
Empowering Professionals: AI as a Tool for Compliance

In recent years, the advent of artificial intelligence has significantly transformed client expectations regarding the speed and efficiency of work. As we contemplate the potential of AI coding assistants built on large language models, such as Claude Code and ChatGPT, the question arises: what must the professional community do to harness their capabilities for application development, improving productivity while upholding quality?

Not every task requires a sophisticated user interface. Large language models can be leveraged to develop focused applications that streamline essential compliance functions. These tools can be shared and reused within the community, adhering to open-source practices. However, challenges remain—especially concerning secure coding. Accessing sensitive data necessitates expertise and diligence in cybersecurity, and we must also navigate various regulatory frameworks in our applications. The most significant obstacle lies in cultivating a mindset open to shaping compliance tools tailored to our needs.

The Core Argument

Millions of software engineers are utilizing AI-enabled coding tools like Claude Code and Cursor on a daily basis. From my experience leading a startup focused on governance, regulation, and compliance automation, these technologies have democratized coding, enabling individuals with limited programming knowledge to create Python applications that automate tedious tasks. These applications can be swiftly refined and enhanced by their engineering counterparts.

Why did I transition from my identity as a product manager and compliance expert to embrace this new approach? It’s because a paradigm shift is occurring within our professions, driven by this technology. Traditional boundaries are dissolving as AI reshapes client expectations regarding work velocity. We—professionals across disciplines—must adapt.

There is an urgent need for more effective tools to expedite our work processes, and this technology empowers us to build these tools ourselves.

Many specialized tasks surrounding privacy, artificial intelligence, and cybersecurity governance are currently performed using costly enterprise software or rudimentary tools like spreadsheets. These responsibilities are ripe for automation.

Do you need to identify new cookies in real time at the consent wall on your clients’ websites? Code it! Want an automated solution to monitor changes in vendors or processing locations among clients’ application stacks? Piece it together yourself! You possess the resources you need.

Your application’s user base might be small, potentially comprising just one individual. That’s perfectly acceptable; the primary goal is to accomplish the task effectively.

Importantly, as members of the International Association of Privacy Professionals (IAPP), we share common challenges, despite the unique aspects of each client situation. Reliable legal frameworks, such as the Apache 2.0 open-source license, alongside various model contracts, can mitigate legal risks. Many free open-source software (OSS) tools, including VS Code, Pytest, and Docker, are also available. For the more adventurous, process automation tools like n8n represent cutting-edge solutions. Collectively, these resources alleviate the burden of repetitive development tasks.

However, substantial challenges remain. A crucial skill required, and one that many in the governance, risk, and compliance (GRC) community may lack, is secure coding. Recognizing this, we can reduce the risk by limiting use cases to those that consume only publicly available information, such as data about cookies, tracking pixels, and consent strings from consent management platforms. Search automation over publicly accessible documents such as privacy policies or data processing agreements can be built the same way. One caveat: "public" input is not "trusted" input. A tool that fetches and parses web pages, headers or PDFs still processes content an outsider controls, so it should pin its dependencies, never evaluate or render what it scrapes, and run with no more access than it needs.
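As an added illustration, and not code from the original post, here is what the "identify new cookies at the consent wall" tool mentioned above can look like in Python, restricted to the public-information use case just described. It parses the Set-Cookie headers captured before the visitor has interacted with the consent banner, diffs them against a baseline inventory from the last review, and flags new and third-party cookies plus two common attribute mistakes. The hostnames, cookie names, header values and the baseline are constructed sample data; the registrable-domain check is a simplification that ignores the Public Suffix List; and capturing the headers themselves (with a headless browser or an intercepting proxy) is outside the example.

```python
# Added example (not from the original post): diff a pre-consent cookie capture
# against a baseline inventory and report what a privacy reviewer should look at.
# All hostnames, cookie names and header values below are constructed sample data.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Cookie:
    name: str
    host: str      # host whose response carried the Set-Cookie header
    domain: str    # effective cookie domain (Domain attribute, else the host)
    secure: bool
    samesite: str  # "Lax", "Strict", "None", or "" when the attribute is absent


def parse_set_cookie(header: str, host: str) -> Cookie:
    """Parse one Set-Cookie header value captured from a response sent by `host`."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, _value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    # No Domain attribute means a host-only cookie scoped to the responding host.
    domain = attrs.get("domain", host).lstrip(".").lower()
    return Cookie(
        name=name.strip(),
        host=host.lower(),
        domain=domain,
        secure="secure" in attrs,
        samesite=attrs.get("samesite", "").capitalize(),
    )


def registrable_domain(hostname: str) -> str:
    """Last two DNS labels. Simplification: a real tool would consult the
    Public Suffix List so that names like example.co.uk are handled correctly."""
    return ".".join(hostname.lower().split(".")[-2:])


def is_third_party(cookie: Cookie, site_host: str) -> bool:
    return registrable_domain(cookie.domain) != registrable_domain(site_host)


def review_capture(
    baseline: Set[Tuple[str, str]],
    captures: List[Tuple[str, str]],
    site_host: str,
) -> Dict[Tuple[str, str], List[str]]:
    """Return findings per (domain, name) for cookies observed before the visitor
    interacted with the consent wall. `baseline` is the previously approved inventory."""
    findings: Dict[Tuple[str, str], List[str]] = {}
    for host, header in captures:
        cookie = parse_set_cookie(header, host)
        key = (cookie.domain, cookie.name)
        issues: List[str] = []
        if key not in baseline:
            issues.append("new since baseline")
        if is_third_party(cookie, site_host):
            issues.append("third-party cookie set before consent")
        if not cookie.secure:
            issues.append("missing Secure attribute")
        if cookie.samesite == "None" and not cookie.secure:
            issues.append("SameSite=None without Secure (browsers reject this)")
        if issues:
            findings[key] = issues
    return findings


SITE = "www.example.com"

# Constructed baseline: (domain, cookie name) pairs approved at the last review.
BASELINE = {("www.example.com", "session"), ("example.com", "cmp_consent")}

# Constructed capture: (responding host, Set-Cookie value) seen before any consent click.
PRE_CONSENT_CAPTURE = [
    ("www.example.com", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("www.example.com", "cmp_consent=pending; Domain=.example.com; Path=/; Secure; SameSite=Lax"),
    ("ads.tracker-example.net", "_tid=9f3b; Domain=.tracker-example.net; Path=/; Secure; SameSite=None"),
    ("www.example.com", "ab_variant=B; Path=/; SameSite=None"),
]


def run_review() -> Dict[Tuple[str, str], List[str]]:
    return review_capture(BASELINE, PRE_CONSENT_CAPTURE, SITE)


if __name__ == "__main__":
    for (domain, name), issues in sorted(run_review().items()):
        print(f"{name} ({domain}): " + "; ".join(issues))
```

Run against the sample capture, the two baseline cookies pass silently, the tracker cookie is reported as new and third-party, and the A/B cookie is reported as new and misconfigured. Replacing `PRE_CONSENT_CAPTURE` with headers recorded from a real pre-consent page load, and `BASELINE` with the inventory from the previous review, turns the script into the recurring check the paragraphs above describe.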

For tasks involving client applications or sensitive data, collaboration with the engineering team is essential. Although many may find these configuration tasks daunting, they are routine competencies for application engineers: they can grant the tool a read-only, narrowly scoped credential in line with the principle of least privilege, so that a bug or a compromised tool cannot modify or exfiltrate more than it was meant to read. Furthermore, the application and its third-party dependencies should be scanned for vulnerabilities and malware before deployment. Implementing such measures does require significant engineering time.

For motivated engineers, refining your application is more productive than manually completing outdated questionnaires. However, it’s crucial to avoid scenarios where engineers feel “voluntold” by management to participate, as that fosters resentment.

Once a collaborative relationship is established, you can transparently monitor and modify each line of code in your application. It may not be visually appealing, but it will effectively deliver the desired outcomes. Although maintenance can be demanding over time, keeping the scale of your applications small and targeted typically makes this manageable.

There will always be a need for GRC vendors. Organizations may have legitimate reasons for not relying on internal resources for developing and maintaining compliance automation. Some stakeholder teams might prefer applications with user-friendly graphical interfaces instead of command-line options. They may require guaranteed support and maintenance, especially as the user base expands; these are legitimate concerns that organizations must address.

Additionally, a small but expanding group of open-source vendors is emerging in the GRC sector, which provides organizations the flexibility to utilize coding tools for developing customized features and analytics without waiting for vendor input or incurring consultancy costs. Notable examples include OpenGRC, OpenVAS, and GLPI.

What is holding people back? While I cannot speak for everyone, I have posed this question multiple times to my peers in the IAPP community. Some are eager to seize this opportunity and are fully engaged, while others hesitate, concerned about “overstepping” into roles traditionally held by others.

The reality is that AI is continuously dismantling the barriers that once defined the skill set and knowledge split within GRC teams, and it’s already happening. Privacy UX designers are increasingly taking on product management roles, and vice-versa. Cybersecurity engineers are engaging more in product design and management tasks, and vice-versa. Compliance analysts are now collating and analyzing risks using legal frameworks more effectively.

All of these professionals are striving to solve organizational problems—and often contribute to the public good—more quickly. They are doing so with confidence in their training and awareness that, ultimately, they are accountable for quality.

This mindset extends to legal counsel as well, who should also engage more in prototyping and lightweight application development, ideally collaborating with surrounding stakeholders. The traditional boundaries are fading, and tools are evolving within the GRC landscape.

Conclusion

The intersection of AI-driven coding, open-source GRC tools, and emerging mindsets is about to redefine how we develop, maintain, and enhance our working tools. Application development is no longer confined to external vendors or internal teams; it is now within our grasp as a community. The resources we need are readily available. The question that remains is: how will the IAPP community of practitioners harness this newfound potential? The future holds exciting possibilities.
