Lovable, Bolt, and Replit Are Wonderful - Until Your CISO Finds Out
Non-technical teams are building apps on Lovable, Bolt.new, and Replit with company data and zero governance. Here's why that's a compliance nightmare - and what enterprise platform teams should deploy instead.
Your employees are already building apps with AI tools. Finance teams, sales teams, and product managers are using Lovable, Bolt.new, and Replit to build internal tools and client-facing applications. They're doing it with company credit cards, company data, and zero IT oversight.
This is shadow IT on steroids. Unlike the spreadsheet macros of the past, today's shadow IT is deployed web applications with database connections to production data. Every one of these apps is a compliance surface you don't control.
The answer isn't to ban AI builder tools. The business value is real. The answer is to give builders a controlled platform - with the same ease of use but enterprise-grade governance.
Two years ago, the idea that someone in finance could build and deploy a web application was laughable. Today, it happens every day.
A product manager opens Lovable, describes a client-facing dashboard, and has a working app in 20 minutes. A sales ops lead opens Bolt.new, builds an internal pipeline tracker connected to the company CRM, and shares the URL with the team. A finance analyst opens Replit, writes a data aggregation tool that connects to the company database, and runs it every morning.
None of these people filed a ticket with engineering. None of them asked IT for permission. And none of them thought about where the data goes.
What Your CISO Sees
Here's what these three platforms look like from a security and compliance perspective:
Lovable

| Risk | Detail |
|---|---|
| Infrastructure | Multi-tenant cloud. Cannot self-host. Your app data lives on Lovable's shared servers. |
| Data residency | 3 regions (US, EU, Asia). Locked after project creation. Cannot move. |
| Network | No VPC peering. No private networking. Cannot reach internal APIs. |
| Compliance | SOC 2, ISO 27001. But your data is on their shared infrastructure - your compliance posture is limited by theirs. |
| Lock-in | Once connected to Lovable Cloud, you cannot disconnect. |
| SSO | Available on Business plan ($50/mo). But enforcement across the org requires Enterprise. |

Bolt.new

| Risk | Detail |
|---|---|
| Infrastructure | Managed hosting. No self-host option. |
| Enterprise controls | No SSO. No RBAC. No audit logs. No environment isolation. |
| Network | No private networking capabilities documented. |
| Compliance | No compliance certifications documented. |
| Data | Code exportable to GitHub. But deployment infrastructure is proprietary. |

Replit

| Risk | Detail |
|---|---|
| Infrastructure | Managed cloud. Self-hosting limited to Enterprise plan. |
| Data | Code and data live on Replit's infrastructure by default. |
| Network | Limited networking controls. No VPC peering. |
| Compliance | SOC 2. But shared infrastructure model. |
| Enterprise | Enterprise plan available with SSO/SAML, but requires negotiation and premium pricing. |
The pattern is the same across all three: great prototyping experience, consumer-grade governance. They were built for individual creators and small teams, not for enterprises with compliance obligations.
The Real Problem: You Can't Say No
Here's the thing your CISO knows but doesn't want to admit: banning these tools doesn't work.
The reason employees use Lovable, Bolt, and Replit is that they deliver real business value. Finance teams shipping internal tools in hours instead of waiting weeks for engineering. Product teams validating ideas without a sprint backlog. Sales teams building custom reporting dashboards for clients.
If you ban the tools, you kill the innovation. The backlog of "build me this small thing" requests goes back to engineering, where it sits for weeks. Business teams get frustrated. The competitive advantage disappears.
The answer isn't to ban. The answer is to provide a better alternative that your builders actually want to use.
What Enterprise Builders Actually Need
When we talked to a Series B+ fintech company, the CTO articulated the problem perfectly:
What they needed was:
Infrastructure they control - apps run on their own AWS account, in their own VPC
Data that never leaves the perimeter - no third-party cloud touching internal data
Pre-configured environments - databases, API connections, and network rules set up by the platform team
SSO for the whole company - builders log in with company credentials, not personal accounts
Full audit trail - every deployment, every environment, every data access logged and exportable
Cost controls - per-team budgets, auto-shutdown on idle, no surprise cloud bills
Notice what's NOT on this list: "a worse developer experience." The builder experience needs to be just as easy as Lovable. The governance is invisible to the builder - it's enforced by the platform team behind the scenes.
Everyone in your company is a developer now. Act like it.
Give non-technical builders a controlled platform with SSO, network isolation, and full audit trails.
Create blueprint environments for each team: finance gets a blueprint with a PostgreSQL connection to the analytics database. Sales gets a blueprint with CRM API credentials. Marketing gets a blueprint with the content management API.
Define network rules: each blueprint specifies which internal APIs the environment can reach, which external services are allowed, and what data can flow where.
Set cost controls: per-user and per-team budgets. Environments auto-shutdown after inactivity. No surprise bills.
Enable SSO: builders log in with their corporate identity. Every action is attributed and auditable.
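As an added illustration (not Qovery's code or its configuration format), here is a constructed blueprint policy check in Python that ties together the platform-team steps above: a per-team egress allowlist for internal APIs and approved external services, a budget ceiling, an idle-shutdown setting, and attribution of every decision to the builder's SSO identity. The hostnames, budgets and data shapes are assumptions chosen to mirror the finance/sales split described in the article.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

@dataclass(frozen=True)
class Blueprint:
    """Per-team environment policy set by the platform team (hypothetical shape)."""
    team: str
    internal_allow: frozenset   # internal hostnames the environment may reach
    external_allow: frozenset   # approved third-party services
    monthly_budget_usd: float   # per-team budget
    idle_shutdown_minutes: int  # auto-shutdown after this much inactivity

@dataclass
class DeployRequest:
    builder_sso_id: str         # corporate identity from SSO/SAML, never a personal account
    team: str
    outbound_urls: list         # every endpoint the app declares it will call
    estimated_monthly_usd: float

# Constructed sample blueprints mirroring the article's finance/sales split.
BLUEPRINTS = {
    "finance": Blueprint("finance", frozenset({"analytics-db.internal"}),
                         frozenset({"api.stripe.com"}), 300.0, 30),
    "sales": Blueprint("sales", frozenset({"crm-api.internal"}),
                       frozenset(), 200.0, 60),
}

def evaluate(req: DeployRequest) -> dict:
    """Check a deployment against its team blueprint; return an audit record."""
    bp = BLUEPRINTS.get(req.team)
    violations = []
    if bp is None:
        violations.append(f"no blueprint defined for team {req.team}")
    else:
        for url in req.outbound_urls:
            host = urlparse(url).hostname or ""
            if host not in bp.internal_allow and host not in bp.external_allow:
                violations.append(f"egress to {host!r} not allowed by {bp.team} blueprint")
        if req.estimated_monthly_usd > bp.monthly_budget_usd:
            violations.append(f"estimate ${req.estimated_monthly_usd:.0f} exceeds "
                              f"budget ${bp.monthly_budget_usd:.0f}")
    return {
        "actor": req.builder_sso_id,   # every decision attributed to the SSO identity
        "team": req.team,
        "decision": "allow" if not violations else "deny",
        "violations": violations,
        "idle_shutdown_minutes": bp.idle_shutdown_minutes if bp else None,
    }
```

The returned record is what a platform team would write to its audit log: who deployed, under which blueprint, and exactly which rule blocked a deployment if one did.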
For the Builder
Log in with your company credentials (SSO/SAML)
Pick a blueprint that matches your use case (finance, sales, ops)
Build your app using Claude Code, Cursor, or any AI coding tool - in a pre-configured environment
Deploy with one click - the app runs on the company's infrastructure, accessible via an internal URL
Never think about infrastructure - the platform team handles everything behind the scenes
The builder experience is as easy as Lovable. But the governance, compliance, and data control are enterprise-grade.
The Migration Path
If your teams are already on Lovable, Bolt, or Replit, here's how to transition:
| Timeline | Action |
|---|---|
| Day 1 | Platform team creates first blueprint on Qovery. Connect your cloud account. |
| Day 7 | Pilot with one team (e.g., finance). They build and deploy their first internal tool on the controlled platform. |
| Day 14 | Expand to sales and product teams. Each gets their own blueprint. |
| Day 30 | Company-wide rollout. Decommission Lovable/Bolt/Replit accounts. Audit confirms all builder activity is on the governed platform. |
Existing apps built on Lovable or Bolt can be exported to GitHub and redeployed on Qovery - the code is standard React/Node.js that runs anywhere.
The Bottom Line
Your employees are developers now. They didn't choose it - AI tools made it inevitable. The question isn't whether they'll build apps. The question is whether those apps run on infrastructure you control.
Romaric founded Qovery to make Kubernetes accessible to every engineering team. He writes about platform strategy, developer experience, and the future of cloud infrastructure.