DOP 349: Shadow AI Is Going to Be a Thousand Times Worse Than Shadow IT
Show Notes
#349: Every platform you already own is about to have AI baked into it. Not next year. This year. That is Ben Wilcox’s blunt prediction, and Ben is the CTO and CISO at ProArch, so when he says shadow AI is going to make shadow IT look quaint, it is worth slowing down to figure out what that actually means. The data leaves your stack through tools you already paid for, through features the vendor shipped without asking, through copilot agents nobody filed a ticket for.
Here is the uncomfortable part. This is not a new problem. It is the exact same retroactive-security failure pattern that broke DevSecOps, just with higher stakes and a faster clock. A pen test done six months ago is already obsolete because the app added AI in the meantime. Models get deprecated on seven-month windows while frameworks still get years of support. The whole “we will deal with it at the end” approach that worked badly for cloud and worked worse for containers is going to be catastrophic for AI.
The fix is older than the problem. Landing zones. Well-architected frameworks. A storage account that already has the right policy. An API gateway already in front of the API. The developer should not be picking from twenty checkboxes to figure out which combination is secure – that decision should already be made before the ticket lands. Stop forcing developers onto the security team. Stop running security reviews while the head developer sweats through his shirt right before release. Build the foundation up front and let the developer deploy into it.
Then the harder question. The leaders making these calls today are the same engineers who lived through every prior cycle of this exact pain. Why are they letting another generation eat it again? Viktor’s answer is one line: “It’s my time now, baby.” Ben does not disagree. PE pressure, VC timelines, race-to-market everything – the budget exists, the tools exist, the patterns exist. What is missing is the will to invest two weeks up front so the last two months do not turn into panic. Ben’s practical advice for any leader dipping a toe in: do not do it alone, inventory everything, talk to sales and finance and the developers, and assume the conversation you are having today will be obsolete in six months.
Guests
Ben Wilcox
Ben Wilcox is the Chief Technology Officer and Chief Information Security Officer at ProArch, where he helps organizations modernize, secure, and scale through data, cloud, and AI. With a rare dual lens across technology and security, Ben bridges innovation and risk—ensuring transformation efforts are not only cutting-edge, but resilient and trustworthy.
At ProArch, a top Microsoft Partner, Ben works closely with enterprise leaders to turn technology ambition into measurable business outcomes. He brings a business-first mindset to complex technical challenges, guiding teams through cloud modernization, AI adoption, and security strategy in highly regulated and fast-evolving environments.
Ben is known for his practical, no-hype approach to leadership—focused on aligning engineering, security, and business priorities to drive real impact.
Hosts
Viktor Farcic
Viktor Farcic is a member of the Google Developer Experts and Docker Captains groups, and a published author.
His big passions are DevOps, Containers, Kubernetes, Microservices, Continuous Integration, Delivery and Deployment (CI/CD) and Test-Driven Development (TDD).
He often speaks at community gatherings and conferences.
He has published DevOps Paradox and Test-Driven Java Development.
His random thoughts and tutorials can be found on his blog, The DevOps Toolkit.