Ask an enterprise how long it takes to build a new application from scratch, and the honest answer is that the first API alone takes three to six weeks, often longer. Not because the API is hard, but because of everything an engineer has to build, secure and maintain around it.

That gap, between the capability you actually want and the infrastructure, integration and compliance work you take on to get it, is why kis.ai exists. This is the story of the platform, and of why keeping IT simple turned out to be an architecture decision.

How enterprises build software in 2026

Enterprise delivery is still a waterfall, a sequence of handoffs. It starts with a business requirements document. Consultants write the functional spec, architects the technical design, designers the mockups. Only then do developers begin to build. Testing follows, then integration, UAT, and a final handoff to production. Security and compliance come last, a review at the end of work they should have shaped from the start.

Every handoff loses context, and leaving those constraints to the end means fixing them exactly where change is most expensive.

The first API, and everything it drags behind it

“Build the first API” sounds like one task. It is not. Before an engineer writes the behavior anyone asked for, they settle the language, framework, runtime, infrastructure, authentication, authorization, configuration, database and storage, CMS, observability, and the security and compliance controls that wrap all of it. None of that is the feature, and every team pays for it again, from scratch, on the next project.

By the time it is wired together, tested and reviewed, you are three to six weeks in and holding 3,000 to 5,000 lines of code and infrastructure config that now belong to you. Forever.

The same API, composed from pre-built services

kis.ai takes a different route. You do not build that layer; you compose the application from services that already exist.

This first API needs only a handful of them: IAM for authentication and authorization; Data to define the API and its data in YAML; Content for images, video and documents. The platform has many more services, and an application uses only the ones its requirements call for.

So the same API is not 3,000 to 5,000 lines of code. It is five or six YAML files, 150 to 300 lines in total, describing which services it uses and how they should behave.

Put the cross-cutting concerns in shared services, and a new requirement becomes a configuration change instead of a new project.

When requirements change (they always do)

No application is built once and left alone. Watch what each new requirement costs, in code versus in configuration.

Single sign-on instead of usernames and passwords. In code, it is a project: pick a protocol, wire the identity provider, migrate accounts, re-test every path that touches auth. On kis.ai, the IAM service already speaks SSO, so you name the provider in configuration and the service enforces it. Three to five lines of change in the config file.

Portable, multi-cloud identity: support Azure Entra ID and AWS IAM without locking to either. In code, you build one integration, then a second, then a defensive layer to stay provider-agnostic for requirements that do not exist yet, usually the most brittle code you own. On kis.ai, provider-agnostic identity is what the IAM service is for. Each provider is a few lines of configuration.

Move on-prem, air-gapped. In code, this reopens everything: networking, secrets, storage, identity, deployment, data residency. It is not a change, it is a second build for a new environment. On kis.ai, the same application runs where you point it, in the cloud, on-prem or air-gapped, on AI-managed infrastructure across Azure, AWS, GCP or bare metal. A few hundred lines of configuration.

The business asks for In code On kis.ai
SSO instead of passwords 3,000–4,000 lines over 2–3 weeks 3–5 lines in the config file
Portable, multi-cloud identity tens of thousands of lines over 1–2 months a few lines per provider
Move on-prem / air-gapped a second build over months a few hundred lines of config

These are ranges from real systems, not a benchmark. The order of magnitude is the point.

Why “keep IT simple” is an architecture decision

Simplicity here does not mean fewer features. It means less code standing between intent and behavior.

Carry the cross-cutting concerns once in shared services, and your team spends its code budget on what is genuinely yours. Fewer lines is less to secure, less to patch, and fewer integration seams, which is where most production failures occur.

Compliance from the first line, not the last review

Because every application is composed from the same governed services, the controls auditors care about are present from the start, not retrofitted at the end.

Identity runs through IAM. Every action lands in an append-only, tamper-evident audit trail with data and change lineage. However the app was built, each release is versioned, tested, and carries an SBOM and build provenance, so what shipped is traceable to where it came from.

The platform holds ISO 27001, ISO 22301 and SOC 2 Type II, and is aligned to HIPAA, GDPR and DORA. The review at the end is short because the controls were never bolted on.

From waterfall to a short loop

Put it back together, and the waterfall collapses into a loop.

Before · the waterfall
BRD Functional spec Technical design Mockups Build Test Integrate UAT Production Security & compliance
Compliance built in
After · the short loop
Compose with Anica Build Test Runtime: deploy, run, guard many times a day
Same outcome, far fewer handoffs. Compliance stops being a gate at the end and becomes a property of every service.

A product manager composes the application from plain-language intent with Anica (our AI copilot); where it needs production UI and integration, that is AI App Forge; engineers who want full control use AI Platform Engineering. However it was built, each release is versioned, tested, and carries an SBOM and build provenance, then deploys unchanged to the Runtime, which runs and guards it in production, on-prem or air-gapped.

A medium application that took three to six months now takes two to four weeks, and the security review is short because compliance was a property of how it was built.

The point

The costly part of enterprise software was never the feature. It was the volume of code and process each feature dragged behind it, and the way every change in requirements made you pay for it again.

Keep the information technology simple, and everything built on it is cheaper to secure, faster to change, and easier to prove compliant. That is the argument, and the name: kis.ai, Keep IT Simple.