Microsoft updated Microsoft 365 Copilot on October 28 with the introduction of the App Builder and Workflows agents and a lightweight version of the Copilot Studio agent builder. All three tools aim to turn employees into citizen developers.
The promise is similar to previous no-code app builders, only with a generative AI twist. Tasks that once took weeks waiting on IT backlogs now get done in minutes through simple conversation. Yet the newfound power comes with responsibilities many organizations aren’t ready to manage.
A No-Code App Builder for the AI Age
For years, employees have lived with a familiar frustration. They see inefficiencies everywhere: a manual process that begs for automation, a tracking need that a simple app could solve. They can picture the solution, but turning it into reality meant submitting a ticket, waiting weeks or months for a busy IT team's attention and often discovering that by the time the solution arrived, the problem had changed.
The new App Builder and Workflows Agents flip this dynamic. Marketing teams now spin up custom tracking applications themselves. Facilities managers build room booking systems through natural conversation. Customer service teams create knowledge base agents that pull from SharePoint and meeting transcripts without waiting for integration cycles.
App Builder and the new Workflows Agent are currently available to Microsoft 365 customers in the Frontier Program, expanding Copilot's ability to create apps and automate tasks with simple natural language prompts.
Here’s how Charles Lamanna, president, business and industry copilot at Microsoft, explained the two releases:
- App Builder: Lets users build and deploy interactive apps without needing database setup. It integrates with Microsoft 365 content and uses Microsoft Lists for data storage. Preview, refine and share apps with a link.
- Workflows Agent: Automates tasks such as sending email messages, managing calendars and sharing updates across Outlook, Teams, SharePoint and other Microsoft services. Users describe the workflow in plain language, see each step as it’s built and edit it in real time. It’s user-friendly yet built on the same infrastructure as Copilot Studio’s Agent Flows.
App Builder and Workflows Focus on Knowledge Workers
This release targets knowledge workers who have a clear vision of how to improve their work. The offerings differ from the full Copilot Studio in their grounding specifically within the Microsoft 365 environment and the relative simplicity of the tools that can be built. Copilot Studio, by contrast, provides multi-agent capabilities, broader integrations and more advanced functionality — and a different licensing model.
This is an evolution for a specific type of employee, said Tom Keuten, senior vice president and Microsoft go-to-market lead for Rightpoint.
"This feels like something that will be used by 'power users,' which most companies and even most big departments have," he said. "They do not sit in IT, but they create databases and workflows and solutions that are specific to their jobs and solve problems that the enterprise IT team doesn't usually support."
Power users have always existed in organizations. Now they're getting enterprise-grade AI tools designed for their workflows. The advantage is immediate: agency, the ability to solve their own problems and the reduction of frustrating delays that have plagued knowledge work for decades.
The Risks of AI App Building
But this liberation comes with a cost that's only becoming apparent as security professionals examine the implications.
"AI significantly accelerates development, which rapidly increases the deployment of new, unknown and unmanaged systems, often referred to as 'Shadow IT,'" said Dan Andrew, head of security at Intruder.
Shadow IT has plagued enterprise security for years, and AI app building threatens to turn a trickle into a flood. The risks multiply across several dimensions:
Data Exposure
When workers build systems through conversation, traditional code review transparency disappears. "The issue isn't necessarily the access that Copilot gets to corporate data," Andrew explained. "It's the abstraction away from writing code that makes it less transparent where that data is going, and how it's being secured." This abstraction layer — the very feature that makes the technology accessible — becomes a security liability.
Compliance implications are equally concerning. The speed of AI-generated development outpaces an organization's ability to maintain oversight. "AI can quickly generate new APIs, cloud assets or data endpoints that fall outside your compliance scope or security scanning," Andrew warned. Particularly for regulated industries, this represents an existential risk.
"With the rise of AI and LLMs, enterprise platforms pivoted to leveraging unstructured data for insights," said Anand Narasimhan, CTO of S-Docs and former vice president of transformation at Salesforce. Unstructured data such as email messages, chat messages and meeting transcripts now represents the majority of information flowing through organizations.
"A notable example of this is Disney's 2024 data breach, where a compromised employee's laptop led to exfiltration of significant amounts of data from Disney's internal Slack channels," Narasimhan said. "Without robust data governance and security measures, organizations are vulnerable to data leaks and compliance violations."
This is the environment where AI app-building now operates — where AI tools retrieve and manipulate vulnerable collaboration data in employee-built applications.
Quality and Reliability
"Considering Microsoft Copilot already experienced a critical flaw earlier this year, news of automated workflows emerging from conversational prompts is not comforting," Andrew said. "These innovations will require a human-in-the-loop to ensure workflows are accurate and protect sensitive data."
On the defensive side, Andrew offers a sobering reality: "The reality with AI is that it makes hacking just as easy as automating defense mechanisms. Misuse or security breaches will continue to occur and may occur at a higher rate considering there is less human oversight."
Encouraging Citizen Developer Innovation Within Guardrails
Organizations face an uncomfortable question: How do you capture the productivity benefits without exposing yourself to catastrophic failures?
Visium's AI transformation director Michael Hunkeler sees both promise and peril. "With Apps & Workflows, Microsoft is introducing Copilot features that let employees build directly on top of their company's data," he said. "The upside is clear: if it runs inside the Microsoft ecosystem, organizations can rely on existing permission models, auditability and data-protection controls rather than stitching together new third-party tools."
However, Hunkeler adds a warning: "As a rule of thumb, companies should be careful with early versions of new AI features. Look no further than the recent security lessons from AI-browsers." He's referring to recent incidents where AI-powered browser features inadvertently exposed user data — cautionary tales that should inform how organizations approach this capability.
"You should definitely try it if you have a clear AI strategy and governance in place, and employees are well-trained in the use of AI," Hunkeler advised. But “if” is doing a lot of work in that sentence: if you have strategy, governance and training. Without those foundations, organizations are putting themselves at risk.
Five Steps for AI App Building
Based on this guidance, organizations must take these steps before unleashing AI app building:
- Establish boundaries: "IT will also need to be very clear in terms of what IT supports and does not support," Keuten said. Define explicitly what employee-built solutions can do vs. what requires IT involvement. Create a classification system for apps and make these boundaries visible across the organization.
- Implement continuous discovery: Organizations need solutions "properly integrated into continuous threat exposure management or vulnerability management processes," Andrew said. Deploy automated scanning to discover AI-built applications as they're created. Your security team can't protect what they don't know exists.
- Data governance foundations: "The key is to start with clean, well-governed data and clearly define which tasks truly require AI vs. simple automation," said Narasimhan. Audit and clean your data before giving AI tools access to it. "Without that foundation, even the most promising AI tools can amplify errors rather than reduce them."
- Capability and responsibility: Don't just teach employees how to build apps, Narasimhan said. Teach them data security basics, compliance requirements and why certain practices matter. Make training mandatory before granting access.
- Human review: Andrew is unequivocal: "These innovations will require a human-in-the-loop to ensure workflows are accurate and protect sensitive data," he said. Implement oversight for any AI-built application that handles sensitive data, makes automated decisions affecting people or integrates with core business systems.
Organizations that succeed will take advantage of the technology while building robust governance frameworks. They'll invest in training and maintain appropriate human oversight. "Companies should view this as an opportunity to accelerate innovation but should do so with eyes wide open to the risks and the proper governance to make sure work put into any AI-built apps and workflows delivers the intended results," Keuten said.
The superpower is real. Microsoft has changed what's possible for ordinary employees to create. But organizations need to define what responsibility looks like before everyone starts building. The choice isn't between innovation and security — it's between planned governance and crisis management.