Codenotary CEO deploys 140,000-line mainframe bulletin board as executive shadow IT bypasses the developer queue
The C-suite is adopting Claude and Cursor to generate production systems, shifting the bottleneck from engineering capacity to security auditing.
One hundred and forty thousand lines of code, five hundred active users, and exactly ten lines written by a human. The system is a bulletin board for IBM 3270 mainframe terminals, deployed in March by Codenotary chief executive Moshe Bar. Bar is not a programmer, but he is running a secure production system that has yet to experience downtime. The C-suite has historically relied on enterprise engineering queues to build and maintain internal tooling. They are now using agentic orchestrationThe automated configuration, coordination, and management of complex computer systems, often required to stitch together multiple APIs, models, and databases into a single workflow. to bypass the developer bottleneck entirely, deploying undocumented software straight to the network.
The mechanism is direct prompt-to-production deployment. Instead of filing tickets and waiting for sprint planning, executives are wiring Claude and Cursor directly to their existing backend services. OutSystems chief executive Woodson Martin rebuilt his own mobile briefing application twice—once with Claude and once with internal tools—simply to avoid explaining the requirements to a developer who was supposed to build it. The traditional enterprise software lifecycle assumes a translation layer between business requirements and functional code. That layer is being collapsed into a single prompt window, completely sidestepping the architecture review board.
The scale of these deployments breaks traditional shadow IT models. Bar’s mainframe application runs on 23 megabytes of memory and avoided an estimated $400,000–$500,000 in engineering costs per developer. At Zapier, chief executive Wade Foster connected the company’s internal SDK to Cursor to generate a personal agent that handles authentication and API routing without human oversight. The applications are not wireframes or mockups; they are stateful, persistent systems managing live corporate data and serving hundreds of concurrent sessions.
The winners are the executives reclaiming their own operational velocity, achieving a time-to-market compression that Bar estimates has shrunk from three years down to three months. The losers are the enterprise security and infrastructure teams who inherit the risk. These generated applications are rarely hardened against attack, often lack baseline audit controls, and are inevitably handed off to the chief technology officer for maintenance the moment they require complex database migrations or persistent memory scaling.
What this shift forecloses is the assumption that engineering capacity is the hard limit on internal enterprise tooling. What it opens is a fundamentally unmanageable security perimeter. When the chief executive is deploying undocumented, agent-generated code into production, the architecture diagram is no longer a planning document. It is merely a suggestion of what might be running on the network.