[{"data":1,"prerenderedAt":985},["ShallowReactive",2],{"/en-us/the-source":3,"footer-en-us":35,"the-source-banner-en-us":369,"the-source-navigation-en-us":375,"the-source-newsletter-en-us":398,"featured-article-en-us":405,"authors-en-us":449,"categories-en-us":489,"the-source-ai-landing-category-en-us":490,"the-source-security-landing-category-en-us":515,"the-source-platform-landing-category-en-us":537,"hero-most-recent-articles-en-us":559,"ai-landing-most-recent-articles-en-us":675,"security-landing-most-recent-articles-en-us":715,"platform-landing-most-recent-articles-en-us":815,"the-source-ai-landing-resources-en-us":906,"the-source-security-landing-resources-en-us":935,"the-source-platform-landing-resources-en-us":960},{"id":4,"title":5,"body":6,"category":6,"config":7,"content":9,"description":6,"extension":26,"meta":27,"navigation":28,"path":29,"seo":30,"slug":6,"stem":33,"testContent":6,"type":6,"__hash__":34},"pages/en-us/the-source/index.yml","",null,{"layout":8},"the-source",[10,12,17,22],{"componentName":11},"TheSourceLandingHero",{"componentName":13,"componentContent":14},"TheSourceLandingCategory",{"config":15},{"category":16},"ai",{"componentName":13,"componentContent":18},{"config":19},{"category":20,"theme":21},"security","surface",{"componentName":13,"componentContent":23},{"config":24},{"category":25},"platform","yml",{},true,"/en-us/the-source",{"title":31,"description":32},"The Source: Insights for the future of software development","Your decision-making partner for transformative strategies and expert technology advice.","en-us/the-source/index","XG89aFwXiQwjI_pkdcM-ndrKQuKJyGxAvVaK_zPQEYc",{"data":36},{"text":37,"source":38,"edit":44,"contribute":49,"config":54,"items":59,"minimal":358},"Git is a trademark of Software Freedom Conservancy and our use of 'GitLab' is under license",{"text":39,"config":40},"View page source",{"href":41,"dataGaName":42,"dataGaLocation":43},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/","page source","footer",{"text":45,"config":46},"Edit this page",{"href":47,"dataGaName":48,"dataGaLocation":43},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/-/blob/main/content/","web ide",{"text":50,"config":51},"Please contribute",{"href":52,"dataGaName":53,"dataGaLocation":43},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/-/blob/main/CONTRIBUTING.md/","please contribute",{"twitter":55,"facebook":56,"youtube":57,"linkedin":58},"https://twitter.com/gitlab","https://www.facebook.com/gitlab","https://www.youtube.com/channel/UCnMGQ8QHMAnVIsI3xJrihhg","https://www.linkedin.com/company/gitlab-com",[60,117,174,233,296],{"title":61,"links":62,"subMenu":78},"Pricing",[63,68,73],{"text":64,"config":65},"View plans",{"href":66,"dataGaName":67,"dataGaLocation":43},"/pricing/","view plans",{"text":69,"config":70},"Why Premium?",{"href":71,"dataGaName":72,"dataGaLocation":43},"/pricing/premium/","why premium",{"text":74,"config":75},"Why Ultimate?",{"href":76,"dataGaName":77,"dataGaLocation":43},"/pricing/ultimate/","why ultimate",[79],{"title":80,"links":81},"Contact Us",[82,87,92,97,102,107,112],{"text":83,"config":84},"Contact sales",{"href":85,"dataGaName":86,"dataGaLocation":43},"/sales/","sales",{"text":88,"config":89},"Support portal",{"href":90,"dataGaName":91,"dataGaLocation":43},"https://support.gitlab.com","support portal",{"text":93,"config":94},"Customer portal",{"href":95,"dataGaName":96,"dataGaLocation":43},"https://customers.gitlab.com/customers/sign_in/","customer portal",{"text":98,"config":99},"Status",{"href":100,"dataGaName":101,"dataGaLocation":43},"https://status.gitlab.com/","status",{"text":103,"config":104},"Terms of use",{"href":105,"dataGaName":106,"dataGaLocation":43},"/terms/","terms of use",{"text":108,"config":109},"Privacy statement",{"href":110,"dataGaName":111,"dataGaLocation":43},"/privacy/","privacy statement",{"text":113,"config":114},"Cookie preferences",{"dataGaName":115,"dataGaLocation":43,"id":116,"isOneTrustButton":28},"cookie preferences","ot-sdk-btn",{"title":118,"links":119,"subMenu":130},"Product",[120,125],{"text":121,"config":122},"DevSecOps platform",{"href":123,"dataGaName":124,"dataGaLocation":43},"/platform/","devsecops platform",{"text":126,"config":127},"AI-Assisted Development",{"href":128,"dataGaName":129,"dataGaLocation":43},"/gitlab-duo-agent-platform/","ai-assisted development",[131],{"title":132,"links":133},"Topics",[134,139,144,149,154,159,164,169],{"text":135,"config":136},"CICD",{"href":137,"dataGaName":138,"dataGaLocation":43},"/topics/ci-cd/","cicd",{"text":140,"config":141},"GitOps",{"href":142,"dataGaName":143,"dataGaLocation":43},"/topics/gitops/","gitops",{"text":145,"config":146},"DevOps",{"href":147,"dataGaName":148,"dataGaLocation":43},"/topics/devops/","devops",{"text":150,"config":151},"Version Control",{"href":152,"dataGaName":153,"dataGaLocation":43},"/topics/version-control/","version control",{"text":155,"config":156},"DevSecOps",{"href":157,"dataGaName":158,"dataGaLocation":43},"/topics/devsecops/","devsecops",{"text":160,"config":161},"Cloud Native",{"href":162,"dataGaName":163,"dataGaLocation":43},"/topics/cloud-native/","cloud native",{"text":165,"config":166},"AI for Coding",{"href":167,"dataGaName":168,"dataGaLocation":43},"/topics/devops/ai-for-coding/","ai for coding",{"text":170,"config":171},"Agentic AI",{"href":172,"dataGaName":173,"dataGaLocation":43},"/topics/agentic-ai/","agentic ai",{"title":175,"links":176},"Solutions",[177,181,186,191,196,200,205,208,213,218,223,228],{"text":178,"config":179},"Application Security Testing",{"href":180,"dataGaName":178,"dataGaLocation":43},"/solutions/application-security-testing/",{"text":182,"config":183},"Automated software delivery",{"href":184,"dataGaName":185,"dataGaLocation":43},"/solutions/delivery-automation/","automated software delivery",{"text":187,"config":188},"Agile development",{"href":189,"dataGaName":190,"dataGaLocation":43},"/solutions/agile-delivery/","agile delivery",{"text":192,"config":193},"SCM",{"href":194,"dataGaName":195,"dataGaLocation":43},"/solutions/source-code-management/","source code management",{"text":135,"config":197},{"href":198,"dataGaName":199,"dataGaLocation":43},"/solutions/continuous-integration/","continuous integration & delivery",{"text":201,"config":202},"Value stream management",{"href":203,"dataGaName":204,"dataGaLocation":43},"/solutions/value-stream-management/","value stream management",{"text":140,"config":206},{"href":207,"dataGaName":143,"dataGaLocation":43},"/solutions/gitops/",{"text":209,"config":210},"Enterprise",{"href":211,"dataGaName":212,"dataGaLocation":43},"/enterprise/","enterprise",{"text":214,"config":215},"Small business",{"href":216,"dataGaName":217,"dataGaLocation":43},"/small-business/","small business",{"text":219,"config":220},"Public sector",{"href":221,"dataGaName":222,"dataGaLocation":43},"/solutions/public-sector/","public sector",{"text":224,"config":225},"Education",{"href":226,"dataGaName":227,"dataGaLocation":43},"/solutions/education/","education",{"text":229,"config":230},"Financial services",{"href":231,"dataGaName":232,"dataGaLocation":43},"/solutions/finance/","financial services",{"title":234,"links":235},"Resources",[236,241,246,251,256,261,266,271,276,281,286,291],{"text":237,"config":238},"Install",{"href":239,"dataGaName":240,"dataGaLocation":43},"/install/","install",{"text":242,"config":243},"Quick start guides",{"href":244,"dataGaName":245,"dataGaLocation":43},"/get-started/","quick setup checklists",{"text":247,"config":248},"Learn",{"href":249,"dataGaName":250,"dataGaLocation":43},"https://university.gitlab.com/","learn",{"text":252,"config":253},"Product documentation",{"href":254,"dataGaName":255,"dataGaLocation":43},"https://docs.gitlab.com/","docs",{"text":257,"config":258},"Blog",{"href":259,"dataGaName":260,"dataGaLocation":43},"/blog/","blog",{"text":262,"config":263},"Customer success stories",{"href":264,"dataGaName":265,"dataGaLocation":43},"/customers/","customer success stories",{"text":267,"config":268},"Remote",{"href":269,"dataGaName":270,"dataGaLocation":43},"https://handbook.gitlab.com/handbook/company/culture/all-remote/","remote",{"text":272,"config":273},"GitLab Services",{"href":274,"dataGaName":275,"dataGaLocation":43},"/services/","services",{"text":277,"config":278},"Community",{"href":279,"dataGaName":280,"dataGaLocation":43},"/community/","community",{"text":282,"config":283},"Forum",{"href":284,"dataGaName":285,"dataGaLocation":43},"https://forum.gitlab.com/","forum",{"text":287,"config":288},"Events",{"href":289,"dataGaName":290,"dataGaLocation":43},"/events/","events",{"text":292,"config":293},"Partners",{"href":294,"dataGaName":295,"dataGaLocation":43},"/partners/","partners",{"title":297,"links":298},"Company",[299,304,309,314,319,324,329,333,338,343,348,353],{"text":300,"config":301},"About",{"href":302,"dataGaName":303,"dataGaLocation":43},"/company/","company",{"text":305,"config":306},"Jobs",{"href":307,"dataGaName":308,"dataGaLocation":43},"/jobs/","jobs",{"text":310,"config":311},"Leadership",{"href":312,"dataGaName":313,"dataGaLocation":43},"/company/team/e-group/","leadership",{"text":315,"config":316},"Team",{"href":317,"dataGaName":318,"dataGaLocation":43},"/company/team/","team",{"text":320,"config":321},"Handbook",{"href":322,"dataGaName":323,"dataGaLocation":43},"https://handbook.gitlab.com/","handbook",{"text":325,"config":326},"Investor relations",{"href":327,"dataGaName":328,"dataGaLocation":43},"https://ir.gitlab.com/","investor relations",{"text":330,"config":331},"Sustainability",{"href":332,"dataGaName":330,"dataGaLocation":43},"/sustainability/",{"text":334,"config":335},"Diversity, inclusion and belonging (DIB)",{"href":336,"dataGaName":337,"dataGaLocation":43},"/diversity-inclusion-belonging/","Diversity, inclusion and belonging",{"text":339,"config":340},"Trust Center",{"href":341,"dataGaName":342,"dataGaLocation":43},"/security/","trust center",{"text":344,"config":345},"Newsletter",{"href":346,"dataGaName":347,"dataGaLocation":43},"/company/contact/#contact-forms","newsletter",{"text":349,"config":350},"Press",{"href":351,"dataGaName":352,"dataGaLocation":43},"/press/","press",{"text":354,"config":355},"Modern Slavery Transparency Statement",{"href":356,"dataGaName":357,"dataGaLocation":43},"https://handbook.gitlab.com/handbook/legal/modern-slavery-act-transparency-statement/","modern slavery transparency statement",{"items":359},[360,363,366],{"text":361,"config":362},"Terms",{"href":105,"dataGaName":106,"dataGaLocation":43},{"text":364,"config":365},"Cookies",{"dataGaName":115,"dataGaLocation":43,"id":116,"isOneTrustButton":28},{"text":367,"config":368},"Privacy",{"href":110,"dataGaName":111,"dataGaLocation":43},{"visibility":28,"title":370,"button":371},"The Intelligent Software Development Era: How AI is reshaping DevSecOps teams",{"config":372,"text":374},{"href":373},"/resources/developer-survey/","Get the research report",{"logo":376,"subscribeLink":381,"navItems":385},{"altText":377,"config":378},"the source logo",{"src":379,"href":380},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1750191004/t7wz1klfb2kxkezksv9t.svg","/the-source/",{"text":382,"config":383},"Subscribe",{"href":384},"#subscribe",[386,390,394],{"text":387,"config":388},"Artificial Intelligence",{"href":389},"/the-source/ai/",{"text":391,"config":392},"Security & Compliance",{"href":393},"/the-source/security/",{"text":395,"config":396},"Platform & Infrastructure",{"href":397},"/the-source/platform/",{"title":399,"description":400,"submitMessage":401,"formData":402},"The Source Newsletter","Stay updated with insights for the future of software development.","You have successfully signed up for The Source’s newsletter.",{"config":403},{"formId":404,"formName":347,"hideRequiredLabel":28},1077,{"id":406,"title":407,"body":6,"category":25,"config":408,"content":412,"description":6,"extension":26,"meta":439,"navigation":28,"path":440,"seo":441,"slug":445,"stem":446,"type":447,"__hash__":448},"theSource/en-us/the-source/platform/more-code-more-bottlenecks-tackling-the-ai-paradox.yml","More Code More Bottlenecks Tackling The Ai Paradox",{"layout":8,"template":409,"featured":28,"author":410,"sourceCTA":411},"TheSourceArticle","gitlab","global-devsecops-report-2025",{"title":413,"description":414,"date":415,"timeToRead":416,"heroImage":417,"keyTakeaways":418,"articleBody":422,"faq":423},"From fragmented tools to faster delivery: A modernization roadmap","AI coding tools speed up development but not delivery. Learn how DevOps, Security, and AI modernization work together to close the gap.","2026-03-05","5 min read","https://res.cloudinary.com/about-gitlab-com/image/upload/v1772560228/bxbyenstqjwgyryegvno.png",[419,420,421],"AI coding tools accelerate code creation, but the work that happens downstream — review, testing, security, deployment — still relies on fragmented tools. More code going in means more pressure on bottlenecks that already exist.","Closing the delivery gap requires three interconnected modernization journeys: DevOps (unified toolchains), Security (continuous and automated), and AI (agents across the full lifecycle, not just coding). Progress in one accelerates the others.","Organizations like Ericsson, Ally Financial, and Barclays are already seeing results by addressing all three dimensions. Use GitLab's five-minute maturity assessments to identify where to start and build a personalized modernization roadmap.","AI is generating code at speeds that were unimaginable three years ago. Unfortunately, the pace of deploying that code to production hasn’t kept up. In fact, AI coding has _slowed_ delivery for many organizations.\n\nThe authors of the [DORA State of DevOps Report](https://dora.dev/research/2024/dora-report/) identified this trend as far back as 2024 when they found that increased AI adoption correlated with lower software delivery throughput and stability. This pattern only intensifies as code volumes grow.\n\nWhat explains this paradox? [Coding represents only about 15%](https://about.gitlab.com/resources/developer-survey/) of the work involved in shipping software. The other 85% — code review, testing, security scanning, compliance, deployment — still relies on fragmented tools and manual processes. AI coding tools accelerate code creation while leaving the manual work downstream intact. More code translates to more bottlenecks.\n\nSolving the AI paradox for software delivery requires a coordinated transformation across three interconnected journeys: [DevOps modernization](https://about.gitlab.com/assessments/devops-modernization-assessment/), [Security modernization](https://about.gitlab.com/assessments/security-modernization-assessment/), and [AI modernization](https://about.gitlab.com/assessments/ai-modernization-assessment/).\n\n## DevOps modernization: The foundation\n### What is DevOps modernization?\nMost engineering organizations are running a patchwork of tools that were never designed to work together. Each tool has its own contract, security review, and support overhead. That fragmentation is expensive to maintain, but the hidden cost is even larger: every handoff between disconnected systems introduces latency, context loss, and the risk of errors. Developers spend time chasing status across tools instead of building. Managers lack a clear picture of where work is stalled. The more code AI generates, the more those handoffs hurt.\n\n**DevOps modernization** is the process of consolidating fragmented toolchains into a unified platform, automating manual processes, and standardizing how teams build and ship software. It tackles the infrastructure of the 85%: the pipelines, handoffs, and coordination overhead where AI-generated code gets stuck.\n\n### How do you progress?\nOrganizations typically start by auditing their current toolchain and identifying where handoffs introduce the most friction. Consolidation usually begins with source control and CI/CD — getting pipelines running consistently and replacing project-by-project configurations with shared templates and reusable components.\n\nFrom there, the focus shifts to performance and scale: optimizing pipeline execution times, automating deployments across multiple environments, and standardizing practices across teams.\n\nThe final frontier is enterprise-scale automation, organization-wide standardization, and AI agents that automate routine tasks across the development lifecycle, freeing engineers to focus on the work that requires human judgment.\n\n### What outcomes can you expect?\nEricsson, the global telecommunications company, lived this reality before consolidating their toolchain. They were stuck in long release cycles, manual processes, and thousands of hours lost to coordination across disconnected systems. After unifying with a single DevSecOps platform, they [saved 130,000 engineering hours in six months](https://about.gitlab.com/customers/ericsson/) and cut release cycles from years to months.\n\nFor most organizations, the early payoff is visibility: a clear, real-time picture of where software is in the delivery pipeline and what’s slowing it down. Every manual step eliminated frees engineering capacity and accelerates the next stage of the journey.\n\n## Security modernization: The safeguard\n### What is Security modernization?\nAI is rapidly generating staggering amounts of code while security reviews remain stuck at the old pace. All that code needs to be scanned, reviewed, and approved. Security teams simply can’t keep up. Things get worse when compliance evidence is scattered across multiple disconnected systems, requiring weeks of manual effort to aggregate for audits.\n\n**Security modernization** means shifting security and compliance from manual checkpoints late in development to automated, continuous processes embedded earlier in the lifecycle. In a modernized security posture, scanning runs automatically inside CI/CD pipelines. Vulnerabilities surface to developers in context, at the moment they can most efficiently fix them, rather than arriving as a list of findings weeks after the code was written. Compliance evidence is collected continuously rather than assembled manually before each audit.\n\n### How do you progress?\nSecurity modernization typically starts with embedding automated scanning (dependency scanning, SAST, and secret detection) directly into existing pipelines, beginning with the vulnerability types that carry the most regulatory or business risk.\n\nAs scanning becomes routine, the focus shifts to ownership and scale: moving from project-level to group-level security policies, establishing defined SLAs for vulnerability response, and putting findings in front of developers with enough context to act on them rather than routing everything through a security team bottleneck.\n\nFrom there, the work becomes predictive — leveraging risk-based prioritization, automating compliance evidence collection, and deploying AI agents that can explain, triage, and remediate vulnerabilities automatically.\n\nAt the highest level of maturity, security is embedded enterprise-wide with policy-as-code enforcement across every project and executive dashboards that connect security posture directly to business outcomes.\n\n### What outcomes can you expect?\nAlly Financial, one of the largest digital financial services companies in the U.S., shifted security left and embedded scanning directly into their DevOps platform. As a result, they were able to [increase deployments by 55%](https://about.gitlab.com/customers/ally/) while reducing downtime by 100 hours per month and saving $300,000 annually.\n\nSpeed and security improved in lockstep. Modernizing security removes the tradeoff between velocity and security by making security a built-in property of the delivery process rather than a gate at the end of it.\n\n## AI modernization: The multiplier\n### What is AI modernization?\nMost organizations have deployed AI coding tools and seen individual developers get faster. But productivity at the individual level doesn't automatically translate into faster delivery at the organizational level. AI assistance that stops at code generation still leaves the downstream steps of the lifecycle running on manual processes. The gains stall. Worse, more code entering the pipeline can actively increase pressure on review, testing, and security processes that haven’t scaled to match.\n\n**AI modernization** builds on top of DevOps and Security modernization. Once your DevOps workflows are unified and your security processes are continuous, you can extend AI from coding into the rest of the software lifecycle. AI modernization is the progression from individual developers using AI coding tools in isolation to teams orchestrating AI agents across every stage, from code review and testing to security remediation and deployment.\n\nThis is where you fully resolve the AI paradox.\n\n### How do you progress?\nAI modernization typically begins with individual developers adopting pre-built AI capabilities such as code suggestions and agentic chat for code assistance, building confidence through hands-on experimentation.\n\n\nFrom there, the focus shifts to the team level: creating custom agents tailored to specific workflows and coding standards, establishing governance and best practices, and building repeatable multi-step flows that automate handoffs between development stages. Integrating external tools through Model Context Protocol expands the context available to agents and enables more sophisticated orchestration across the broader toolchain.\n\n\nThe final stage is organization-wide deployment: autonomous agent workflows executing across the full software lifecycle. Agents execute traditionally manual processes in real time and in parallel across multiple teams, projects, and releases and always within enterprise-level governance. AI impact on organization-wide operational efficiency is measured in real time and can be closely associated with business outcomes.\n\n### What outcomes can you expect?\nBarclays is [scaling this approach to 18,000 team members](https://home.barclays/insights/2025/07/scaling-AI-at-Barclays/), and their developers report that AI assistance across the full lifecycle is freeing them to focus on architecture, design, and customer-facing innovation rather than manual coordination. In organizations with a modernized AI approach, the work that genuinely requires human expertise gets more human attention, while agents handle the coordination, verification, and execution.\n\n## From incremental gains to wholesale transformation\nImagine an engineering organization operating at the intersection of all three journeys.\n\nDevelopers work on a unified platform where AI agents handle routine code generation, documentation, and test creation. Engineers focus on architecture, design, and the work that genuinely requires creative problem-solving. Those agents are embedded in a delivery pipeline that runs in minutes, not hours, with automated testing at every stage and production deployments happening multiple times a day.\n\nSecurity is continuous and invisible. Vulnerabilities are detected and often remediated before code even reaches review. Compliance evidence is collected automatically with every pipeline run. The security team focuses on threat modeling and policy, not triage.\n\nWhen a developer opens a merge request, AI agents review the code, generate tests, run security scans, and flag issues — all before a human reviewer ever looks at it. When something breaks in production, agents diagnose the failure, identify the root cause, and recommend a fix. The cycle from incident to resolution is measured in minutes.\n\nAcross the organization, multiple teams ship releases in parallel, each supported by AI agents that maintain context across projects, enforce governance, and execute workflows end to end. Human engineers define the strategy and guardrails. Agents handle the execution.\n\nIndustry leaders are already building toward this vision. Those that move deliberately now will compound their advantage over those that wait.\n\n## Where to start\nYou can begin with whichever journey addresses your most pressing pain. A team drowning in toolchain complexity might start with DevOps consolidation. An organization under regulatory pressure might prioritize security. A team that has already unified their software lifecycle but wants to multiply output might lead with AI. The entry point matters less than recognizing that all three journeys are dimensions of the same transformation — and that progress in one accelerates the others.\n\nWe've created maturity assessments for each journey ([DevOps](https://about.gitlab.com/assessments/devops-modernization-assessment/), [Security](https://about.gitlab.com/assessments/security-modernization-assessment/), and [AI](https://about.gitlab.com/assessments/ai-modernization-assessment/)) that help you understand where you stand today and what steps will deliver the greatest impact. They take about five minutes and provide a personalized roadmap based on your results.\n\nThe AI coding gains are already here. Closing the delivery gap is what turns them into a competitive advantage.",[424,427,430,433,436],{"header":425,"content":426},"Why does AI coding make software delivery slower? ","AI coding tools accelerate code creation but leave the downstream 85% of work — code review, testing, security scanning, and deployment — relying on fragmented tools and manual processes. More code entering the pipeline increases pressure on bottlenecks that already exist, slowing overall delivery.",{"header":428,"content":429},"What are the three modernization journeys that solve the AI paradox? ","The three interconnected journeys are DevOps modernization (consolidating fragmented toolchains), Security modernization (embedding automated scanning continuously into pipelines), and AI modernization (extending AI agents across the full software lifecycle beyond just code generation).",{"header":431,"content":432},"What is DevOps modernization and what results can it deliver? ","DevOps modernization consolidates fragmented toolchains into a unified platform and automates manual handoffs. Ericsson implemented this approach and saved 130,000 engineering hours in six months while cutting release cycles from years to months.",{"header":434,"content":435},"How does security modernization improve both speed and compliance? ","Security modernization shifts scanning from manual end-of-cycle checkpoints to automated processes embedded directly in CI/CD pipelines. Ally Financial achieved a 55% increase in deployments, reduced downtime by 100 hours per month, and saved $300,000 annually using this approach.",{"header":437,"content":438},"Where should an organization start its modernization journey? ","Organizations can begin with whichever journey addresses their most pressing pain — toolchain complexity, regulatory pressure, or AI scaling. Each five-minute maturity assessment (DevOps, Security, or AI) provides a personalized roadmap, and progress in any one journey accelerates the other two.",{},"/en-us/the-source/platform/more-code-more-bottlenecks-tackling-the-ai-paradox",{"config":442,"title":444,"description":414},{"noIndex":443},false,"Turn AI coding gains into faster software delivery","more-code-more-bottlenecks-tackling-the-ai-paradox","en-us/the-source/platform/more-code-more-bottlenecks-tackling-the-ai-paradox","article","bzY8pt1bwUpS7p9yTuLjz9N9_gO_Ket8f-d4UbecbeU",{"amanda-rueda":450,"andre-michael-braun":451,"andrew-haschka":452,"ayoub-fandi":453,"bob-stevens":454,"brian-wald":455,"bryan-ross":456,"chandler-gibbons":457,"cherry-han":458,"dave-steer":459,"ddesanto":460,"derek-debellis":461,"emilio-salvador":462,"erika-feldman":463,"george-kichukov":464,"gitlab":465,"grant-hickman":466,"haim-snir":467,"iganbaruch":468,"jason-morgan":469,"jessie-young":470,"jlongo":471,"joel-krooswyk":472,"josh-lemos":473,"joshua-carroll":474,"julie-griffin":475,"kristina-weis":476,"lee-faus":477,"marco-caronna":478,"michelle-gill":479,"nathen-harvey":480,"ncregan":481,"rob-smith":482,"rschulman":483,"sabrina-farmer":484,"sandra-gittlen":485,"sharon-gaudin":486,"stephen-walters":487,"taylor-mccaslin":488},"Amanda Rueda","Andre Michael Braun","Andrew Haschka","Ayoub Fandi","Bob Stevens","Brian Wald","Bryan Ross","Chandler Gibbons","Cherry Han","Dave Steer","David DeSanto","Derek DeBellis","Emilio Salvador","Erika Feldman","George Kichukov","GitLab","Grant Hickman","Haim Snir","Itzik Gan Baruch","Jason Morgan","Jessie Young","Joseph Longo","Joel Krooswyk","Josh Lemos","Joshua Carroll","Julie Griffin","Kristina Weis","Lee Faus","Marco Caronna","Michelle Gill","Nathen Harvey","Niall Cregan","Rob Smith","Robin Schulman","Sabrina Farmer","Sandra Gittlen","Sharon Gaudin","Stephen Walters","Taylor McCaslin",{"ai":387,"platform":395,"security":391},{"id":491,"title":5,"body":6,"category":6,"config":492,"content":493,"description":6,"extension":26,"meta":509,"navigation":28,"path":510,"seo":511,"slug":16,"stem":512,"testContent":6,"type":513,"__hash__":514},"pages/en-us/the-source/ai/index.yml",{"layout":8},[494,501],{"componentName":495,"type":495,"componentContent":496},"TheSourceCategoryHero",{"title":387,"description":497,"image":498},"Explore expert insights on how AI is transforming software development, and how organizations can get the most out of their AI investments.",{"config":499},{"src":500},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1751463300/eoudcbj5aoucl0spsp0c.png",{"componentName":502,"type":502,"componentContent":503},"TheSourceCategoryMainSection",{"config":504},{"sourceCTAs":505},[506,507,508],"source-lp-how-to-get-started-using-ai-in-software-development","navigating-ai-maturity-in-devsecops","source-lp-ai-guide-for-enterprise-leaders-building-the-right-approach",{},"/en-us/the-source/ai",{"title":387,"description":497,"ogImage":500},"en-us/the-source/ai/index","category","wtQi5a4Yy8rZpv9pRFgz-LgiIdSY188tyR5WwsQyl-w",{"id":516,"title":5,"body":6,"category":6,"config":517,"content":518,"description":6,"extension":26,"meta":532,"navigation":28,"path":533,"seo":534,"slug":20,"stem":535,"testContent":6,"type":513,"__hash__":536},"pages/en-us/the-source/security/index.yml",{"layout":8},[519,525],{"componentName":495,"type":495,"componentContent":520},{"title":391,"description":521,"image":522},"Get up to speed on how organizations can ensure they're staying on top of evolving security threats and compliance requirements.",{"config":523},{"src":524},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1751463273/aplkxrvwpii26xao5yhi.png",{"componentName":502,"type":502,"componentContent":526},{"config":527},{"sourceCTAs":528},[529,530,531],"source-lp-guide-to-dynamic-sboms","source-lp-devsecops-the-key-to-modern-security-resilience","application-security-in-the-digital-age",{},"/en-us/the-source/security",{"title":391,"description":521,"ogImage":524},"en-us/the-source/security/index","Yz-XSZ2w3Zg4r2_4aWlzq2kmfduukECmMNfXD6Ha26w",{"id":538,"title":5,"body":6,"category":6,"config":539,"content":540,"description":6,"extension":26,"meta":554,"navigation":28,"path":555,"seo":556,"slug":25,"stem":557,"testContent":6,"type":513,"__hash__":558},"pages/en-us/the-source/platform/index.yml",{"layout":8},[541,547],{"componentName":495,"type":495,"componentContent":542},{"title":395,"description":543,"image":544},"Learn how to build a DevSecOps framework that sets your team up for success, from planning to delivery.",{"config":545},{"src":546},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1751463263/bdz7hmhpbmgwvoybcaud.png",{"componentName":502,"type":502,"componentContent":548},{"config":549},{"sourceCTAs":550},[551,552,553],"source-lp-the-ultimate-playbook-for-high-performing-devsecops-teams","source-lp-measuring-success-in-software-development-a-guide-for-leaders","source-lp-building-a-resilient-software-development-practice",{},"/en-us/the-source/platform",{"title":395,"description":543,"ogImage":546},"en-us/the-source/platform/index","u9v0Yrf14Lhx-hAKL_t8ViZ-OxgRjEc5QiV6CvI6bJc",[560,598,637],{"id":561,"title":562,"body":6,"category":16,"config":563,"content":565,"description":6,"extension":26,"meta":591,"navigation":28,"path":592,"seo":593,"slug":595,"stem":596,"type":447,"__hash__":597},"theSource/en-us/the-source/ai/beyond-the-quick-win-how-enterprises-can-scale-ai-in-2026.yml","Beyond The Quick Win How Enterprises Can Scale Ai In 2026",{"layout":8,"template":409,"featured":443,"author":564,"sourceCTA":531},"michelle-gill",{"date":566,"title":567,"description":568,"timeToRead":416,"heroImage":569,"keyTakeaways":570,"articleBody":574,"faq":575},"2026-03-30","Beyond the quick win: How enterprises can scale AI in 2026","Turn early AI wins into lasting competitive advantage with three enterprise strategies to build on your AI momentum.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751463704/u3dshy4qn6rtrklfalx7.png",[571,572,573],"Shadow AI creates unchecked costs and redundant solutions. Enterprises need governance frameworks that track which agents are running, the resources they consume, and the business value they deliver.","Point solutions that speed up isolated tasks create downstream bottlenecks. Agentic systems that manage end-to-end processes serve as connective tissue between teams and eliminate review backlogs.","AI systems are only as smart as the data they can access. A unified data architecture gives agents the institutional context they need to deliver results beyond technically sound output. ","Congratulations! With AI in your toolbelt, developers are shipping code faster, costs are down, and you started 2026 with concrete AI wins.\n\nBut, you’re about to face a new set of problems. \n\nThe decisions you make about scaling, governance, and integration in 2026 will set the foundation for your organization’s performance for years to come. Get it right, and the wins you’ve seen in the past year will compound. Get it wrong, and your growth will plateau or worse.\n\nHere are three ways to keep the AI momentum going. \n\n## Govern what you’ve built\n\nAt some point in the coming year, your CFO may ask why your cloud costs have skyrocketed and you’ll likely find that teams across the organization are using AI without approval or oversight from the organization. This shadow AI usage leads to multiple teams solving a similar problem using different agentic AI tools. \n\nThe spirit of experimentation is exactly what’s driving AI adoption and the discovery of helpful, quick fixes. But as teams spin up ad hoc solutions from development tools, cloud platforms and countless other sources, the lack of centralized oversight becomes an issue that you can’t afford to ignore. All of these agents will increase cloud and compute costs, but an even greater challenge is the risk to your intellectual property (IP). \n\nWhen developers use unvetted AI tools to ship faster, they end up pasting in proprietary code to debug or sharing internal architecture docs for context. That information may be stored, shared, or used to train third-party models, and lead to a breach of proprietary source code or compliance risks when customer data is pulled into unvetted AI tools. \n\nOrganizations need to implement [governance frameworks](https://about.gitlab.com/the-source/security/ai-agents-are-reshaping-software-what-cisos-need-to-know/) that track which agents are running, what data they have access to, and how they interact with each other and with critical systems. These frameworks give your teams clear guidelines on how to move fast without creating a security breach. \n\nWith governance in place, organizations will have lower cloud bills *and* they’ll be able to prove exactly how their AI systems are interacting with sensitive data. Developers still need the ability to experiment with new AI tools. But the most successful organizations will find the right [balance between AI innovation and governance](https://about.gitlab.com/the-source/security/compliance-at-the-speed-of-ai-reimagining-grc/).\n\n## Build agents that go beyond automating tasks\n\nYou should already be using AI to automate all of your safely repeatable tasks. If your teams tried to implement AI, but aren’t seeing results, the problem might be the approach. Many teams believe AI doesn’t work for them because they took a buckshot approach and used AI for every possible scenario. Instead, try two AI-integrated tasks 500 times rather than 500 tasks twice. This targeted strategy allows you to continually optimize and hone your AI solutions before adding more. \n\nOnce your repeatable tasks have been automated, it’s time to use AI holistically across your pipeline. The organizations that see long-term success with AI will be those that build [agentic AI systems](https://about.gitlab.com/the-source/ai/transform-development-with-agentic-ai-the-enterprise-guide/) to handle complex, multistep processes, such as code review cycles and pipeline failures. \n\nAI agents can serve as the connective tissue between teams, handling the administrative work and streamlining review cycles that create bottlenecks. For code reviews, this looks like routing reviews, surfacing relevant context, and keeping workflows moving. For pipeline durations and reliability, agents can diagnose pipeline failures and prioritize runs, saving developers time and mental bandwidth.\n\nBy managing end-to-end processes and overseeing the full software delivery pipeline, these agents move beyond isolated use cases. Instead, they own the workflows between tasks, removing dead time, friction, and coordination overhead. \n\n## Unify your data architecture\n\nYour AI is only as smart as the data it can access. Context is spread across different systems that operate in silos. AI might be able to write technically sound Python code, but without access to design decisions recorded in a wiki, compliance requirements buried in Jira, or a customer data model that exists only in the company’s customer relationship management (CRM) system, the code is strategically useless.\n\nThat fragmented data landscape is the main obstacle between your current AI performance and the full potential of your AI investments. To close that gap, you need to build a data architecture that actually supports the AI systems you're already running.\n\nWhen you prioritize [DevOps modernization](https://about.gitlab.com/the-source/platform/more-code-more-bottlenecks-tackling-the-ai-paradox/) with unified data and context infrastructure, you'll see faster deployments and reduced security risk. Plus, your AI systems can finally draw on institutional knowledge instead of working around it.\n\n## Are you reimagining? Or just automating?\n\nThis is the question that will separate AI leaders in 2026: Are you reimagining the way work gets done or are you just automating old processes? \n\nSucceeding in this next chapter of AI means integrating agentic capabilities into business operations, rather than adopting point solutions and haphazardly addressing challenges across teams. \n\nSetting your organization up for success starts with building a strong foundation: governance that enables experimentation, agentic systems that solve challenges holistically, and a data architecture that provides agents with the context they need. \n\nAccomplish these three things, and your AI gains will turn into lasting competitive advantage.",[576,579,582,585,588],{"header":577,"content":578},"What is shadow AI and why is it a problem for enterprises?","Shadow AI occurs when teams use AI tools without organizational approval or oversight. It leads to redundant solutions across teams, skyrocketing cloud and compute costs, and serious IP risks — including proprietary code or customer data being shared with unvetted third-party models.",{"header":580,"content":581},"What should an enterprise AI governance framework track?","An effective AI governance framework tracks which agents are running, what data they can access, and how they interact with each other and critical systems. This gives teams clear guidelines to move fast without creating security breaches or compliance risks.",{"header":583,"content":584},"Why do many enterprise AI implementations fail to deliver results?","Many teams take a buckshot approach — applying AI to every possible scenario without depth. A more effective strategy is to run two AI-integrated tasks 500 times rather than 500 tasks twice, allowing continuous optimization before expanding AI's scope.",{"header":586,"content":587},"How do agentic AI systems reduce bottlenecks in software delivery?","AI agents act as connective tissue between teams by handling administrative work, routing code reviews, surfacing relevant context, and diagnosing pipeline failures. By owning end-to-end workflows — not just isolated tasks — they eliminate dead time, friction, and coordination overhead.",{"header":589,"content":590},"Why does data architecture determine the ceiling of your AI performance?","AI can only act on data it can access. Without connections to wikis, compliance systems, or CRM data, AI produces technically sound but strategically useless output. A unified data architecture gives agents the institutional context needed to close the gap between current AI performance and its full potential.",{},"/en-us/the-source/ai/beyond-the-quick-win-how-enterprises-can-scale-ai-in-2026",{"config":594,"title":567,"description":568},{"noIndex":443},"beyond-the-quick-win-how-enterprises-can-scale-ai-in-2026","en-us/the-source/ai/beyond-the-quick-win-how-enterprises-can-scale-ai-in-2026","nObNyPIQP67AQGSEkgmvWAxaUDIibIwr5suIovGD_IE",{"id":599,"title":600,"body":6,"category":16,"config":601,"content":604,"description":6,"extension":26,"meta":630,"navigation":28,"path":631,"seo":632,"slug":634,"stem":635,"type":447,"__hash__":636},"theSource/en-us/the-source/ai/why-enterprises-can-t-afford-to-standardize-on-one-ai-model.yml","Why Enterprises Can T Afford To Standardize On One Ai Model",{"layout":8,"template":409,"featured":443,"author":602,"sourceCTA":603},"bryan-ross","software-innovation-report-2025",{"date":605,"title":606,"description":607,"timeToRead":416,"keyTakeaways":608,"articleBody":612,"faq":613,"heroImage":629},"2026-03-26","Why enterprises can’t afford to standardize on one AI model","Explore why enterprises need AI model diversity to match tasks to performance, cost, and governance needs, and how orchestration makes it work at scale.",[609,610,611],"No single AI model can optimize for speed, quality, and cost at once. Enterprises that route tasks to the right model extract more value from AI while keeping spending under control.","IDC projects that organizations will underestimate AI infrastructure costs by 30% through 2027. Applying FinOps practices to model spend gives enterprises the visibility and control they need to scale.","The most resilient enterprise AI systems support model diversity within a governed control plane, enabling teams to use frontier, self-hosted, and custom models without sacrificing reliability or compliance.","Most organizations are setting themselves up for failure by adopting AI the same way they buy software: pick a vendor, standardize, and roll it out everywhere.\n\nThe assumption is that one model will solve every problem. But a model that excels at code generation might struggle with security analysis, while a frontier model that’s perfect for prototyping may not meet your data residency requirements.\n\nSolving this mismatch requires flexibility in how you deploy AI models. Some teams need advanced, large-scale models for cutting-edge reasoning, while others need specialized models for domain-specific work. And, critically, you need the ability to mix and match based on the task at hand.\n\n## The AI Paradox: Coding is just one piece of the puzzle\nThe current wave of AI adoption focuses almost entirely on accelerating code generation. But coding represents a fraction of what developers actually do. According to [GitLab’s 2025 Global DevSecOps Survey](https://about.gitlab.com/developer-survey/), developers spend only about 15% of their time writing code. The rest goes to planning, reviewing code, testing, debugging, managing dependencies, coordinating with teammates, and navigating compliance requirements.\n\nThis creates an AI paradox: AI is accelerating coding, but disconnected toolchains and manual coordination overhead have slowed overall productivity so much that it’s costing nearly a full workday per developer each week.\n\nTo solve this, AI needs to work across the entire development lifecycle, not just code generation. The challenge is that different activities across the software lifecycle have fundamentally different performance requirements:\n* **Speed-critical tasks** like auto-completing code or suggesting fixes during active development need sub-second response times, which might favor smaller, locally hosted models.\n* **Quality-critical tasks** like architectural planning or security analysis justify the cost of frontier models with superior reasoning.\n* **Cost-sensitive tasks** at high volume, like running tests or updating dependencies across hundreds of repositories, require economical options to stay viable.\n\nA single model can’t optimize for all three simultaneously. The organizations that gain the most from AI are the ones building systems flexible enough to route each task to the model that best fits its performance, quality, and cost profile.\n\n## Premium models for every task will break your budget\nPrice is a major factor influencing which model teams should choose for each job. A practical cost-to-value strategy might look like this:\n* For high-volume, routine work like writing commit messages, summarizing log files, or writing test cases, teams lean toward cheaper and faster options, including open-source models where feasible.\n* For tasks that demand complex reasoning, like code generation, teams pay for more capability.\n* For specialized models that are more deterministic, teams might be willing to pay a premium for infrastructure-as-code generation or high-accuracy data transformation.\n\nOptionality — the ability to choose between different models based on the task — is a hedge against model performance differences, pricing swings, and the reality that providers may sunset products or go out of business altogether.\n\nBut where does that optionality come from? There are essentially three sources:\n1. Commercial frontier models (Anthropic, OpenAI, Google) deliver cutting-edge performance and are constantly improving, but you’re dependent on vendor roadmaps and pricing.\n1. Self-hosted commercial or open-source models give you control over data residency, costs, and availability, but require infrastructure management and, in the case of open source, cannot handle agentic workflows.\n1. Domain-specific models you’ve trained can outperform general models on narrow, high-stakes tasks where you have unique data and clear success criteria, but such work requires specialist expertise and can be operationally very expensive.\n\nEach approach has trade-offs. The key is building systems that let you use all three strategically.\n\n## Managing AI like cloud infrastructure\nModel flexibility only creates value if you can manage the economics behind it. The price gap between models is substantial: complex reasoning models can cost 500% more per request than general-purpose models that work fine for routine tasks.\n\nThis is where model routing — the ability to define which models get used for which tasks — becomes critical. A code review might route to a frontier model, while commit message generation uses a faster, cheaper option.\n\nBut routing alone isn’t enough. Enterprises need the same financial controls they have for cloud infrastructure: quotas to prevent runaway spending, limits to enforce budget discipline, and chargeback models that allocate costs to the departments actually using AI. Without these guardrails, AI adoption becomes financially unsustainable.\n\nThis is why [FinOps practices](https://about.gitlab.com/the-source/platform/finops-balancing-financial-responsibility-and-innovation/) are extending to AI. [According to IDC](https://www.cio.com/article/4107377/cios-will-underestimate-ai-infrastructure-costs-by-30.html), organizations will underestimate their AI infrastructure costs by 30% through 2027, and combining GenAI with FinOps processes will be essential for managing this complexity. (And that's just for GenAI — the impact of underestimating agentic AI could be considerably higher.) The organizations that treat AI spend like cloud spend — with visibility, accountability, and governance — are the ones that will scale AI successfully.\n\n## How customization delivers ROI\nModel flexibility also depends on context. AI needs information spread across systems that weren’t designed to work together by default. A developer debugging an issue might need to reference the work backlog, pull recent discussions from Slack, and review app performance metrics in Grafana. If every system has its own AI experience and none of them connect cleanly, AI slows productivity.\n\nFortunately, recent open source developments have paved the way forward: [Model Context Protocol (MCP)](https://about.gitlab.com/topics/ai/model-context-protocol/) makes AI reliable by letting tools share relevant context and actions across a single workspace.\n\nThis shared foundation (with unified context) is what makes meaningful customization possible. In fact, the most effective customization works best in layers because you can encode how your organization performs work within each one.\n\nI think about this in three layers. Most developers will rely on pre-built agents and workflows that make AI available for common tasks without requiring expertise. Power users shape how a model operates through detailed prompting, essentially teaching it to follow their organization's playbook. And experts connect multiple agents into governed flows that mirror how humans deliver work, with strict review protocols in place.\n\nOrganizations get the most ROI by designing a system where AI is constrained by context and accountability, and where they can connect different models based on their requirements: frontier commercial models, self-hosted instances of commercial models for data residency, or specialized models they’ve already trained for domain-specific work.\n\n## Reliability comes from orchestration, not standardization\nEnterprise AI adoption requires outputs that reliably hold up inside real systems, under real constraints. \n\nThe most successful organizations are building systems that support model diversity while maintaining strict governance. They treat AI spend like cloud spend, with model routing, quotas, and chargeback. And they’re focusing on orchestration to ensure AI fits naturally into daily workflows and relevant context is shared across tools.\n\nA rigorous selection process matters here. The best platforms use under-the-hood subagents that evaluate models across quality, performance, and cost for each type of operation — and make those evaluations visible to users so teams understand why a given model is being used for a given task. That transparency creates trust. And when teams have requirements that differ from the defaults, they should be able to override model selections with their own preferences, or bring their own models entirely.\n\nThis approach lets them use frontier models where performance matters, self-hosted models where data residency is required, and specialized models where domain expertise makes the difference. The common thread is the governed control plane that maintains the same standards for reliability and security regardless of model source.\n\nThe future of enterprise AI isn’t about finding one perfect model. It’s about building systems that let you connect the models that match your requirements.",[614,617,620,623,626],{"header":615,"content":616},"Why can't enterprises rely on a single AI model for all tasks?","Different tasks have fundamentally different performance requirements. Speed-critical tasks favor smaller, locally hosted models; quality-critical tasks justify frontier model costs; and high-volume, cost-sensitive tasks require economical options. No single model can optimize for speed, quality, and cost simultaneously.",{"header":618,"content":619},"How much more do complex AI reasoning models cost compared to general-purpose models?","Complex reasoning models can cost up to 500% more per request than general-purpose models. This price gap makes model routing — directing specific tasks to appropriately priced models — essential for keeping enterprise AI spending financially sustainable at scale.",{"header":621,"content":622},"What is AI model routing and why do enterprises need it?","Model routing defines which AI models handle which tasks — for example, sending code reviews to a frontier model while routing commit message generation to a faster, cheaper option. Combined with quotas, spending limits, and chargeback models, it gives enterprises the same financial controls they apply to cloud infrastructure.",{"header":624,"content":625},"How much are organizations underestimating their AI infrastructure costs?","According to IDC, organizations will underestimate AI infrastructure costs by 30% through 2027. The gap could be even larger when accounting for agentic AI workloads, making FinOps practices — visibility, accountability, and governance over AI spend — essential for scaling successfully.",{"header":627,"content":628},"What are the three sources of AI model optionality for enterprises?","Enterprises can draw from: (1) commercial frontier models like Anthropic, OpenAI, and Google for cutting-edge performance; (2) self-hosted commercial or open-source models for data residency and cost control; and (3) domain-specific models trained on proprietary data for narrow, high-stakes tasks where unique data creates a performance edge.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1774036667/gukolblclgirfae9a1qg.png",{},"/en-us/the-source/ai/why-enterprises-can-t-afford-to-standardize-on-one-ai-model",{"config":633,"title":606,"description":607},{"noIndex":443},"why-enterprises-can-t-afford-to-standardize-on-one-ai-model","en-us/the-source/ai/why-enterprises-can-t-afford-to-standardize-on-one-ai-model","sFWU0kpwu6i7oZqyfu_731NCwI9WE55ZISQiIPnNKAg",{"id":638,"title":639,"body":6,"category":16,"config":640,"content":641,"description":6,"extension":26,"meta":667,"navigation":28,"path":668,"seo":669,"slug":672,"stem":673,"type":447,"__hash__":674},"theSource/en-us/the-source/ai/the-real-cost-of-build-vs-buy-for-agentic-ai-in-regulated-industries.yml","The Real Cost Of Build Vs Buy For Agentic Ai In Regulated Industries",{"layout":8,"template":409,"featured":443,"author":602,"sourceCTA":411},{"date":642,"title":643,"description":644,"timeToRead":416,"keyTakeaways":645,"articleBody":649,"faq":650,"heroImage":666},"2026-03-24","The real cost of build vs. buy for agentic AI in regulated industries","Agentic AI is repeating the DevOps toolchain sprawl pattern — and the organizations that recognize it early will have a significant advantage.",[646,647,648],"In regulated industries, building agentic AI in-house is a multi-year platform engineering commitment. The regulatory, security, and integration obligations tend to be far greater than initial analyses suggest.","Agentic AI is following the same fragmentation arc as DevOps toolchains. Organizations that make a platform decision early, rather than a series of point decisions, can compress years of catch-up into months.","For a team of roughly 200 developers, an internal AI build costs an estimated $1.4M in year one with 12–18 months to first use case. A purpose-built platform runs roughly $410K–$460K with deployment in days.","There's a pattern regulated industries know well. A new capability emerges. Teams spin up point solutions. Each one solves a discrete problem. Before long, you're managing fifteen tools that were never designed to work together and spending more engineering time on integration than on the outcomes you were trying to achieve.\n\nThat's what happened with DevOps toolchains. And it's exactly what's starting to happen with agentic AI.\n\n## The build trap\n\nWhen AI coding tools started delivering real productivity gains, the natural instinct for many organizations was to go deeper. A code assistant here. An internal AI gateway there. A few open-source models, some custom orchestration, and suddenly you're calling it a platform.\n\nThere's a reason this happens. Technology teams are wired to build, and that instinct isn't wrong. Building is how engineers learn, how teams develop expertise, and how genuinely novel problems get solved. The same DIY energy that shaped the early DevOps era produced some remarkable tools and practices. But that same divergent experimentation rarely serves the broader organization. Organizations don't want some people to be AI-enabled. They want everyone to be AI-enabled, consistently, in a way that's governable and scalable. That's the tension at the center of every build vs. buy conversation right now.\n\nBefore going further, it's worth naming what you're actually deciding. Most build vs. buy conversations quietly compare two very different things:\n\n* **Build**: Assemble open models + cloud AI services + custom orchestration + custom governance + the underlying infrastructure (compute, storage, databases, networking) required to run it all. You are the platform vendor.\n* **Buy**: Adopt a platform that already unifies models, tools, orchestration, and governance across the SDLC. You are the platform consumer.\n\nThat distinction matters enormously in a regulated environment. Building an internal agentic AI platform in banking or insurance is a multi-year platform engineering commitment with regulatory surface area most organizations underestimate:\n\n* **Model lifecycle management**: Selection, tuning, drift monitoring, deprecation. Ongoing, always on.\n* **Security hardening**: Agents that touch code and infrastructure trigger obligations well beyond a standard SaaS integration: prompt injection defenses, sandboxing, SIEM and DLP integration, red-team testing.\n* **Regulatory documentation**: Under frameworks like DORA and the EU AI Act, an internal AI system is a *regulated system*. You define the risk classification, maintain the documentation, and produce the audit evidence, meaning recurring obligations for the life of the system.\n* **Platform integration**: Agents must be embedded in your SDLC to deliver meaningful value. Every touchpoint is a mini-product that requires maintenance across IDE versions, tooling changes, and org restructures.\n\nAnd then there's the cost that rarely makes it into initial analyses: every engineer building the platform is an engineer *not* modernizing a legacy pipeline, remediating security debt, or accelerating a critical delivery program.\n\n## Agentic AI is following the DevOps playbook — for better and worse\n\nLet’s think back to the DevOps era. Teams didn't set out to build fragmented toolchains, they made rational, incremental decisions. A better CI tool here. A preferred SCM there. A security scanner bolted on. A separate secrets manager. A different deployment orchestrator.\n\nEach decision made sense in isolation. Collectively, [they created sprawl](https://about.gitlab.com/the-source/platform/more-code-more-bottlenecks-tackling-the-ai-paradox/): integration burden, inconsistent governance, duplicated effort, and no single view of what was happening across the SDLC.\n\nThe industry spent the better part of a decade consolidating around platforms precisely because that sprawl was expensive and hard to audit, two things regulated organizations can't afford. Agentic AI is following the same arc, faster. The organizations that recognize this early enough to make a *platform decision*, rather than a series of point decisions, will compress years of catch-up into months.\n\n![Regulated organizations spent a decade consolidating fragmented DevOps toolchains. Agentic Al is following the same arc — faster.](https://res.cloudinary.com/about-gitlab-com/image/upload/v1774033724/hhkpa2moojmnjfp4q5tb.png)\n\n## A framework for the decision\n\nRather than a generic build vs. buy debate, anchor on three questions:\n\n1. **Is your requirement truly unique?** Build is defensible when you have workflows no vendor supports, deployment patterns no platform can meet, and genuine appetite to fund platform engineering as an enduring capability. Modern platforms, however, increasingly meet regulated organizations where they are and support cloud-hosted, self-managed, and dedicated single-tenant deployments to narrow the gap between platform convenience and enterprise control requirements. If your goals are faster code review, pipeline migration, security triage, or test automation, you're in territory where platforms are already delivering for your peers.\n2. **How much regulatory surface area can you realistically own?** Building makes you the system owner under ICT risk frameworks, the AI provider under emerging AI regulations, and the entity accountable for model behavior, documentation, and monitoring. Buying doesn't eliminate regulatory responsibility, but it offloads platform-level obligations to a vendor whose business depends on getting them right, freeing your compliance cycles for how AI is used, not how it's built.\n3. **What's your time horizon?** If your board expects demonstrable AI value across multiple teams within 12–24 months, a multi-year internal build is misaligned with those expectations from day one. \n\nThe numbers reflect this. For example, for a regulated organization of roughly 200 developers, an internal build on a cloud AI foundation typically runs ≈$1.4M in year one — engineering labor, infrastructure, integration, security, compliance — with 6–12 months before anything is production-ready and 2–3 dedicated FTEs required just to keep it stable. Time to first real use case: 12–18 months, conservatively.\n\nAn agentic AI platform like [GitLab Duo Agent Platform](https://about.gitlab.com/gitlab-duo-agent-platform/) runs ≈$410K–$460K for the same population with initial deployment in days and early productivity gains of 15–25% (sample from previous implementations) once agents are embedded in everyday workflows. Time to first use case: weeks, not years. That's not a marginal difference. It's the difference between showing your board AI ROI this fiscal year or explaining why you're still building infrastructure.\n\n*Analysis courtesy of Sumedh Jigjinni and GitLab's [Business Value Services](https://handbook.gitlab.com/handbook/solutions-architects/sa-practices/business-value-consulting/) team.*\n\n## “But we need to customize”\n\nThis is the most common objection for regulated industries. The goal isn't to take customization off the table. It's to right-size where customization happens.\n\nThe best agentic AI platforms support a layered model that serves every level of the organization. Most users don't need to build anything: they access agents created by others through a shared catalog, getting immediate value within a governed environment. Power users can tailor agents to their specific context by adjusting system prompts and parameters, without writing a line of code. Teams with genuinely differentiated use cases can develop custom agent flows and publish them to the catalog, turning internal work into organizational capability. And experts can still integrate external models, domain-specific tools, and proprietary data sources through a governed interface, rather than as a parallel shadow platform.\n\nThis is what intelligent orchestration actually looks like: [not uniformity, but coherence](https://about.gitlab.com/the-source/ai/the-next-wave-of-devsecops-team-of-one-manager-of-many/). Everyone operates within the same governance layer, with flexibility that scales to need.\n\nThe lesson from DevOps consolidation wasn't \"don't use tools.\" It was \"don't let tools use you.\" Agentic AI deserves the same discipline.",[651,654,657,660,663],{"header":652,"content":653},"What is the difference between building and buying an agentic AI platform?","Building means assembling open models, cloud AI services, custom orchestration, and governance infrastructure yourself — making your team the platform vendor. Buying means adopting a unified platform that already combines models, tools, orchestration, and governance. In regulated environments, that distinction carries significant compliance and resourcing implications.",{"header":655,"content":656},"How much does it cost to build agentic AI in-house vs. buying a platform?","For a team of roughly 200 developers, an internal build typically costs around $1.4M in year one, requires 2–3 dedicated FTEs to maintain, and takes 12–18 months to reach a first real use case. A purpose-built platform like GitLab Duo Agent Platform runs approximately $410K–$460K with deployment in days.",{"header":658,"content":659},"Why is agentic AI following the same fragmentation pattern as DevOps toolchains?","Just as DevOps teams made rational, incremental tool decisions that collectively created sprawl, agentic AI teams are assembling point solutions that weren't designed to work together. The result is the same: integration burden, inconsistent governance, and no unified view across the SDLC.",{"header":661,"content":662},"What regulatory obligations does building an internal AI system create?","Under frameworks like DORA and the EU AI Act, an internally built AI system is a regulated system. The building organization owns risk classification, audit documentation, model lifecycle management, security hardening, and ongoing compliance monitoring — obligations that persist for the life of the system.",{"header":664,"content":665},"Can organizations still customize agents if they buy a platform instead of building?","Yes. Leading agentic AI platforms support a layered model: most users access pre-built agents through a shared catalog, power users adjust prompts and parameters without coding, and teams with differentiated needs can build and publish custom agent flows — all within a single governance layer.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1774034036/ulsa40ld4bz9t1rjez3y.png",{},"/en-us/the-source/ai/the-real-cost-of-build-vs-buy-for-agentic-ai-in-regulated-industries",{"config":670,"title":671,"description":644},{"noIndex":443},"Build vs. buy for agentic AI in regulated industries","the-real-cost-of-build-vs-buy-for-agentic-ai-in-regulated-industries","en-us/the-source/ai/the-real-cost-of-build-vs-buy-for-agentic-ai-in-regulated-industries","8YiHH3Xt0YoJRdQI-e6p5_nStW4YVlE9jjglEO0MqQU",[676,689,702],{"id":561,"title":562,"body":6,"category":16,"config":677,"content":678,"description":6,"extension":26,"meta":686,"navigation":28,"path":592,"seo":687,"slug":595,"stem":596,"type":447,"__hash__":597},{"layout":8,"template":409,"featured":443,"author":564,"sourceCTA":531},{"date":566,"title":567,"description":568,"timeToRead":416,"heroImage":569,"keyTakeaways":679,"articleBody":574,"faq":680},[571,572,573],[681,682,683,684,685],{"header":577,"content":578},{"header":580,"content":581},{"header":583,"content":584},{"header":586,"content":587},{"header":589,"content":590},{},{"config":688,"title":567,"description":568},{"noIndex":443},{"id":599,"title":600,"body":6,"category":16,"config":690,"content":691,"description":6,"extension":26,"meta":699,"navigation":28,"path":631,"seo":700,"slug":634,"stem":635,"type":447,"__hash__":636},{"layout":8,"template":409,"featured":443,"author":602,"sourceCTA":603},{"date":605,"title":606,"description":607,"timeToRead":416,"keyTakeaways":692,"articleBody":612,"faq":693,"heroImage":629},[609,610,611],[694,695,696,697,698],{"header":615,"content":616},{"header":618,"content":619},{"header":621,"content":622},{"header":624,"content":625},{"header":627,"content":628},{},{"config":701,"title":606,"description":607},{"noIndex":443},{"id":638,"title":639,"body":6,"category":16,"config":703,"content":704,"description":6,"extension":26,"meta":712,"navigation":28,"path":668,"seo":713,"slug":672,"stem":673,"type":447,"__hash__":674},{"layout":8,"template":409,"featured":443,"author":602,"sourceCTA":411},{"date":642,"title":643,"description":644,"timeToRead":416,"keyTakeaways":705,"articleBody":649,"faq":706,"heroImage":666},[646,647,648],[707,708,709,710,711],{"header":652,"content":653},{"header":655,"content":656},{"header":658,"content":659},{"header":661,"content":662},{"header":664,"content":665},{},{"config":714,"title":671,"description":644},{"noIndex":443},[716,754,793],{"id":717,"title":718,"body":6,"category":20,"config":719,"content":721,"description":6,"extension":26,"meta":747,"navigation":28,"path":748,"seo":749,"slug":751,"stem":752,"type":447,"__hash__":753},"theSource/en-us/the-source/security/ai-agents-are-reshaping-software-what-cisos-need-to-know.yml","Ai Agents Are Reshaping Software What Cisos Need To Know",{"layout":8,"template":409,"featured":28,"author":720,"sourceCTA":603},"josh-lemos",{"title":722,"description":723,"date":724,"timeToRead":416,"heroImage":725,"keyTakeaways":726,"articleBody":730,"faq":731},"AI agents are reshaping software: What CISOs need to know","Most executives believe AI agents will dominate software development by 2028. Here’s what security leaders must do to prepare today.","2025-10-21","https://res.cloudinary.com/about-gitlab-com/image/upload/v1761059283/rolzub9bctnigdo573kb.png",[727,728,729],"Nearly 9 in 10 executives expect AI agents to become standard in software development within three years, creating urgent security challenges.","Organizations lack proper AI governance, with nearly half missing regulatory compliance and internal policies for artificial intelligence systems.","Security leaders can prepare by implementing identity policies, monitoring frameworks, and upskilling teams for the AI-driven software future.","New research from GitLab shows that 89% of C-level executives surveyed expect AI agents will become the standard approach for building software within three years. This transformation brings significant security implications, as 85% of these leaders recognize that AI agents will introduce never-before-seen security challenges.\n\nThe findings highlight a critical dilemma facing CISOs and security professionals: They can’t afford to pause AI adoption, but they must address the emerging risks it creates. With 91% of executives surveyed planning to boost their AI investments in software development over the next 18 months, each new AI breakthrough intensifies these security concerns.\n\n## AI governance gaps create adoption barriers\nSecurity leaders clearly understand the primary risks associated with [AI agents](https://about.gitlab.com/the-source/ai/agentic-ai-unlocking-developer-potential-at-scale/). Survey participants identified cybersecurity threats (52%), data privacy and security concerns (51%), and governance challenges (45%) as their top worries. These interconnected risks continue to evolve as the technology advances.\n\nOrganizations need robust AI governance frameworks to adapt their security approaches in response to emerging threats. However, this is easier said than done, since AI impacts multiple technology areas, from data governance to identity and access management. GitLab’s research indicates that organizations are falling behind in governance frameworks as many surveyed leaders said their organizations haven’t implemented regulatory-aligned governance (47%) or internal policies (48%) around AI.\n\nThis governance gap is the result of legitimate industry-wide challenges that make it difficult for leaders to focus their efforts effectively. AI agents behave unpredictably due to their non-deterministic nature, which disrupts traditional security boundaries. Additionally, new universal protocols such as [Model Context Protocol](https://about.gitlab.com/topics/ai/model-context-protocol/) and Agent2Agent, which simplify data access and improve how agents work together, increase security complexity because they expand the attack surface and create new pathways for unauthorized access across interconnected systems.\n\nHowever, these challenges shouldn’t stop security leaders from prioritizing AI governance. Organizations waiting for comprehensive AI best practices will find themselves constantly behind the curve, and those that avoid AI altogether will still be exposed to AI risks through vendor relationships and unauthorized AI use within their environments.\n\n## Practical steps CISOs can take for AI agent readiness\nSecurity leaders should start by establishing AI observability systems that can track, audit, and attribute agent behaviors across all environments. Here are a few steps CISOs can take today to reduce AI risk and improve governance.\n\n### Establish identity policies that create accountability for agent actions\nAs AI systems proliferate, managing non-human identities will be just as critical as controlling human user access. [Composite identities](https://about.gitlab.com/blog/improve-ai-security-in-gitlab-with-composite-identities/) offer one solution by connecting AI agent credentials with the human users who direct them. This approach helps organizations to authenticate and authorize agents while maintaining clear accountability for their actions.\n\n### Implement comprehensive monitoring frameworks\nDevelopment, operations, and security teams require visibility into AI agent activities across various workflows, processes, and systems. Monitoring cannot stop at code repositories. Teams must track agent behavior in staging environments, production systems, connected databases, and all applications the agents can access.\n\n### Develop team AI capabilities\nAI literacy is now a must-have for security teams. In GitLab’s survey, 43% of respondents acknowledged a growing AI skills gap, and this is likely to expand unless technical leaders invest in team education. Training should cover model behavior, prompt engineering, and critical evaluation of model inputs and outputs.\n\nKnowing where models excel and where they underperform helps teams avoid unnecessary security risks and technical debt. For instance, models trained on anti-patterns effectively detect those specific issues but struggle with unfamiliar logic bugs. AI models that perform poorly in areas where security engineers or developers lack experience will leave security gaps that human professionals won’t be able to identify. One solution that can help is to ensure teams have sufficient expertise to validate AI outputs and catch potential errors.\n\nCISOs should consider dedicating a portion of learning and development budgets to continuous technical education. This [builds internal AI security expertise](https://about.gitlab.com/the-source/ai/from-vibe-coding-to-agentic-ai-a-roadmap-for-technical-leaders/), creating AI champions who can train colleagues and reinforce good practices.\n\n## Security benefits outweigh AI adoption risks\nProperly monitored and implemented AI actually enhances security outcomes. In fact, 45% of survey respondents ranked security as the top area where AI can add value for software development. When used to accelerate rather than replace human expertise, AI can democratize security knowledge across development teams by automating routine security tasks, providing intelligent coding suggestions, and offering security context within developer workflows.\n\nFor example, AI can explain vulnerabilities, enabling developers to resolve issues quickly without waiting for security team guidance. These capabilities help improve security outcomes, reduce risk exposure, and increase understanding between development and security teams.\n\nSuccess belongs to organizations that embrace AI — but do so carefully. Even imperfect foundational controls help teams adapt as conditions change. If the executives surveyed are right, the three-year clock is already ticking. Leaders who guide their teams toward the right AI use cases won't just minimize risk; they will gain a competitive advantage. After all, the security of your software is a core component of its quality.",[732,735,738,741,744],{"header":733,"content":734},"What percentage of executives expect AI agents to become standard practice?","89% of C-level executives surveyed expect AI agents will become the standard approach for building software within three years. Additionally, 91% of executives plan to boost their AI investments in software development over the next 18 months. However, 85% recognize that AI agents will introduce never-before-seen security challenges.",{"header":736,"content":737},"What are the top security concerns executives have about AI agents?","The primary risks identified by survey participants are cybersecurity threats at 52%, data privacy and security concerns at 51%, and governance challenges at 45%. These interconnected risks continue to evolve as AI technology advances, creating complex security implications for organizations.",{"header":739,"content":740},"How many organizations currently lack proper AI governance frameworks?","Nearly half of surveyed leaders report governance gaps in their organizations. 47% said their organizations haven't implemented regulatory-aligned governance around AI, and 48% lack internal policies. This governance gap creates adoption barriers despite the urgent need for AI integration in business operations.",{"header":742,"content":743},"What practical steps can CISOs take to prepare for AI agent security?","CISOs should establish identity policies that create accountability for agent actions through composite identities connecting AI credentials with human users. Implement comprehensive monitoring frameworks tracking agent behavior across all environments including staging, production, and connected databases. Develop team AI capabilities including prompt engineering and model evaluation skills.",{"header":745,"content":746},"How do security benefits compare to AI adoption risks for organizations?","Security benefits can outweigh adoption risks when AI is properly monitored and implemented. 45% of survey respondents ranked security as the top area where AI can add value for software development. AI can democratize security knowledge, automate routine tasks, provide intelligent coding suggestions, and explain vulnerabilities to help developers resolve issues quickly.",{},"/en-us/the-source/security/ai-agents-are-reshaping-software-what-cisos-need-to-know",{"config":750,"title":722,"description":723},{"noIndex":443},"ai-agents-are-reshaping-software-what-cisos-need-to-know","en-us/the-source/security/ai-agents-are-reshaping-software-what-cisos-need-to-know","GWKfSmPXw84SGvDRnBgunUqPToAkDw9Nx9BuwSK-lxs",{"id":755,"title":756,"body":6,"category":20,"config":757,"content":760,"description":6,"extension":26,"meta":786,"navigation":28,"path":787,"seo":788,"slug":790,"stem":791,"type":447,"__hash__":792},"theSource/en-us/the-source/security/speed-and-control-gitops-for-insurance-leaders.yml","Speed And Control Gitops For Insurance Leaders",{"layout":8,"template":409,"featured":443,"author":758,"sourceCTA":759},"jason-morgan","beginners-guide-to-gitops",{"title":761,"description":762,"date":763,"timeToRead":416,"heroImage":764,"keyTakeaways":765,"articleBody":769,"faq":770},"Speed and control: GitOps for insurance leaders","Discover how GitOps and enterprise CI/CD enable insurance companies to deploy fast while meeting strict regulatory compliance and audit requirements.","2025-09-25","https://res.cloudinary.com/about-gitlab-com/image/upload/v1758827423/hpvkk3b8mozeqhed6daf.png",[766,767,768],"Insurance companies can achieve fast development cycles while maintaining regulatory compliance by combining GitOps tools like FluxCD with enterprise CI/CD platforms like GitLab.","Storing all deployment configs in Git creates automatic audit trails, version control, and enforced approval workflows that satisfy regulators and eliminate manual documentation.","Modern pipelines can automatically enforce separation of duties, require approvals, and block deployments that don't meet compliance rules—making governance systematic, not optional.","In conversations with insurance technology leaders, one challenge consistently emerges: How do you enable development teams to move at the speed modern customers expect while satisfying regulators who demand every change be tracked, approved, and reversible?\n\nThe answer isn't choosing between speed and control; it's combining the right tools to get both. That's where pairing GitOps tools like FluxCD with enterprise CI/CD platforms like GitLab creates something special: a deployment pipeline that's both developer-friendly and maintains the audit trails regulators require.\n\n## Why GitOps matters for insurance\n\nIf you're managing Kubernetes deployments in a regulated environment, you already know that \"just SSH in and fix it\" isn't an option. FluxCD and similar GitOps tools fundamentally change how we think about configuration management, and honestly, it's about time.\n\n### Everything lives in Git (where it belongs)\n\nWith FluxCD, your entire deployment configuration becomes code. Real, version-controlled, reviewable code. No more mystery configurations that changed three months ago and were never documented. Every YAML file, every Helm chart, every configuration parameter lives in Git repositories where they're subject to the same controls as your application code.\n\nThis isn't just about organization (though your future self will thank you during the next state insurance audit). When you treat configuration as code, you inherit all the battle-tested controls that software teams have refined over decades. Branch protection rules, pull request reviews, and signed commits aren't just for your Java or Python files anymore.\n\n### Your project becomes the single source of truth\n\nHere’s where compliance teams take notice: GitOps continuously monitors declared states and ensures clusters match what’s approved. Any drift between what’s intended and what’s running is automatically detected and reconciled.\n\nThis means your project isn't just documentation of what you think is running, it's the enforced state of your entire system. When an auditor asks, \"What version of this service was running on March 15th at 2 PM?\" you don't scramble through logs. You check the Project history. Simple, verifiable, and impossible to argue with.\n\n## Making GitOps enterprise-ready\n\nNow, having everything in Git is great, but insurers need more than just version control. They need to prove that every change followed proper procedures, met security requirements, and links to an approved business justification. This is where organizations must extend GitOps with a robust CI/CD system.\n\n### Change management that actually works\n\nInsurance CIOs and CTOs consistently cite manual change management processes as a major operational bottleneck. Their teams waste countless hours updating tickets, chasing approvals, and documenting deployments that should be automatic. Modern CI/CD pipelines solve this by integrating directly with change management systems, automatically creating and updating tickets as code moves through the deployment pipeline.\n\nEven better, these pipelines can enforce compliance rules:\n\n* Need actuarial approval for rating algorithm updates? The pipeline won’t proceed without it.\n* Require compliance review for underwriting logic? The deployment halts until sign-off.\n\nThis isn’t security theater — it’s real enforcement, applied consistently and automatically.\n\n### Separation of duties made simple\n\nInsurance regulators, whether state departments or international bodies like EIOPA, emphasize the separation of duties. The person who writes the code for premium calculations shouldn't be the one who approves it for production. Modern CI/CD platforms make this straightforward to implement and, more importantly, impossible to bypass.\n\nDevelopers can push code all day long, but they can't approve their own merge requests. They can't trigger production deployments without passing the necessary control gates. They can't modify audit logs. These aren't suggestions or guidelines; they're system-enforced rules that work across your entire development lifecycle.\n\n### A policy engine that speaks \"compliance\"\n\nThis is where [enterprise CI/CD platforms](https://about.gitlab.com/blog/ultimate-guide-to-ci-cd-fundamentals-to-advanced-implementation/) really earn their keep in insurance environments. Based on implementations I've overseen, the most successful platforms include comprehensive policy engines that can enforce virtually any requirement your compliance team requires:\n\n* **Permissions that make sense**: Role-based access control that maps to your actual organizational structure, not some generic \"admin/user\" split\n* **Audit trails that tell the whole story**: Not just who did what, but why they did it, who approved it, and what controls were validated\n* **Artifact management that satisfies regulators**: Automatic retention of build artifacts, deployment manifests, and security scan results for whatever period your regulations require\n* **Change window enforcement**: Block deployments during freeze periods, require additional approvals for emergency changes, or restrict certain types of changes to specific maintenance windows\n\n## GitOps and insurance: Better together\n\nIn my recent engagements with insurers ranging from regional carriers to global reinsurers, I've observed a clear pattern in successful GitOps adoptions. The magic happens when you pair GitOps approaches with enterprise controls, creating a deployment pipeline that developers actually want to use and that satisfies insurance compliance teams.\n\nDevelopers get to work with familiar Git workflows. They push code for new coverage types, create merge requests for claims automation improvements, and see their changes automatically deployed. No special deployment tools to learn, no manual steps to forget, no \"works in my machine\" mysteries when the new mobile claims app behaves differently in production.\n\nMeanwhile, your governance teams — who in insurance often report directly to the board's risk committee — get comprehensive audit trails, enforced approval workflows, and the ability to prove compliance without manual documentation. Every deployment is traceable from commit to production, with all the required approvals and security scans documented along the way.\n\nThe result? Your most advanced teams can iterate quickly, deploy frequently, and innovate confidently, all while maintaining the iron-clad controls that financial services require. It's not about choosing between moving fast and maintaining control. With the right tooling, you genuinely can have both.\n\n## Ready to see this in action?\n\nIf you're curious about how this approach could work in your organization, we're bringing the [Financial Services Roadshow](https://about.gitlab.com/events/financial-services-roadshow/) to several cities in the coming months. You'll see real-world implementations, hear from organizations that have made this transition, and get hands-on experience with the tools and workflows discussed here.",[771,774,777,780,783],{"header":772,"content":773},"How does GitOps help insurance companies balance speed and regulatory compliance?","GitOps enables insurance companies to deploy fast while meeting strict compliance requirements by combining tools like FluxCD with enterprise CI/CD platforms. All deployment configurations become version-controlled code in Git repositories, creating automatic audit trails and enforced approval workflows. This approach satisfies regulators while enabling developer-friendly deployment pipelines.",{"header":775,"content":776},"What makes GitOps configuration management suitable for regulated insurance environments?","GitOps treats entire deployment configurations as real, version-controlled, reviewable code stored in Git repositories. Every YAML file, Helm chart, and configuration parameter is subject to the same controls as application code, including branch protection rules and pull request reviews. This creates a single source of truth that's continuously monitored and automatically reconciled.",{"header":778,"content":779},"How do modern CI/CD pipelines enforce separation of duties for insurance compliance?","CI/CD platforms make separation of duties system-enforced rules rather than guidelines. Developers can push code but cannot approve their own merge requests or trigger production deployments without passing control gates. The person writing premium calculation code cannot approve it for production, and nobody can modify audit logs or bypass necessary approvals.",{"header":781,"content":782},"What compliance features do enterprise CI/CD platforms provide for insurance companies?","Enterprise platforms include comprehensive policy engines with role-based access control mapping to organizational structures, complete audit trails showing who did what and why with approval documentation, automatic retention of build artifacts and security scan results, and change window enforcement that blocks deployments during freeze periods.",{"header":784,"content":785},"How does storing deployment configurations in Git benefit insurance audits?","When deployment configurations live in Git, every change is tracked with complete version history, making audits straightforward. Instead of scrambling through logs when auditors ask about system states on specific dates, teams can check Git project history for simple, verifiable, and impossible-to-argue-with documentation of exactly what was running when.",{},"/en-us/the-source/security/speed-and-control-gitops-for-insurance-leaders",{"config":789,"title":761,"description":762},{"noIndex":443},"speed-and-control-gitops-for-insurance-leaders","en-us/the-source/security/speed-and-control-gitops-for-insurance-leaders","x8VwqQIO_oD5Aus0U1uo_Ve4JadCSYG6vRSfq92ZT-I",{"id":794,"title":795,"body":6,"category":20,"config":796,"content":798,"description":6,"extension":26,"meta":808,"navigation":28,"path":809,"seo":810,"slug":797,"stem":812,"type":813,"__hash__":814},"theSource/en-us/the-source/security/building-resilient-software-through-secure-development.yml","Building Resilient Software Through Secure Development",{"layout":8,"template":409,"featured":443,"gatedAsset":797},"building-resilient-software-through-secure-development",{"title":799,"description":800,"date":801,"heroImage":802,"keyTakeaways":803,"articleBody":807},"Building resilient software through secure development","Discover how to automate compliance, reduce security risks, and build resilient software. Learn proven strategies for integrating security into your SDLC.","2025-09-22","https://res.cloudinary.com/about-gitlab-com/image/upload/v1761157735/hfazekmlyinw8pvxcm2r.png",[804,805,806],"With 80% of Chief Compliance Officers foreseeing escalating compliance pressures, automating security processes throughout your development lifecycle is critical for maintaining competitive advantage and meeting evolving standards.","Organizations implementing automated compliance solutions eliminate manual audit tasks, allowing developers to focus on innovation while security and governance controls operate seamlessly in the background.","Modern DevSecOps platforms enable organizations to enforce compliance directly in CI/CD pipelines, providing comprehensive audit trails, vulnerability management, and provenance tracking required by federal standards.","In today's threat landscape, software vulnerabilities can swiftly escalate to national security issues. Foreign adversaries conduct sophisticated cyber campaigns costing billions of taxpayer dollars while undermining organizational security and privacy. With Executive Order 14306 reinforcing the government's commitment to secure software development and strengthening NIST's Secure Software Development Framework as the definitive best practice, the question isn't whether to prioritize security, it's how to implement it effectively.\n\n## The challenge: Speed vs. security\nHistorically, organizations have prioritized development speed at the expense of security, leaving critical vulnerabilities in their products. This trade-off became more prominent with widespread DevOps adoption, as rapid release cycles often outpaced security considerations. Manual compliance tracking pulls developers away from core development work, with teams spending significant time on audit tasks and regulatory documentation.\n\nOrganizations navigating multiple compliance frameworks (NIST, FedRAMP, FISMA, ISO 27001, SOC 2) face an even greater challenge. While these frameworks share common controls, they rarely align perfectly, creating manual tracking burdens that scale poorly across complex development environments.\n\n## A strategic approach to embedded security\nThe path forward requires more than checkbox compliance. Organizations that proactively embed compliance requirements into development processes from the outset realize significant competitive advantages, time savings, and cost efficiencies. This means codifying standards and seamlessly integrating security throughout the software development lifecycle rather than treating it as a final gate.\n\nEffective implementation demands automated guardrails that enforce security policies without slowing development velocity. Protected branches, merge request approvals, and automated scanning ensure code stability while maintaining rapid delivery cycles. Security policies act as automated safeguards throughout the software development lifecycle, enforcing specific security actions at each pipeline stage.\n\n## Visibility and control across the supply chain\nModern development environments require answers to fundamental questions: What assets do we have? Are they being scanned? Where are we most at risk? Software bill of materials generation, dependency scanning, and continuous vulnerability monitoring provide the visibility needed to manage risk across sprawling codebases.\n\nStatic reachability analysis enables teams to prioritize remediation based on actual threat exposure rather than scanning all vulnerable dependencies. Comprehensive vulnerability risk assessment data, including EPSS scores and Known Exploited Vulnerabilities status, allows teams to focus on real-world threats.\n\n## From principle to practice\nThe Principle of Least Privilege, developed in the 1970s, remains fundamental to modern security. Implementing sophisticated role-based access control ensures each user and system has precisely the permissions required for designated responsibilities. Fine-grained permissions for both human users and non-human identities minimize blast radius if credentials are compromised.\n\nOrganizations that successfully navigate today's compliance landscape don't treat security as an afterthought. They embed it into every stage of development, automate verification processes, and maintain continuous monitoring. This comprehensive approach transforms compliance from a burden into a competitive advantage.\n\n**Download the complete guide to learn how leading organizations can automate compliance, implement secure guardrails, and build truly resilient software.**",{},"/en-us/the-source/security/building-resilient-software-through-secure-development",{"config":811,"title":799,"description":800},{"noIndex":443},"en-us/the-source/security/building-resilient-software-through-secure-development","guide","TgSsnoMelUOj0999RUDkqQUEl4K7M2shao-EnfeR4_M",[816,829,867],{"id":406,"title":407,"body":6,"category":25,"config":817,"content":818,"description":6,"extension":26,"meta":826,"navigation":28,"path":440,"seo":827,"slug":445,"stem":446,"type":447,"__hash__":448},{"layout":8,"template":409,"featured":28,"author":410,"sourceCTA":411},{"title":413,"description":414,"date":415,"timeToRead":416,"heroImage":417,"keyTakeaways":819,"articleBody":422,"faq":820},[419,420,421],[821,822,823,824,825],{"header":425,"content":426},{"header":428,"content":429},{"header":431,"content":432},{"header":434,"content":435},{"header":437,"content":438},{},{"config":828,"title":444,"description":414},{"noIndex":443},{"id":830,"title":831,"body":6,"category":25,"config":832,"content":834,"description":6,"extension":26,"meta":860,"navigation":28,"path":861,"seo":862,"slug":864,"stem":865,"type":447,"__hash__":866},"theSource/en-us/the-source/platform/code-is-currency-in-the-software-defined-finance-era.yml","Code Is Currency In The Software Defined Finance Era",{"layout":8,"template":409,"featured":28,"author":833,"sourceCTA":603},"joshua-carroll",{"title":835,"description":836,"date":837,"timeToRead":416,"heroImage":838,"keyTakeaways":839,"articleBody":843,"faq":844},"Code is currency in the software-defined finance era","Speed drives success in today's code-driven economy. Here’s why financial organizations must adopt DevSecOps practices to compete. ","2025-11-13","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751464105/b0sltyrnkzt8yzgikqgl.jpg",[840,841,842],"Finance is now software at its core — every transaction, payment, and compliance check runs on code, making technology the actual business product, not just infrastructure.","Development velocity determines competitive advantage — organizations that deploy daily and learn instantly outpace those still planning quarterly and executing monthly.","Security and compliance must be built into deployment pipelines, not added later — when policies become code, they scale with growth and accelerate rather than block progress.","Here’s what changed while everyone was debating digital transformation: money became code.\n\nNot metaphorically. Literally. The payment you just received? Software executed it. The loan decision that took seconds? Algorithms, not underwriters. The compliance check that happened invisibly in the background? Code reviewing code.\n\nThe shift happened gradually, then suddenly. And most organizations are still operating like it’s 2015. They treat technology as infrastructure when, in fact, it is the product. They manage risk in quarterly reviews while threats evolve hourly. They ship updates monthly while markets move in milliseconds.\n\n## The new physics of financial services\n\nSoftware follows its own laws. It compounds. It scales non-linearly. It fails in cascades. More importantly, it evolves at the speed of deployment, not the speed of planning.\n\nWhen your business runs on software, these become business fundamentals. A deployment pipeline determines how fast you can respond to markets. A security vulnerability becomes an existential threat that compounds every hour it exists. A compliance framework either enables or blocks transactions.\n\nThe organizations thriving in this reality have absorbed one truth: in software-defined finance, your release cycle is your innovation cycle. You don’t plan quarterly and execute monthly. You ship daily and learn instantly.\n\n## When speed and safety collide\n\nHere’s the paradox that breaks most financial organizations: the faster you need to move, the more trust you must maintain. And trust in finance takes years to build but only seconds to destroy.\n\nTraditional thinking says slow down, add checkpoints, and review everything twice. But that’s industrial-age logic applied to information-age problems. You can’t inspect quality into software any more than you can inspect trust into a financial system.\n\nThe answer is to make security a property of speed itself. When every commit triggers scans, every deployment generates audit logs, and every configuration change is instantly reversible, security becomes an accelerator rather than a brake.\n\nUltimately, this is about architecture, not tools. When security policies are code, they evolve with your product. When compliance is automated, it scales with your growth. When systems assume breach and contain blast radius by design, you can move faster because you’ve reduced the cost of being wrong.\n\n## Why integration can't wait\n\nMost organizations still operate in silos because that’s how they’ve always operated. But software doesn’t respect organizational boundaries. A vulnerability in development becomes a breach in production. A compliance gap in one service can cascade across the enterprise. A single API slowdown can stall entire payment flows.\n\nThe reflexive response is to buy more tools and build more bridges between them. But that is just digitizing dysfunction. When your developers, security, ops, and compliance teams each live in different toolchains, you haven't solved the silo problem — you've automated it. Every handoff becomes an API. Every integration becomes technical debt. Every tool boundary is where context dies.\n\nThe organizations winning this game collapse these boundaries with unified workflows:\n\n* The same commit that adds a feature also updates its security profile\n* The same pipeline that deploys code also generates compliance evidence\n* The same dashboard that shows system health also shows security posture\n* The same team that owns a feature owns its reliability, security, and compliance\n\nWhen developers see the security implications of their code in real time, they write more secure code. When security policies are code that flows through the same pipeline as features, protection scales automatically. When compliance evidence generates from actual development activity rather than manual attestations, trust becomes provable.\n\nThe leaders aren't just integrating their tools better. They're rethinking the entire architecture of how software-defined financial services are built, secured, and shipped. They understand that in a world where finance runs on software, your platform architecture is your business architecture.\n\n## The great divergence\n\nIt's not the tech stack. It's not the talent. It's not even the funding.\n\nThe best fintechs don't have better developers. They've figured out the secret everyone's missing: in software-defined finance, your process and tools determine how fast you can move.\n\nFragment your workflow across fifteen platforms? You'll move like fifteen companies trying to coordinate. Unify everything into one flow? You'll move like software actually moves: continuously, securely, inevitably forward.\n\nThe leaders of these organizations aren't trying harder. They're playing a different game entirely. New regulation? That's tomorrow's update. Security patch? That ships with the next feature. Compliance audit? Here's the dashboard.\n\nWhen friction disappears, everything accelerates. When everything accelerates, you stop competing on the old metrics. You're not winning the game anymore — you're playing a different one.\n\n## What actually matters\n\nDigital transformation and disruption are yesterday’s conversations.\n\nToday’s question is simpler: How fast can you ship secure, compliant, trusted code?\n\nThe finance industry has become inseparable from technology, which is essentially technology that facilitates the movement of money. Your advantage isn’t your charter, your partnerships, or your marketing. It’s your ability to turn ideas into running code before markets shift. It’s your deployment frequency, your security automation, your compliance as code.\n\nThe infrastructure exists. The patterns are proven. The only question is whether you’ll adapt to the new physics of finance, or insist on the old rules while the world accelerates past you.",[845,848,851,854,857],{"header":846,"content":847},"How has finance become software-defined and why does this matter?","Finance has become software at its core where every transaction, payment, and compliance check runs on code rather than manual processes. Money became code literally, not metaphorically - software executes payments, algorithms make loan decisions in seconds, and code reviews code for compliance. This makes technology the actual business product, not just supporting infrastructure.",{"header":849,"content":850},"Why do organizations that deploy daily have competitive advantages over those deploying monthly?","In software-defined finance, release cycles determine innovation cycles. Organizations shipping daily and learning instantly can respond to markets in real-time, while those planning quarterly and executing monthly operate at industrial-age speeds in information-age markets. Deployment pipelines determine how fast organizations can respond to market changes.",{"header":852,"content":853},"How should financial organizations approach security in fast-moving development environments?","Security must become a property of speed itself rather than a brake on velocity. When every commit triggers scans, every deployment generates audit logs, and every configuration change is instantly reversible, security becomes an accelerator. When security policies are code evolving with products and compliance is automated scaling with growth, organizations can move faster.",{"header":855,"content":856},"What is the cost of fragmented toolchains in software-defined finance?","Fragmenting workflows across fifteen platforms makes organizations move like fifteen companies trying to coordinate. Every handoff becomes an API, every integration becomes technical debt, and every tool boundary is where context dies. This digitizes dysfunction rather than solving silo problems, as developers, security, ops, and compliance teams in different toolchains automate isolation.",{"header":858,"content":859},"What defines successful organizations in software-defined finance?","Successful organizations unify workflows where the same commit updates security profiles, the same pipeline deploys code and generates compliance evidence, and the same dashboard shows system health and security posture. Leaders turn ideas into running code before markets shift through deployment frequency, security automation, and compliance as code rather than competing on traditional metrics.",{},"/en-us/the-source/platform/code-is-currency-in-the-software-defined-finance-era",{"config":863,"title":835,"description":836},{"noIndex":443},"code-is-currency-in-the-software-defined-finance-era","en-us/the-source/platform/code-is-currency-in-the-software-defined-finance-era","05MIgcy8ddI6nmfpUcym5HWEtMUnaB1rvRIopwRyDN4",{"id":868,"title":869,"body":6,"category":25,"config":870,"content":872,"description":6,"extension":26,"meta":899,"navigation":28,"path":900,"seo":901,"slug":903,"stem":904,"type":447,"__hash__":905},"theSource/en-us/the-source/platform/unlocking-software-driven-business-transformation-in-telco.yml","Unlocking Software Driven Business Transformation In Telco",{"layout":8,"template":409,"featured":443,"author":871,"sourceCTA":551},"marco-caronna",{"title":873,"description":874,"date":875,"timeToRead":876,"heroImage":877,"keyTakeaways":878,"articleBody":882,"faq":883},"Unlocking software-driven business transformation in telco","How AI-native DevSecOps and GitOps help telcos open new revenue streams, accelerate innovation, and outflank tech-native competitors.","2025-11-04","7 min read","https://res.cloudinary.com/about-gitlab-com/image/upload/v1762195291/e2zdeclyrqtso3flxlyw.png",[879,880,881],"Telcos must transform from hardware-centric infrastructure to software-driven operations to compete with digital-native companies capturing value from their networks.","A unified AI-native platform with DevSecOps and GitOps eliminates operational silos, accelerates innovation through agentic AI, and automates security and compliance.","GitOps and infrastructure automation enable 5G network function deployments with version-controlled configurations, audit trails, and instant rollback capabilities.","Over the past several years, I've watched telecommunications companies navigate an increasingly difficult paradox. The telco executives I speak with routinely describe investing billions in network infrastructure, only to struggle capturing value from those investments. The numbers tell a sobering story: in 2024, the return on invested capital (ROIC) for telcos dropped well below the median weighted average cost of capital (WACC), [falling as far as 6.7%](https://www.bcg.com/publications/2025/boosting-value-creation-in-telcos).\n\n\nWhat makes this particularly frustrating for these leaders is watching  digital-native companies like Netflix, WhatsApp, and Google generate [massive revenues](https://wjarr.com/sites/default/files/WJARR-2024-0113.pdf) using the very infrastructure telcos built. Time and again, I've seen telcos relegated to the sidelines as their networks, which are increasingly commoditized, create immense value for tech companies and hyperscalers.\n\n\nThe telecommunications executives who grasp this reality understand that Communication Service Providers (CSPs) and Network Equipment Providers (NEPs) must transform into software-driven technology companies. In my experience working with industry leaders, those that make the \"telco-to-techco\" transition position themselves for competitive advantage and unlock new growth opportunities that their competitors miss.\n\n## Why legacy software development approaches undermine telco innovation\nWhether you are a CSP diversifying into digital services or a NEP delivering cloud-native network functions, you need a modern software development foundation on which to build. Unfortunately, legacy processes prevent many telcos from establishing this foundation.\n\n### Innovation velocity gaps\nSome telcos have release cycles that are 18+ months long. Digital-native competitors, on the other hand, iterate through continuous deployment cycles in days or weeks. Hardware-based deployments play a big role in creating these innovation bottlenecks, prompting the industry shift toward software-based alternatives.\nThe innovation velocity gap impacts CSPs' revenue diversification efforts because new digital services require rapid iteration to find market fit. Subsidiaries tasked with entering IoT, edge computing, or digital payment solutions struggle to compete when constrained by legacy processes.\n\nNEPs face similar pressures, as lengthy development and deployment cycles strain relationships with CSPs who need faster deployment and reconfiguration of network modernization solutions.\n\n### Security and compliance overhead\nRegulatory requirements add complexity, leading to more inefficiency. The General Data Protection Regulation (GDPR) requires comprehensive data lineage tracking and audit trails. Industry best practices, including ETSI guidance on NFV testing and operations (such as NFV-TST 006), recommend that CSPs and NEPs adopt synchronized software delivery processes through continuous integration and delivery (CI/CD).\n\nUnfortunately, due to fragmented development toolchains, telcos must aggregate data across incompatible systems, maintain audit trails, and coordinate deployments — often in a manual fashion.\n\n### Barriers to AI-powered automation\nAI-powered software development presents a major opportunity for telcos, but fragmented toolchains hinder effective AI implementations. This may partly explain why [telcos trail other industries](https://about.gitlab.com/the-source/platform/whats-next-in-devsecops-for-telecommunications/) in operationalizing AI.\n\nWhen contextual data is sprawled across disparate systems, it leaves AI with a limited view of your business. Because AI systems thrive on context, this restricted view leads to poor outputs.\n\nSecurity and governance further complicate matters. Telcos must carefully control which data AI tools can access, implement governance policies, and avoid vendors that train their models on proprietary data.\n\nLastly, popular AI point solutions fixate on code generation while neglecting the broader software development lifecycle. Developers spend [less than a quarter of their time writing code](https://about.gitlab.com/developer-survey/). What about the other three-quarters of the development process? Telcos that rely on these AI coding assistants will struggle to meaningfully improve their time-to-market.\n\n## Driving telco transformation with a unified AI-native platform\nA unified AI-native platform that enables both DevSecOps and GitOps practices removes the many barriers to telco transformation. It accelerates innovation on a large scale while strengthening security and compliance.\n\n### Platform unification removes operational silos\nA unified platform eliminates operational silos that cause widespread inefficiency. It replaces fragmented toolchains with integrated workflows, enabling better collaboration between network operations and digital services teams — and removes the need to translate data between incompatible systems. Key outcomes include:\n* **Greater capital efficiency**: CSPs avoid excessive tool investments across subsidiaries and business units\n* **Accelerated market responsiveness**: Teams launch new services faster through better coordination\n* **Vendor ecosystem optimization**: NEPs deliver software updates and network functions through standardized processes that CSPs can integrate seamlessly\n* **Strategic execution alignment**: Network modernization and revenue diversification initiatives improve with shared visibility and better coordination\n* **Reduced talent waste**: Engineering resources focus on customer value creation rather than managing tools\n\n### Agentic AI acts as a force multiplier\nWhen a platform natively integrates agentic AI capabilities across both development and infrastructure operations, it yields large-scale productivity gains. The platform orchestrates autonomous AI workflows across the entire software lifecycle, enabling human-AI collaboration with complete business context. This delivers:\n* **Revenue acceleration through automation**: Addresses the entire software development process beyond code generation, enabling telcos to launch digital services faster and capture emerging IoT, edge computing, 5G applications, and other high-growth digital markets\n* **Dramatic cycle time reduction**: Development cycles accelerate from months to weeks/days\n* **Operational cost reduction**: Automatic CI/CD pipeline failure diagnosis and deployment optimization reduce engineering overhead, freeing teams for innovation\n* **Data sovereignty and privacy protection**: Privacy-first AI architecture with self-managed deployment options for air-gapped environments, granular permissions control, and commitment to never training models on customer data\n* **Improved competitiveness**: Enables telcos to dramatically increase their innovation velocity while maintaining regulatory compliance\n\n### Automated security and compliance removes transformation barriers\nThe platform’s DevSecOps capabilities eliminate the trade-off between speed and compliance. They automate security scanning and compliance workflows throughout the development lifecycle, strengthening telcos’ security posture while accelerating time-to-market. Critical business outcomes include:\n* **Cyber risk reduction**: Automated threat detection and vulnerability management protect against cyber attacks\n* **Supply chain transparency**: Complete visibility into third-party software components and dependencies reduces vendor risk\n* **Compliance workflow automation**: GDPR data protection, CSRD environmental reporting, and ETSI/BEREC standards adherence through automated workflows eliminates manual compliance overhead\n* **Audit readiness**: Real-time traceability and documentation reduce the time and cost of regulatory audits while ensuring continuous compliance\n* **Operational resilience**: Proactive security monitoring and automated policy enforcement prevent security incidents that can cause costly service disruptions\n\n### Infrastructure automation enables network modernization\nThe platform’s GitOps capabilities address the manual infrastructure deployments and configuration management challenges that slow telco transformation. The platform treats all network infrastructure as version-controlled code, enabling automated, consistent deployments across complex environments. Infrastructure automation delivers:\n* **Network function modernization**: Automates 5G and cloud-native network function deployments using Kubernetes orchestration, reducing deployment time while ensuring consistency across environments\n* **Multi-vendor coordination**: Standardized deployment processes enable synchronized delivery between NEPs and CSPs, meeting ETSI requirements while accelerating time-to-market for new services\n* **Risk mitigation through automation**: Version-controlled infrastructure configurations provide complete audit trails and instant rollback capabilities, reducing the operational risk that regulatory bodies and boards scrutinize\n* **Operational cost reduction**: Reduces manual configuration management, freeing engineers to focus on strategic initiatives\n\n> Learn how [Deutsche Telekom](https://about.gitlab.com/customers/deutsche-telekom/) achieved dramatic business results with GitLab, demonstrating the competitive advantage of a unified platform for telcos.\n\n## Your transformation opportunity\nThreats from digital-native competitors continue to mount. By transforming into software-driven technology companies, telcos can overcome these threats and capture more value from their infrastructure investments.\n\nA unified AI-native platform that enables both DevSecOps and GitOps practices removes transformation barriers. It eliminates operational silos, accelerates innovation through agentic AI, automates security and compliance, and enables the infrastructure automation critical for network modernization and 5G monetization.\n\nTelcos that act decisively today may emerge as industry leaders tomorrow.",[884,887,890,893,896],{"header":885,"content":886},"Why do telcos need to transition from hardware-centric to software-driven approaches?","Telcos invest billions in network infrastructure but struggle to capture value from those investments. Return on invested capital dropped well below the median weighted average cost of capital, falling as far as 6.7%. Digital-native companies like Netflix, WhatsApp, and Google generate massive revenues using telco infrastructure. Telcos watch from the sidelines as their increasingly commoditized networks create immense value for tech companies and hyperscalers.",{"header":888,"content":889},"What legacy software development challenges undermine telco innovation?","Legacy challenges include innovation velocity gaps with release cycles of 18+ months. Digital-native competitors iterate through continuous deployment cycles in days or weeks. Security and compliance overhead requires manual data aggregation across fragmented incompatible systems. Barriers to AI-powered automation occur when fragmented toolchains prevent effective AI implementations, leaving agents with limited business context.",{"header":891,"content":892},"How do unified AI-native platforms accelerate telco transformation?","Unified platforms eliminate operational silos by replacing fragmented toolchains with integrated workflows. This enables better collaboration between network operations and digital services teams. The platforms remove the need to translate data between incompatible systems. They orchestrate autonomous AI workflows across the entire software lifecycle with complete business context. Development cycles accelerate from months to weeks or days.",{"header":894,"content":895},"What business outcomes do DevSecOps capabilities provide for telecommunications companies?","DevSecOps capabilities deliver cyber risk reduction through automated threat detection and vulnerability management. They provide supply chain transparency with complete visibility into third-party components. Compliance workflow automation covers GDPR, CSRD, and ETSI/BEREC standards, eliminating manual overhead. Audit readiness comes through real-time traceability, reducing regulatory audit time and cost. Operational resilience improves through proactive security monitoring and automated policy enforcement.",{"header":897,"content":898},"How does GitOps enable network modernization for telecommunications companies?","GitOps treats all network infrastructure as version-controlled code. This enables automated consistent deployments across complex environments. It automates 5G and cloud-native network function deployments using Kubernetes orchestration. Standardized deployment processes enable multi-vendor coordination meeting ETSI requirements. Version-controlled configurations provide complete audit trails and instant rollback capabilities. This reduces manual configuration management, freeing engineers for strategic initiatives.",{},"/en-us/the-source/platform/unlocking-software-driven-business-transformation-in-telco",{"config":902,"title":873,"description":874},{"noIndex":443},"unlocking-software-driven-business-transformation-in-telco","en-us/the-source/platform/unlocking-software-driven-business-transformation-in-telco","vaTlm6Z0vp3x0E7NjRpMnZ58lHbxB3hTNG0U0nLyQrY",[907,917,926],{"config":908,"title":909,"description":910,"link":911},{"slug":507},"Navigating AI maturity in DevSecOps","Read our survey findings from more than 5,000 DevSecOps professionals worldwide for insights on how organizations are incorporating AI into the software development lifecycle.",{"text":912,"config":913},"Read the report",{"href":914,"dataGaName":915,"dataGaLocation":916},"/resources/developer-survey/2024/ai/","Navigating AI Maturity in DevSecOps","thesource",{"config":918,"title":919,"description":920,"link":921},{"slug":508},"AI guide for enterprise leaders: Building the right approach","Download our guide for enterprise leaders to learn how to prepare your C-suite, executive leadership, and development teams for what AI can do today — and will do in the near future — to accelerate software development.",{"text":922,"config":923},"Read the guide",{"href":924,"dataGaName":925,"dataGaLocation":916},"/the-source/ai/ai-guide-for-enterprise-leaders-building-the-right-approach/","AI Guide For Enterprise Leaders: Building the Right Approach",{"config":927,"title":928,"description":929,"link":930},{"slug":506},"How to get started using AI in software development","Learn how to strategically implement AI to boost efficiency, security, and reduce context switching. Empower every member of your team with AI capabilities.",{"text":931,"config":932},"Download the guide",{"href":933,"dataGaName":934,"dataGaLocation":916},"/the-source/ai/getting-started-with-ai-in-software-development-a-guide-for-leaders/","How to Get Started Using AI in Software Development",[936,944,952],{"config":937,"title":938,"description":939,"link":940},{"slug":531},"Application security in the digital age","Read our survey findings from more than 5,000 DevSecOps professionals worldwide for insights on how organizations are grappling with increasing attack surfaces and changing attitudes towards security and AI.",{"text":912,"config":941},{"href":942,"dataGaName":943,"dataGaLocation":916},"/resources/developer-survey/2024/security-compliance/","Application Security in the Digital Age",{"config":945,"title":946,"description":947,"link":948},{"slug":530},"DevSecOps: The key to modern security resilience","Learn how embedding security in development can slash incident response time by 720x and save millions in security costs annually.",{"text":931,"config":949},{"href":950,"dataGaName":951,"dataGaLocation":916},"/the-source/security/devsecops-the-key-to-modern-security-resilience/","DevSecOps the key to modern security resilience",{"config":953,"title":954,"description":955,"link":956},{"slug":529},"Guide to dynamic SBOMs: An integral element of modern software development","Learn how to gain visibility into previously unidentified organizational risks with a software bill of materials (SBOM).",{"text":922,"config":957},{"href":958,"dataGaName":959,"dataGaLocation":916},"/the-source/security/guide-to-dynamic-sboms/","Guide to Dynamic SBOMs",[961,969,977],{"config":962,"title":963,"description":964,"link":965},{"slug":553},"Building a resilient software development practice","Learn strategies to bolster your team's effectiveness amid shifts in the industry with a standardized approach to software development.",{"text":922,"config":966},{"href":967,"dataGaName":968,"dataGaLocation":916},"/the-source/platform/building-a-resilient-software-development-practice/","Building a Resilient Software Development Practice",{"config":970,"title":971,"description":972,"link":973},{"slug":552},"Measuring success in software development: A guide for leaders","Discover how to measure software delivery performance with key metrics that optimize workflows, enhance team productivity, and drive better decisions.",{"text":931,"config":974},{"href":975,"dataGaName":976,"dataGaLocation":916},"/the-source/platform/measuring-success-in-software-development-a-guide-for-leaders/","Measuring success in software development",{"config":978,"title":979,"description":980,"link":981},{"slug":551},"The ultimate playbook for high-performing DevSecOps teams ","Learn how to tackle issues like deployment slowdowns, lack of collaboration, and developer burnout.",{"text":982,"config":983},"Read the ebook",{"href":984,"dataGaName":979,"dataGaLocation":916},"/the-source/platform/the-ultimate-playbook-for-high-performing-devsecops-teams/",1776403411137]