ING Bank: Citizen Development Center of Excellence

When business teams start building their own tools, organizations face a choice: lock it down and kill innovation, or let it run and accept the risk. At ING, with automation adoption accelerating across more than 30 countries, neither option was acceptable.

Business units were building apps, flows, and RPA bots at speed - but without ownership models, risk classification, or compliance controls. There was no standardized way to assess what was being built, who was responsible for it, or whether it met the bank's regulatory obligations under frameworks like GDPR, DORA, and internal EUC policies. The result was a growing inventory of ungoverned tools, inconsistent practices across geographies, and compliance exposure that scaled with every new automation.

The organization needed a structured way to enable citizen development without losing control, a governance model that worked at the scale of a global bank.

We designed and rolled out a Citizen Development Center of Excellence (CoE) from the ground up, built to operate across ING's global footprint:

• A Target Operating Model (TOM) defining roles, responsibilities, and escalation paths across business and IT, making clear who owns what at every stage of an automation's lifecycle
• A data classification and ownership governance framework for end-user computing (EUC), ensuring every tool was assessed for data sensitivity, access controls, and regulatory alignment before going into production
• Standardized governance templates across low-code, RPA, and AI-assisted tools, so teams across geographies worked from the same baseline
• Cross-functional coordination across teams in the Netherlands, Slovakia, Poland, and the Philippines, with the CoE acting as the connective layer between central compliance, IT security, and business operations

Critically, the CoE was designed as a service function, not a control function. Business units could come to it for support, not just for approval. That distinction made the difference between a governance model people worked with and one they worked around.

• 30+ countries operating under a unified governance framework
• Global standardization of automation practices across low-code, RPA, and AI tools
• Measurable reduction in compliance exposure from ungoverned citizen-built tools
• Operating model adopted as the standard for ING's enterprise automation program

Key Learnings

• Governance without enablement fails. The moment the CoE became a blocker rather than a partner, adoption dropped. Speed of approval and clarity of process were as important as the controls themselves.
• Data classification is the hardest part - and the most important. Most citizen development risks trace back to tools handling data they should not, owned by people who do not know they are responsible. Getting this right before scaling is non-negotiable.
• Scale requires standardization, not uniformity. Different business units had different risk profiles and different tool preferences. The framework had to accommodate that without creating governance gaps.
• Every governance pattern we saw at ING, we keep seeing at our clients today with vibe coding: ownership mapping, classification tiers, maturity scoring, policy enforcement, security controls, etc. We did not design NEKOD in theory. We built it from five years of doing this inside one of Europe's largest banks.