🤖 AI Summary
The widespread adoption of low-code platforms within DevOps environments has exposed systemic gaps in security and governance. Drawing on semi-structured interviews with twelve practitioners experienced in both low-code development and DevOps, this study employs grounded theory for qualitative analysis to uncover, from a practitioner perspective, the “efficiency–security” paradox inherent in their integration: while low-code accelerates automation and delivery speed, it concurrently amplifies security vulnerabilities and compliance risks. The findings underscore the necessity of proactive security mechanisms and a collaborative governance culture to reconcile development agility with system resilience. This work thus provides both theoretical grounding and practical guidance for designing effective security governance frameworks tailored to low-code DevOps contexts.
📝 Abstract
DevOps has become a dominant paradigm in modern software engineering, while low-code development platforms (LCDPs) are increasingly adopted to streamline software development. The integration of these approaches promises efficiency gains but also raises critical concerns regarding security and governance. Despite their growing use, insufficient attention has been given to the implications of these platforms for security and governance in DevOps environments. This study investigates practitioners' perspectives on the security and governance implications of LCDPs in DevOps environments. Twelve semi-structured interviews were conducted with IT professionals experienced in low-code and DevOps practices. The data were analyzed using a grounded theory approach to identify emergent themes. Findings reveal that LCDPs help automate tasks; however, they also increase security risks and governance challenges, highlighting the need for robust practices and a security-conscious culture. This study suggests that the intersection of DevOps and LCDPs requires careful governance and proactive security practices. Addressing these issues is essential for organizations to unlock the potential of LCDPs while safeguarding resilience, compliance, and developer needs.