[{"data":1,"prerenderedAt":1006},["ShallowReactive",2],{"/en-us/the-source/":3,"footer-en-us":36,"the-source-banner-en-us":342,"the-source-navigation-en-us":354,"the-source-newsletter-en-us":382,"featured-article-en-us":393,"the-source-ai-landing-category-en-us":434,"the-source-security-landing-category-en-us":458,"the-source-platform-landing-category-en-us":479,"featured-authors-en-us":500,"category-authors-en-us":532,"hero-most-recent-articles-en-us":533,"platform-landing-most-recent-articles-en-us":646,"ai-landing-most-recent-articles-en-us":738,"security-landing-most-recent-articles-en-us":792,"the-source-platform-landing-resources-en-us":887,"the-source-ai-landing-resources-en-us":928,"the-source-security-landing-resources-en-us":967,"categories-en-us":1004},{"_path":4,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"config":8,"seo":10,"content":13,"_id":30,"_type":31,"title":7,"_source":32,"_file":33,"_stem":34,"_extension":35},"/en-us/the-source","en-us",false,"",{"layout":9},"the-source",{"title":11,"description":12},"The Source: Insights for the future of software development","Your decision-making partner for transformative strategies and expert technology advice.",[14,16,21,26],{"componentName":15},"TheSourceLandingHero",{"componentName":17,"componentContent":18},"TheSourceLandingCategory",{"config":19},{"category":20},"ai",{"componentName":17,"componentContent":22},{"config":23},{"category":24,"theme":25},"security","surface",{"componentName":17,"componentContent":27},{"config":28},{"category":29},"platform","content:en-us:the-source:index.yml","yaml","content","en-us/the-source/index.yml","en-us/the-source/index","yml",{"_path":37,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"data":38,"_id":338,"_type":31,"title":339,"_source":32,"_file":340,"_stem":341,"_extension":35},"/shared/en-us/main-footer",{"text":39,"source":40,"edit":46,"contribute":51,"config":56,"items":61,"minimal":330},"Git is a trademark of Software Freedom Conservancy and our use of 
'GitLab' is under license",{"text":41,"config":42},"View page source",{"href":43,"dataGaName":44,"dataGaLocation":45},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/","page source","footer",{"text":47,"config":48},"Edit this page",{"href":49,"dataGaName":50,"dataGaLocation":45},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/-/blob/main/content/","web ide",{"text":52,"config":53},"Please contribute",{"href":54,"dataGaName":55,"dataGaLocation":45},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/-/blob/main/CONTRIBUTING.md/","please contribute",{"twitter":57,"facebook":58,"youtube":59,"linkedin":60},"https://twitter.com/gitlab","https://www.facebook.com/gitlab","https://www.youtube.com/channel/UCnMGQ8QHMAnVIsI3xJrihhg","https://www.linkedin.com/company/gitlab-com",[62,89,161,229,291],{"title":63,"links":64,"subMenu":70},"Platform",[65],{"text":66,"config":67},"DevSecOps platform",{"href":68,"dataGaName":69,"dataGaLocation":45},"/platform/","devsecops platform",[71],{"title":72,"links":73},"Pricing",[74,79,84],{"text":75,"config":76},"View plans",{"href":77,"dataGaName":78,"dataGaLocation":45},"/pricing/","view plans",{"text":80,"config":81},"Why Premium?",{"href":82,"dataGaName":83,"dataGaLocation":45},"/pricing/premium/","why premium",{"text":85,"config":86},"Why Ultimate?",{"href":87,"dataGaName":88,"dataGaLocation":45},"/pricing/ultimate/","why ultimate",{"title":90,"links":91},"Solutions",[92,97,101,106,111,116,121,126,131,136,141,146,151,156],{"text":93,"config":94},"Digital transformation",{"href":95,"dataGaName":96,"dataGaLocation":45},"/topics/digital-transformation/","digital transformation",{"text":98,"config":99},"Application Security Testing",{"href":100,"dataGaName":98,"dataGaLocation":45},"/solutions/application-security-testing/",{"text":102,"config":103},"Automated software 
delivery",{"href":104,"dataGaName":105,"dataGaLocation":45},"/solutions/delivery-automation/","automated software delivery",{"text":107,"config":108},"Agile development",{"href":109,"dataGaName":110,"dataGaLocation":45},"/solutions/agile-delivery/","agile delivery",{"text":112,"config":113},"Cloud transformation",{"href":114,"dataGaName":115,"dataGaLocation":45},"/topics/cloud-native/","cloud transformation",{"text":117,"config":118},"SCM",{"href":119,"dataGaName":120,"dataGaLocation":45},"/solutions/source-code-management/","source code management",{"text":122,"config":123},"CI/CD",{"href":124,"dataGaName":125,"dataGaLocation":45},"/solutions/continuous-integration/","continuous integration & delivery",{"text":127,"config":128},"Value stream management",{"href":129,"dataGaName":130,"dataGaLocation":45},"/solutions/value-stream-management/","value stream management",{"text":132,"config":133},"GitOps",{"href":134,"dataGaName":135,"dataGaLocation":45},"/solutions/gitops/","gitops",{"text":137,"config":138},"Enterprise",{"href":139,"dataGaName":140,"dataGaLocation":45},"/enterprise/","enterprise",{"text":142,"config":143},"Small business",{"href":144,"dataGaName":145,"dataGaLocation":45},"/small-business/","small business",{"text":147,"config":148},"Public sector",{"href":149,"dataGaName":150,"dataGaLocation":45},"/solutions/public-sector/","public sector",{"text":152,"config":153},"Education",{"href":154,"dataGaName":155,"dataGaLocation":45},"/solutions/education/","education",{"text":157,"config":158},"Financial services",{"href":159,"dataGaName":160,"dataGaLocation":45},"/solutions/finance/","financial services",{"title":162,"links":163},"Resources",[164,169,174,179,184,189,194,199,204,209,214,219,224],{"text":165,"config":166},"Install",{"href":167,"dataGaName":168,"dataGaLocation":45},"/install/","install",{"text":170,"config":171},"Quick start guides",{"href":172,"dataGaName":173,"dataGaLocation":45},"/get-started/","quick setup 
checklists",{"text":175,"config":176},"Learn",{"href":177,"dataGaName":178,"dataGaLocation":45},"https://university.gitlab.com/","learn",{"text":180,"config":181},"Product documentation",{"href":182,"dataGaName":183,"dataGaLocation":45},"https://docs.gitlab.com/","docs",{"text":185,"config":186},"Blog",{"href":187,"dataGaName":188,"dataGaLocation":45},"/blog/","blog",{"text":190,"config":191},"Customer success stories",{"href":192,"dataGaName":193,"dataGaLocation":45},"/customers/","customer success stories",{"text":195,"config":196},"Remote",{"href":197,"dataGaName":198,"dataGaLocation":45},"https://handbook.gitlab.com/handbook/company/culture/all-remote/","remote",{"text":200,"config":201},"GitLab Services",{"href":202,"dataGaName":203,"dataGaLocation":45},"/services/","services",{"text":205,"config":206},"TeamOps",{"href":207,"dataGaName":208,"dataGaLocation":45},"/teamops/","teamops",{"text":210,"config":211},"Community",{"href":212,"dataGaName":213,"dataGaLocation":45},"/community/","community",{"text":215,"config":216},"Forum",{"href":217,"dataGaName":218,"dataGaLocation":45},"https://forum.gitlab.com/","forum",{"text":220,"config":221},"Events",{"href":222,"dataGaName":223,"dataGaLocation":45},"/events/","events",{"text":225,"config":226},"Partners",{"href":227,"dataGaName":228,"dataGaLocation":45},"/partners/","partners",{"title":230,"links":231},"Company",[232,237,242,247,252,257,262,266,271,276,281,286],{"text":233,"config":234},"About",{"href":235,"dataGaName":236,"dataGaLocation":45},"/company/","company",{"text":238,"config":239},"Jobs",{"href":240,"dataGaName":241,"dataGaLocation":45},"/jobs/","jobs",{"text":243,"config":244},"Leadership",{"href":245,"dataGaName":246,"dataGaLocation":45},"/company/team/e-group/","leadership",{"text":248,"config":249},"Team",{"href":250,"dataGaName":251,"dataGaLocation":45},"/company/team/","team",{"text":253,"config":254},"Handbook",{"href":255,"dataGaName":256,"dataGaLocation":45},"https://handbook.gitlab.com/","handb
ook",{"text":258,"config":259},"Investor relations",{"href":260,"dataGaName":261,"dataGaLocation":45},"https://ir.gitlab.com/","investor relations",{"text":263,"config":264},"Sustainability",{"href":265,"dataGaName":263,"dataGaLocation":45},"/sustainability/",{"text":267,"config":268},"Diversity, inclusion and belonging (DIB)",{"href":269,"dataGaName":270,"dataGaLocation":45},"/diversity-inclusion-belonging/","Diversity, inclusion and belonging",{"text":272,"config":273},"Trust Center",{"href":274,"dataGaName":275,"dataGaLocation":45},"/security/","trust center",{"text":277,"config":278},"Newsletter",{"href":279,"dataGaName":280,"dataGaLocation":45},"/company/contact/","newsletter",{"text":282,"config":283},"Press",{"href":284,"dataGaName":285,"dataGaLocation":45},"/press/","press",{"text":287,"config":288},"Modern Slavery Transparency Statement",{"href":289,"dataGaName":290,"dataGaLocation":45},"https://handbook.gitlab.com/handbook/legal/modern-slavery-act-transparency-statement/","modern slavery transparency statement",{"title":292,"links":293},"Contact Us",[294,299,304,309,314,319,324],{"text":295,"config":296},"Contact an expert",{"href":297,"dataGaName":298,"dataGaLocation":45},"/sales/","sales",{"text":300,"config":301},"Get help",{"href":302,"dataGaName":303,"dataGaLocation":45},"/support/","get help",{"text":305,"config":306},"Customer portal",{"href":307,"dataGaName":308,"dataGaLocation":45},"https://customers.gitlab.com/customers/sign_in/","customer portal",{"text":310,"config":311},"Status",{"href":312,"dataGaName":313,"dataGaLocation":45},"https://status.gitlab.com/","status",{"text":315,"config":316},"Terms of use",{"href":317,"dataGaName":318,"dataGaLocation":45},"/terms/","terms of use",{"text":320,"config":321},"Privacy statement",{"href":322,"dataGaName":323,"dataGaLocation":45},"/privacy/","privacy statement",{"text":325,"config":326},"Cookie preferences",{"dataGaName":327,"dataGaLocation":45,"id":328,"isOneTrustButton":329},"cookie 
preferences","ot-sdk-btn",true,{"items":331},[332,334,336],{"text":315,"config":333},{"href":317,"dataGaName":318,"dataGaLocation":45},{"text":320,"config":335},{"href":322,"dataGaName":323,"dataGaLocation":45},{"text":325,"config":337},{"dataGaName":327,"dataGaLocation":45,"id":328,"isOneTrustButton":329},"content:shared:en-us:main-footer.yml","Main Footer","shared/en-us/main-footer.yml","shared/en-us/main-footer",{"_path":343,"_dir":344,"_draft":6,"_partial":6,"_locale":7,"visibility":329,"id":345,"title":346,"button":347,"_id":351,"_type":31,"_source":32,"_file":352,"_stem":353,"_extension":35},"/shared/en-us/the-source/banner/the-economics-of-software-innovation-2025-08-18","banner","The Economics of Software Innovation","The Economics of Software Innovation—AI’s $750 Billion Opportunity",{"config":348,"text":350},{"href":349},"/software-innovation-report/","Get the research report","content:shared:en-us:the-source:banner:the-economics-of-software-innovation-2025-08-18.yml","shared/en-us/the-source/banner/the-economics-of-software-innovation-2025-08-18.yml","shared/en-us/the-source/banner/the-economics-of-software-innovation-2025-08-18",{"_path":355,"_dir":9,"_draft":6,"_partial":6,"_locale":7,"logo":356,"subscribeLink":361,"navItems":365,"_id":378,"_type":31,"title":379,"_source":32,"_file":380,"_stem":381,"_extension":35},"/shared/en-us/the-source/navigation",{"altText":357,"config":358},"the source logo",{"src":359,"href":360},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1750191004/t7wz1klfb2kxkezksv9t.svg","/the-source/",{"text":362,"config":363},"Subscribe",{"href":364},"#subscribe",[366,370,374],{"text":367,"config":368},"Artificial Intelligence",{"href":369},"/the-source/ai/",{"text":371,"config":372},"Security & Compliance",{"href":373},"/the-source/security/",{"text":375,"config":376},"Platform & 
Infrastructure",{"href":377},"/the-source/platform/","content:shared:en-us:the-source:navigation.yml","Navigation","shared/en-us/the-source/navigation.yml","shared/en-us/the-source/navigation",{"_path":383,"_dir":9,"_draft":6,"_partial":6,"_locale":7,"title":384,"description":385,"submitMessage":386,"formData":387,"_id":390,"_type":31,"_source":32,"_file":391,"_stem":392,"_extension":35},"/shared/en-us/the-source/newsletter","The Source Newsletter","Stay updated with insights for the future of software development.","You have successfully signed up for The Source’s newsletter.",{"config":388},{"formId":389,"formName":280,"hideRequiredLabel":329},1077,"content:shared:en-us:the-source:newsletter.yml","shared/en-us/the-source/newsletter.yml","shared/en-us/the-source/newsletter",{"_path":394,"_dir":20,"_draft":6,"_partial":6,"_locale":7,"slug":395,"type":396,"category":20,"config":397,"seo":402,"content":407,"_id":431,"_type":31,"title":7,"_source":32,"_file":432,"_stem":433,"_extension":35},"/en-us/the-source/ai/how-ctos-can-capture-the-750-billion-ai-opportunity","how-ctos-can-capture-the-750-billion-ai-opportunity","article",{"layout":9,"template":398,"featured":329,"articleType":399,"author":400,"gatedAsset":401},"TheSourceArticle","Regular","sabrina-farmer","software-innovation-report-2025",{"config":403,"title":404,"description":405,"ogImage":406},{"noIndex":6},"How CTOs can capture the $750 billion AI opportunity","Discover how CTOs can unlock $750 billion in AI value through strategic leadership, platform thinking, and team restructuring for competitive advantage.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1756475163/rxkl32r5y4yf69exmiqn.png",{"title":404,"description":405,"date":408,"timeToRead":409,"heroImage":406,"keyTakeaways":410,"articleBody":414,"faq":415},"2025-09-02","5 min read",[411,412,413],"AI-powered software innovation saves $28,249 per developer annually, creating a $750 billion global opportunity that requires the right CTO 
leadership to capture.","Success depends on matching CTO style to company stage: Builder CTOs for innovation, Strategist CTOs for scaling, Guardian CTOs for governance.","Platform thinking and strategic upskilling enable human-AI partnerships where developers focus on high-value work that drives competitive advantage.","Technical leaders understand how profoundly AI has reshaped innovation workflows. Now we have data that quantifies the massive impact it’s creating.\n\n[GitLab’s 2025 executive research report](https://about.gitlab.com/software-innovation-report/), which surveyed 2,786 C-level leaders worldwide, reveals that AI-powered software innovation delivers an average of $28,249 in annual savings per developer. With 27 million developers globally, that means AI could unlock over $750 billion in value each year.\n\nGiven these potential savings, it’s unsurprising that C-suite executives are embracing AI’s efficiency-driving capabilities. Ninety-one percent of leaders now consider software innovation, including AI, a core business priority for their organizations.\n\n## Bridging the human-AI collaboration divide\nDespite the enthusiasm around AI, significant growth opportunities remain. Executives say their ideal state is splitting development work equally between humans and AI, but the reality is that AI currently handles only 25% of tasks. To maximize the benefits of AI across development teams, leaders must effectively communicate the value of AI, linking development activities to business outcomes through problem-solving capabilities and measurable business impact rather than focusing solely on code output. This mindset shift will prove essential for realizing AI’s full potential.\n\nAI isn’t going to eliminate the role of the developer. 
Instead, it is fundamentally transforming role requirements and how executives must lead and organize teams to capitalize on this enormous opportunity.\n\nMost organizations that successfully capture AI value share a few things in common: they have strategic CTO leadership with an unwavering customer focus; they implement platform-based approaches that enable teams to scale effectively with AI; and they invest in team structures and upskilling initiatives that help developers maximize the benefits of AI.\n\n## Which type of technical leader is right for your team?\nThe vast majority (82%) of C-suite executives we surveyed said they are prepared to invest over half of their IT budgets in software innovation. This is an unprecedented moment for technical leaders to shine, but what kinds of leaders are best placed to seize the opportunity? Throughout my career, I’ve found that organizations need specific leadership approaches at different points in their evolution. I like to categorize CTO leadership styles into three distinct buckets that correspond to different phases of organizational growth: Builder, Strategist, and Guardian.\n\n**Builder CTOs** excel at AI-driven innovation, establishing core technical architecture, and creating innovative products while continuously validating their assumptions through customer feedback. They’re ideal for smaller, rapidly growing organizations and those just starting their AI transformation journeys.\n\n**Strategist CTOs** become invaluable as companies mature, combining deep technical expertise with business knowledge to build platforms, develop long-term visions, nurture strategic partnerships, and position the organization for sustained, scalable growth. 
Strategist CTOs help transform AI into a permanent, value-generating component of the organization’s strategic platform.\n\n**Guardian CTOs** are critical for supporting organizations with complex IT infrastructures and extensive customer bases to maintain stability, security, and operational efficiency. They are a good fit for organizations whose priorities include AI governance, security implementation, and establishing AI processes and standards that maximize efficiency while reducing costs.\n\nTo drive success in AI-powered software innovation, leaders must be able to identify targeted AI applications, translate them into customer value, and enable teams to concentrate on higher-value activities.\n\n## Adopt platform thinking for scalability\nAs organizations grow, teams specialize in addressing specific challenges. But with larger teams come difficulties in coordination. By the time an organization reaches tens of thousands of employees, these challenges often become silos that hinder effective collaboration and prevent organizations from realizing the benefits of human-AI partnerships.\n\nIn my experience, the most effective CTOs implement [platform-based strategies](https://about.gitlab.com/the-source/platform/beyond-the-portal-hype-why-you-need-a-platform-first/) to position companies for scalable growth without creating silos. The most common approach involves establishing a centralized team that is responsible for building platforms that product teams can utilize organization-wide. This team’s primary function is to automate routine tasks and provide streamlined workflows for all software innovation teams throughout the organization, a role that AI can significantly enhance.\n\nCTOs may need to create specialized teams that support complicated subsystems required by the broader organization. 
An organization with complex requirements, such as evaluating fraud risk in new customers or solving supply-chain complexities in real time, might organize dedicated teams to support these as AI-powered “subsystems” that the entire company can use.\n\n## Restructure and upskill teams to maximize their capabilities\nSetting up software teams for success in the AI era means freeing up humans to focus on work that AI can’t perform effectively. AI can help with tasks such as coding and answering questions, but it can’t determine the “why” behind a project.\n\nEngineers who translate business requirements into technical solutions and anticipate future trends will be invaluable. Those who can combine technical skills with critical thinking will better guide AI technologies and achieve productivity gains from human-AI partnerships.\n\nTraining in specific AI-related skills, such as prompt engineering and data management, will also be essential. Our survey found that executives view creativity, strategic vision, and collaboration as the most valuable human contributions to software development.\n\nHowever, there’s also a significant perception gap here: [Our global survey of more than 5,000 DevSecOps professionals at all job levels](https://learn.gitlab.com/devsecops-survey-2024/) found that 25% of individual contributors feel their organizations don’t provide sufficient AI training, compared to only 15% of C-level executives.\n\nForward-thinking CTOs will frame upskilling as an investment in human-AI partnerships that is crucial to delivering competitive advantages.\n\n## The future requires human innovators\nThe $750 billion opportunity from AI-powered software innovation won’t materialize automatically. 
Harnessing the power of AI requires appropriate leadership, platform thinking, and upskilling that enables humans to focus on their strengths while AI manages and automates routine tasks.\n\nAI is transforming the software development landscape, but it’s not eliminating the need for skilled engineers. Instead, it’s shifting focus toward higher-value work requiring human judgment, creativity, and strategic thinking. Over time, human software innovators will increasingly concentrate on work that drives competitive advantage and allows organizations to transform themselves and their industries in unprecedented ways.",[416,419,422,425,428],{"header":417,"content":418},"How much annual savings can AI deliver per developer according to executive research?","GitLab's 2025 executive research report of 2,786 C-level leaders worldwide reveals AI-powered software innovation delivers $28,249 in annual savings per developer. With 27 million developers globally, this represents over $750 billion in potential value annually.",{"header":420,"content":421},"What are the three types of CTO leadership styles for AI transformation?","Builder CTOs excel at AI-driven innovation and core technical architecture for smaller, rapidly growing organizations. Strategist CTOs combine technical expertise with business knowledge for scalable growth and strategic platforms. Guardian CTOs focus on AI governance, security, and operational efficiency for complex infrastructures.",{"header":423,"content":424},"What percentage of executives are willing to invest their IT budget in software innovation?","82% of C-suite executives surveyed are prepared to invest over half of their IT budgets in software innovation. 
Additionally, 91% of leaders consider software innovation, including AI, a core business priority for their organizations.",{"header":426,"content":427},"How do current human-AI collaboration ratios compare to executive expectations?","Executives say their ideal state is splitting development work equally between humans and AI, but reality shows AI currently handles only 25% of tasks while humans manage 75%. This gap represents significant untapped value that CTOs must address through strategic leadership.",{"header":429,"content":430},"What skills gap exists between executive and developer perceptions of AI training?","25% of individual contributors feel their organizations don't provide sufficient AI training, compared to only 15% of C-level executives who share this concern. This perception gap highlights the need for CTOs to frame upskilling as investment in human-AI partnerships.","content:en-us:the-source:ai:how-ctos-can-capture-the-750-billion-ai-opportunity:index.yml","en-us/the-source/ai/how-ctos-can-capture-the-750-billion-ai-opportunity/index.yml","en-us/the-source/ai/how-ctos-can-capture-the-750-billion-ai-opportunity/index",{"_path":435,"_dir":9,"_draft":6,"_partial":6,"_locale":7,"type":436,"config":437,"seo":438,"content":441,"slug":20,"_id":455,"_type":31,"title":7,"_source":32,"_file":456,"_stem":457,"_extension":35},"/en-us/the-source/ai","category",{"layout":9},{"title":367,"description":439,"ogImage":440},"Explore expert insights on how AI is transforming software development, and how organizations can get the most out of their AI 
investments.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751463300/eoudcbj5aoucl0spsp0c.png",[442,447],{"componentName":443,"type":443,"componentContent":444},"TheSourceCategoryHero",{"title":367,"description":439,"image":445},{"config":446},{"src":440},{"componentName":448,"type":448,"componentContent":449},"TheSourceCategoryMainSection",{"config":450},{"gatedAssets":451},[452,453,454],"source-lp-how-to-get-started-using-ai-in-software-development","navigating-ai-maturity-in-devsecops","source-lp-ai-guide-for-enterprise-leaders-building-the-right-approach","content:en-us:the-source:ai:index.yml","en-us/the-source/ai/index.yml","en-us/the-source/ai/index",{"_path":459,"_dir":9,"_draft":6,"_partial":6,"_locale":7,"type":436,"config":460,"seo":461,"content":464,"slug":24,"_id":476,"_type":31,"title":7,"_source":32,"_file":477,"_stem":478,"_extension":35},"/en-us/the-source/security",{"layout":9},{"title":371,"description":462,"ogImage":463},"Get up to speed on how organizations can ensure they're staying on top of evolving security threats and compliance requirements.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751463273/aplkxrvwpii26xao5yhi.png",[465,469],{"componentName":443,"type":443,"componentContent":466},{"title":371,"description":462,"image":467},{"config":468},{"src":463},{"componentName":448,"type":448,"componentContent":470},{"config":471},{"gatedAssets":472},[473,474,475],"source-lp-guide-to-dynamic-sboms","source-lp-devsecops-the-key-to-modern-security-resilience","application-security-in-the-digital-age","content:en-us:the-source:security:index.yml","en-us/the-source/security/index.yml","en-us/the-source/security/index",{"_path":480,"_dir":9,"_draft":6,"_partial":6,"_locale":7,"type":436,"config":481,"seo":482,"content":485,"slug":29,"_id":497,"_type":31,"title":7,"_source":32,"_file":498,"_stem":499,"_extension":35},"/en-us/the-source/platform",{"layout":9},{"title":375,"description":483,"ogImage":484},"Learn how to 
build a DevSecOps framework that sets your team up for success, from planning to delivery.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751463263/bdz7hmhpbmgwvoybcaud.png",[486,490],{"componentName":443,"type":443,"componentContent":487},{"title":375,"description":483,"image":488},{"config":489},{"src":484},{"componentName":448,"type":448,"componentContent":491},{"config":492},{"gatedAssets":493},[494,495,496],"source-lp-the-ultimate-playbook-for-high-performing-devsecops-teams","source-lp-measuring-success-in-software-development-a-guide-for-leaders","source-lp-building-a-resilient-software-development-practice","content:en-us:the-source:platform:index.yml","en-us/the-source/platform/index.yml","en-us/the-source/platform/index",{"amanda-rueda":501,"andre-michael-braun":502,"andrew-haschka":503,"ayoub-fandi":504,"bob-stevens":505,"brian-wald":506,"bryan-ross":507,"chandler-gibbons":508,"dave-steer":509,"ddesanto":510,"derek-debellis":511,"emilio-salvador":512,"erika-feldman":513,"george-kichukov":514,"gitlab":515,"grant-hickman":516,"haim-snir":517,"iganbaruch":518,"jlongo":519,"joel-krooswyk":520,"josh-lemos":521,"julie-griffin":522,"kristina-weis":523,"lee-faus":524,"ncregan":525,"rschulman":526,"sabrina-farmer":527,"sandra-gittlen":528,"sharon-gaudin":529,"stephen-walters":530,"taylor-mccaslin":531},"Amanda Rueda","Andre Michael Braun","Andrew Haschka","Ayoub Fandi","Bob Stevens","Brian Wald","Bryan Ross","Chandler Gibbons","Dave Steer","David DeSanto","Derek DeBellis","Emilio Salvador","Erika Feldman","George Kichukov","GitLab","Grant Hickman","Haim Snir","Itzik Gan Baruch","Joseph Longo","Joel Krooswyk","Josh Lemos","Julie Griffin","Kristina Weis","Lee Faus","Niall Cregan","Robin Schulman","Sabrina Farmer","Sandra Gittlen","Sharon Gaudin","Stephen Walters","Taylor 
McCaslin",{"amanda-rueda":501,"andre-michael-braun":502,"andrew-haschka":503,"ayoub-fandi":504,"bob-stevens":505,"brian-wald":506,"bryan-ross":507,"chandler-gibbons":508,"dave-steer":509,"ddesanto":510,"derek-debellis":511,"emilio-salvador":512,"erika-feldman":513,"george-kichukov":514,"gitlab":515,"grant-hickman":516,"haim-snir":517,"iganbaruch":518,"jlongo":519,"joel-krooswyk":520,"josh-lemos":521,"julie-griffin":522,"kristina-weis":523,"lee-faus":524,"ncregan":525,"rschulman":526,"sabrina-farmer":527,"sandra-gittlen":528,"sharon-gaudin":529,"stephen-walters":530,"taylor-mccaslin":531},[534,572,609],{"_path":535,"_dir":20,"_draft":6,"_partial":6,"_locale":7,"slug":536,"type":396,"category":20,"config":537,"seo":540,"content":545,"_id":569,"_type":31,"title":7,"_source":32,"_file":570,"_stem":571,"_extension":35},"/en-us/the-source/ai/transform-legacy-systems-faster-with-ai-automation-tools","transform-legacy-systems-faster-with-ai-automation-tools",{"layout":9,"template":398,"featured":6,"articleType":399,"author":538,"gatedAsset":539},"bob-stevens","source-lp-enterprise-guide-to-agentic-ai",{"config":541,"ogImage":542,"title":543,"description":544},{"noIndex":6},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1757084642/vjyxm7kj6xehb8jt8smh.png","Update legacy systems faster with AI automation tools","Discover how artificial intelligence accelerates legacy system upgrades, reduces security risks, and streamlines development workflows.",{"title":543,"description":544,"date":546,"timeToRead":547,"heroImage":542,"keyTakeaways":548,"articleBody":552,"faq":553},"2025-09-18","4 min read",[549,550,551],"AI agents translate outdated code into modern languages, reducing manual developer effort and accelerating system upgrades.","Automated vulnerability detection and remediation helps organizations address security gaps in legacy applications more efficiently.","AI-assisted development enables teams to build new applications while modernizing existing systems 
simultaneously.","If your team is wasting time trying to understand and update 1990s code instead of building 2025 solutions, it might be time to have a conversation about codebase modernization. Luckily, AI can help.\n\nMany enterprise companies continue operating with outdated IT infrastructure built decades ago. These aging systems create security risks, introduce software defects, and slow down development cycles, preventing teams from meeting delivery deadlines.\n\nModernizing these systems requires significant time and budget investments. Organizations recognize the long-term benefits of infrastructure upgrades, but justifying immediate costs proves difficult when returns may not appear for several years.\n\nMemory-unsafe programming languages remain embedded within complex enterprise systems, creating ongoing security concerns. Research indicates that approximately 70% of security flaws stem from [outdated systems using memory-unsafe languages](https://media.defense.gov/2022/Nov/10/2003112742/-1/-1/0/CSI_SOFTWARE_MEMORY_SAFETY.PDF). Legacy code presents challenges for developers who must understand and convert it to contemporary memory-safe alternatives or updated application frameworks. Successfully migrating these systems requires developers with expertise across multiple programming languages.\n\nProactive [AI agents](https://about.gitlab.com/the-source/ai/how-ai-can-fix-governments-legacy-code-problem/) can assist development teams during modernization projects, enabling human developers to concentrate on strategic planning and building innovative customer solutions. 
Organizations can leverage AI for modernization through three primary approaches: explaining legacy programming languages, supporting new application development, and accelerating security issue resolution.\n\n## Explaining and updating legacy code\nStandard refactoring methods include inline refactoring, which restructures outdated code components, and abstraction, which eliminates duplicate code. These traditional methods require substantial time, experienced developers knowledgeable in outdated languages, and comprehensive testing to ensure their effectiveness.\n\nJunior development teams typically lack sufficient knowledge and background in the legacy languages found in existing codebases. This makes understanding legacy source code an overwhelming and lengthy process. AI agents can streamline this process by converting existing code into natural language and then creating updated code using memory-safe languages for review and testing by human developers.\n\nThe new code can then operate on cloud infrastructure using microservices or other available compute resources. This approach allows modernized code to deliver identical functionality with improved efficiency and security, plus enhanced scalability and faster response times.\n\n## Supporting new application development\nIn addition to modernizing existing code, AI can help create new applications based on specific requirements or business functions. 
Development teams can provide requirements using natural language descriptions, and AI can then generate frameworks and code components that support those needs, sometimes even writing substantial portions of applications using modern architectures.\n\nAI can also aid collaboration among development professionals by summarizing feedback within code reviews, identifying potential integration problems, and tracking compliance requirements, making communication smoother across distributed development organizations.\n\n## Accelerating security assessment and issue resolution\nSecurity responsibilities now extend beyond dedicated security professionals to include developers throughout the organization. Constant threats from malicious actors have grown substantially with AI-enhanced attack methods that exploit known weaknesses in legacy applications and aging infrastructure. Security teams must adopt AI tools to keep pace with these evolving threats.\n\nAI can analyze existing code for user behavioral patterns, conduct root cause investigations, automate security assessments, and apply fixes for identified vulnerabilities. This improves coordination between security professionals and developers, enabling developers to recognize and address security issues independently and reducing security team workloads.\n\nThis partnership between AI, developers, and security professionals has the potential to allow organizations to respond more quickly to emerging threats and cut response times from days to hours.\n\n## Building for tomorrow\nAlthough the transition from legacy codebase maintenance to comprehensive modernization appears challenging, it represents an essential step for maintaining organizational security and preparing for the future. The bottom line is that development teams should focus their energy on delivering value to customers, not on supporting and maintaining outdated languages and frameworks. 
AI-powered code modernization helps teams optimize workflows, enhance performance, and encourage innovation while reducing operational expenses.\n\nModernizing legacy systems also eliminates entire categories of security vulnerabilities and strengthens protection across the technology landscape. AI will function as both an accelerator and a protector in this technological evolution.\n\nCompanies that embrace AI-driven modernization position themselves to compete more effectively while building stronger, more secure digital foundations for future growth and innovation.",[554,557,560,563,566],{"header":555,"content":556},"How does AI help explain and update legacy code for development teams?","AI agents streamline legacy code understanding by converting existing code into natural language explanations, then creating updated code using memory-safe languages for human review and testing. This approach helps junior developers who lack knowledge in outdated languages and accelerates the modernization process significantly.",{"header":558,"content":559},"What percentage of security flaws come from outdated legacy systems?","Research indicates that approximately 70% of security flaws stem from outdated systems using memory-unsafe programming languages. These legacy systems create ongoing security concerns and present challenges for developers who must convert them to contemporary memory-safe alternatives.",{"header":561,"content":562},"How can AI support new application development alongside legacy modernization?","AI can generate frameworks and code components based on natural language requirements, sometimes writing substantial portions of applications using modern architectures. 
AI also aids collaboration by summarizing code review feedback, identifying integration problems, and tracking compliance requirements across distributed development teams.",{"header":564,"content":565},"What are the three primary approaches for leveraging AI in modernization projects?","Organizations can leverage AI through three main approaches: explaining legacy programming languages and converting them to modern alternatives, supporting new application development with automated code generation, and accelerating security issue resolution through automated vulnerability detection and remediation.",{"header":567,"content":568},"How does AI-powered modernization impact security response times?","AI enables partnerships between developers and security professionals that can cut response times from days to hours. AI analyzes code for behavioral patterns, conducts root cause investigations, automates security assessments, and applies fixes for identified vulnerabilities, allowing faster responses to emerging threats.","content:en-us:the-source:ai:transform-legacy-systems-faster-with-ai-automation-tools:index.yml","en-us/the-source/ai/transform-legacy-systems-faster-with-ai-automation-tools/index.yml","en-us/the-source/ai/transform-legacy-systems-faster-with-ai-automation-tools/index",{"_path":573,"_dir":20,"_draft":6,"_partial":6,"_locale":7,"slug":574,"type":396,"category":20,"config":575,"seo":578,"content":583,"_id":606,"_type":31,"title":7,"_source":32,"_file":607,"_stem":608,"_extension":35},"/en-us/the-source/ai/ai-transforms-agile-planning-for-modern-development-teams","ai-transforms-agile-planning-for-modern-development-teams",{"layout":9,"template":398,"featured":329,"articleType":399,"author":576,"gatedAsset":577},"lee-faus","source-lp-navigating-a-smooth-transition-to-agile-planning",{"config":579,"ogImage":580,"title":581,"description":582},{"noIndex":6},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1755530469/emjkvobknbai4rceregn.png","AI 
transforms Agile planning for modern development teams","Discover how AI-powered platforms can streamline Agile workflows, reduce administrative burden, and help teams focus on delivering customer value.",{"title":581,"description":582,"date":584,"timeToRead":409,"heroImage":580,"keyTakeaways":585,"articleBody":589,"faq":590},"2025-08-19",[586,587,588],"AI can automate routine tasks like backlog grooming and sprint planning, freeing teams to focus on strategic work and customer value delivery.","Modern platforms integrate planning, coding, and delivery in one environment, enabling AI to provide real-time insights across the entire workflow.","Smart automation handles administrative burden while preserving human judgment for innovation, making Agile planning more effective at scale.","After two and a half decades, Agile planning faces a crisis. What started as a revolutionary approach to software development has become bogged down by complex processes and endless administrative tasks. Today’s Agile practices often feel far removed from the original vision of rapid, responsive development.\n\nAs companies tried to scale Agile across large organizations, frameworks like the [Scaled Agile Framework (SAFe)](https://framework.scaledagile.com/) emerged to bridge the gap between team-level agility and enterprise requirements. As a result, the software industry’s most dangerous phrase has evolved from “we’ve always done it this way” to “we’re agile, but…,” signaling how far we've drifted from the principles that made Agile revolutionary in the first place. \n\nDespite these challenges, the fundamental ideas behind Agile — being responsive, iterating quickly, and focusing on customer value — remain as important as ever. The real issue isn’t with Agile itself but with how we execute it in complex organizational environments. 
We don’t need to abandon Agile; we need better tools that actually support its core principles.\n\nArtificial intelligence (AI) offers a promising solution by automating the administrative overhead that has weighed down modern Agile practices.\n## AI and the platform revolution\nMy experience with Agile methodologies started alongside pioneers like Jon Kern, one of the original signers of the [Agile Manifesto](https://agilemanifesto.org/). He taught me that focusing on customers and delivery is more effective than creating endless documentation. This approach helped me build small, high-performing teams that achieved remarkable results through quick iterations and constant customer feedback. However, I've also seen how these principles can get lost in large enterprise settings.\n\nToday's AI-powered platforms offer a way back to those original ideals. Modern multi-agent collaboration platforms create integrated environments where [AI agents](https://about.gitlab.com/the-source/ai/agentic-ai-unlocking-developer-potential-at-scale/) work together to scan code, analyze customer feedback, and suggest solutions. This coordinated intelligence helps teams stay responsive to real-time insights.\n\nImagine AI systems that can analyze customer feedback, support tickets, and usage patterns, then automatically identify and group related issues into meaningful project themes without requiring lengthy planning meetings. 
These systems could break down large projects into appropriately sized tasks based on data about team velocity and dependencies, then assign them to sprints that optimize for both business value and technical coherence.\n\nIn this way, AI tools can transform the tedious work of manual backlog management, estimation sessions, and sprint planning into brief validation meetings where human creativity and strategic thinking help teams focus on the “why” rather than the “how.” In this world, teams spend more time delivering value than discussing how to deliver value.\n\nHere’s a real-world example: [Cube](https://about.gitlab.com/blog/2023/02/07/how-cube-uses-gitlab-to-increase-efficiency-and-productivity/), a software development company based in the Netherlands, significantly improved both development speed and code quality by adopting a unified platform strategy that leveraged AI across all stages of the development lifecycle.\n\nThis isn’t about removing human judgment from Agile; it’s about elevating it from administrative burden to strategic guidance, allowing teams to truly embrace the responsive, value-focused delivery that Agile originally promised.\n## Streamlined planning in an AI-driven world\nMany organizations are already replacing the complicated workflows of monolithic planning tools with lightweight issue management systems that [smoothly integrate with the entire development lifecycle](https://about.gitlab.com/the-source/platform/devops-teams-want-to-shake-off-diy-toolchains-a-platform-is-the-answer/). When issue tracking exists alongside code repositories, CI/CD pipelines, and delivery systems, it creates an environment where AI can truly enhance our workflows.\n\nThis integrated platform approach enables a fundamental shift in how we plan and execute work. 
Here are some key applications:\n\n**AI-driven security remediation planning**: Instead of treating security as a separate workflow, intelligent AI tools can automatically create remediation issues from vulnerability scans, prioritize them based on risk assessment, and intelligently schedule them alongside feature work. This ensures that security debt doesn’t accumulate in forgotten backlogs while providing clear visibility into application security status.\n\n**Intelligent code review automation**: AI-powered tools can automatically analyze code changes, identify potential bugs, suggest improvements, and check for compliance with architectural patterns — all before a human reviewer even sees the code. This shifts human review time from finding basic issues to making strategic decisions about implementation approaches.\n\n**Smart cross-platform coordination**: Through agent-to-agent (A2A) communication frameworks, organizations can create powerful integrations between development platforms and planning and issue management tools. These integrations enable AI agents to automatically synchronize data across platforms, providing a comprehensive view of development activities regardless of where planning occurs. They adjust sprint allocations based on developer activity and provide early warnings when timelines or team capacity are at risk.\n\nThese capabilities, which exist today, can make developers more efficient and enable leadership to make informed decisions. The result is a cohesive ecosystem where information flows seamlessly between planning and execution tools, eliminating the need for developers to switch between systems.\n## What this means for your team\nThe move toward AI-enhanced Agile planning requires a practical look at your current processes and toolchain.\n\nStart by **evaluating whether your current processes create bottlenecks** between development and deployment. 
Look for gaps where Agile ceremonies exist, but traditional approval workflows still dominate critical decisions.\n\nNext, **assess how much time your teams spend on planning ceremonies** versus actual development work. Consider whether AI can automate administrative tasks such as backlog grooming, estimation sessions, and status updates while preserving human strategic input on priorities and technical decisions.\n\n**Examine your current toolchain** to identify where manual coordination is required between the planning, development, and deployment phases. Look for opportunities where AI can automate data synchronization and provide predictive insights about team capacity and timeline risks, reducing the context switching that fragments developer focus.\n\nFinally, **review your current planning overhead** and identify which administrative tasks can be automated, allowing your team to focus on delivering customer value and making strategic technical decisions rather than adhering to process compliance. The goal is not to eliminate human judgment but to elevate it from routine tasks to the strategic thinking that drives innovation.\n\nThe future belongs to teams that embrace lightweight, AI-enabled platforms, where planning, code, and delivery coexist in a single, integrated environment. When machines handle the tactical execution and administrative burden, humans can focus on innovation and customer delight — the roles that truly add value to your organization.",[591,594,597,600,603],{"header":592,"content":593},"How can AI automate routine Agile planning tasks?","AI can automate backlog grooming, estimation sessions, and sprint planning by analyzing customer feedback, support tickets, and usage patterns to automatically identify and group related issues into meaningful project themes. 
This transforms tedious manual work into brief validation meetings where teams focus on strategic thinking rather than administrative tasks.",{"header":595,"content":596},"What are the key benefits of AI-driven security remediation planning?","AI tools automatically create remediation issues from vulnerability scans, prioritize them based on risk assessment, and intelligently schedule them alongside feature work. This ensures security debt doesn't accumulate in forgotten backlogs while providing clear visibility into application security status without treating security as a separate workflow.",{"header":598,"content":599},"How does intelligent code review automation improve development workflows?","AI-powered tools automatically analyze code changes, identify potential bugs, suggest improvements, and check compliance with architectural patterns before human reviewers see the code. This shifts human review time from finding basic issues to making strategic decisions about implementation approaches, improving both efficiency and code quality.",{"header":601,"content":602},"What is smart cross-platform coordination in AI-enhanced Agile planning?","Through agent-to-agent (A2A) communication frameworks, AI agents automatically synchronize data across development platforms and planning tools, providing comprehensive views of development activities. 
They adjust sprint allocations based on developer activity and provide early warnings when timelines or team capacity are at risk.",{"header":604,"content":605},"How should teams evaluate their readiness for AI-enhanced Agile planning?","Teams should assess whether current processes create bottlenecks between development and deployment, evaluate time spent on planning ceremonies versus actual development work, examine toolchain gaps requiring manual coordination, and identify administrative tasks that can be automated while preserving human strategic input on priorities and technical decisions.","content:en-us:the-source:ai:ai-transforms-agile-planning-for-modern-development-teams:index.yml","en-us/the-source/ai/ai-transforms-agile-planning-for-modern-development-teams/index.yml","en-us/the-source/ai/ai-transforms-agile-planning-for-modern-development-teams/index",{"_path":610,"_dir":20,"_draft":6,"_partial":6,"_locale":7,"slug":611,"type":396,"category":20,"config":612,"seo":614,"content":619,"_id":643,"_type":31,"title":7,"_source":32,"_file":644,"_stem":645,"_extension":35},"/en-us/the-source/ai/to-maximize-the-750b-ai-opportunity-human-innovation-is-key","to-maximize-the-750b-ai-opportunity-human-innovation-is-key",{"layout":9,"template":398,"featured":329,"articleType":399,"author":613,"gatedAsset":401},"emilio-salvador",{"config":615,"title":616,"ogTitle":616,"description":617,"ogDescription":617,"ogImage":618},{"noIndex":6},"Maximize the $750B AI opportunity with human innovation","Discover how human-AI partnerships can save tens of thousands of dollars per developer annually while boosting innovation and productivity across your team.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1754661325/ntf0xsctetcx7uq1yfpy.png",{"title":620,"description":617,"date":621,"timeToRead":409,"heroImage":618,"keyTakeaways":622,"articleBody":626,"faq":627},"To maximize the $750B AI opportunity, human innovation is key","2025-08-12",[623,624,625],"Companies save 
an average of $28,249 per developer annually through strategic AI investments, creating $750 billion in global value potential.","The majority of executives want 50/50 human-AI partnerships, but teams currently operate at 75% human, 25% AI — revealing untapped efficiency opportunities.","Technical leaders who master AI orchestration and quality governance will drive the next wave of software innovation and competitive advantage.","Imagine that your team is tasked with an enormous challenge: Due to intensifying customer demands, you need to double your feature delivery velocity in 90 days without increasing the team’s size. The budget is frozen, hiring is on hold, but the business timeline is non-negotiable. The answer isn’t working nights and weekends. It’s fundamentally changing how your developers collaborate with AI to architect *solutions* instead of just writing code.\n\nWhile studying classical languages years ago, I discovered that Latin demanded architectural thinking — seeing how complex systems interconnect, understanding cross-layer dependencies, and building logical structures that withstand analysis. Every sentence was an interconnected puzzle where changing one component affected everything else.\n\nThat linguistic training unexpectedly prepared me for today’s software development revolution. AI is fundamentally changing how we build software, and engineering leaders who understand architectural approaches to human-AI collaboration will shape the next era of innovation.\n\nThe financial impact is substantial. [GitLab’s recent C-Suite survey of thousands of executives globally](https://about.gitlab.com/software-innovation-report/) shows that AI-enhanced software innovation delivers exceptional returns: Organizations save an average of $28,249 per developer annually from AI investments. Applied to the world’s 27 million developers, this represents over $750 billion in potential global value, with $149 billion in the U.S. 
market alone.\n\nHowever, the survey data also reveal a striking disconnect: While 73% of executives believe the ideal human-AI partnership should be 50/50, in reality, humans manage three-quarters of development work, with AI contributing just one-quarter. This gap represents a massive unclaimed competitive advantage.\n\n## Why architectural thinking matters for AI collaboration\n\nThe engineering leaders succeeding in this transformation aren’t simply writing better prompts. They’re cognitive architects who break down business challenges into core principles and design “thought blueprints” that guide AI systems toward precise solutions.\n\nThis architectural mindset mirrors the systematic approach I learned analyzing Latin texts. You need to grasp the underlying structure before manipulating surface elements. With 89% of executives expecting agentic AI to become standard practice within three years, engineering leaders who think systematically about human-AI workflows will be essential.\n\nThe C-suite is taking notice: 91% of executives say software innovation is a core business priority, and 58% have experienced business growth from innovation efforts in the past year. With leaders estimating increases of 44% in revenue and 48% in developer productivity from AI adoption, this isn't a distant future — it’s today’s competitive advantage.\n\n## Strategic moves for engineering teams\n\nThree key strategies can position your engineering organization for optimal 50/50 AI-human collaboration:\n\n**Build AI communication and context management capabilities.** Effective AI collaboration isn’t about crafting perfect prompts. It’s about designing process-oriented thinking that guides AI through complex tasks. Focus on developing frameworks for framing problems, providing appropriate context, and structuring interactions with AI. 
Create workflows aligned with business goals, breaking down complex problems into manageable components that AI can handle efficiently.\n\n**Cultivate system-level thinking across your team.** As AI becomes more capable of code generation, the value of engineering teams shifts from code creation to strategic architecture and design principles. Invest time in defining system-to-subsystem connections, establishing business logic, and building context-rich environments for AI tools. Position your team as software orchestrators, rather than just code writers, through upfront analysis and planning, and then thoroughly review outputs to prevent technical debt.\n\n**Establish quality and security standards for AI.** With 52% of executives identifying cybersecurity threats as their primary concern around agentic AI adoption, engineering teams that can validate AI reasoning processes, implement adversarial testing, and establish specialized review procedures for AI-generated code will be highly valuable to the business. This represents an evolution from traditional debugging to validating AI reasoning and ensuring business logic alignment. It's not enough to consider code security and quality; you’ll also need to ensure that you have [guardrails in place that control the behavior of AI agents](https://about.gitlab.com/the-source/ai/implementing-effective-guardrails-for-ai-agents/) to prevent introducing risks (such as the unintended deletion or alteration of code) into your software development lifecycle.\n\n## The human advantage in an AI-driven world\n\nThe survey data also reveal the criticality of human input in the age of AI: 99% of executives believe human contributions remain valuable for software development. The value of AI isn’t in replacing engineers. It’s about amplifying human capabilities.\n\nExecutives identified creativity and strategic vision as the top two most valued human inputs. 
This makes sense, since although AI excels at pattern recognition and code generation, the architectural thinking required to understand system interconnections, anticipate dependencies, and design for long-term stability remains distinctly human.\n\nOrganizations that [optimize human-AI partnerships](https://about.gitlab.com/the-source/ai/three-ways-to-operationalize-ai-for-engineering-teams/) today will define tomorrow’s software landscape. Our survey found that 53% of executives have already implemented regulatory-aligned governance measures for agentic AI, and 52% have developed internal AI policies.\n\n## Capturing the opportunity\n\nTransformation is accelerating rapidly. The vast majority (82%) of executives say they are willing to invest over half their annual IT budget in software innovation, and 90% report their organizations have adopted frameworks linking development activities to key business outcomes.\n\nEngineering leaders who embrace 50/50 human-AI partnerships and think architecturally about human-AI collaboration, while maintaining the creative vision and strategic thinking that only humans provide, will drive this transformation forward.\n\nThe $750 billion opportunity is a chance for engineering teams to do better work, solve larger problems, and create unprecedented value. AI is already transforming software development — the question is whether your engineering organization will be ready to lead that transformation. The future belongs to teams that build effective bridges between human creativity and AI capability.",[628,631,634,637,640],{"header":629,"content":630},"How much money can companies save per developer with AI investments?","Organizations save an average of $28,249 per developer annually from AI investments, according to GitLab's C-Suite survey of thousands of executives globally. 
This substantial financial impact demonstrates the measurable ROI of strategic AI adoption in software development teams.",{"header":632,"content":633},"What is the ideal human-AI partnership ratio according to executives?","73% of executives believe the ideal human-AI partnership should be 50/50, but current reality shows humans managing three-quarters of development work with AI contributing just one-quarter. This gap represents a massive unclaimed competitive advantage for organizations.",{"header":635,"content":636},"What percentage of executives expect agentic AI to become standard practice?","89% of executives expect agentic AI to become standard practice within three years. Additionally, 91% say software innovation is a core business priority, with leaders estimating 44% revenue increases and 48% developer productivity gains from AI adoption.",{"header":638,"content":639},"What are the top human contributions that remain valuable in AI-driven development?","Executives identified creativity and strategic vision as the top two most valued human inputs, with 99% believing human contributions remain valuable for software development. 
Architectural thinking for system interconnections, dependencies, and long-term stability design remains distinctly human.",{"header":641,"content":642},"How much are executives willing to invest in software innovation initiatives?","82% of executives are willing to invest over half their annual IT budget in software innovation, and 90% report their organizations have adopted frameworks linking development activities to key business outcomes, demonstrating significant commitment to transformation.","content:en-us:the-source:ai:to-maximize-the-750b-ai-opportunity-human-innovation-is-key:index.yml","en-us/the-source/ai/to-maximize-the-750b-ai-opportunity-human-innovation-is-key/index.yml","en-us/the-source/ai/to-maximize-the-750b-ai-opportunity-human-innovation-is-key/index",[647,684,718],{"_path":648,"_dir":29,"_draft":6,"_partial":6,"_locale":7,"slug":649,"type":396,"category":29,"config":650,"seo":653,"content":657,"_id":681,"_type":31,"title":7,"_source":32,"_file":682,"_stem":683,"_extension":35},"/en-us/the-source/platform/beyond-the-portal-hype-why-you-need-a-platform-first","beyond-the-portal-hype-why-you-need-a-platform-first",{"layout":9,"template":398,"featured":329,"articleType":399,"author":651,"gatedAsset":652},"bryan-ross","source-lp-how-to-build-a-resilient-software-development-practice",{"title":654,"ogTitle":654,"description":655,"ogDescription":655,"ogImage":656},"Beyond the portal hype: Why you need a platform first","Discover why many internal developer portals fall short and why a platform-first approach is key to improving developer productivity.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1752086082/z2udikxenysukvroywvb.png",{"title":654,"description":655,"date":658,"timeToRead":659,"heroImage":656,"keyTakeaways":660,"articleBody":664,"faq":665},"2025-07-15","6 min read",[661,662,663],"Most portal initiatives struggle with adoption because organizations underestimate the product management effort required for successful 
implementation and ongoing maintenance.","Start by building a robust platform with streamlined workflows and automation before investing in a portal interface; the value of any portal is entirely dependent on the capabilities of the underlying platform.","Consider whether tool consolidation might be more effective than integration; end-to-end solutions can simplify your ecosystem and reduce the need for the complex integrations that portals attempt to solve.","When Spotify released Backstage as an open source project in 2020, it sparked a wave of enthusiasm across the platform engineering community. The promise was compelling: a unified dashboard where developers could discover, access, and consume everything they needed to build software efficiently. Who wouldn't want a sleek “shop front” to simplify the increasingly complex world of software development?\n\nFast forward to today, and the reality has proven more complicated. Despite the initial excitement, many organizations struggle to realize the promised benefits of internal developer portals. \n\n## Portals vs. platforms: What’s the difference?\nAn internal developer portal is a “front door” to your technical ecosystem. It sits atop your developer platform, which integrates different tools to provide standardized workflows and underlying infrastructure and helps enforce governance. While the platform handles the technical implementation of tooling and automation, the portal provides a single pane of glass that makes development resources discoverable and accessible.\n\nBefore we get to the challenges around portals, it’s worth acknowledging the very real challenges they aim to address:\n1. **Discovery obstacles**: Many organizations lack an API catalog, causing developers to struggle to find existing software components, documentation, best practices, and support channels. 
Portals attempt to solve this by creating a centralized catalog where developers can access these resources through a unified search and navigation experience.\n1. **Tool sprawl**: The modern software development lifecycle relies on numerous specialized tools, each with its own interface and learning curve. [GitLab research](https://about.gitlab.com/developer-survey/) found that 62% of teams use six or more separate tools for software development. Portals address this by integrating these disparate tools behind a consistent interface, reducing the cognitive load of context switching.\n1. **Siloed knowledge**: Teams focused on their specific challenges often create their own workflows and toolchains, hampering cross-team collaboration and leading to duplicated work. Portals aim to break down these silos by making team assets visible across the organization and promoting standardized workflows that encourage collaboration and reuse of existing solutions.\n\nThese challenges have a measurable business impact: According to the [2024 GitLab Global DevSecOps Report](https://about.gitlab.com/developer-survey/), 78% of developers spend at least a quarter of their time maintaining and integrating toolchains.\n\n## Why portal initiatives often fall short\nIf internal developer portals address genuine business problems, why do these initiatives regularly fail to gain traction? In my conversations with technical leaders at companies of all sizes, I’ve noticed several key factors:\n1. **Insufficient product management**: Many organizations underinvest in release announcements, internal enablement examples, training, and other adoption-fueling activities essential for portal success.\n1. **Dependency on platform capabilities**: A portal is only as valuable as its underlying platform. Without robust platform capabilities, a portal merely presents a unified view of dysfunction.\n1. 
**Technical complexity**: Organizations often underestimate that a portal is not simply a tool to install but a software development framework requiring significant engineering skills to build and maintain.\n1. **Ongoing investment requirements**: Building and maintaining a portal demands substantial continuous investment, which many organizations underestimate during initial planning stages.\n1. **Limited developer resonance**: Despite being highly discussed in platform engineering circles, a recent CNCF App Development Working Group survey revealed that many developers remain unaware of Backstage — suggesting it may not address problems developers consider material to their work.\n\nThese challenges are particularly acute when building the portal’s frontend interface. A portal essentially functions as a wrapper built around existing tools, aiming to become the single source of truth for developer interactions.\n\nBut here's the catch: If your portal doesn't mirror enough of the functionality of those underlying tools, developers will bypass it and go straight to the underlying tools, making your portal just another item in an already crowded toolchain. At the same time, trying to keep up with feature changes across a dozen backend tools requires a massive ongoing effort. Every time a backend system changes or releases a new capability, the portal team faces the same question: implement, integrate, or ignore?  Providing a single pane of glass is a significant, perpetual engineering investment that most organizations underestimate.\n\n[Netflix, which has deep experience in developer tooling, puts it bluntly](https://www.youtube.com/watch?v=qgFyb28NvlQ): “A common front door for existing tools is insufficient on its own to attract and keep a user base. 
Rather [it] needs end-to-end experiences not available in other tools to keep users coming back and discovering the additional features and capabilities.”\n\n## The platform-first approach\nOrganizations that have successfully improved developer productivity typically follow a platform-first approach rather than beginning with a portal. Here’s what this looks like in practice:\n1. **Start with developer needs**: Don’t assume what developers need. Speak directly with teams about their challenges and work closely with them to develop solutions that demonstrably improve their day-to-day experiences.\n1. **Focus on platform capabilities first**: Prioritize creating streamlined, automated workflows for regular tasks that incorporate best practices and corporate standards. Any future portal's value will entirely depend on these underlying capabilities.\n1. **Consider tool consolidation before integration**: Portals primarily solve integration issues between tools by abstracting authentication methods and bringing data sources together. Before investing in complex integrations, evaluate whether consolidating tools might simplify your ecosystem. End-to-end solutions across the software development lifecycle can reduce the need for extensive integration work.\n1. **Invest in product management**: Ensure strong product management to encourage platform adoption by new teams and drive new capability adoption by teams who have already embraced the platform.\n\n## When portals make sense\nThis isn’t to say that internal developer portals are inherently flawed. In fact, I’ve worked with several large, mature organizations that successfully use internal developer portals like Backstage, but with a crucial difference in approach and expectations.\n\nOne large financial institution I worked with recently has had tremendous feedback from their portal implementation. 
Rather than trying to create a single pane of glass for all development activities, their portal was built to serve two specific workflows: developer onboarding and new project scaffolding. When a developer joins a team, the portal guides them through account setup across six different systems, automatically provisioning access based on their team assignment. For new projects, the portal provides developers with an intuitive interface to select an appropriate template and configure it to their needs. The portal then triggers the necessary backend systems to build the required project scaffolding, including an initial code repository and a CI/CD pipeline with [policy-driven testing](https://about.gitlab.com/blog/how-to-use-gitlabs-custom-compliance-frameworks-in-your-devsecops/) and [infrastructure-as-code](https://about.gitlab.com/blog/using-ansible-and-gitlab-as-infrastructure-for-code/) to deploy the application.\n\nSuccessful implementations like this leverage portals for activities that genuinely benefit from a simplified point-and-click interface. The portal doesn't try to be the primary interface for all activity; developers still work directly in their IDEs, Git repositories, and monitoring dashboards.\nCritically, organizations with successful developer portals build solid, capable internal developer platforms first. They also have mature approaches to gathering developer feedback to direct their efforts to real-world points of friction.\n\n## The path forward\nThe message for technical leaders navigating the platform engineering landscape is clear: Start with a strong platform rather than focusing primarily on a portal. Prioritize creating tangible value for developers through automation, standardization, and simplified workflows. 
Once your platform capabilities mature and deliver measurable benefits, consider adding a portal as an enhancement if specific needs warrant it.\n\nBy taking this measured approach, you'll avoid the common pitfall of implementing a beautiful dashboard that sits atop dysfunction — and instead build developer tooling that genuinely improves productivity, reduces cognitive load, and accelerates innovation.",[666,669,672,675,678],{"header":667,"content":668},"What's the difference between an internal developer portal and a platform?","An internal developer portal is a \"front door\" interface that sits atop your developer platform. The platform handles technical implementation, tooling, and automation with standardized workflows, while the portal provides a single pane of glass that makes development resources discoverable and accessible.",{"header":670,"content":671},"How much time do developers spend on toolchain maintenance and integration?","According to the 2024 GitLab Global DevSecOps Report, 78% of developers spend at least a quarter of their time maintaining and integrating toolchains. GitLab research also found that 62% of teams use six or more separate tools for software development.",{"header":673,"content":674},"Why do internal developer portal initiatives often fail?","Portal initiatives fail due to insufficient product management, dependency on weak platform capabilities, underestimated technical complexity, ongoing investment requirements, and limited developer resonance. 
Many organizations underestimate that portals require significant continuous engineering investment to maintain feature parity with underlying tools.",{"header":676,"content":677},"What should organizations prioritize before building a developer portal?","Organizations should follow a platform-first approach: start with developer needs assessment, focus on platform capabilities with streamlined automated workflows, consider tool consolidation before integration, and invest in strong product management for adoption. Build robust platform capabilities before adding portal interfaces.",{"header":679,"content":680},"When do internal developer portals make sense to implement?","Portals work best for specific workflows like developer onboarding and new project scaffolding rather than trying to be a single pane of glass for all activities. Successful implementations focus on activities that genuinely benefit from simplified point-and-click interfaces while developers continue using specialized tools directly.","content:en-us:the-source:platform:beyond-the-portal-hype-why-you-need-a-platform-first:index.yml","en-us/the-source/platform/beyond-the-portal-hype-why-you-need-a-platform-first/index.yml","en-us/the-source/platform/beyond-the-portal-hype-why-you-need-a-platform-first/index",{"_path":685,"_dir":29,"_draft":6,"_partial":6,"_locale":7,"config":686,"seo":687,"content":691,"type":396,"slug":714,"category":29,"_id":715,"_type":31,"title":7,"_source":32,"_file":716,"_stem":717,"_extension":35},"/en-us/the-source/platform/transform-your-platform-onboarding-for-higher-adoption-rates",{"layout":9,"template":398,"articleType":399,"author":651,"featured":329,"gatedAsset":474},{"title":688,"description":689,"ogImage":690},"Transform your platform onboarding for higher adoption rates","Redesign your platform onboarding to boost adoption, reduce friction, and create seamless experiences for development 
teams.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751463510/hm90bhwzptl1b2gwovhx.png",{"title":688,"date":692,"description":689,"timeToRead":547,"heroImage":690,"keyTakeaways":693,"articleBody":697,"faq":698},"2025-07-01",[694,695,696],"A weak onboarding experience can significantly impact platform adoption, with research showing that one-third of users consider abandoning platforms after poor experiences.","Simple improvements like creating an intuitive landing page, writing clear documentation, and automating access processes can dramatically increase user adoption and satisfaction.","Building effective support systems across multiple channels (chat, email, ticketing) creates trust and ensures users can quickly overcome obstacles during their onboarding journey.","In my work with platform teams across industries, from startups to enterprises, I’ve noticed a consistent blind spot: the onboarding experience. While teams focus intensely on building robust features, they often neglect how new users first encounter their platform - and this oversight can severely limit adoption.\n\nAccording to the [diffusion of innovations theory](https://en.wikipedia.org/wiki/Diffusion_of_innovations), most platforms achieve about 16% adoption before stagnating. That's because innovators and early adopters - representing about 16% of an organization - are often willing to tolerate rough edges, motivated by novelty or vision. The early majority, comprising 34%, is key to going mainstream. They prioritize proven reliability, a clear value proposition, and ease of use. This shift in expectations is the chasm where many platform teams stumble. 
Your early adopters might forgive a clunky onboarding process, but the early majority won’t.\n\n![Diffusion of Innovation](https://res.cloudinary.com/about-gitlab-com/image/upload/v1752176125/Blog/k6kxdtokv4laph4exsdt.png)\n\n## Start with a memorable, future-proof name\nThe platform's name is likely the first part of the platform that users will engage with. Choose something unique within your organization that’s easy to spell and not tied to specific technologies.\n\nEffective platform names often:\n\n**Reflect your value proposition** rather than the underlying technology. For example, try a name such as “Runway” that reflects the value proposition of helping teams launch faster instead of something more literal like “K8sPipeline.”\n\n**Use simple, memorable words** that evoke the platform’s purpose. Can someone easily understand and spell it after hearing it once? Choosing something simple and easy to remember, such as “Beacon,” will likely serve you better than a unique or creative option such as “Syzygy.”\n\nAvoid these common pitfalls:\n- **Version numbers in names** signal previous failures and raise doubts about longevity.\n- **Generic three-letter acronyms** become instantly forgettable in a sea of other TLAs.\n- **Technology-based names** suggest you prioritize tools over user needs.\n\n## Develop a multi-channel communication strategy\nEffective platform adoption requires deliberate communication planning across multiple channels, from a product website that clearly articulates your platform’s value proposition to user-centric documentation and email updates. Your communication strategy should also include a reliable health dashboard that gives users visibility into known issues and their resolution status. Remember that in enterprise environments, how you communicate about your platform often matters as much as the platform itself. 
Invest in communication with the same care you invest in your technical infrastructure.\n\n> [Learn more about building a comprehensive communication framework for platform engineering](https://about.gitlab.com/the-source/platform/building-a-communication-strategy-for-platform-engineering-teams/).\n\n## Simplify the access process\nTeams often spend months perfecting platform features while neglecting the most basic step: making it easy to access the platform.\n\nI’ve seen many examples of this at organizations of all sizes, across every industry. Common barriers include:\n\n**Manual onboarding processes** for supposedly self-service platforms. If you can’t fully automate the process, do your best to perform human-in-the-loop tasks asynchronously.\n\n**Time-consuming approval steps** or other barriers that delay initial exploration. One great solution to this is to offer immediate, temporary access to your platform for free for 30 days. This is long enough for someone to decide if your platform helps them and raise the necessary request to gain full access.\n\n**Mandatory training requirements** before users can begin. Training is valuable, but it should be required within a period of joining the platform rather than being a prerequisite.\n\n## Don’t neglect design and tone\nFirst impressions are largely visual. An outdated or inconsistent interface can deter users even if your functionality is excellent. Pay attention to branding, color schemes, and the tone of your messaging. These details might seem trivial, but they set the tone for user engagement.\n\nAim for clear, human communication rather than technical jargon. A user-friendly tone makes your platform more approachable to diverse stakeholders.\n\n## Build responsive support systems\nEven the best platforms need support, and nothing builds trust faster than responsive help when users encounter problems. 
Your primary goal during support interactions should be minimizing user frustration.\n\nCreate an effective support framework by leveraging multiple channels:\n- **Support tickets** provide accountability and integration with other systems.\n- **Email communication** works well for complex topics requiring clarity.\n- **Chat systems** enable real-time problem-solving when users are “in the flow.”\n\nBe present where your users are, even if that means monitoring multiple communication tools. Aim to answer chat queries within 30-60 minutes, and always follow up publicly so others can benefit from solutions.\n\n## The path to successful platform adoption\nOrganizations that prioritize user experience from day one gain significant advantages in adoption rates and user satisfaction. By creating intuitive onboarding processes, clear documentation, and responsive support systems, you transform the user journey from frustration to delight.\n\nRemember that your platform users are making a critical decision: whether your solution deserves their time and trust. A thoughtful onboarding experience tells them you value that investment - and dramatically increases your chances of widespread adoption.",[699,702,705,708,711],{"header":700,"content":701},"Why is platform onboarding so important to user adoption?","Poor onboarding experiences are a leading cause of stalled platform adoption. Research shows that one-third of users consider abandoning platforms after a frustrating first encounter. A thoughtful, streamlined onboarding process helps build trust and accelerates user engagement.",{"header":703,"content":704},"What are the most common onboarding mistakes platform teams make?","Teams often over-engineer platform features while neglecting usability basics. 
Common mistakes include clunky access processes, mandatory training before usage, poor visual design, inconsistent messaging, and weak support channels, all of which discourage adoption.",{"header":706,"content":707},"How can platform teams improve onboarding access without sacrificing control?","Offer temporary, self-service access, such as a 30-day trial, to remove early friction. If full automation isn’t possible, use asynchronous human-in-the-loop onboarding and avoid approval-heavy workflows that delay initial exploration and testing.",{"header":709,"content":710},"What role does naming and communication play in platform success?","A clear, future-proof name and consistent multi-channel communication strategy help build platform recognition and trust. Names should reflect user value, not technology, while communication must include user-focused documentation, health dashboards, and regular updates.",{"header":712,"content":713},"How should platform support be structured during onboarding?","Support should be fast, responsive, and multi-modal. Use tickets for tracking, email for clarity, and chat for real-time help. 
Aim for quick response times and always share resolved issues publicly to benefit all users.","transform-your-platform-onboarding-for-higher-adoption-rates","content:en-us:the-source:platform:transform-your-platform-onboarding-for-higher-adoption-rates:index.yml","en-us/the-source/platform/transform-your-platform-onboarding-for-higher-adoption-rates/index.yml","en-us/the-source/platform/transform-your-platform-onboarding-for-higher-adoption-rates/index",{"_path":719,"_dir":29,"_draft":6,"_partial":6,"_locale":7,"slug":720,"type":396,"category":29,"config":721,"seo":724,"content":728,"_id":735,"_type":31,"title":7,"_source":32,"_file":736,"_stem":737,"_extension":35},"/en-us/the-source/platform/accelerate-embedded-development-in-software-defined-vehicles","accelerate-embedded-development-in-software-defined-vehicles",{"layout":9,"template":398,"featured":6,"articleType":722,"gatedAsset":723},"pf-accelerate-embedded-development-in-software-defined-vehicles",{"noIndex":6,"title":725,"ogTitle":725,"description":726,"ogDescription":726,"ogImage":727},"Accelerate embedded development in software-defined vehicles","Learn how DevSecOps transforms automotive embedded development. Reduce feedback cycles from weeks to hours while maintaining safety compliance.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1752239485/acehu4zl6nv8dntuafvx.png",{"title":725,"description":726,"date":729,"heroImage":727,"keyTakeaways":730,"articleBody":734},"2025-06-30",[731,732,733],"Modern automotive development faces unprecedented complexity with millions of lines of code across dozens of ECUs. 
Traditional approaches with weeks-long feedback cycles and manual processes cannot scale.","Leading manufacturers achieve dramatic improvements through DevSecOps: automated workflows reduce feedback from weeks to hours, integrated hardware testing eliminates bottlenecks, and compliance is automated.","Real results include a reduction in feedback cycles from 4-6 weeks to 30 minutes, increased Linux build frequency, and simplified build systems.","The automotive industry is undergoing its most significant transformation since the assembly line. With the advent of electric vehicles (EVs) and software-defined vehicles (SDVs), software powers everything from advanced driver assistance to infotainment systems. However, the complexity of modern vehicles creates unprecedented development challenges that traditional approaches cannot address.\n\nToday's connected vehicles contain millions of lines of code across dozens of electronic control units. Autonomous vehicles push this complexity even further, requiring real-time processing, cybersecurity integration, and seamless coordination between hardware and software systems. Development teams struggle with feedback cycles measured in weeks, manual security testing processes, and disconnected compliance workflows that create bottlenecks and increase costs.\n\nForward-thinking automotive manufacturers are solving these challenges through comprehensive DevSecOps transformation. By integrating development, security, and operations into unified workflows, they're achieving remarkable results: feedback cycles reduced from weeks to hours, automated compliance with automotive cybersecurity standards, and development velocity that scales with business growth.\n\nThe transformation centers on end-to-end workflow automation that eliminates the inefficiencies of traditional embedded development. 
Instead of developers working in isolation with inconsistent build environments, leading companies implement automated pipelines that ensure consistency and reliability. \n\nCollaborative code review processes catch security vulnerabilities early when they're less expensive to fix — particularly critical for safety-critical vehicle security applications. And by codifying compliance requirements and enforcing them automatically through customizable frameworks, organizations can ensure compliance is built into the process rather than bolted on afterward.\n\nHardware testing integration represents another breakthrough. Unlike enterprise software, automotive embedded code must be tested on target hardware or accurate simulations. Innovative manufacturers are connecting cloud-based processors, virtual hardware simulators, and physical test benches directly to automated workflows. This eliminates manual scheduling bottlenecks and enables continuous testing, dramatically increasing utilization of expensive test hardware.\n\nThe results speak for themselves. With a comprehensive DevSecOps platform, one auto manufacturer is now able to process over 120,000 CI/CD jobs daily, supporting massive repositories while maintaining the rigorous security standards required for automotive industry applications.\n\nAs SDVs and EVs reshape the competitive landscape, software development capability becomes a strategic differentiator. 
Companies that successfully transform their embedded development practices through comprehensive DevSecOps approaches position themselves to lead in the software-defined future, while those that don't risk falling behind as the industry accelerates into its next chapter.\n\nDownload the complete guide to discover real-world implementations, detailed case studies, and proven strategies for transforming your automotive embedded development practices.","content:en-us:the-source:platform:accelerate-embedded-development-in-software-defined-vehicles:index.yml","en-us/the-source/platform/accelerate-embedded-development-in-software-defined-vehicles/index.yml","en-us/the-source/platform/accelerate-embedded-development-in-software-defined-vehicles/index",[739,759,771],{"_path":740,"_dir":20,"_draft":6,"_partial":6,"_locale":7,"slug":741,"type":396,"category":20,"config":742,"seo":744,"content":749,"_id":756,"_type":31,"title":7,"_source":32,"_file":757,"_stem":758,"_extension":35},"/en-us/the-source/ai/transform-development-with-agentic-ai-the-enterprise-guide","transform-development-with-agentic-ai-the-enterprise-guide",{"layout":9,"template":398,"featured":6,"articleType":722,"gatedAsset":743},"pf-whitepaper-agentic-ai-ent-guide",{"config":745,"ogImage":746,"title":747,"description":748},{"noIndex":6},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1758133543/htbvxdbczqnt72hrh0xv.png","The Enterprise Guide to Agentic AI","Discover how agentic AI revolutionizes enterprise software development. Learn to achieve 10x productivity gains while reducing costs and security risks.",{"title":750,"description":748,"date":546,"heroImage":746,"keyTakeaways":751,"articleBody":755},"Transform development with agentic AI: The enterprise guide",[752,753,754],"Experienced developers take 19% longer with current AI tools. 
Point solutions create tool sprawl, security gaps, and fragmented workflows that amplify organizational problems rather than solving them.","Unlike reactive AI assistants, agentic AI systems plan, execute, and adapt independently. They coordinate complex workflows across your entire tech stack with full contextual awareness.","Organizations report a 44% increase in revenue from AI adoption, with 943 hours saved annually. Agentic AI platforms deliver measurable business impact through unified intelligence.","After two years of AI hype, the reality is sobering. While executives estimate significant revenue increases from AI adoption, developer satisfaction with AI tools is declining from over 70% in 2023-2024 to just 60% in 2025. The problem isn't AI itself; it's how enterprises are implementing it.\n\nMost organizations deploy AI as isolated point solutions focused on code suggestions, lacking the context needed to account for all aspects of your development environment. These tools are layered onto existing dysfunctions such as tool sprawl, siloed teams, technical debt, and understaffing, amplifying rather than solving underlying organizational problems.\n\n## The hidden cost of AI point solutions\nEnterprise organizations manage approximately 254 tools, with IT departments juggling 61 tools directly. When AI solutions are added to this complex ecosystem, they create additional maintenance burdens rather than productivity gains.\n\nThe security implications are equally concerning. With one security team member for every 80 developers, organizations face governance fragmentation, declining code scrutiny, expanded attack surfaces, and complex data handling requirements across multiple AI platforms.\n\n## Enter agentic AI: The next evolution\nAgentic AI represents a fundamental shift from reactive tools to autonomous systems that can plan, execute, and adapt without constant human guidance. 
Unlike traditional AI assistants that only respond when prompted, agentic systems independently initiate actions, make decisions within defined boundaries, and coordinate complex workflows across your entire technology stack.\n\nThe key differentiator is access to unified enterprise data. While point solutions operate in isolation, agentic AI platforms leverage your organization's complete knowledge graph, connecting code repositories, deployment pipelines, security scans, and business requirements. This comprehensive context enables truly intelligent decision-making rather than simple pattern matching.\n\n## Measurable business impact\nEarly adopters are already seeing transformative results. Development teams can achieve significant productivity gains through intelligent automation, and organizations report cost savings that pay for AI investments in less than two years. The benefits extend beyond productivity:\n* **Revenue growth**: Features delivered faster due to AI acceleration directly impact bottom-line results\n* **Security enhancement**: Automated vulnerability detection and remediation reduce organizational risk\n* **Cost efficiency**: Tool consolidation and process automation eliminate operational overhead\n* **Developer satisfaction**: Teams focus on strategic work rather than repetitive maintenance tasks\n\n## The enterprise imperative\nOrganizations that don’t take advantage of the next wave of AI innovation risk losing ground to competitors using autonomous agents to build secure software faster and at lower cost. Success requires moving beyond point solutions toward unified platforms that provide comprehensive lifecycle context and seamless workflow orchestration.\n\nRead our comprehensive guide to learn why leading enterprises are implementing agentic AI and how it helps organizations achieve unprecedented productivity gains while strengthening security postures. 
Discover the frameworks, metrics, and strategies that turn AI from a collection of isolated tools into a unified intelligence platform that drives measurable business outcomes.\n\nDownload your copy today and step into the era of truly intelligent software development.","content:en-us:the-source:ai:transform-development-with-agentic-ai-the-enterprise-guide:index.yml","en-us/the-source/ai/transform-development-with-agentic-ai-the-enterprise-guide/index.yml","en-us/the-source/ai/transform-development-with-agentic-ai-the-enterprise-guide/index",{"_path":535,"_dir":20,"_draft":6,"_partial":6,"_locale":7,"slug":536,"type":396,"category":20,"config":760,"seo":761,"content":763,"_id":569,"_type":31,"title":7,"_source":32,"_file":570,"_stem":571,"_extension":35},{"layout":9,"template":398,"featured":6,"articleType":399,"author":538,"gatedAsset":539},{"config":762,"ogImage":542,"title":543,"description":544},{"noIndex":6},{"title":543,"description":544,"date":546,"timeToRead":547,"heroImage":542,"keyTakeaways":764,"articleBody":552,"faq":765},[549,550,551],[766,767,768,769,770],{"header":555,"content":556},{"header":558,"content":559},{"header":561,"content":562},{"header":564,"content":565},{"header":567,"content":568},{"_path":772,"_dir":20,"_draft":6,"_partial":6,"_locale":7,"slug":773,"type":396,"category":20,"config":774,"seo":776,"content":781,"_id":789,"_type":31,"title":7,"_source":32,"_file":790,"_stem":791,"_extension":35},"/en-us/the-source/ai/cicd-modernization-break-down-barriers-with-agentic-ai","cicd-modernization-break-down-barriers-with-agentic-ai",{"layout":9,"template":398,"featured":6,"articleType":722,"gatedAsset":775},"pf-cicd-modernization-agentic-ai",{"config":777,"title":778,"description":779,"ogImage":780},{"noIndex":6},"Break down CI/CD barriers with agentic AI","Learn how you can modernize CI/CD infrastructure in a fraction of the time by leveraging agentic 
AI.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751463876/kiw4eb54r8xtzztvbozf.jpg",{"title":782,"description":779,"date":783,"heroImage":780,"keyTakeaways":784,"articleBody":788},"CI/CD modernization: Break down barriers with agentic AI","2025-09-03",[785,786,787],"Enterprise tool sprawl hinders productivity. With the average IT department maintaining 61 tools, teams are burdened by unnecessary costs and disconnected toolchains.","CI/CD consolidation and modernization delivers sizable ROI with 30-40% cost reduction, 127x faster lead times, and 182x more deployments. However, significant barriers to modernization prevent organizations from realizing these benefits.","Agentic AI breaks down barriers to modernization by dramatically reducing translation time and enabling faster implementation at a fraction of historical costs.","Enterprise organizations are grappling with unsustainable tool sprawl. Organizations maintain an average of 254 SaaS applications with IT departments averaging 61 tools — a complexity that hinders both financial performance and competitive advantage. Three-quarters of these tools either duplicate existing capabilities or are nearing end-of-life, creating unnecessary costs and decreasing developer productivity.\n\nTo address these challenges, organizations look to modernize and standardize their CI/CD infrastructure, but find the barriers to modernization so expensive and time-consuming that they’re unable to move forward — until now. Organizations no longer have to choose between a resource-draining process and outdated, convoluted systems: agentic AI is making CI/CD modernization a high-ROI opportunity.\n\n## The business impact of CI/CD modernization\nBy consolidating CI/CD tools, teams are able to reduce costs and developers are able to focus on building features instead of maintaining toolchains. 
Organizations that modernize to a DevSecOps platform like GitLab report:\n* 30-40% reduction in total cost of ownership\n* 127x faster lead times\n* 182x more deployments per year\n* 25% fewer incidents with 50% faster resolution times\n\n## The barriers preventing CI/CD consolidation\nWhile the benefits of CI/CD consolidation are significant, the barriers to consolidation are often too challenging for organizations to overcome. Due to years of technical debt and business logic built into non-standardized systems, modernization often requires extensive, unaffordable consulting engagements. These efforts have historically demanded a high transition cost with million-dollar consulting agreements.\n\nCompanies choose to avoid the time-consuming and expensive process for modernization, pushing off consolidation efforts yet again.\n\n## The AI revolution in CI/CD\nBy automating the most time-consuming aspects of modernization, the incorporation of agentic AI reduces migration time by 81%. The GitLab Professional Services team found that using an agentic AI solution like GitLab Duo Agent Platform helps decrease time to translate because AI agents have context over every file in the repository and even in nearby repositories in the same group structure. Conservatively, a 5x increase in efficiency is expected when using the agentic AI approach compared to human/manual translation.\n\n## Your transformation roadmap\nBy combining the proven benefits of consolidation with AI-enabled implementation, CI/CD modernization can be one of the highest ROI investments in your digital transformation journey.\n\nTo help you reach this next stage of software delivery, the GitLab professional services team developed a whitepaper that includes a CI/CD implementation framework with agentic AI, stakeholder communication guidelines, a customer example, and ROI calculations. 
Download this comprehensive whitepaper to discover how your organization can get started modernizing your CI/CD infrastructure.","content:en-us:the-source:ai:cicd-modernization-break-down-barriers-with-agentic-ai:index.yml","en-us/the-source/ai/cicd-modernization-break-down-barriers-with-agentic-ai/index.yml","en-us/the-source/ai/cicd-modernization-break-down-barriers-with-agentic-ai/index",[793,812,850],{"_path":794,"_dir":24,"_draft":6,"_partial":6,"_locale":7,"config":795,"seo":797,"content":801,"type":396,"slug":808,"category":24,"_id":809,"_type":31,"title":7,"_source":32,"_file":810,"_stem":811,"_extension":35},"/en-us/the-source/security/the-key-to-innovation-and-compliance-in-financial-services",{"layout":9,"template":398,"articleType":722,"featured":6,"gatedAsset":796},"pf-the-key-to-innovation-and-compliance-in-financial-services",{"title":798,"description":799,"ogImage":800},"The key to innovation and compliance in financial services","Discover how financial services organizations can accelerate innovation while staying on top of complex regulatory requirements.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751464713/jc0ceajcrsgteyhtaibf.png",{"title":798,"date":802,"description":799,"heroImage":800,"keyTakeaways":803,"articleBody":807},"2025-05-20",[804,805,806],"Modern financial services firms face a critical challenge: balancing innovation against complex compliance requirements and regulatory frameworks. 
A comprehensive DevSecOps approach transforms this traditional trade-off into a competitive advantage.","Financial institutions with fragmented toolchains experience significant friction points where each tool boundary introduces potential compliance gaps and security vulnerabilities — ultimately increasing compliance risks and exposure to hefty fines.","Organizations embracing unified software delivery platforms report 50-70% faster time-to-delivery, dramatically reduced operational disruptions, stronger compliance posture, and enhanced protection against cyber threats and financial crimes.","Decision-makers in financial services organizations face mounting pressure from multiple directions. Client expectations for digital innovation continue to rise while financial regulators simultaneously impose increasingly stringent compliance requirements.\n\nMany institutions have unwittingly positioned themselves on a seesaw where improving one side necessarily diminishes the other. When innovation accelerates, compliance struggles to keep pace - and when compliance processes tighten, development velocity slows.\n\nThis perceived incompatibility is not an inherent truth but rather a symptom of fragmented technology architecture.\n\n## The high cost of fragmentation\nMost established financial institutions - from investment banks to insurance companies and credit unions - operate with sprawling software delivery stacks cobbled together from disparate tools. 
This patchwork approach creates significant vulnerabilities across the organization:\n- Each tool boundary represents a potential security vulnerability and compliance gap\n- Disjointed workflows frequently result in compliance breaches\n- Limited visibility across teams hampers ongoing compliance efforts\n- Increased complexity drives higher costs for maintaining regulatory compliance\n- Fragmented systems significantly increase exposure to financial losses and reputational damage\n\nWith the exponential rise in cyberattacks targeting the financial industry - 3,348 cyber incidents were reported worldwide in 2023, up from 1,829 the previous year - maintaining this fragmented approach is increasingly risky.\n\n## The DevSecOps transformation advantage\nForward-thinking organizations are discovering that DevSecOps isn't merely a technical methodology - it's a strategic business transformation that fundamentally changes how financial services organizations adhere to regulatory requirements and prepare for audits.\n\nBy building security and compliance directly into the development process rather than treating them as reactive, separate functions, modern platforms transform what was once a painful trade-off into a competitive advantage:\n- Automated vulnerability detection in real time as developers write code\n- Continuous monitoring and compliance verification against regulatory standards\n- Comprehensive audit trails satisfying regulatory audit requirements\n- Pre-configured compliance templates tailored to financial services industry needs\n- Granular access control maintaining separation of duties while enabling collaboration\n- Version control and advanced workflow controls ensuring proper approval processes\n- Real-time metrics on development velocity, security posture, and compliance risks\n\n## Proven results from industry leaders\nFinancial institutions implementing unified DevSecOps approaches consistently report transformative business outcomes:\n- 50-70% 
reduction in time-to-delivery of new solutions\n- Dramatic simplification of toolchain complexity\n- Enhanced protection against cyber risks and financial crimes\n- Significant reductions in operational costs\n- Improved ability to attract and retain top technical talent\n- Better compliance posture with fewer security incidents and higher compliance scores\n\n## Seize the opportunity\nThe future of financial services technology is one where institutions no longer need to make painful choices between speed, security, and innovation. By evolving to a unified platform approach, your organization can deliver on all three objectives simultaneously while reducing risk, improving operational efficiency, and building a more agile foundation for future growth.\n\nDownload our comprehensive guide to discover how your organization can implement this transformative approach, with detailed implementation frameworks, critical success factors, and real-world case studies from leading financial services companies who have successfully navigated this journey.","the-key-to-innovation-and-compliance-in-financial-services","content:en-us:the-source:security:the-key-to-innovation-and-compliance-in-financial-services:index.yml","en-us/the-source/security/the-key-to-innovation-and-compliance-in-financial-services/index.yml","en-us/the-source/security/the-key-to-innovation-and-compliance-in-financial-services/index",{"_path":813,"_dir":24,"_draft":6,"_partial":6,"_locale":7,"config":814,"seo":816,"content":820,"type":396,"slug":846,"category":24,"_id":847,"_type":31,"title":7,"_source":32,"_file":848,"_stem":849,"_extension":35},"/en-us/the-source/security/compliance-at-the-speed-of-ai-reimagining-grc",{"layout":9,"template":398,"articleType":399,"author":815,"featured":329,"gatedAsset":474},"ayoub-fandi",{"title":817,"description":818,"ogImage":819},"Compliance at the speed of AI: Reimagining GRC","Is your governance, risk, and compliance strategy keeping pace with AI-accelerated 
development? Learn how to prepare for secure software delivery at scale.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751463857/sb6to0pyohg2ubpxf3ex.png",{"title":817,"date":821,"description":818,"timeToRead":659,"heroImage":819,"keyTakeaways":822,"articleBody":826,"faq":827},"2025-05-14",[823,824,825],"Traditional GRC approaches fail in modern development environments because they operate on quarterly/annual cycles while DevSecOps teams deploy code multiple times daily, creating a fundamental timing mismatch and compliance that exists only on paper.","Successful GRC modernization requires shifting from a project to a product mindset, building continuous compliance into development pipelines, and automating evidence collection as a byproduct of normal development activities.","Organizations must create unified information flows between security functions, replace manual processes with API-driven automation, and redefine metrics to focus on risk reduction rather than compliance artifacts.","The software release calendar has been replaced by a continuous flow of updates and innovations. Yet many organizations still approach compliance like it's 2010.\n\nThe adoption of DevOps practices fundamentally changed the game, compressing release cycles from months to days or even hours. Organizations that once celebrated quarterly releases now deploy to production dozens or hundreds of times daily. This acceleration has delivered enormous business value - faster time to market, quicker feedback loops, and increased competitive advantage.\n\nNow add AI-powered development tools to the mix. 
Large language models, AI coding assistants, and [AI agents](https://about.gitlab.com/the-source/ai/agentic-ai-unlocking-developer-potential-at-scale/) have become sophisticated enough to generate substantial amounts of functional code with minimal human input.\n\nHowever, this creates a significant challenge for governance, risk, and compliance (GRC) teams, who are often still using approaches designed for a world where releases occur quarterly, rather than hourly. Traditional GRC approaches simply weren't designed for this velocity and scale - it’s like trying to monitor and track every car on every highway in the world with a pen and paper.\n\n## Why traditional GRC falls short\nThe fundamental mismatch between modern development and traditional GRC starts with timing. While DevSecOps teams operate continuously, traditional GRC functions typically operate on quarterly or annual cycles. Annual penetration tests, quarterly compliance control testing, and monthly risk assessments simply can't keep pace with environments that change hourly. By the time a traditional security assessment is complete, the system being evaluated may have undergone dozens of changes.\n\nThe gap between automated infrastructure and manual compliance processes compounds this timing mismatch. Cloud-native applications automatically scale resources up and down in response to demand. Infrastructure-as-code templates can spin up and tear down entire environments with a single command. Meanwhile, compliance verification still relies heavily on manual evidence collection and human review. GRC teams can spend days taking screenshots of configurations that were automatically changed minutes after they documented them.\n\nThe result is security compliance that exists largely on paper but bears little resemblance to operational reality. 
When your integrated DevSecOps platform supports hundreds of deployments daily, yet your GRC team still manually collects screenshots every quarter for audit purposes, you have a fundamental disconnect. Risk registers become outdated almost immediately. Compliance certifications verify controls that may no longer exist in the form originally documented. And security policies address threats to systems that have since been redesigned or replaced entirely.\n\n## Transforming GRC for modern DevSecOps\nI’ve seen this tension unfold in countless organizations. Here are a few steps you can take now to help GRC keep up:\n\n### Think about GRC as a product, not a project\nThe first step in transforming GRC for modern DevSecOps environments requires a fundamental shift in thinking. Traditional GRC operates as a project - a recurring set of activities with a defined beginning and end. Modern GRC needs to function as a product - a continuously evolving set of capabilities that deliver ongoing value.\n\nThis product mindset transforms how we approach compliance and security. Instead of preparing for an annual SOC 2 audit by scrambling to collect evidence in the weeks before the auditor arrives, think about building continuous compliance directly into your development pipeline. Instead of quarterly risk management assessments, aim for real-time visibility. And look for ways to embed governance in daily operations, with version-controlled policies managed like code using Markdown.\n\nWithin [a unified DevSecOps platform](https://about.gitlab.com/platform/), this product-based approach happens naturally. Security scans become part of the merge request process. Compliance requirements transform into pipeline rules that run with every commit. And audit evidence is automatically collected as a byproduct of normal development activities. The result? 
The focus shifts from \"passing the audit\" to \"[building securely by default](https://about.gitlab.com/the-source/security/strengthen-your-cybersecurity-strategy-with-secure-by-design/).\"\n\n### Create unified, automated information flows\nYou’ll also need to rethink both the architecture of your GRC program and the engineering approach behind it. Begin by establishing unified information flows among security, risk, and compliance functions. A vulnerability found in a security scan should automatically update your risk register and compliance status without manual intervention. This unified data model ensures everyone works from a single source of truth, breaking down siloes between security and development teams.\n\nThe next step is to replace manual evidence collection with API-driven automation. Instead of taking screenshots of access control settings, implement API calls that query your identity provider and generate access reports automatically. Rather than manually reviewing infrastructure settings, pull configuration data directly from your cloud providers. Every security setting that requires verification should be accessible programmatically.\n\nPerhaps most importantly, leverage the same pipeline-based approach for security that you use for code validation. [Integrated CI/CD pipelines](https://about.gitlab.com/blog/ultimate-guide-to-ci-cd-fundamentals-to-advanced-implementation/) allow you to define security and compliance requirements as code, running automated validation with every change. This infrastructure-as-code approach ensures that security controls are implemented consistently and verified continuously, eliminating the gap between documented controls and operational reality.\n\n### Connect GRC to business value\nThe practical implementation of these changes doesn't happen overnight, but organizations can follow a clear path to transform their GRC approach.\n\nFirst, bridge the cultural and language gap between GRC and engineering teams. 
Security professionals need to understand how developers work, while engineers need to appreciate security requirements. This mutual understanding creates the foundation for effective collaboration. Create joint working sessions where compliance teams learn basic Git workflows while developers understand compliance requirements in concrete terms.\n\nNext, redefine success metrics to focus on risk reduction rather than compliance artifacts. Instead of tracking the number of policies documented or controls tested, measure actual security outcomes: vulnerability remediation times, security issues found in production versus development, and the number of compliance exceptions. These outcome-based metrics drive real improvements in security posture.\n\nThis transforms GRC from a necessary evil to a business enabler. When [security and compliance are built into development workflows](https://about.gitlab.com/the-source/security/beyond-shift-left-engineering-supply-chain-safety-at-scale/), they stop being roadblocks and become competitive advantages. Organizations with integrated security can ship faster and with greater confidence than those with traditional bolted-on approaches.\n\nThis transformation becomes even more powerful within a unified platform. End-to-end visibility across the entire software development lifecycle creates unmatched transparency into security status. The same controls that verify code quality can enforce security requirements, creating a seamless experience for developers while maintaining strong governance for security teams.\n\n## Security as an enabler, not a bottleneck\nAs AI-accelerated development transforms software development, GRC must evolve from a checkpoint process to an integral part of the development workflow. Organizations can maintain strong governance without sacrificing speed by adopting a product mindset, reimagining GRC architecture, and implementing engineering solutions that match the pace of modern development. 
The future of GRC isn't about slowing down development - it's about building security and compliance into every step of the process, enabling teams to move faster with greater confidence.",[828,831,834,837,840,843],{"header":829,"content":830},"Why do traditional GRC models struggle in modern software environments?","Traditional GRC models operate on quarterly or annual cycles, but DevSecOps teams now deploy code multiple times a day. This timing mismatch means compliance efforts often lag behind actual development changes, making them ineffective in dynamic environments.",{"header":832,"content":833},"What does it mean to treat GRC as a product instead of a project?","Viewing GRC as a product means continuously evolving and embedding compliance into daily workflows, rather than treating it as a periodic event. It’s about creating always-on capabilities like automated evidence collection and policy enforcement through code.",{"header":835,"content":836},"How can automation improve governance and compliance?","Automation reduces the reliance on manual reviews and paperwork by using API calls and pipeline integrations to validate security settings and collect audit data. This makes compliance scalable, real-time, and aligned with the pace of software delivery.",{"header":838,"content":839},"What tools or strategies support continuous compliance?","Unified DevSecOps platforms with integrated CI/CD pipelines support continuous compliance. 
They allow you to define security policies as code, apply them automatically with every change, and log evidence of compliance as part of normal workflows.",{"header":841,"content":842},"How should success be measured in modern GRC programs?","Instead of counting controls or documented policies, success should be measured through real-world outcomes like faster vulnerability remediation, fewer security exceptions, and better security hygiene from development to production.",{"header":844,"content":845},"How can AI development practices coexist with compliance requirements?","By embedding guardrails and governance into the software pipeline, AI-powered development can align with compliance needs. Structured policies, automated validation, and continuous monitoring ensure security isn’t compromised while enabling fast iteration.","compliance-at-the-speed-of-ai-reimagining-grc","content:en-us:the-source:security:compliance-at-the-speed-of-ai-reimagining-grc:index.yml","en-us/the-source/security/compliance-at-the-speed-of-ai-reimagining-grc/index.yml","en-us/the-source/security/compliance-at-the-speed-of-ai-reimagining-grc/index",{"_path":851,"_dir":24,"_draft":6,"_partial":6,"_locale":7,"config":852,"seo":853,"content":857,"type":396,"slug":883,"category":24,"_id":884,"_type":31,"title":7,"_source":32,"_file":885,"_stem":886,"_extension":35},"/en-us/the-source/security/embedding-risk-intelligence-into-your-software-supply-chain",{"layout":9,"template":398,"articleType":399,"author":576,"featured":329,"gatedAsset":474},{"title":854,"description":855,"ogImage":856},"Embedding risk intelligence into your software supply chain","Transform your security strategy by embedding risk assessment into development workflows instead of treating it as a final 
checkpoint.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751463994/rexeefvqpj1xs8vq7ugl.jpg",{"title":854,"date":858,"description":855,"timeToRead":409,"heroImage":856,"keyTakeaways":859,"articleBody":863,"faq":864},"2025-04-22",[860,861,862],"Focus on business impact instead of vulnerability counts by targeting security threats that pose actual danger to your business rather than trying to fix every potential issue.","Embed risk checks throughout development by adding quality metrics and automated testing early in your software pipeline to catch issues when they’re easier to fix.","Create audit trails for security decisions through “breadcrumbed” processes that document who approved changes and why, creating accountability and improving future decisions.","It’s a nightmare scenario for any business: Hackers have exposed the personal information of millions of your users. What if this wasn’t due to critical vulnerabilities in your application but simply poorly configured API endpoints that hackers could abuse to farm user data? That’s precisely what happened to a popular tech company in 2023, and it’s more common than you might think.\n\nSecurity resources are finite, and [not all threats pose equal business risk](https://about.gitlab.com/the-source/security/security-its-more-than-culture-addressing-the-root-cause-of-common-security/). Organizations that are laser-focused on technical severity ratings rather than actual business impact could be leaving themselves open to unanticipated risks.\n\nMeanwhile, the urgency for better risk quantification has never been greater. Threat actors can now leverage multiple AI systems to execute sophisticated, multi-pronged attacks targeting exploitable vulnerabilities. 
These AI-accelerated campaigns can quickly identify and exploit business-critical weaknesses that traditional security approaches might overlook or deprioritize - turning yesterday's “medium-risk” vulnerability into today’s multimillion-dollar breach.\n\nTo counter these evolving threats and navigate this growing complexity, leading organizations are fundamentally reimagining their approach. Instead of treating security as a separate function that happens after development, they’re embedding **risk intelligence** throughout their software supply chain. This approach allows them to focus resources where they matter most, reduce time-to-market for secure products, and demonstrate due diligence to regulators and customers.\n\nThe key is distinguishing between vulnerabilities that might cause harm and those that will cause damage in your specific business context. Companies can achieve stronger security and faster innovation by rethinking how risk is evaluated and managed across development and operations.\n\n## Limiting risk through data-driven change management\n**Risk intelligence helps you focus on threats that matter. It’s the difference between knowing you have 3,000 vulnerabilities and understanding which 50 could harm your business.**\n\nKey elements of risk intelligence include:\n\n**Exploitability assessment (reachability)**: Not all vulnerabilities can be weaponized. Risk intelligence evaluates which security findings have actual attack paths versus those that exist in code but cannot be reached by malicious actors.\n\n**Dependency context**: Risk-based security recognizes that a vulnerable package doesn’t just affect one application - it can impact dozens or hundreds across your organization. Modern approaches map dependencies across projects, enabling teams to understand the cascading impact of vulnerabilities throughout the organization. 
This ecosystem view provides critical context for prioritization decisions.\n\n**Continuous risk monitoring**: Instead of point-in-time assessments, risk intelligence requires ongoing monitoring that adjusts as threat landscapes evolve. A vulnerability that was low risk yesterday may become critical today based on emerging exploit techniques.\n\nSo how can you move from reactive security scanning to proactive risk intelligence? The journey begins where your software does - in the software factory itself.\n\n## The software factory: Quality gates and risk signals\nThe software factory is where code transforms from an idea to a deployable package. This phase encompasses everything from initial code commits to unit testing to packaging, creating the foundation for your entire software supply chain. By adding risk checks early, teams can find and fix issues before they spread. Just as critical is establishing clear attribution for every code change, knowing exactly who made each change (contractor, consultant, or employee), why, and when - creating an audit trail providing crucial risk assessment context.\n\nThe software factory offers three key opportunities to embed risk assessment into your development process:\n\n### Collaboration through quality intelligence\nEstablishing cross-functional quality metrics can help organizations create a shared understanding of risk across teams. Potential metrics include code coverage trends, security vulnerability density, technical debt accumulation, performance regression patterns, API compatibility scores, and documentation completeness.\n\n### Transparency through correlated data\nRisk intelligence requires connecting disparate data points into a comprehensive view. Quality intelligence dashboards with real-time metrics and trend visualization help teams spot emerging risk patterns, while documentation traceability creates auditable trails linking requirements, changes, and security findings. 
Automated data collection enables cross-system correlation between code changes and security findings, with pattern recognition algorithms identifying unusual behaviors that manual review might miss. This democratized intelligence empowers all stakeholders to make risk-informed decisions instead of siloing information within security teams.\n\n### Automation for quality assurance\nManual risk assessment can’t scale to modern development speeds. Continuous testing pipelines with automated security scans and performance tests provide early feedback on potential risks without slowing velocity. Automated quality gates enforce minimum standards throughout development, and risk threshold monitoring flags concerning trends before they become critical. These automated guardrails maintain consistent risk assessment while allowing development teams to maintain productivity and improve safety without sacrificing speed.\n\n## Software logistics: Risk management through team-based scorecards\nAfter code is packaged, it enters the logistics phase - provisioning, deployment, configuration, monitoring, and maintenance. Here, potential bugs meet real-world exposure. This makes assessing risk in actual operating conditions vital. However, traditional approaches to risk assessment at this stage are often inflexible and inefficient.\n\n> [Learn how effective software logistics can enable operations teams to efficiently support developers and accelerate delivery](https://about.gitlab.com/the-source/platform/why-software-logistics-is-key-to-accelerating-innovation/).\n\nEffective risk intelligence means helping teams focus on why they should deploy instead of why they shouldn’t - replacing the binary, inflexible assessment methods of the past with an automated, metrics-driven approach. 
Here are three critical aspects to keep in mind:\n\n### Collaborative assessment model\nModern risk approaches replace binary go/no-go decisions with multi-stakeholder evaluations, sometimes called a Change Advisory Board (CAB), incorporating diverse perspectives. Security teams evaluate vulnerability context and exploitability, operations teams assess deployment impact and rollback capabilities, and business stakeholders weigh customer impact against needs. This team-based approach builds consensus around acceptable risk rather than imposing rigid standards, allowing for nuanced decisions that balance security with business objectives.\n\n### Scorecard transparency\nEffective risk evaluation requires visible criteria that consider multiple dimensions of impact. Comprehensive scorecards include security risk factors that assess severity and real-world exploitability, operational metrics that evaluate system stability implications, compliance requirements for relevant regulations, and business impact on customers and revenue. This transparent approach creates a holistic risk profile that provides the context necessary for informed deployment decisions while ensuring all stakeholders understand the basis for security choices.\n\n### Automated scorecard processing\nManual risk assessment creates bottlenecks that slow deployment cycles. Modern approaches use real-time processing with automated score calculation and threshold monitoring to evaluate changes continuously. Integration with CI/CD pipelines, security tools, and compliance systems ensures risk data flows automatically between systems without manual intervention. 
This automation maintains consistent evaluation standards while eliminating the delays typically associated with security reviews.\n\n## From vulnerability counts to business impact: The future of software security\nThe future of application security isn’t about finding more vulnerabilities - it’s about understanding the risk those vulnerabilities pose. By embedding risk intelligence throughout your software supply chain, you can drive team collaboration to help you create secure software faster.\n\nEstablishing this risk assessment process across both your software factory and logistics phases has an added benefit: You’ll create an auditable trail that documents who made security decisions, what evidence they considered, when changes were approved, and why specific actions were taken. This transparency provides accountability across the entire software supply chain, builds institutional memory of risk management approaches, and creates data to inform future decisions. The resulting traceability transforms security from a point-in-time assessment to an ongoing, verifiable process demonstrating due diligence to auditors, regulators, and customers.",[865,868,871,874,877,880],{"header":866,"content":867},"What is risk intelligence in software development?","Risk intelligence is the practice of evaluating security threats based on their real-world business impact rather than just technical severity. It helps teams focus on exploitable and high-priority vulnerabilities, streamlining security efforts.",{"header":869,"content":870},"How does embedding risk checks early improve software security?","Introducing risk assessments during early development phases allows teams to catch and resolve issues sooner, reducing costs and complexity. This shift from reactive to proactive security enhances both speed and safety.",{"header":872,"content":873},"Why should organizations move beyond vulnerability counts?","Counting vulnerabilities doesn't reflect the true risk landscape. 
Many may be unreachable or irrelevant. Prioritizing based on exploitability and business context ensures limited security resources are used effectively.",{"header":875,"content":876},"How do audit trails contribute to better risk management?","Audit trails document who made a change, why, and when. These records provide accountability, aid compliance, and offer valuable insight for improving future decision-making and demonstrating due diligence.",{"header":878,"content":879},"What role does automation play in risk intelligence?","Automation enables consistent, scalable risk evaluation across CI/CD pipelines. It helps enforce security standards, reduces manual bottlenecks, and ensures timely responses to emerging risks without slowing development.",{"header":881,"content":882},"What’s the benefit of team-based scorecards for deployment decisions?","Team-based scorecards bring together inputs from security, operations, and business teams. This collaborative model replaces rigid go/no-go decisions with nuanced assessments that balance innovation and acceptable risk.","embedding-risk-intelligence-into-your-software-supply-chain","content:en-us:the-source:security:embedding-risk-intelligence-into-your-software-supply-chain:index.yml","en-us/the-source/security/embedding-risk-intelligence-into-your-software-supply-chain/index.yml","en-us/the-source/security/embedding-risk-intelligence-into-your-software-supply-chain/index",[888,903,916],{"_path":889,"_dir":890,"_draft":6,"_partial":6,"_locale":7,"config":891,"title":892,"description":893,"link":894,"_id":900,"_type":31,"_source":32,"_file":901,"_stem":902,"_extension":35},"/shared/en-us/the-source/gated-assets/source-lp-building-a-resilient-software-development-practice","gated-assets",{"id":496},"Building a resilient software development practice","Learn strategies to bolster your team's effectiveness amid shifts in the industry with a standardized approach to software development.",{"text":895,"config":896},"Read the 
guide",{"href":897,"dataGaName":898,"dataGaLocation":899},"/the-source/platform/building-a-resilient-software-development-practice/","Building a Resilient Software Development Practice","thesource","content:shared:en-us:the-source:gated-assets:source-lp-building-a-resilient-software-development-practice.yml","shared/en-us/the-source/gated-assets/source-lp-building-a-resilient-software-development-practice.yml","shared/en-us/the-source/gated-assets/source-lp-building-a-resilient-software-development-practice",{"_path":904,"_dir":890,"_draft":6,"_partial":6,"_locale":7,"config":905,"title":906,"description":907,"link":908,"_id":913,"_type":31,"_source":32,"_file":914,"_stem":915,"_extension":35},"/shared/en-us/the-source/gated-assets/source-lp-measuring-success-in-software-development-a-guide-for-leaders",{"id":495},"Measuring success in software development: A guide for leaders","Discover how to measure software delivery performance with key metrics that optimize workflows, enhance team productivity, and drive better decisions.",{"text":909,"config":910},"Download the guide",{"href":911,"dataGaName":912,"dataGaLocation":899},"/the-source/platform/measuring-success-in-software-development-a-guide-for-leaders/","Measuring success in software development","content:shared:en-us:the-source:gated-assets:source-lp-measuring-success-in-software-development-a-guide-for-leaders.yml","shared/en-us/the-source/gated-assets/source-lp-measuring-success-in-software-development-a-guide-for-leaders.yml","shared/en-us/the-source/gated-assets/source-lp-measuring-success-in-software-development-a-guide-for-leaders",{"_path":917,"_dir":890,"_draft":6,"_partial":6,"_locale":7,"config":918,"title":919,"description":920,"link":921,"_id":925,"_type":31,"_source":32,"_file":926,"_stem":927,"_extension":35},"/shared/en-us/the-source/gated-assets/source-lp-the-ultimate-playbook-for-high-performing-devsecops-teams",{"id":494},"The ultimate playbook for high-performing DevSecOps teams ","Learn 
how to tackle issues like deployment slowdowns, lack of collaboration, and developer burnout.",{"text":922,"config":923},"Read the ebook",{"href":924,"dataGaName":919,"dataGaLocation":899},"/the-source/platform/the-ultimate-playbook-for-high-performing-devsecops-teams/","content:shared:en-us:the-source:gated-assets:source-lp-the-ultimate-playbook-for-high-performing-devsecops-teams.yml","shared/en-us/the-source/gated-assets/source-lp-the-ultimate-playbook-for-high-performing-devsecops-teams.yml","shared/en-us/the-source/gated-assets/source-lp-the-ultimate-playbook-for-high-performing-devsecops-teams",[929,943,955],{"_path":930,"_dir":890,"_draft":6,"_partial":6,"_locale":7,"config":931,"title":933,"description":934,"link":935,"_id":940,"_type":31,"_source":32,"_file":941,"_stem":942,"_extension":35},"/shared/en-us/the-source/gated-assets/navigating-ai-maturity-in-devsecops",{"id":453,"formId":932},1002,"Navigating AI maturity in DevSecOps","Read our survey findings from more than 5,000 DevSecOps professionals worldwide for insights on how organizations are incorporating AI into the software development lifecycle.",{"text":936,"config":937},"Read the report",{"href":938,"dataGaName":939,"dataGaLocation":899},"/developer-survey/2024/ai/","Navigating AI Maturity in DevSecOps","content:shared:en-us:the-source:gated-assets:navigating-ai-maturity-in-devsecops.yml","shared/en-us/the-source/gated-assets/navigating-ai-maturity-in-devsecops.yml","shared/en-us/the-source/gated-assets/navigating-ai-maturity-in-devsecops",{"_path":944,"_dir":890,"_draft":6,"_partial":6,"_locale":7,"config":945,"title":946,"description":947,"link":948,"_id":952,"_type":31,"_source":32,"_file":953,"_stem":954,"_extension":35},"/shared/en-us/the-source/gated-assets/source-lp-ai-guide-for-enterprise-leaders-building-the-right-approach",{"id":454},"AI guide for enterprise leaders: Building the right approach","Download our guide for enterprise leaders to learn how to prepare your C-suite, executive 
leadership, and development teams for what AI can do today — and will do in the near future — to accelerate software development.",{"text":895,"config":949},{"href":950,"dataGaName":951,"dataGaLocation":899},"/the-source/ai/ai-guide-for-enterprise-leaders-building-the-right-approach/","AI Guide For Enterprise Leaders: Building the Right Approach","content:shared:en-us:the-source:gated-assets:source-lp-ai-guide-for-enterprise-leaders-building-the-right-approach.yml","shared/en-us/the-source/gated-assets/source-lp-ai-guide-for-enterprise-leaders-building-the-right-approach.yml","shared/en-us/the-source/gated-assets/source-lp-ai-guide-for-enterprise-leaders-building-the-right-approach",{"_path":956,"_dir":890,"_draft":6,"_partial":6,"_locale":7,"config":957,"title":958,"description":959,"link":960,"_id":964,"_type":31,"_source":32,"_file":965,"_stem":966,"_extension":35},"/shared/en-us/the-source/gated-assets/source-lp-how-to-get-started-using-ai-in-software-development",{"id":452,"formId":932},"How to get started using AI in software development","Learn how to strategically implement AI to boost efficiency, security, and reduce context switching. 
Empower every member of your team with AI capabilities.",{"text":909,"config":961},{"href":962,"dataGaName":963,"dataGaLocation":899},"/the-source/ai/getting-started-with-ai-in-software-development-a-guide-for-leaders/","How to Get Started Using AI in Software Development","content:shared:en-us:the-source:gated-assets:source-lp-how-to-get-started-using-ai-in-software-development.yml","shared/en-us/the-source/gated-assets/source-lp-how-to-get-started-using-ai-in-software-development.yml","shared/en-us/the-source/gated-assets/source-lp-how-to-get-started-using-ai-in-software-development",[968,980,992],{"_path":969,"_dir":890,"_draft":6,"_partial":6,"_locale":7,"config":970,"title":971,"description":972,"link":973,"_id":977,"_type":31,"_source":32,"_file":978,"_stem":979,"_extension":35},"/shared/en-us/the-source/gated-assets/application-security-in-the-digital-age",{"id":475,"formId":932},"Application security in the digital age","Read our survey findings from more than 5,000 DevSecOps professionals worldwide for insights on how organizations are grappling with increasing attack surfaces and changing attitudes towards security and AI.",{"text":936,"config":974},{"href":975,"dataGaName":976,"dataGaLocation":899},"/developer-survey/2024/security-compliance/","Application Security in the Digital Age","content:shared:en-us:the-source:gated-assets:application-security-in-the-digital-age.yml","shared/en-us/the-source/gated-assets/application-security-in-the-digital-age.yml","shared/en-us/the-source/gated-assets/application-security-in-the-digital-age",{"_path":981,"_dir":890,"_draft":6,"_partial":6,"_locale":7,"config":982,"title":983,"description":984,"link":985,"_id":989,"_type":31,"_source":32,"_file":990,"_stem":991,"_extension":35},"/shared/en-us/the-source/gated-assets/source-lp-devsecops-the-key-to-modern-security-resilience",{"id":474},"DevSecOps: The key to modern security resilience","Learn how embedding security in development can slash incident response time by 
720x and save millions in security costs annually.",{"text":909,"config":986},{"href":987,"dataGaName":988,"dataGaLocation":899},"/the-source/security/devsecops-the-key-to-modern-security-resilience/","DevSecOps the key to modern security resilience","content:shared:en-us:the-source:gated-assets:source-lp-devsecops-the-key-to-modern-security-resilience.yml","shared/en-us/the-source/gated-assets/source-lp-devsecops-the-key-to-modern-security-resilience.yml","shared/en-us/the-source/gated-assets/source-lp-devsecops-the-key-to-modern-security-resilience",{"_path":993,"_dir":890,"_draft":6,"_partial":6,"_locale":7,"config":994,"title":995,"description":996,"link":997,"_id":1001,"_type":31,"_source":32,"_file":1002,"_stem":1003,"_extension":35},"/shared/en-us/the-source/gated-assets/source-lp-guide-to-dynamic-sboms",{"id":473},"Guide to dynamic SBOMs: An integral element of modern software development","Learn how to gain visibility into previously unidentified organizational risks with a software bill of materials (SBOM).",{"text":895,"config":998},{"href":999,"dataGaName":1000,"dataGaLocation":899},"/the-source/security/guide-to-dynamic-sboms/","Guide to Dynamic SBOMs","content:shared:en-us:the-source:gated-assets:source-lp-guide-to-dynamic-sboms.yml","shared/en-us/the-source/gated-assets/source-lp-guide-to-dynamic-sboms.yml","shared/en-us/the-source/gated-assets/source-lp-guide-to-dynamic-sboms",{"categoryNames":1005},{"ai":367,"platform":375,"security":371},1758747427111]