Why Technology Governance & Security Sometimes Has to Say “No” And Why Unstructured Code Is Now a Business Risk

Technology Governance & Security teams are often painted as the people who slow things down or block innovation. But the truth is far simpler: they’re not saying “no” to innovation — they’re saying “no” to unnecessary risk.

And in a world where attackers now target the tools we trust most, that distinction matters more than ever.

The Myth: Governance Blocks Innovation

Modern organisations run on a chaotic mix of automation scripts, open‑source libraries, personal projects, AI‑generated code, and developer‑installed packages. Individually, these feel harmless. Collectively, they create an unbounded attack surface.

Technology Governance & Security isn’t trying to stop people from using Python, PowerShell, or automation tools. They’re trying to stop:

  • untracked scripts running on unmanaged laptops
  • dependencies pulled from unknown sources
  • code with no provenance entering production
  • supply‑chain malware hiding inside “trusted” libraries

Governance isn’t about control — it’s about containment.

The Python Ecosystem Has Become a Target-Rich Environment

Recent attacks have shown just how fragile the open‑source supply chain can be.

1. The PyPI/NPM Cross‑Ecosystem Attack

Attackers uploaded malicious Python packages that mimicked legitimate ones through typo‑squatting. These packages delivered credential theft, persistent remote access, and Windows Defender tampering. Developers installed them unknowingly because the names looked legitimate.

2. The LiteLLM Compromise (2026)

A hugely popular Python library used across AI and automation workflows was hijacked. Attackers injected malicious code into the release pipeline, causing RAM exhaustion, system freezes, and credential exfiltration.

3. The Trivy → LiteLLM Supply‑Chain Cascade

Trivy, a vulnerability scanner used to detect supply‑chain attacks, was itself compromised. Attackers used it to steal publishing credentials and poison LiteLLM releases. This is the new reality: attackers don’t hack your servers — they hack your dependencies.

Why Unstructured Code on Unmanaged Machines Is a Governance Nightmare

When developers run Python scripts from GitHub, StackOverflow, or AI tools on unmanaged devices, they bypass every safeguard the organisation relies on.

  • No dependency pinning — version drift becomes an attack vector
  • No provenance — malicious packages look legitimate
  • No endpoint controls — malware hides in user space
  • No CI/CD validation — poisoned code runs unchecked
  • No audit trail — investigations become impossible
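To make the "no dependency pinning" and "no provenance" gaps concrete, here is an added example (not code from the original post or from Fredian Shield) of the kind of lightweight check a governance team can run over a `requirements.txt` before it reaches CI. It flags requirements that are not pinned to an exact version, pinned requirements that carry no `--hash` (so pip cannot verify the artifact it downloads), non-default package indexes, and package names within one edit of a vetted name, which is how the typo-squatted packages described above slip past a developer. The allow-list `KNOWN_PACKAGES`, the sample requirements text, the `.invalid` index host and the all-zero/all-one hash values are constructed for the example; in practice the allow-list would come from an internal registry or a reviewed lock file.

```python
import re

# Hypothetical allow-list of packages the organisation has vetted (constructed).
KNOWN_PACKAGES = {"requests", "urllib3", "numpy", "litellm", "pyyaml"}

# Constructed sample requirements file with deliberate problems:
# a foreign index, an unpinned range, a transposed-letter package name, a bare name.
# Hash values are placeholders, not real digests.
SAMPLE_REQUIREMENTS = """\
--extra-index-url https://pypi.example.invalid/simple
requests==2.32.3 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
urllib3>=2.0
reqeusts==2.32.3 \\
    --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111
numpy
"""

# name, optional [extras], then everything else (specifier, markers, hashes)
REQ_RE = re.compile(r"^([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)(\[[^\]]*\])?\s*(.*)$")
HASH_RE = re.compile(r"--hash=(\w+):([0-9A-Fa-f]+)")
INDEX_OPTIONS = {"-i", "--index-url", "--extra-index-url"}


def normalize(name):
    """PEP 503 name normalisation: case-fold and collapse runs of - _ . to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions,
    so 'reqeusts' is one step from 'requests'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def _logical_lines(text):
    """Yield (first_line_no, joined_text), honouring backslash continuations
    and stripping pip-style comments."""
    buf, start = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()
        if not buf and not line.strip():
            continue
        if start is None:
            start = no
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line.strip())
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:
        yield start, " ".join(buf)


def audit_requirements(text, known=KNOWN_PACKAGES, max_distance=1):
    """Return a list of (line_no, kind, detail) findings for a requirements file."""
    known_norm = {normalize(k) for k in known}
    findings = []
    for no, line in _logical_lines(text):
        if line.startswith("-"):
            opt = line.split()[0].split("=", 1)[0]
            if opt in INDEX_OPTIONS:  # packages may now come from an unvetted source
                findings.append((no, "index", line))
            continue
        m = REQ_RE.match(line)
        if not m:
            findings.append((no, "unparsed", line))
            continue
        name, rest = normalize(m.group(1)), m.group(3)
        if name not in known_norm:
            near = sorted(k for k in known_norm if osa_distance(name, k) <= max_distance)
            kind = "typosquat" if near else "unknown"
            findings.append((no, kind, f"{name} resembles {near}" if near else name))
        spec = rest.split("--hash", 1)[0].split(";", 1)[0].strip()
        pinned = spec.startswith("==") and "*" not in spec and "," not in spec
        if not pinned:
            findings.append((no, "unpinned", f"{name} {spec or '(no version)'}"))
        elif not HASH_RE.findall(rest):
            findings.append((no, "no-hash", name))  # pinned, but artifact unverifiable
    return findings


if __name__ == "__main__":
    for line_no, kind, detail in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {line_no:>3}  {kind:<10} {detail}")
```

Run against the constructed sample, the audit reports the extra index on line 1, the unpinned `urllib3` range on line 4, the `reqeusts` name that is one transposition away from `requests` on line 5, and the bare `numpy` on line 7; the correctly pinned and hashed `requests` line produces no finding. A check like this is cheap to run as a pre-commit hook or CI step and gives investigators the audit trail the last bullet above says is otherwise missing.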

This is why Technology Governance & Security sometimes has to say “no.” Not because they dislike Python. Not because they want control. But because ungoverned code is now a direct business risk.

Governance Isn’t Anti‑Python — It’s Anti‑Chaos

Python, PowerShell, R, Bash, and AI‑generated code are all powerful tools. But power without structure becomes fragility.

Technology Governance & Security teams are responsible for ensuring code is traceable, dependencies are validated, environments are controlled, and supply‑chain risks are mitigated. They’re not blocking innovation — they’re protecting the organisation from invisible threats hiding inside the tools we love.

The Real Message

If the last two years of supply‑chain attacks have taught us anything, it’s this: innovation without governance isn’t innovation — it’s exposure.

Technology Governance & Security isn’t the department of “no.” It’s the department of “not like that — because we want you, and the organisation, to stay safe.”

Neil Manfred
Founder, Fredian Shield

Executive IT leader, IoD Certified Director, and Non-Executive Director in public education. Founder of Fredian Shield — helping regulated organisations adopt AI responsibly. 30+ years at the sharp end of technology leadership.
