You've asked a bunch of questions and some are relatively painless to answer.
Yes, there are relatively inexpensive tools that you can buy to edit ribbons with.
Absolutely, you can edit the zip file's xml components but as you discovered, it won't work if you make a mistake with the code. Editing the zip file is easy but it is also easy to make a mistake which prevents the ribbon code from loading.

It is possible to create ribbon customisations that don't require vba code. So in that case your dotx/docx file is already safe and therefore trusted. However most customised ribbons do make use of code and the authoring of vba code is easier than the authoring of ribbons. Assuming your customisation requires code then (as recommended by Italophile) you would sign the code in the file and install the public key certificate on your user's machines so they can see the file is trusted.

__________________
Andrew Lockton
Chrysalis Design, Melbourne Australia

Thanks for the detailed explanation!

I’ve been thinking about how to handle deploying macros in an organization, especially with the rise of AI-generated code. Do you have any suggested workflows for rolling out new macros to multiple users?

I ask because I’ve seen cases where users rely on AI to generate VBA code, and while it’s great for quick solutions, it can also lead to security issues. For example, I once came across a Word macro that someone created using AI—it automatically searched selected text on Google. At first glance, it seemed harmless, but it ended up triggering antivirus alerts because it was flagged for potentially malicious behavior (turned out there was a trojan in the code).

So, I’m curious:

How do you balance the convenience of AI tools with the need for secure, reliable macros?

Do you have any tips for ensuring macros are safe before deploying them across an organization?

Looking forward to hearing your thoughts!

Ban the use of code generated by Artificial Idiocy.

• Always write the code yourself.
• Never use code from the internet unless you fully understand what each line does.
• Get a code signing certificate and sign your code.
• Set macro security to "Disable all macros except digitally signed macros"
• Accept that there is no such thing as "safe", there are only managed risks.
• Accept that it will be necessary to educate the organization's IT staff as they will be risk averse by default.

Thank you for sharing your insights and advice on balancing the convenience of AI tools with the need for secure and reliable macros.

Your emphasis on understanding code, using code signing certificates, and managing risks is invaluable. I also appreciate your practical tips, such as setting macro security to disable unsigned macros and the importance of educating IT staff.

Your perspective on managed risks and the proactive steps you outlined are incredibly helpful for anyone navigating this space. Thanks again for your thoughtful contribution!