The Lotus Notes Problem and the Rise of the Citizen Developer

Opinions expressed in this article are not representative of my employer

I haven’t pondered Lotus Notes in at least a decade. Recently, it came up in a conversation with some of my peers in my network: the context was that “vibe coding” (using AI to build meaningful applications) may lead to massive application sprawl and shadow IT, not unlike “the Lotus Notes Problem.”

It seems that mentioning Lotus Notes in a conversation invites ridicule and ageism: I can’t imagine anyone under forty knowing what it is.

Lotus was an early business software pioneer, best known for its innovative spreadsheet software, Lotus 1-2-3. Lotus also built an innovative collaboration platform called Lotus Notes (later called IBM Notes, HCL Notes, and Domino), which IBM deemed strategically essential to acquire Lotus in 1995:

“Lotus will be a very critical and important part of IBM and IBM’s growth strategy,” IBM chairman Louis V. Gerstner Jr. said Sunday. Together, industry analysts said, IBM and Lotus should be well-positioned to battle it out with software leader Microsoft Corp.

Lotus Notes (and later Lotus Domino) combined a document-oriented database with a rapid application development environment. They had a forms designer tool, and a programming language called Lotus Script.

To put it in more modern terms, Lotus Notes was a cross-platform distributed document-oriented NoSQL database, messaging framework, and rapid application development environment. It included built-in basics like email and calendar. It allowed for almost infinite expandability through low-code development.

Business users could use the software to graphically design forms, views, and workflows and add logic via Lotus Script. Notes stores design and data in the same Notes app file called NSF. The app was replicated alongside its data, and as it was the age of client-server computing, it existed simultaneously on both the client and server.

Even application design elements are replicated to users’ desktops just like data, making it easy to deploy and keep applications up to date. In other words, a Notes developer could deploy their application, and each user’s Notes client would automatically sync it.

This architecture, comprised of rich client apps with offline-capable, peer-to-peer replication, allowed business units to quickly build and distribute custom solutions without needing a formal deployment pipeline.

Crucially to its success, Notes acted as an all-in-one low-code development and runtime platform. Unlike dedicated email servers or line-of-business applications, it lets users define new workflows on the fly. It allowed a small team, or even an individual, to create a working, meaningful enterprise application and deploy it company-wide within hours or days.

The flip side of empowering business users was chaos for IT, which lost visibility and control. Each department could produce bespoke databases and applications without formal change control. The GSA inspector general noted:

Over the years, GSA has accumulated thousands of Lotus applications on an office-by-office basis; one former GSA official, speaking on background, said many of those applications were developed with no central oversight, or even knowledge of their existence.

A CIO columnist observed that business units would take matters into their own hands, leading to proliferation of applications that lacked enterprise integration:

[..] ungoverned and uncontrolled hodgepodge jumble of applications that lacked the cohesion and integration necessary to help the business units or the enterprise over the long run.

Common governance issues included:

• Thousands of small Notes databases emerged, and each team solved local problems. In fact, as an intern at IBM, I built a bug tracking tool in Lotus Notes. In UN field missions, even telephone billing was handled by dozens of different local Notes solutions; a unified eBilling project aimed to replace “hundreds of different databases on multiple platforms” with one system;

• Without standards, different groups built slightly different apps for the same function, leading to redundant processes and inconsistent data;

• IT had to eventually support or migrate these apps. Upgrades, backups, or disaster recovery were difficult when apps lived on individual machines. In some cases, crucial business logic was embedded in untracked and ungoverned files in a random individual’s files on their PC;

• Many Notes apps bypassed corporate security governance, creating risks of data leaks;

• By today’s terminology, Notes deployments were classic shadow IT. Citizen-developed solutions existed parallel to official systems, eventually requiring IT-driven consolidation or replacement

In other words, what made Lotus Notes successful with end users also fostered an environment where thousands of custom apps could silently proliferate across an enterprise, resulting in massive governance headaches.

Today’s low-code platforms like Microsoft Power Apps and Salesforce Lightning address similar business demands in different contexts. The client-server model is long dead. Modern platforms are cloud-based SaaS with centralized control. For example, Power Apps runs on Azure and ties into Azure Active Directory. Modern low-code platforms offer rich visual designers and built-in business components that focus on the architecture and simplify integration and deployment.

Modern platforms incorporate enterprise-grade identity and security. For example, Microsoft Power Apps can enforce Azure AD authentication and conditional access. Modern platforms emphasize IT-sanctioned citizen development instead of the perceived chaos of Notes-era sprawl.

A recent Gartner survey predicted that by today, citizen developers would outnumber professional developers 4:1! Even Microsoft warns that citizen development can easily slide into shadow IT without governance. While tools have matured, many of the governance lessons from the Lotus Notes era still apply.

The latest evolution of the “Lotus Notes Problem” is vibe coding. A developer uses AI to generate software via natural language prompts in this model. There are reports in the media about meaningful apps built by otherwise non-professional developers. A non-technical entrepreneur can, at least in theory, make a working web application in hours by guiding chatbots with prompts. Vibe coding lets users describe a desired function and let an LLM produce the code.

The surge in AI-generated development further democratizes app creation. The process is iterative: the user prompts the AI, the AI writes the code, the user reviews it, adjusts the prompt, and so on. The net result is that those without training can build sophisticated prototypes or even MVPs by vibe coding.

In the enterprise, vibe coding raises fresh concerns about “shadow IT.” The code produced by AI varies significantly in quality and security. Though it speeds up development, it still relies on human expertise. The same problems of unchecked development recur in a new form. If business users can now prompt chatbots to build apps, IT must grapple with unknown AI-generated code behind the scenes.

Back in 2015, I wrote that the answer to shadow IT is not unenforceable standards or costly governance. The correct answer is enablement. IT, that is, should not stop at infrastructure as it often does. IT needs to be elevated higher in the value chain to the level of business capability platforms, not merely DevX and infrastructure platforms. As such, IT can own the ecosystem and let citizen developers build apps on top of it.

IT needs to become the owner of the business platform, and rather than restricting the apps that can be built on top of it, enable as many to be built as needed by the business.

Some Final Thoughts

The story of Lotus Notes teaches us that empowering users to build their own tools is a double-edged sword. It fosters innovation and agility, but without governance, it leads to fragmentation, inconsistency, and risk. Today’s low-code platforms and emerging AI-driven “vibe coding” tools bring these same dynamics into sharper focus. IT must shift from gatekeeping to enabling. It must provide higher-level business platforms, embed governance into the ecosystem, and foster responsible innovation. The goal isn’t to stop citizen development but to guide it in ways that serve both business agility and enterprise integrity.