Beyond "Right-Click Deploy": Fixing the SaaS Accountability Gap

TL;DR: The "right-click deploy" world of SaaS and AI means business units no longer wait for ICT - they just subscribe. But while the capability to move fast has shifted to the business, the accountability for the associated risks (like cyber safety, PII, and data ROT) has been left behind. This massive gap is breeding accountability avoidance, risking value innovation.
The solution isn't throwing another governance policy at the business; it is providing them with true agency. ICT must shift from being a traditional gatekeeper to an enabler, providing the context, tooling, and "hidden safety rails" that allow our digitally savvy peers to visibly own, manage, and safely execute on their decisions.
The "right-click deploy" world has arrived.
These days, ICT no longer has the monopoly on digital skills. The model has fundamentally changed this millennium - digital natives are now spread across the entire organisation. So, what is next for ICT-business relations?
Business units no longer wait for ICT to build tools; they reach for their credit cards and subscribe to the future. A lot of our thinking, expectations, and control mechanisms have not moved with this change. Because of this, there is a hidden friction in this new speed: a massive accountability and decision gap.
Business leaders want to move capability and decisions closer to the work. It makes sense, but without the wider context, we have a large gap in understanding around accountability and responsibility. Without this clarity, we in ICT naturally resist. After all, baked into our bones are decades of understanding and responsibility regarding the risk and safety of technology use, and we are not currently seeing anything in this new "credit card" approach that alleviates those concerns.
This is not an "us vs them" scenario, or even a "Shadow ICT" (and now "Shadow AI") challenge - although those are certainly the symptoms. This is a profound lack of clarity around accountabilities and the responsibilities that come with them. If the business can deploy SaaS services with little or no need for the tech teams' involvement, what is each (business and ICT owners) accountable for now - and to whom?
The Missing Pieces of the SaaS Migration
Don't get me wrong here, I am totally for moving this decision closer to the work. For the business to move fast, they need the freedom to make decisions closer to the coalface than traditionally provided by the old accountability models.
The business wants to lean into the direct relationship with the SaaS vendor, and fair do. They are digitally savvy, after all, and this is not a large technology deployment anymore. It is a configuration exercise - and mostly, it is business capability configuration.
But, what accountabilities are not being moved with that configuration?
What about PII risk? Cyber safety and reputational risks? Technology redundancy and obsolescence costs? Data quality and ROT (Redundant, Obsolete, Trivial data)? If the business assumes they do not own these, and ICT assumes they do, what then?
I think one of the fundamental challenges here is that we have not actually paused to talk, consider, and articulate these accountabilities. We haven't asked who owns them, and why. Nor have we checked if we all even agree that they are still real, relevant, and right in this modern context. Without this understanding, we Ass-U-Me.
Agency: The Antidote to Avoidance
Unclear accountabilities in this new SaaS world present a fundamental challenge to opening up business self-service safely. Starting a conversation on these opens up opportunities for acceptance, understanding, and collaboration, as trust and assurance start to grow across the whole business.
But a conversation is not enough. It needs to come with the capability to action.
For a business leader to truly accept responsibility for adding, changing, or growing a new platform - and the related accountabilities that come with it - they must first have the visibility and capability to manage those associated risks - they need agency.
Accountability without agency is just a recipe for avoidance - and this is exactly what we are seeing today.
This isn't about throwing a governance manual or policy at a business unit and wishing them luck. Governance is just one of the tools we have. This is about agency.
The new ICT enablement game isn't about "doing the IT" for the business - that has mostly gone with SaaS. It is about providing the context and tooling that allows the business to see and manage the risks they now own, and to make decisions at the speed they choose to move.
ICT will have a clear, understood, and agreed set of accountabilities too; the Board is still looking to the CIO for assurance across our ecosystem. I am sure that these new-era accountabilities are now less onerous than we are assuming from our past, pre-SaaS experiences. We are no longer protecting the digitally ignorant - these are our digitally savvy peers.
ICT's role shifts from a gatekeeper to a provider of context and platform "safety rails."
This architecture allows a business leader to own, and have agency for, their data inputs and outcomes, and the related quality, because the context is visible and the management is simple and attainable. ICT maintains its own accountability to the board - managing platform risks, security, and systemic integrity - while empowering the business to drive forward safely.
Shifting the Dial: From Gatekeeper to Enabler of Value
Take AI as a hot conversation that is currently sitting right in the middle of this change. As highlighted in the Deloitte "State of AI in the Enterprise 2026" report, the gap between AI deployment and governance maturity is widening. Only 21% of organisations have a mature model for the autonomous agents they are currently deploying. The end result? "Shadow AI" and accountability gaps (and related risks) appearing throughout the organisation.
ICT has a key role to play in bridging this gap with the right context and tooling for the business owners of these agents - delivering Safe Self-Service capabilities. You own it and have agency to manage it.
I relish this as a technologist. So often, the unstated thought is "I don't know how the tech works, so this is ICT's problem" simply because the actual owner of the application, data, and outcomes does not know, nor have the ability to affect, these things. Historically, only ICT did.
This change moves that "Ownership" of the problem exactly where it should be: with the people who have a stake in the outcomes.
I have seen what happens when this agency is achieved in real life. When you share the context with the actual business owner, and give them the ability to influence it, they lean in - way in. The avoidance we see is not about pushing away from responsibility; it is simply this lack of agency.
To be clear, I don't think there are any bad actors in this situation. The landscape has changed, but our ways of farming it have not. We all want this clarity.
By baking this "Accountability by Design" into our thinking, from the exec tables down, and into the tools themselves - through automated auditing, transparent reporting, most-things-as-code, and clear workflow - the business is truly empowered. They can safely and visibly make context-driven decisions, generating value without the fear of hitting a "hidden" regulatory or risk cliff ahead.
What if ICT empowers and enables this? We unlock the ability for the business to reach for the new value they are looking for, as and when they need, through safe self-service - agency.
Five Strategies for Integrated Accountability
So, how can we approach this practically? MIT Sloan Management Review recently published a set of five strategies that outline a framework we should think on: "The Three Obstacles Slowing Responsible AI".
While their focus is Responsible AI, these strategies should be considered for the wider "right-click deploy" SaaS ecosystem - after all, AI is simply becoming an embedded part of this ecosystem anyway.
To move decisions closer to the work effectively, we must adopt these five strategies for "Ethical Judgment" over simple compliance:
- Structure Ownership at the Point of Impact: Shift the "Who owns the risk?" question from the IT department to the business lead, who actually owns the outcome.
- Hardwire Guardrail controls into the Tooling: Use platforms that provide "audit-as-you-go" capabilities, so compliance is a by-product of the work, not a burdensome extra step - building visibility and trust.
- Align Ethical Risk with Business Risk: PwC's 2025 RAI survey shows 58% of leaders see RAI as a tool for positive ROI. Safe AI is simply more profitable AI. (While this is RAI specific, it has wider implications as an approach that provides the oversight needed in this rapidly changing SaaS ecosystem we are now in.)
- Reward Responsible Innovation: Foster a culture where "right-click deploy" is celebrated because it happens within a governed framework.
- Practice Ethical Judgment: Move the conversation from "Is it legal?" to "Is it right for our context?" This requires specialists embedded in business squads, not hidden away in an ICT ivory tower.
The New Architecture of Trust
When I understand what I am accountable for - whether I am the business owner or the ICT enabler - I can understand, and articulate to others, what I need in place and why. I can trust moving the decision boundary closer to the work.
Simple, efficient, and effective capability allows the business to articulate why they need a specific move and what controls they have in place to manage it. This isn't about red tape; it's about the articulation of safety that allows us to go faster with assurance.
As Wolters Kluwer noted in February 2026, "Speed vs. defensibility is a false choice". When the guardrails are baked in, you don't have to slow down to be safe.
Upfront "Accountability by Design" isn't a handbrake; it's the scaffold that allows the business to scale safely and with speed. ICT's new role is to enable safe, transparent, fast value. To provide the business the context and tools that make owning the risk accountability as simple as clicking "deploy."
This is about the Why, What, and Who of accountabilities - once we have this, the How becomes clear and straightforward.
