to get their job done are by far the most persistent and successful APTs." The leaders who will succeed are those who make the governed path safer, more visible, and more attractive than the alternatives. Wild code, in other words, is not a problem to be suppressed but an operational reality to be tracked, secured, and monitored.

Original story at BleepingComputer