[{"data":1,"prerenderedAt":892},["ShallowReactive",2],{"/en-us/the-source/":3,"footer-en-us":36,"the-source-navigation-en-us":344,"the-source-newsletter-en-us":371,"featured-article-en-us":383,"ai-categoryen-us":423,"security-categoryen-us":447,"platform-categoryen-us":467,"featured-authors-en-us":488,"category-authors-en-us":519,"platform-most-recent-articles-en-us":520,"the-source-resources-en-us":602,"hero-most-recent-articles-en-us":645,"ai-most-recent-articles-en-us":706,"security-most-recent-articles-en-us":794,"categories-en-us":890},{"_path":4,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"config":8,"seo":10,"content":13,"_id":30,"_type":31,"title":7,"_source":32,"_file":33,"_stem":34,"_extension":35},"/en-us/the-source","en-us",false,"",{"layout":9},"the-source",{"title":11,"description":12},"The Source: Insights for the future of software development","Your decision-making partner for transformative strategies and expert technology advice.",[14,16,21,26],{"componentName":15},"TheSourceLandingHero",{"componentName":17,"componentContent":18},"TheSourceLandingCategory",{"config":19},{"category":20},"ai",{"componentName":17,"componentContent":22},{"config":23},{"category":24,"theme":25},"security","surface",{"componentName":17,"componentContent":27},{"config":28},{"category":29},"platform","content:en-us:the-source:index.yml","yaml","content","en-us/the-source/index.yml","en-us/the-source/index","yml",{"_path":37,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"data":38,"_id":340,"_type":31,"title":341,"_source":32,"_file":342,"_stem":343,"_extension":35},"/shared/en-us/main-footer",{"text":39,"source":40,"edit":46,"contribute":51,"config":56,"items":61,"minimal":332},"Git is a trademark of Software Freedom Conservancy and our use of 'GitLab' is under license",{"text":41,"config":42},"View page source",{"href":43,"dataGaName":44,"dataGaLocation":45},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/","page source","footer",{"text":47,"config":48},"Edit this page",{"href":49,"dataGaName":50,"dataGaLocation":45},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/-/blob/main/content/","web ide",{"text":52,"config":53},"Please contribute",{"href":54,"dataGaName":55,"dataGaLocation":45},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/-/blob/main/CONTRIBUTING.md/","please contribute",{"twitter":57,"facebook":58,"youtube":59,"linkedin":60},"https://twitter.com/gitlab","https://www.facebook.com/gitlab","https://www.youtube.com/channel/UCnMGQ8QHMAnVIsI3xJrihhg","https://www.linkedin.com/company/gitlab-com",[62,89,162,230,293],{"title":63,"links":64,"subMenu":70},"Platform",[65],{"text":66,"config":67},"DevSecOps platform",{"href":68,"dataGaName":69,"dataGaLocation":45},"/platform/","devsecops platform",[71],{"title":72,"links":73},"Pricing",[74,79,84],{"text":75,"config":76},"View plans",{"href":77,"dataGaName":78,"dataGaLocation":45},"/pricing/","view plans",{"text":80,"config":81},"Why Premium?",{"href":82,"dataGaName":83,"dataGaLocation":45},"/pricing/premium/","why premium",{"text":85,"config":86},"Why Ultimate?",{"href":87,"dataGaName":88,"dataGaLocation":45},"/pricing/ultimate/","why ultimate",{"title":90,"links":91},"Solutions",[92,97,102,107,112,117,122,127,132,137,142,147,152,157],{"text":93,"config":94},"Digital transformation",{"href":95,"dataGaName":96,"dataGaLocation":45},"/solutions/digital-transformation/","digital transformation",{"text":98,"config":99},"Security & Compliance",{"href":100,"dataGaName":101,"dataGaLocation":45},"/solutions/security-compliance/","security & compliance",{"text":103,"config":104},"Automated software delivery",{"href":105,"dataGaName":106,"dataGaLocation":45},"/solutions/delivery-automation/","automated software delivery",{"text":108,"config":109},"Agile development",{"href":110,"dataGaName":111,"dataGaLocation":45},"/solutions/agile-delivery/","agile delivery",{"text":113,"config":114},"Cloud transformation",{"href":115,"dataGaName":116,"dataGaLocation":45},"/solutions/cloud-native/","cloud transformation",{"text":118,"config":119},"SCM",{"href":120,"dataGaName":121,"dataGaLocation":45},"/solutions/source-code-management/","source code management",{"text":123,"config":124},"CI/CD",{"href":125,"dataGaName":126,"dataGaLocation":45},"/solutions/continuous-integration/","continuous integration & delivery",{"text":128,"config":129},"Value stream management",{"href":130,"dataGaName":131,"dataGaLocation":45},"/solutions/value-stream-management/","value stream management",{"text":133,"config":134},"GitOps",{"href":135,"dataGaName":136,"dataGaLocation":45},"/solutions/gitops/","gitops",{"text":138,"config":139},"Enterprise",{"href":140,"dataGaName":141,"dataGaLocation":45},"/enterprise/","enterprise",{"text":143,"config":144},"Small business",{"href":145,"dataGaName":146,"dataGaLocation":45},"/small-business/","small business",{"text":148,"config":149},"Public sector",{"href":150,"dataGaName":151,"dataGaLocation":45},"/solutions/public-sector/","public sector",{"text":153,"config":154},"Education",{"href":155,"dataGaName":156,"dataGaLocation":45},"/solutions/education/","education",{"text":158,"config":159},"Financial services",{"href":160,"dataGaName":161,"dataGaLocation":45},"/solutions/finance/","financial services",{"title":163,"links":164},"Resources",[165,170,175,180,185,190,195,200,205,210,215,220,225],{"text":166,"config":167},"Install",{"href":168,"dataGaName":169,"dataGaLocation":45},"/install/","install",{"text":171,"config":172},"Quick start guides",{"href":173,"dataGaName":174,"dataGaLocation":45},"/get-started/","quick setup checklists",{"text":176,"config":177},"Learn",{"href":178,"dataGaName":179,"dataGaLocation":45},"https://university.gitlab.com/","learn",{"text":181,"config":182},"Product documentation",{"href":183,"dataGaName":184,"dataGaLocation":45},"https://docs.gitlab.com/","docs",{"text":186,"config":187},"Blog",{"href":188,"dataGaName":189,"dataGaLocation":45},"/blog/","blog",{"text":191,"config":192},"Customer success stories",{"href":193,"dataGaName":194,"dataGaLocation":45},"/customers/","customer success stories",{"text":196,"config":197},"Remote",{"href":198,"dataGaName":199,"dataGaLocation":45},"https://handbook.gitlab.com/handbook/company/culture/all-remote/","remote",{"text":201,"config":202},"GitLab Services",{"href":203,"dataGaName":204,"dataGaLocation":45},"/services/","services",{"text":206,"config":207},"TeamOps",{"href":208,"dataGaName":209,"dataGaLocation":45},"/teamops/","teamops",{"text":211,"config":212},"Community",{"href":213,"dataGaName":214,"dataGaLocation":45},"/community/","community",{"text":216,"config":217},"Forum",{"href":218,"dataGaName":219,"dataGaLocation":45},"https://forum.gitlab.com/","forum",{"text":221,"config":222},"Events",{"href":223,"dataGaName":224,"dataGaLocation":45},"/events/","events",{"text":226,"config":227},"Partners",{"href":228,"dataGaName":229,"dataGaLocation":45},"/partners/","partners",{"title":231,"links":232},"Company",[233,238,243,248,253,258,263,268,273,278,283,288],{"text":234,"config":235},"About",{"href":236,"dataGaName":237,"dataGaLocation":45},"/company/","company",{"text":239,"config":240},"Jobs",{"href":241,"dataGaName":242,"dataGaLocation":45},"/jobs/","jobs",{"text":244,"config":245},"Leadership",{"href":246,"dataGaName":247,"dataGaLocation":45},"/company/team/e-group/","leadership",{"text":249,"config":250},"Team",{"href":251,"dataGaName":252,"dataGaLocation":45},"/company/team/","team",{"text":254,"config":255},"Handbook",{"href":256,"dataGaName":257,"dataGaLocation":45},"https://handbook.gitlab.com/","handbook",{"text":259,"config":260},"Investor relations",{"href":261,"dataGaName":262,"dataGaLocation":45},"https://ir.gitlab.com/","investor relations",{"text":264,"config":265},"Environmental, social and governance (ESG)",{"href":266,"dataGaName":267,"dataGaLocation":45},"/environmental-social-governance/","environmental, social and governance",{"text":269,"config":270},"Diversity, inclusion and belonging (DIB)",{"href":271,"dataGaName":272,"dataGaLocation":45},"/diversity-inclusion-belonging/","Diversity, inclusion and belonging",{"text":274,"config":275},"Trust Center",{"href":276,"dataGaName":277,"dataGaLocation":45},"/security/","trust center",{"text":279,"config":280},"Newsletter",{"href":281,"dataGaName":282,"dataGaLocation":45},"/company/contact/","newsletter",{"text":284,"config":285},"Press",{"href":286,"dataGaName":287,"dataGaLocation":45},"/press/","press",{"text":289,"config":290},"Modern Slavery Transparency Statement",{"href":291,"dataGaName":292,"dataGaLocation":45},"https://handbook.gitlab.com/handbook/legal/modern-slavery-act-transparency-statement/","modern slavery transparency statement",{"title":294,"links":295},"Contact Us",[296,301,306,311,316,321,326],{"text":297,"config":298},"Contact an expert",{"href":299,"dataGaName":300,"dataGaLocation":45},"/sales/","sales",{"text":302,"config":303},"Get help",{"href":304,"dataGaName":305,"dataGaLocation":45},"/support/","get help",{"text":307,"config":308},"Customer portal",{"href":309,"dataGaName":310,"dataGaLocation":45},"https://customers.gitlab.com/customers/sign_in/","customer portal",{"text":312,"config":313},"Status",{"href":314,"dataGaName":315,"dataGaLocation":45},"https://status.gitlab.com/","status",{"text":317,"config":318},"Terms of use",{"href":319,"dataGaName":320,"dataGaLocation":45},"/terms/","terms of use",{"text":322,"config":323},"Privacy statement",{"href":324,"dataGaName":325,"dataGaLocation":45},"/privacy/","privacy statement",{"text":327,"config":328},"Cookie preferences",{"dataGaName":329,"dataGaLocation":45,"id":330,"isOneTrustButton":331},"cookie preferences","ot-sdk-btn",true,{"items":333},[334,336,338],{"text":317,"config":335},{"href":319,"dataGaName":320,"dataGaLocation":45},{"text":322,"config":337},{"href":324,"dataGaName":325,"dataGaLocation":45},{"text":327,"config":339},{"dataGaName":329,"dataGaLocation":45,"id":330,"isOneTrustButton":331},"content:shared:en-us:main-footer.yml","Main Footer","shared/en-us/main-footer.yml","shared/en-us/main-footer",{"_path":345,"_dir":9,"_draft":6,"_partial":6,"_locale":7,"logo":346,"subscribeLink":351,"navItems":355,"_id":367,"_type":31,"title":368,"_source":32,"_file":369,"_stem":370,"_extension":35},"/shared/en-us/the-source/navigation",{"altText":347,"config":348},"the source logo",{"src":349,"href":350},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1750191004/t7wz1klfb2kxkezksv9t.svg","/the-source/",{"text":352,"config":353},"Subscribe",{"href":354},"#subscribe",[356,360,363],{"text":357,"config":358},"Artificial Intelligence",{"href":359},"/the-source/ai/",{"text":98,"config":361},{"href":362},"/the-source/security/",{"text":364,"config":365},"Platform & Infrastructure",{"href":366},"/the-source/platform/","content:shared:en-us:the-source:navigation.yml","Navigation","shared/en-us/the-source/navigation.yml","shared/en-us/the-source/navigation",{"_path":372,"_dir":9,"_draft":6,"_partial":6,"_locale":7,"title":373,"description":374,"submitMessage":375,"formData":376,"_id":380,"_type":31,"_source":32,"_file":381,"_stem":382,"_extension":35},"/shared/en-us/the-source/newsletter","The Source Newsletter","Stay updated with insights for the future of software development.","You have successfully signed up for The Source’s newsletter.",{"config":377},{"formId":378,"formName":379,"hideRequiredLabel":331},1077,"thesourcenewsletter","content:shared:en-us:the-source:newsletter.yml","shared/en-us/the-source/newsletter.yml","shared/en-us/the-source/newsletter",{"_path":384,"_dir":29,"_draft":6,"_partial":6,"_locale":7,"config":385,"seo":390,"content":394,"type":418,"slug":419,"category":29,"_id":420,"_type":31,"title":7,"_source":32,"_file":421,"_stem":422,"_extension":35},"/en-us/the-source/platform/transform-your-platform-onboarding-for-higher-adoption-rates",{"layout":9,"template":386,"articleType":387,"author":388,"featured":331,"gatedAsset":389},"TheSourceArticle","Regular","bryan-ross","source-lp-devsecops-the-key-to-modern-security-resilience",{"title":391,"description":392,"ogImage":393},"Transform your platform onboarding for higher adoption rates","Redesign your platform onboarding to boost adoption, reduce friction, and create seamless experiences for development teams.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751463510/hm90bhwzptl1b2gwovhx.png",{"title":391,"date":395,"description":392,"timeToRead":396,"heroImage":393,"keyTakeaways":397,"articleBody":401,"faq":402},"2025-07-01","4 min read",[398,399,400],"A weak onboarding experience can significantly impact platform adoption, with research showing that one-third of users consider abandoning platforms after poor experiences.","Simple improvements like creating an intuitive landing page, writing clear documentation, and automating access processes can dramatically increase user adoption and satisfaction.","Building effective support systems across multiple channels (chat, email, ticketing) creates trust and ensures users can quickly overcome obstacles during their onboarding journey.","In my work with platform teams across industries, from startups to enterprises, I’ve noticed a consistent blind spot: the onboarding experience. While teams focus intensely on building robust features, they often neglect how new users first encounter their platform - and this oversight can severely limit adoption.\n\nAccording to the [diffusion of innovations theory](https://en.wikipedia.org/wiki/Diffusion_of_innovations), most platforms achieve about 16% adoption before stagnating. That's because innovators and early adopters - representing about 16% of an organization - are often willing to tolerate rough edges, motivated by novelty or vision. The early majority, comprising 34%, is key to going mainstream. They prioritize proven reliability, a clear value proposition, and ease of use. This shift in expectations is the chasm where many platform teams stumble. Your early adopters might forgive a clunky onboarding process, but the early majority won’t.\n\n![Diffusion of Innovation](//images.ctfassets.net/xz1dnu24egyd/71u266y7clfp1IpcjyUVoN/2434cbf43293cb5c0c4f0c6009e632f3/Copy_of_Diffusion_of_Innovation.png)\n\n## Start with a memorable, future-proof name\nThe platform's name is likely the first part of the platform that users will engage with. Choose something unique within your organization that’s easy to spell and not tied to specific technologies.\n\nEffective platform names often:\n\n**Reflect your value proposition** rather than the underlying technology. For example, try a name such as “Runway” that reflects the value proposition of helping teams launch faster instead of something more literal like “K8sPipeline.”\n\n**Use simple, memorable words** that evoke the platform’s purpose. Can someone easily understand and spell it after hearing it once? Choosing something simple and easy to remember, such as “Beacon,” will likely serve you better than a unique or creative option such as “Syzygy.”\n\nAvoid these common pitfalls:\n- **Version numbers in names** signal previous failures and raise doubts about longevity.\n- **Generic three-letter acronyms** become instantly forgettable in a sea of other TLAs.\n- **Technology-based names** suggest you prioritize tools over user needs.\n\n## Develop a multi-channel communication strategy\nEffective platform adoption requires deliberate communication planning across multiple channels, from a product website that clearly articulates your platform’s value proposition to user-centric documentation and email updates. Your communication strategy should also include a reliable health dashboard that gives users visibility into known issues and their resolution status. Remember that in enterprise environments, how you communicate about your platform often matters as much as the platform itself. Invest in communication with the same care you invest in your technical infrastructure.\n\n> [Learn more about building a comprehensive communication framework for platform engineering](https://about.gitlab.com/the-source/platform/building-a-communication-strategy-for-platform-engineering-teams/).\n\n## Simplify the access process\nTeams often spend months perfecting platform features while neglecting the most basic step: making it easy to access the platform.\n\nI’ve seen many examples of this at organizations of all sizes, across every industry. Common barriers include:\n\n**Manual onboarding processes** for supposedly self-service platforms. If you can’t fully automate the process, do your best to perform human-in-the-loop tasks asynchronously.\n\n**Time-consuming approval steps** or other barriers that delay initial exploration. One great solution to this is to offer immediate, temporary access to your platform for free for 30 days. This is long enough for someone to decide if your platform helps them and raise the necessary request to gain full access.\n\n**Mandatory training requirements** before users can begin. Training is valuable, but it should be required within a period of joining the platform rather than being a prerequisite.\n\n## Don’t neglect design and tone\nFirst impressions are largely visual. An outdated or inconsistent interface can deter users even if your functionality is excellent. Pay attention to branding, color schemes, and the tone of your messaging. These details might seem trivial, but they set the tone for user engagement.\n\nAim for clear, human communication rather than technical jargon. A user-friendly tone makes your platform more approachable to diverse stakeholders.\n\n## Build responsive support systems\nEven the best platforms need support, and nothing builds trust faster than responsive help when users encounter problems. Your primary goal during support interactions should be minimizing user frustration.\n\nCreate an effective support framework by leveraging multiple channels:\n- **Support tickets** provide accountability and integration with other systems.\n- **Email communication** works well for complex topics requiring clarity.\n- **Chat systems** enable real-time problem-solving when users are “in the flow.”\n\nBe present where your users are, even if that means monitoring multiple communication tools. Aim to answer chat queries within 30-60 minutes, and always follow up publicly so others can benefit from solutions.\n\n## The path to successful platform adoption\nOrganizations that prioritize user experience from day one gain significant advantages in adoption rates and user satisfaction. By creating intuitive onboarding processes, clear documentation, and responsive support systems, you transform the user journey from frustration to delight.\n\nRemember that your platform users are making a critical decision: whether your solution deserves their time and trust. A thoughtful onboarding experience tells them you value that investment - and dramatically increases your chances of widespread adoption.",[403,406,409,412,415],{"header":404,"content":405},"Why is platform onboarding so important to user adoption?","Poor onboarding experiences are a leading cause of stalled platform adoption. Research shows that one-third of users consider abandoning platforms after a frustrating first encounter. A thoughtful, streamlined onboarding process helps build trust and accelerates user engagement.",{"header":407,"content":408},"What are the most common onboarding mistakes platform teams make?","Teams often over-engineer platform features while neglecting usability basics. Common mistakes include clunky access processes, mandatory training before usage, poor visual design, inconsistent messaging, and weak support channels, all of which discourage adoption.",{"header":410,"content":411},"How can platform teams improve onboarding access without sacrificing control?","Offer temporary, self-service access, such as a 30-day trial, to remove early friction. If full automation isn’t possible, use asynchronous human-in-the-loop onboarding and avoid approval-heavy workflows that delay initial exploration and testing.",{"header":413,"content":414},"What role does naming and communication play in platform success?","A clear, future-proof name and consistent multi-channel communication strategy help build platform recognition and trust. Names should reflect user value, not technology, while communication must include user-focused documentation, health dashboards, and regular updates.",{"header":416,"content":417},"How should platform support be structured during onboarding?","Support should be fast, responsive, and multi-modal. Use tickets for tracking, email for clarity, and chat for real-time help. Aim for quick response times and always share publicly resolved issues to benefit all users.","article","transform-your-platform-onboarding-for-higher-adoption-rates","content:en-us:the-source:platform:transform-your-platform-onboarding-for-higher-adoption-rates:index.yml","en-us/the-source/platform/transform-your-platform-onboarding-for-higher-adoption-rates/index.yml","en-us/the-source/platform/transform-your-platform-onboarding-for-higher-adoption-rates/index",{"_path":424,"_dir":9,"_draft":6,"_partial":6,"_locale":7,"type":425,"config":426,"seo":427,"content":430,"slug":20,"_id":444,"_type":31,"title":7,"_source":32,"_file":445,"_stem":446,"_extension":35},"/en-us/the-source/ai","category",{"layout":9},{"title":357,"description":428,"ogImage":429},"Explore expert insights on how AI is transforming software development, and how organizations can get the most out of their AI investments.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751463300/eoudcbj5aoucl0spsp0c.png",[431,436],{"componentName":432,"type":432,"componentContent":433},"TheSourceCategoryHero",{"title":357,"description":428,"image":434},{"config":435},{"src":429},{"componentName":437,"type":437,"componentContent":438},"TheSourceCategoryMainSection",{"config":439},{"gatedAssets":440},[441,442,443],"source-lp-how-to-get-started-using-ai-in-software-development","navigating-ai-maturity-in-devsecops","source-lp-ai-guide-for-enterprise-leaders-building-the-right-approach","content:en-us:the-source:ai:index.yml","en-us/the-source/ai/index.yml","en-us/the-source/ai/index",{"_path":448,"_dir":9,"_draft":6,"_partial":6,"_locale":7,"type":425,"config":449,"seo":450,"content":453,"slug":24,"_id":464,"_type":31,"title":7,"_source":32,"_file":465,"_stem":466,"_extension":35},"/en-us/the-source/security",{"layout":9},{"title":98,"description":451,"ogImage":452},"Get up to speed on how organizations can ensure they're staying on top of evolving security threats and compliance requirements.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751463273/aplkxrvwpii26xao5yhi.png",[454,458],{"componentName":432,"type":432,"componentContent":455},{"title":98,"description":451,"image":456},{"config":457},{"src":452},{"componentName":437,"type":437,"componentContent":459},{"config":460},{"gatedAssets":461},[462,389,463],"source-lp-guide-to-dynamic-sboms","application-security-in-the-digital-age","content:en-us:the-source:security:index.yml","en-us/the-source/security/index.yml","en-us/the-source/security/index",{"_path":468,"_dir":9,"_draft":6,"_partial":6,"_locale":7,"type":425,"config":469,"seo":470,"content":473,"slug":29,"_id":485,"_type":31,"title":7,"_source":32,"_file":486,"_stem":487,"_extension":35},"/en-us/the-source/platform",{"layout":9},{"title":364,"description":471,"ogImage":472},"Learn how to build a DevSecOps framework that sets your team up for success, from planning to delivery.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751463263/bdz7hmhpbmgwvoybcaud.png",[474,478],{"componentName":432,"type":432,"componentContent":475},{"title":364,"description":471,"image":476},{"config":477},{"src":472},{"componentName":437,"type":437,"componentContent":479},{"config":480},{"gatedAssets":481},[482,483,484],"source-lp-the-ultimate-playbook-for-high-performing-devsecops-teams","source-lp-measuring-success-in-software-development-a-guide-for-leaders","source-lp-building-a-resilient-software-development-practice","content:en-us:the-source:platform:index.yml","en-us/the-source/platform/index.yml","en-us/the-source/platform/index",{"amanda-rueda":489,"andre-michael-braun":490,"andrew-haschka":491,"ayoub-fandi":492,"brian-wald":493,"bryan-ross":494,"chandler-gibbons":495,"dave-steer":496,"ddesanto":497,"derek-debellis":498,"emilio-salvador":499,"erika-feldman":500,"george-kichukov":501,"gitlab":502,"grant-hickman":503,"haim-snir":504,"iganbaruch":505,"jlongo":506,"joel-krooswyk":507,"josh-lemos":508,"julie-griffin":509,"kristina-weis":510,"lee-faus":511,"ncregan":512,"rschulman":513,"sabrina-farmer":514,"sandra-gittlen":515,"sharon-gaudin":516,"stephen-walters":517,"taylor-mccaslin":518},"Amanda Rueda","Andre Michael Braun","Andrew Haschka","Ayoub Fandi","Brian Wald","Bryan Ross","Chandler Gibbons","Dave Steer","David DeSanto","Derek DeBellis","Emilio Salvador","Erika Feldman","George Kichukov","GitLab","Grant Hickman","Haim Snir","Itzik Gan Baruch","Joseph Longo","Joel Krooswyk","Josh Lemos","Julie Griffin","Kristina Weis","Lee Faus","Niall Cregan","Robin Schulman","Sabrina Farmer","Sandra Gittlen","Sharon Gaudin","Stephen Walters","Taylor McCaslin",{"amanda-rueda":489,"andre-michael-braun":490,"andrew-haschka":491,"ayoub-fandi":492,"brian-wald":493,"bryan-ross":494,"chandler-gibbons":495,"dave-steer":496,"ddesanto":497,"derek-debellis":498,"emilio-salvador":499,"erika-feldman":500,"george-kichukov":501,"gitlab":502,"grant-hickman":503,"haim-snir":504,"iganbaruch":505,"jlongo":506,"joel-krooswyk":507,"josh-lemos":508,"julie-griffin":509,"kristina-weis":510,"lee-faus":511,"ncregan":512,"rschulman":513,"sabrina-farmer":514,"sandra-gittlen":515,"sharon-gaudin":516,"stephen-walters":517,"taylor-mccaslin":518},[521,532,567],{"_path":384,"_dir":29,"_draft":6,"_partial":6,"_locale":7,"config":522,"seo":523,"content":524,"type":418,"slug":419,"category":29,"_id":420,"_type":31,"title":7,"_source":32,"_file":421,"_stem":422,"_extension":35},{"layout":9,"template":386,"articleType":387,"author":388,"featured":331,"gatedAsset":389},{"title":391,"description":392,"ogImage":393},{"title":391,"date":395,"description":392,"timeToRead":396,"heroImage":393,"keyTakeaways":525,"articleBody":401,"faq":526},[398,399,400],[527,528,529,530,531],{"header":404,"content":405},{"header":407,"content":408},{"header":410,"content":411},{"header":413,"content":414},{"header":416,"content":417},{"_path":533,"_dir":29,"_draft":6,"_partial":6,"_locale":7,"config":534,"seo":535,"content":539,"type":418,"slug":563,"category":29,"_id":564,"_type":31,"title":7,"_source":32,"_file":565,"_stem":566,"_extension":35},"/en-us/the-source/platform/unlock-developer-potential-with-effective-platform-teams",{"layout":9,"template":386,"articleType":387,"author":388,"featured":6,"gatedAsset":484},{"title":536,"description":537,"ogImage":538},"Unlock developer potential with effective platform teams","Discover how successful platform teams drive innovation by focusing on collaboration and developer experience rather than just technology.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751463569/go1j065dkmpxh5qiabh1.png",{"title":536,"date":540,"description":537,"timeToRead":541,"heroImage":538,"keyTakeaways":542,"articleBody":546,"faq":547},"2025-06-24","6 min read",[543,544,545],"Platform teams thrive when they measure success through developer velocity and adoption rates, not by technical complexity or feature count—creating value by removing obstacles rather than adding layers.","Building strong feedback loops between platform teams and developers creates a virtuous cycle where platforms evolve based on real needs, fostering higher adoption and greater business impact.","The most successful platform teams focus on making the right way the easy way, reducing cognitive load for developers and allowing them to concentrate on building features that matter to customers.","Developers are drowning in complexity while delivery dates keep slipping. Everyone’s talking about platform teams as the solution, but if you build it, will they come? The harsh reality is that most platform initiatives fail not because of technology choices but because they miss what truly matters: genuine collaboration. The most powerful platforms aren’t technology stacks - they’re relationship accelerators that fundamentally change how teams work together.\n\n## What are platform teams and what do they do?\nThe [Team Topologies](https://www.amazon.co.uk/Team-Topologies-Organizing-Business-Technology/dp/1942788819) framework defined the four fundamental types of teams involved in software development:\n1. **Stream-aligned teams**, who focus on a single stream of work\n1. **Enabling teams**, who provide specialized skills and expertise to support stream-aligned teams\n1. **Complicated-subsystem teams**, who build and maintain backend systems that require specialist knowledge\n1. **Platform teams**, who enable stream-aligned teams to operate more quickly and autonomously.\n\nOf these, platform teams often get the most attention - and for good reason. When done right, they can transform how quickly an organization delivers software.\n\nPlatform teams make developers’ jobs easier by handling complex technical work for them. They give developers everything they need to build, test, and deploy applications without worrying about the underlying technology. Think of the platform team as a product team creating an internal product - and developers are their customers.\n\nA platform team’s core goal is simple: enable developers to deliver software faster by simplifying complexity. Rather than having each development team figure out how to set up monitoring, security controls, CI/CD pipelines, and cloud resources, the platform team creates [standardized, well-documented solutions that work seamlessly together](https://about.gitlab.com/the-source/platform/driving-business-results-with-platform-engineering/).\n\nBut here’s a nuance many leaders miss: The success of a platform team isn’t measured by the sophistication of its technology stack or the number of features it delivers - it’s measured by how effectively it enables other teams to deliver business value. Platform teams are defined by how they collaborate with the teams they serve.\n\nI’ve worked with organizations across industries, and the pattern is clear. When platform teams focus on reducing cognitive load for developers and creating self-service capabilities that feel effortless, everyone wins. The business delivers faster, developers stay focused on what matters, and customers get better products.\n\n## The restaurant model of platform excellence\nThink of a well-designed platform like a restaurant. The food might be excellent, but customers are unlikely to return if the service is slow, the staff is rude, and the environment lacks character.\n\nThe same applies to platform teams. The technology matters, but how it’s organized and presented to developers - the customers of the platform - matters just as much. Great platforms create an environment where software developers can focus on creating business value instead of wrestling with infrastructure concerns or reinventing workflows.\n\nJust as restaurant kitchens must evolve with changing culinary techniques and equipment, platform teams must continuously evolve their offerings to meet changing business requirements and development processes.\n\n## Three pillars of platform team success\n### Align priorities around outcomes\nThe most effective platform teams align their priorities with the outcomes developers need to achieve. This alignment isn’t always easy, especially when platform teams report through IT functions while development teams report through business units.\n\nBreaking this organizational pattern requires platform teams to focus on what developers truly need. The metrics that matter aren’t technical but outcome-based: How much faster can developers ship? How confidently can they release changes? Here are a few of the outcomes you should be measuring:\n\n- **Increasing adoption rates**: Teams choose your platform because it makes their lives easier\n- **Developer velocity**: Teams using your platform ship faster than those who don't\n- **Developer satisfaction**: Regular feedback shows developers enjoy using your platform\n- **Reduced support burden**: Support tickets decrease dramatically as developers can self-serve through well-designed interfaces and comprehensive documentation\n\nGreat platform leaders advocate upward to leadership about the direct connection between developer productivity and business outcomes, turning “developer experience” from a nice-to-have into a strategic imperative.\n\n### Build strong communication channels\nRemember, the platform is a product, and developers are the customers. This mindset shift changes everything.\n\nThe best platform teams create multiple channels for feedback:\n- Regular user research sessions\n- Developer experience surveys\n- “Office hours” where developers can get help\n- Champions programs that bring developer perspectives into platform planning\n\nEven the name matters. Teams with names like “Developer Enablement Platform” or “Developer Experience Team” send a clear signal about their purpose - they exist to serve developers, not to control them.\n\nDevelopers who feel heard and respected become collaborators rather than mere users. They bring insights that improve your platform because they know their needs will shape its evolution.\n\n> [Learn more about how to create a communication framework for platform engineering that increases adoption, builds trust, and shows value](https://about.gitlab.com/the-source/platform/building-a-communication-strategy-for-platform-engineering-teams/).\n\n### Focus on developer delight\nDeveloper experience isn't just about reducing friction - it’s about creating delight. Think of your platform as a product that has to compete for mindshare. At one major media and telecommunications company I worked with, the platform team would theme their developer interfaces to celebrate key holidays and events throughout the year. These seasonal themes - whether for Halloween, major sporting events, or end-of-year celebrations - added no functional improvements yet consistently generated positive developer feedback. This simple touch demonstrated that the platform team cared about the human experience, not just the technical capabilities.\n\nThe best platforms don’t just build features; they craft experiences where:\n- Error messages guide rather than confuse\n- Documentation anticipates questions\n- Interfaces feel natural and intuitive\n- Common tasks require minimal cognitive load\n\nPlatform engineering excellence comes from making complex things appear simple. It’s not about building the most sophisticated system - it’s about hiding complexity so developers can focus on creating business value.\n\n## The path forward\nTeam Topologies provides a valuable framework for understanding how platform teams should function. But the real magic happens when you combine that framework with a relentless focus on the developer experience.\n\nMy advice for platform leaders:\n1. **Measure what matters**: Track developer velocity and platform adoption as your primary metrics.\n1. **Find champions**: Every feature should have a customer champion who helps shape it.\n1. **Make the right way the easy way**: Success comes when developers choose your platform because it's genuinely better than alternatives.\n\nThe most successful organizations I’ve worked with understand that platforms are collaborative ecosystems that succeed or fail based on human factors as much as technical ones.\n\nBy focusing on outcomes, communication, and experience, your platform team can become a force multiplier, transforming how your organization builds software.",[548,551,554,557,560],{"header":549,"content":550},"What is the main responsibility of a platform engineering team?","A platform engineering team's primary responsibility is to reduce complexity for developers by providing standardized tools, services, and workflows that enable faster, safer software delivery. Their role is to empower development teams, not control them.",{"header":552,"content":553},"How do successful platform teams measure their impact?","Impact is measured by developer outcomes, not technical features. Key metrics include adoption rates, developer velocity, satisfaction scores, and a reduced support burden. The best platforms help teams ship faster and more confidently.",{"header":555,"content":556},"Why is collaboration critical for platform engineering success?","Platforms succeed when built with developer input and feedback. Strong communication loops, including surveys, office hours, and developer champions, help ensure the platform evolves in response to real user needs, increasing adoption and trust.",{"header":558,"content":559},"What’s the “restaurant model” in platform engineering?","The restaurant model suggests that, like a good dining experience, a great platform needs more than good \"food\" (features). It also needs friendly service (support), clear signage (documentation), and a welcoming environment (developer experience).",{"header":561,"content":562},"How can platform teams boost developer engagement?","Beyond functionality, teams can create delight through intuitive interfaces, thoughtful error messaging, and even small cultural touches like themed dashboards. These elements show empathy and build stronger emotional connections with developers.","unlock-developer-potential-with-effective-platform-teams","content:en-us:the-source:platform:unlock-developer-potential-with-effective-platform-teams:index.yml","en-us/the-source/platform/unlock-developer-potential-with-effective-platform-teams/index.yml","en-us/the-source/platform/unlock-developer-potential-with-effective-platform-teams/index",{"_path":568,"_dir":29,"_draft":6,"_partial":6,"_locale":7,"config":569,"seo":570,"content":575,"type":418,"slug":598,"category":29,"_id":599,"_type":31,"title":7,"_source":32,"_file":600,"_stem":601,"_extension":35},"/en-us/the-source/platform/building-a-communication-strategy-for-platform-engineering-teams",{"layout":9,"template":386,"articleType":387,"author":388,"featured":331,"gatedAsset":483},{"title":571,"description":572,"ogImage":573,"config":574},"Building a communication strategy for platform engineering teams","Discover how to create a communication framework for platform engineering that increases adoption, builds trust, and shows value.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751463500/aw80z4omecn1zduruwhi.png",{"ignoreTitleCharLimit":331},{"title":571,"date":576,"description":572,"timeToRead":541,"heroImage":573,"keyTakeaways":577,"articleBody":581,"faq":582},"2025-06-17",[578,579,580],"Effective communication is foundational to platform engineering success, directly impacting user adoption, satisfaction, and leadership support.","A multi-channel approach using product websites, blogs, health dashboards, documentation, emails, and chat platforms creates a comprehensive communication ecosystem.","Communication must be tailored to different audiences — from technical users needing implementation details to executives requiring value demonstrations.","Picture this: Your [platform engineering team](https://about.gitlab.com/the-source/platform/platform-engineering-its-about-culture-not-tools/) has spent months perfecting an internal solution that dramatically reduces deployment times and eliminates configuration errors. Yet three months after launch, adoption remains disappointingly low. The culprit? Not technical shortcomings but communication gaps.\n\nEven the most powerful internal developer platform will fail without effective communication. I consistently see technically sound platforms struggling with adoption because potential users don’t understand their value or how to use them.\n\nYour platform’s technical excellence means nothing if engineers don’t adopt it or leadership doesn’t fund its continuous improvement. Strategic communication bridges the gap between platform capability and business impact, transforming your technical innovation into measurable value that resonates with developers and executives.\n\n## Crafting effective rollout communications\nBefore diving into ongoing communication channels, we must address a crucial moment: your platform’s initial launch. Whether you’re communicating through email, Slack, or a real-time presentation, how you introduce your platform sets the foundation for adoption and engagement.\n\n**Start with the “why” behind your platform**. Engineers are naturally skeptical of new tools that appear to add complexity. Your communications should clearly explain how the platform reduces cognitive load, minimizes context switching, improves documentation access, and enables faster development cycles. Frame benefits as concrete improvements to daily workflows rather than abstract concepts. For example, highlight how automating environment setup can save each developer 5-7 hours weekly instead of simply claiming “increased productivity.”\n\n**Anticipate and address resistance points proactively**. Engineers often worry about how new platforms integrate with their preferred tools or disrupt established workflows. Your communications should acknowledge these concerns directly and explain integration capabilities, migration paths, and support options. Consider creating an FAQ document that addresses common objections before they arise. Being transparent about current limitations while sharing your roadmap builds credibility and sets appropriate expectations.\n\n**Recruit platform champions to amplify your message**. Identify respected technical colleagues who contributed to the platform’s development or successfully used early versions. Their authentic endorsements carry significantly more weight than official communications alone. Create opportunities for these champions to demonstrate the platform’s capabilities through lightning talks, recorded demos, or pair programming sessions. These peer-to-peer interactions allow potential users to see practical applications and ask candid questions in a low-pressure environment.\n\nOnce you’ve launched the platform, you’ll need to keep the communication with your users open. Let’s explore the five critical communication channels that should be part of every platform engineering team’s ongoing strategy.\n\n## The essential communication channels\n### Documentation\nGreat documentation - ideally in an editable wiki or intranet that everyone can contribute to - is transformative for platform adoption. It dramatically reduces support overhead and [accelerates user onboarding](https://about.gitlab.com/the-source/platform/transform-your-platform-onboarding-for-higher-adoption-rates/). Intentionally recording your knowledge is one of the most selfless and positive changes you can make in a team.\n\nYour documentation needs to answer three questions concisely: What problem does your platform solve, what benefits can developers expect, and where can they find more information?\n\nEffective documentation puts users first, organizing information around their journey rather than system architecture. It should also include:\n- Straightforward \"Getting Started\" guides showing how easily basic use cases can be implemented\n- A comprehensive knowledge base for more complex scenarios\n- Clear examples and code snippets that users can adapt\n- Regular updates that keep pace with platform changes\n\nThe best documentation anticipates user questions rather than just documenting system capabilities.\n\n### Team blog\nConsider creating an internal blog for your platform engineering team where they can share ideas and solutions with the platform users. A dedicated blog space enables your team to share deeper context about your platform that wouldn’t fit in brief communications. Blog posts allow you to:\n- Provide technical deep dives with diagrams or videos\n- Give users insights into how your platform operates\n- Cultivate knowledgeable platform advocates\n- Build trust through transparency\n- Give team members practice with technical communication\n- Share success stories or interesting use cases for the platform\n\nBlog content helps users understand how to use your platform and why certain design decisions were made, making them more effective users and potential advocates.\n\n### Health dashboard\nWhen users encounter platform issues, nothing frustrates them more than silence. A health dashboard provides immediate visibility into known issues and their resolution status.\n\nAn effective dashboard serves multiple purposes in your communication strategy. First, it builds trust by acknowledging problems quickly rather than leaving users to wonder if issues will be addressed. During widespread outages, a dashboard significantly reduces duplicate support requests by providing a central source of truth about system status. Prospective users often review these dashboards to evaluate how reliably you operate before committing to your platform. Perhaps most importantly, a transparent health dashboard demonstrates your team’s commitment to openness and accountability, qualities that foster long-term trust with your user community.\n\nRemember that dashboards must be accurate to maintain credibility. A dashboard showing all green systems during a known outage will destroy user trust. Similarly, reported problems should always include resolution updates.\n\n### Email updates\nDespite inbox overload, email remains effective for periodic platform updates. Monthly newsletters help maintain awareness of your platform’s ongoing development and improvements.\n\nThese communications serve two purposes:\n- Informing users about new features, improvements, and upcoming changes\n- Demonstrating continuous momentum and investment in the platform\n\nRemember that most recipients will skim emails for just a few seconds. Make key points stand out with clear formatting, concise language, and visual hierarchy. The communication reinforces your team's active presence even if users don’t read every word.\n\n### Real-time messaging\nYour team should maintain a presence wherever your users naturally collaborate - which often means real-time chat platforms like Slack. Chat builds relationships with users through accessibility and responsiveness, creating a community around your platform. Here are a few golden rules teams can follow to ensure they’re building a good relationship with their users:\n\n**Respond to queries promptly**. Chat moves quickly. Teams should aim to respond to user questions within 30-60 minutes during business hours to maintain engagement and show users they’re valued. It’s not ideal if users are chatting in real time about your product and your team is nowhere to be found.\n\n**Present a consistent voice to users**. Think of your organization’s messaging systems as a “public” customer service channel. Maintain a separate “internal” channel where engineers can debate and discuss conflicting viewpoints. A user should never see two engineers debating with one another - they both lose credibility.\n\n**Document solutions publicly**. After resolving an inquiry, ensure that engineers update the channel with the outcome so other users can benefit from the knowledge.\n\n**Open support tickets for users**. Chat is great for quick questions, but more complicated requests should be tracked in issue management software. Instead of directing users to “open a ticket,” ensure your engineers can do this on behalf of the user.\n\n## Bringing it all together\n[Effective platform engineering](https://about.gitlab.com/the-source/platform/driving-business-results-with-platform-engineering/) requires a holistic approach to communication that combines all these channels into a cohesive strategy. Each channel serves distinct purposes and reaches different segments of your audience.\n\nBy implementing this comprehensive framework, your platform team can build trust, demonstrate value, and drive adoption - ultimately ensuring that your technical capabilities translate into business impact.\n\nRemember that in enterprise environments, how you communicate about your platform often matters as much as the platform itself. Invest in communication with the same care you invest in your technical infrastructure.",[583,586,589,592,595],{"header":584,"content":585},"What role does communication play in successful platform engineering?","Communication is foundational to platform engineering success. Even the best technical platforms will fail if users don’t understand their value, know how to use them, or feel supported. Communication drives adoption, builds trust, and helps secure long-term investment.",{"header":587,"content":588},"Why do platform rollouts fail even when the tech is solid?","Rollouts often fail due to poor communication. If developers don’t see clear benefits, or if concerns around workflow disruption and tool integration aren't addressed, adoption stalls. Successful rollouts proactively explain value, anticipate objections, and include trusted advocates to build credibility.",{"header":590,"content":591},"What communication channels should every platform team use?","A strong communication strategy includes five core channels: detailed documentation, a team blog, a live platform health dashboard, periodic email updates, and real-time messaging on platforms like Slack. Each channel supports different user needs and helps ensure ongoing engagement.",{"header":593,"content":594},"How should platform teams communicate with technical vs. executive stakeholders?","Communication should be tailored to each audience. Developers need technical guidance and practical examples. Executives need clear demonstrations of platform impact, such as improved delivery speed or reduced support costs. One message rarely fits both groups.",{"header":596,"content":597},"What’s the benefit of having a health dashboard for your platform?","A transparent health dashboard builds trust by showing users what’s working and what’s not. It reduces support noise during issues, demonstrates accountability, and assures users that problems are known and being resolved.","building-a-communication-strategy-for-platform-engineering-teams","content:en-us:the-source:platform:building-a-communication-strategy-for-platform-engineering-teams:index.yml","en-us/the-source/platform/building-a-communication-strategy-for-platform-engineering-teams/index.yml","en-us/the-source/platform/building-a-communication-strategy-for-platform-engineering-teams/index",[603,619,632],{"_path":604,"_dir":605,"_draft":6,"_partial":6,"_locale":7,"config":606,"title":608,"description":609,"link":610,"_id":616,"_type":31,"_source":32,"_file":617,"_stem":618,"_extension":35},"/shared/en-us/the-source/gated-assets/navigating-ai-maturity-in-devsecops","gated-assets",{"id":442,"formId":607},1002,"Navigating AI maturity in DevSecOps","Read our survey findings from more than 5,000 DevSecOps professionals worldwide for insights on how organizations are incorporating AI into the software development lifecycle.",{"text":611,"config":612},"Read the report",{"href":613,"dataGaName":614,"dataGaLocation":615},"https://about.gitlab.com/developer-survey/2024/ai/","Navigating AI Maturity in DevSecOps","thesource","content:shared:en-us:the-source:gated-assets:navigating-ai-maturity-in-devsecops.yml","shared/en-us/the-source/gated-assets/navigating-ai-maturity-in-devsecops.yml","shared/en-us/the-source/gated-assets/navigating-ai-maturity-in-devsecops",{"_path":620,"_dir":605,"_draft":6,"_partial":6,"_locale":7,"config":621,"title":622,"description":623,"link":624,"_id":629,"_type":31,"_source":32,"_file":630,"_stem":631,"_extension":35},"/shared/en-us/the-source/gated-assets/source-lp-ai-guide-for-enterprise-leaders-building-the-right-approach",{"id":443},"AI guide for enterprise leaders: Building the right approach","Download our guide for enterprise leaders to learn how to prepare your C-suite, executive leadership, and development teams for what AI can do today — and will do in the near future — to accelerate software development.",{"text":625,"config":626},"Read the guide",{"href":627,"dataGaName":628,"dataGaLocation":615},"https://about.gitlab.com/the-source/ai/ai-guide-for-enterprise-leaders-building-the-right-approach","AI Guide For Enterprise Leaders: Building the Right Approach","content:shared:en-us:the-source:gated-assets:source-lp-ai-guide-for-enterprise-leaders-building-the-right-approach.yml","shared/en-us/the-source/gated-assets/source-lp-ai-guide-for-enterprise-leaders-building-the-right-approach.yml","shared/en-us/the-source/gated-assets/source-lp-ai-guide-for-enterprise-leaders-building-the-right-approach",{"_path":633,"_dir":605,"_draft":6,"_partial":6,"_locale":7,"config":634,"title":635,"description":636,"link":637,"_id":642,"_type":31,"_source":32,"_file":643,"_stem":644,"_extension":35},"/shared/en-us/the-source/gated-assets/source-lp-how-to-get-started-using-ai-in-software-development",{"id":441,"formId":607},"How to get started using AI in software development","Learn how to strategically implement AI to boost efficiency, security, and reduce context switching. Empower every member of your team with AI capabilities.",{"text":638,"config":639},"Download the guide",{"href":640,"dataGaName":641,"dataGaLocation":615},"https://about.gitlab.com/the-source/ai/getting-started-with-ai-in-software-development-a-guide-for-leaders","How to Get Started Using AI in Software Development","content:shared:en-us:the-source:gated-assets:source-lp-how-to-get-started-using-ai-in-software-development.yml","shared/en-us/the-source/gated-assets/source-lp-how-to-get-started-using-ai-in-software-development.yml","shared/en-us/the-source/gated-assets/source-lp-how-to-get-started-using-ai-in-software-development",[646,657,669],{"_path":533,"_dir":29,"_draft":6,"_partial":6,"_locale":7,"config":647,"seo":648,"content":649,"type":418,"slug":563,"category":29,"_id":564,"_type":31,"title":7,"_source":32,"_file":565,"_stem":566,"_extension":35},{"layout":9,"template":386,"articleType":387,"author":388,"featured":6,"gatedAsset":484},{"title":536,"description":537,"ogImage":538},{"title":536,"date":540,"description":537,"timeToRead":541,"heroImage":538,"keyTakeaways":650,"articleBody":546,"faq":651},[543,544,545],[652,653,654,655,656],{"header":549,"content":550},{"header":552,"content":553},{"header":555,"content":556},{"header":558,"content":559},{"header":561,"content":562},{"_path":568,"_dir":29,"_draft":6,"_partial":6,"_locale":7,"config":658,"seo":659,"content":661,"type":418,"slug":598,"category":29,"_id":599,"_type":31,"title":7,"_source":32,"_file":600,"_stem":601,"_extension":35},{"layout":9,"template":386,"articleType":387,"author":388,"featured":331,"gatedAsset":483},{"title":571,"description":572,"ogImage":573,"config":660},{"ignoreTitleCharLimit":331},{"title":571,"date":576,"description":572,"timeToRead":541,"heroImage":573,"keyTakeaways":662,"articleBody":581,"faq":663},[578,579,580],[664,665,666,667,668],{"header":584,"content":585},{"header":587,"content":588},{"header":590,"content":591},{"header":593,"content":594},{"header":596,"content":597},{"_path":670,"_dir":20,"_draft":6,"_partial":6,"_locale":7,"config":671,"seo":673,"content":678,"type":418,"slug":702,"category":20,"_id":703,"_type":31,"title":7,"_source":32,"_file":704,"_stem":705,"_extension":35},"/en-us/the-source/ai/from-vibe-coding-to-agentic-ai-a-roadmap-for-technical-leaders",{"layout":9,"template":386,"articleType":387,"author":672,"featured":331,"gatedAsset":443},"emilio-salvador",{"title":674,"description":675,"ogImage":676,"config":677},"From vibe coding to agentic AI: A roadmap for technical leaders","Discover how to implement vibe coding and agentic AI in your development process to increase productivity while maintaining code quality and security.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751463655/i6g9scccza0l35n6i1bf.png",{"ignoreTitleCharLimit":331},{"title":674,"date":679,"description":675,"timeToRead":680,"heroImage":676,"keyTakeaways":681,"articleBody":685,"faq":686},"2025-06-12","5 min read",[682,683,684],"AI-assisted development is transforming software creation, enabling teams to focus on business logic and user experience rather than syntax details, but requires proper governance to ensure quality.","Organizations should adopt an evolutionary approach to AI implementation — starting with basic assistance, then expanding across the development lifecycle, establishing governance frameworks, and gradually introducing autonomous agents.","The engineering landscape is shifting as AI handles routine coding tasks, creating demand for new specialized roles and requiring developers to focus on strategic thinking, architecture design, and effective AI collaboration.","A new wave of generative artificial intelligence (AI) tools is redefining how we build software and who can participate in the process. At the forefront of this revolution is \"vibe coding\" - using natural language prompts to generate functional code without having to fully understand how the code works.\n\n[According to GitLab research](https://about.gitlab.com/developer-survey/), 78% of teams have already integrated AI-assisted coding tools into software development workflows, and AI is demonstrating measurable efficiency improvements. Vibe coding lowers the barriers to entry for development. However, when software engineers use AI-generated code without critical evaluation or deep comprehension, that might also lead to lower quality and increased security vulnerabilities.\n\nTraditional development approaches rely heavily on specific programming languages and syntax rules. Vibe coding lowers the need to fully comprehend the nuances of every language and development pattern, but it does not eliminate that need. This tension between accessibility and quality reflects a broader transformation in software creation.\n\nAI is fundamentally shifting what development means. Team members can focus on desired outcomes rather than implementation details. Logic, business requirements, and user experience precede syntax correctness and language expertise. Organizations increasingly value professionals who can effectively bridge product vision with technical execution - often without writing traditional code.\n\nWhile vibe coding offers tremendous potential to accelerate development and democratize software creation, it must be implemented thoughtfully with proper governance to ensure that speed doesn't come at the expense of quality and maintainability.\n\n## Agentic AI and vibe coding\nVibe coding is about getting something to appear to work quickly rather than building a robust, efficient, and maintainable solution based on solid knowledge. This is where [agentic AI](https://about.gitlab.com/the-source/ai/agentic-ai-unlocking-developer-potential-at-scale/) can help. Agents can take abstract instructions like \"build a customer database\" and autonomously handle all the technical implementation details, bridging the gap between quick prototypes and properly engineered solutions.\n\nWhile vibe coding primarily focuses on code generation through natural language prompts, agentic AI expands these capabilities into an autonomous development ecosystem. Vibe coding involves a human developer using AI without requiring deep understanding, while agentic AI takes on a more proactive, autonomous role in building software based on a given goal.\n\nThe two approaches complement each other perfectly: vibe coding provides a solid foundation for human-AI interaction through natural language, while agentic systems build upon this foundation to create self-directed development partners that handle complex tasks by making independent decisions and taking action with minimal supervision.\n\nAgentic AI systems enhance vibe coding by integrating deeply into development workflows, conducting sophisticated code reviews, recommending infrastructure optimizations, and adapting to changing requirements. [Industry research from Deloitte](https://www2.deloitte.com/us/en/insights/industry/technology/technology-media-and-telecom-predictions/2025/autonomous-generative-ai-agents-still-under-development.html) indicates that 25% of companies using generative AI will implement agentic AI pilots in 2025, which is expected to double by 2027.\n\nSuccessfully implementing vibe coding and agentic AI together requires careful planning. Organizations must establish robust security protocols, ensure regulatory compliance, and create clear communication channels between AI systems and existing tools. Despite these challenges, the combined power of vibe coding and agentic AI delivers significant benefits in development speed, code quality, and resource optimization.\n\n## Implementation strategy for teams and leadership: An evolutionary approach\nDevelopment teams and technical leaders can follow this evolutionary path to effectively implement vibe coding and agentic AI:\n1. **Begin with AI assistance**: Introduce developers to AI tools that improve productivity for routine tasks. Focus on building familiarity, comfort, and confidence with AI assistance for coding, documentation, and simple problem-solving.\n1. **Expand AI assistance across the software development lifecycle**: Move beyond code generation tools to integrate AI into testing, debugging, code review, and documentation. Identify repetitive, time-intensive workflows where AI can create immediate value with minimal disruption.\n1. **Establish governance frameworks & interoperability standards**: Create clear policies for AI tool usage, including data access permissions, security protocols, and quality standards for AI-generated code. Define protocols for how AI systems will share information and collaborate across platforms, as well as the level of human input required when using AI tools.\n1. **Introduce autonomous AI agents for specific tasks**: Deploy agents to handle self-contained development tasks with a degree of autonomy. These agents take abstract goals like \"optimize this database query\" and handle the implementation details independently while maintaining code quality.\n1. **Scale agent implementation across the organization**: Expand the scope of tasks handled by agents and introduce multiple agents working together on complex projects. Integrate agents deeply into the end-to-end software development lifecycle and redesign team structures to create cross-functional groups combining technical expertise and domain knowledge.\n1. **Continuously improve through feedback and education**: Implement systems to monitor agent performance with clear metrics and correction protocols. Invest in organization-wide AI literacy through training programs for prompt engineering, AI collaboration techniques, and effective system oversight.\n\nThis evolutionary approach ensures technical implementation and organizational leadership progress together in the AI transformation journey, maximizing the benefits of vibe coding while building robust, efficient solutions.\n\n## The changing developer landscape\nThe engineering role is evolving as vibe coding and [agentic AI](https://about.gitlab.com/the-source/ai/emerging-agentic-ai-trends-reshaping-software-development/) handle more of the heavy lifting in software development. Less experienced developers face a steeper learning curve with fewer straightforward tasks available for initial skill-building. Simultaneously, senior engineers must adapt as AI takes over more complex tasks and traditional oversight responsibilities.\n\nBeyond the changing dynamics for existing roles, we’re seeing the emergence of entirely new positions like prompt engineers who guide and refine AI outputs. The most valuable engineering skills have shifted toward architecture design, strategic thinking, and effective AI collaboration.\n\nWhile this disruption creates uncertainty for some traditional roles and compensation models, it also opens doors for those who position themselves at the intersection of human creativity and machine efficiency. The most successful engineers will be those who strategically delegate routine work to AI while applying their uniquely human expertise to innovation and complex problem-solving.\n\nFor technical leaders, the strategic implications are clear: organizations that embrace vibe coding and agentic AI gain decisive competitive advantages through accelerated development cycles, improved code quality, and more efficient resource allocation. However, organizations will need to adopt AI responsibly, with governance frameworks to ensure that efficiency doesn’t come at the expense of security. Those who fail to do so may find themselves multiple innovation cycles behind in an increasingly AI-powered development landscape.",[687,690,693,696,699],{"header":688,"content":689},"What is vibe coding and how does it change the development process?","Vibe coding refers to the use of natural language prompts to generate functional code without needing deep knowledge of programming syntax. It shifts the focus from how code is written to what it achieves, allowing developers to prioritize business logic and user experience.",{"header":691,"content":692},"How does agentic AI complement vibe coding?","While vibe coding enables quick code generation, agentic AI takes it further by autonomously executing tasks based on goals. It bridges the gap between rapid prototyping and robust implementation, acting as a self-directed development partner that enhances productivity and quality.",{"header":694,"content":695},"What are the first steps organizations should take to implement AI in development workflows?","Start with AI-assisted tools that handle routine tasks like documentation, test creation, and debugging. As teams grow more confident, expand AI's role across the development lifecycle and introduce governance policies to manage its use responsibly.",{"header":697,"content":698},"How does the rise of AI change the skills developers need?","AI is reshaping engineering roles. Developers now need stronger architectural thinking, system design, and AI collaboration skills. Routine coding tasks are increasingly delegated to AI, so human expertise will focus more on oversight, creativity, and strategic problem-solving.",{"header":700,"content":701},"What are the risks of using AI without governance in software development?","Without governance, AI-generated code may introduce security vulnerabilities, lack maintainability, or violate compliance standards. Organizations must establish security protocols, clear usage policies, and quality checks to ensure responsible AI adoption.","from-vibe-coding-to-agentic-ai-a-roadmap-for-technical-leaders","content:en-us:the-source:ai:from-vibe-coding-to-agentic-ai-a-roadmap-for-technical-leaders:index.yml","en-us/the-source/ai/from-vibe-coding-to-agentic-ai-a-roadmap-for-technical-leaders/index.yml","en-us/the-source/ai/from-vibe-coding-to-agentic-ai-a-roadmap-for-technical-leaders/index",[707,719,755],{"_path":670,"_dir":20,"_draft":6,"_partial":6,"_locale":7,"config":708,"seo":709,"content":711,"type":418,"slug":702,"category":20,"_id":703,"_type":31,"title":7,"_source":32,"_file":704,"_stem":705,"_extension":35},{"layout":9,"template":386,"articleType":387,"author":672,"featured":331,"gatedAsset":443},{"title":674,"description":675,"ogImage":676,"config":710},{"ignoreTitleCharLimit":331},{"title":674,"date":679,"description":675,"timeToRead":680,"heroImage":676,"keyTakeaways":712,"articleBody":685,"faq":713},[682,683,684],[714,715,716,717,718],{"header":688,"content":689},{"header":691,"content":692},{"header":694,"content":695},{"header":697,"content":698},{"header":700,"content":701},{"_path":720,"_dir":20,"_draft":6,"_partial":6,"_locale":7,"config":721,"seo":724,"content":728,"type":418,"slug":751,"category":20,"_id":752,"_type":31,"title":7,"_source":32,"_file":753,"_stem":754,"_extension":35},"/en-us/the-source/ai/why-automotive-software-development-needs-human-centered-ai",{"layout":9,"template":386,"articleType":387,"author":722,"featured":331,"gatedAsset":723},"lee-faus","source-lp-transform-automotive-devops-secure-fast-future-ready",{"title":725,"description":726,"ogImage":727},"Why automotive software development needs human-centered AI","Learn why balancing AI assistance with human expertise is crucial for automotive embedded systems development and creating competitive advantages.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751463704/u3dshy4qn6rtrklfalx7.png",{"title":725,"date":729,"description":726,"timeToRead":541,"heroImage":727,"keyTakeaways":730,"articleBody":734,"faq":735},"2025-06-02",[731,732,733],"AI in automotive embedded software development works best as a Level 2 assistant, meaning human expertise remains essential for effective embedded development in vehicles.","The right human-AI balance varies across different automotive software domains; teams that find the right balance between AI assistance and human expertise will gain competitive advantages.","Creating effective human-AI partnerships requires intentional processes such as mandatory human review checkpoints for safety-critical systems.","Software is an essential part of modern automobiles. This year, the lines of code in the average car are expected to reach [650 million](https://www.statista.com/statistics/1370978/automotive-software-average-lines-of-codes-per-vehicle-globally/), an increase from 200 million in 2020. What’s more, we’re seeing a shift from distributed architectures for vehicle firmware toward zonal architectures with central high-performance computers (HPCs). All of this creates complexity and novel software challenges.\n\nEmbedded systems developers are trying to adapt to this complexity. At the same, market pressures are forcing them to accelerate their development processes and ship innovation faster.\n\nArtificial intelligence (AI) can help address these challenges, but its implementation raises important questions. To what degree should AI tools autonomously generate and review code in automotive embedded systems? How much human oversight is advisable? Drawing from the automotive industry's vocabulary, I propose that embedded development requires Level 2 AI assistance - at least right now.\n\n## Understanding Level 2 automation for AI in embedded development\nIn automotive driving automation, [Level 2 systems](https://www.sae.org/blog/sae-j3016-update) represent partial automation: a carefully balanced human-machine collaboration. These systems can help control steering, acceleration, and braking in specific scenarios, but the driver must stay engaged. They must monitor the environment and be ready to take control at any moment. The human remains legally responsible for the vehicle's operation and must supervise the automation continually. In contrast, Level 4-5 systems aim to operate with minimal or no human oversight in defined conditions.\n\nThis framework provides a useful analogy for AI in embedded development. Current AI tools excel at providing suggestions and automating routine tasks, much like Level 2 driver assistance. They can suggest code, help with testing, and identify potential issues. However, their contextual understanding has limitations. Given the high stakes of automotive embedded systems, combining AI's capabilities with human wisdom and oversight is best.\n\n## Why AI excels as a development assistant\nAI shows remarkable capabilities across numerous areas of embedded development. Here are just a few examples from the growing list of applications:\n\nFirst, AI can [generate and complete code](https://docs.gitlab.com/user/project/repository/code_suggestions/) for common patterns in C/C++, reducing developers' time spent on routine programming tasks. And if prompted correctly, AI can respect embedded-specific constraints like memory limitations and hardware interfaces.\n\nSecond, AI can [generate tests](https://docs.gitlab.com/user/gitlab_duo_chat/examples/#write-tests-in-the-ide) that you can run on cloud-based ARM CPUs or virtual hardware. This helps teams \"shift left\" in testing their firmware and catch issues earlier in development when they're less expensive to fix. It also helps identify edge cases you might have otherwise overlooked.\n\nThird, AI can help [accelerate the remediation of security vulnerabilities](https://docs.gitlab.com/user/application_security/vulnerabilities/#explaining-a-vulnerability) in your code. AI tools can help interpret security findings from your security scanners. They can even suggest potential approaches to address issues, supporting development teams as they work to meet cybersecurity requirements in this highly regulated space. AI thus helps expedite remediation.\n\nBeyond these examples, AI is increasingly valuable for [root cause analysis](https://docs.gitlab.com/user/gitlab_duo_chat/examples/#troubleshoot-failed-cicd-jobs-with-root-cause-analysis) of complex issues, comprehensive [code reviews](https://docs.gitlab.com/user/project/merge_requests/duo_in_merge_requests/#have-gitlab-duo-review-your-code), automated [code refactoring](https://about.gitlab.com/blog/2024/08/26/refactor-code-into-modern-languages-with-ai-powered-gitlab-duo/) for optimization, [explaining](https://docs.gitlab.com/user/project/merge_requests/changes/#explain-code-in-a-merge-request) complex legacy code, and providing conversational assistance through [AI chat capabilities](https://docs.gitlab.com/user/gitlab_duo_chat/). As AI evolves, so will the ways in which it assists embedded development teams.\n\n## The essential human element\nThough these AI capabilities are quite powerful, they cannot - and should not - replace human expertise. Embedded developers bring domain knowledge that spans both software and hardware domains, understanding not just how to code, but how that code interacts with physical components under varying conditions.\n\nMoreover, embedded developers understand the intricate relationships between different vehicle subsystems. Far from replacing such expertise, AI must integrate with human beings' contextual knowledge.\n\nHumans also bring creativity and innovation to solving unique automotive challenges. When faced with conflicting requirements or novel problems, human engineers draw on experience and intuition that AI simply doesn't possess.\n\nThe human-centered approach is critical in automotive development, where safety and reliability cannot be compromised. Just as a driver must remain alert and ready to take control of a Level 2 automated vehicle, developers must maintain ultimate responsibility for AI-generated code. While valuable, AI suggestions require expert validation. Developers must review and verify that proposed solutions solve the problem correctly within the specific automotive context.\n\nThis human oversight becomes even more critical when considering the consequences of errors. In enterprise software, a bug might cause inconvenience; in automotive systems, it could potentially impact passenger safety. Developers bring ethical judgment and a holistic understanding of the operating environment that AI currently lacks. They can anticipate edge cases based on real-world driving conditions and evaluate AI recommendations against their practical experience with actual vehicle systems.\n\n## Creating an effective human-AI partnership\nBelow are some initial approaches to consider as you begin building productive partnerships between developers and AI.\n\nStart by identifying specific high-volume, low-risk tasks where AI can provide immediate value: unit test generation for non-safety-critical components, documentation updates, and routine code standardization are excellent entry points.\n\nImplement a tiered approach to AI integration based on system criticality. For infotainment or connectivity systems, teams might leverage more autonomous AI assistance. For safety-related systems, establish mandatory human review checkpoints with structured approval workflows. Create clear guidelines on which code components require senior engineer review versus those where junior developers can approve AI suggestions with minimal oversight.\n\nReview processes also need adaptation. Rather than having humans review AI-generated code in isolation, teams should implement collaborative workflows where AI assists with the review itself, highlighting potential issues for human evaluation. Consider adopting structured prompting techniques. For example, have developers specify constraints like memory requirements, coding standards, or performance parameters before generating AI suggestions.\n\nThese examples represent starting points for effective human-AI collaboration in embedded development.\n\n## Looking to the future\nThe human-AI partnership will evolve across different automotive domains as AI capabilities advance. Teams should prepare by focusing on higher-value skills that complement AI capabilities, such as systems architecture, integration expertise, and hardware-software design.\n\nThe teams that succeed will find the right balance, leveraging AI to handle routine tasks while keeping humans at the center of the development process. This is the path to realizing AI's productivity promise.\n\n_I'll be discussing topics like this and more with Dr. Felix Kortmann of Ignite by FORVIA HELLA in a webinar on June 11. The webinar will be on “Building the Future of Automotive Software.” Join us to learn how to effectively balance AI assistance with human expertise in your embedded development teams. [Register here](https://page.gitlab.com/webcasts-jun11-gitlab-ignite-by-foriva-hella-emea-amer.html?utm_medium=referral&utm_source=gmail&utm_campaign=20250611_global_cmp_webcast_speedsecurity_en_&utm_content=salespromo_x_auto)._",[736,739,742,745,748],{"header":737,"content":738},"What is Level 2 AI assistance in automotive software development?","Level 2 AI refers to a collaborative human-AI model where AI supports tasks like code generation and testing, but developers retain oversight and responsibility. Like Level 2 driving automation, the human stays in control, ensuring contextual accuracy and safety.",{"header":740,"content":741},"How does the role of AI differ across various automotive software domains?","AI adds value across all domains, but oversight levels vary. Safety-critical systems require stricter human validation, while infotainment systems allow more autonomous AI use. Teams should tailor AI workflows based on system risk and regulatory requirements.",{"header":743,"content":744},"How can teams establish effective AI review processes for embedded code?","Teams should use a tiered review structure. AI can perform initial quality checks — flagging syntax issues or common errors — while human experts review critical code sections and system interfaces. Clear guidelines should define when AI-generated suggestions require additional human verification or senior engineer approval to ensure safe integration within embedded systems.",{"header":746,"content":747},"What skills should embedded developers focus on as AI capabilities expand?","Embedded developers should deepen their understanding of systems architecture, hardware-software integration, and domain-specific safety requirements. Skills in prompt engineering and AI collaboration, such as framing effective prompts and interpreting model outputs, are also increasingly important. These competencies help developers remain effective evaluators and collaborators alongside AI systems.",{"header":749,"content":750},"How can AI help address the shortage of embedded software expertise in the automotive industry?","AI reduces the burden on experienced engineers by automating routine development tasks like boilerplate coding, unit testing, and documentation. This allows senior engineers to focus on high-impact projects and mentoring. At the same time, AI tools help junior developers ramp up faster by guiding them through embedded-specific best practices, accelerating onboarding and reducing skill barriers.","why-automotive-software-development-needs-human-centered-ai","content:en-us:the-source:ai:why-automotive-software-development-needs-human-centered-ai:index.yml","en-us/the-source/ai/why-automotive-software-development-needs-human-centered-ai/index.yml","en-us/the-source/ai/why-automotive-software-development-needs-human-centered-ai/index",{"_path":756,"_dir":20,"_draft":6,"_partial":6,"_locale":7,"config":757,"seo":760,"content":764,"type":418,"slug":790,"category":20,"_id":791,"_type":31,"title":7,"_source":32,"_file":792,"_stem":793,"_extension":35},"/en-us/the-source/ai/how-agentic-ai-unlocks-platform-engineering-potential",{"layout":9,"template":386,"articleType":387,"author":758,"featured":331,"gatedAsset":759},"brian-wald","source-lp-getting-started-with-ai-in-software-development-a-guide-for-leaders",{"title":761,"description":762,"ogImage":763},"How agentic AI unlocks platform engineering potential","Explore how agentic AI elevates platform engineering by automating complex workflows and scaling standardization.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751463908/zz7ifau6dya2fn2eyuij.png",{"title":761,"date":765,"description":762,"timeToRead":541,"heroImage":763,"keyTakeaways":766,"articleBody":770,"faq":771},"2025-05-12",[767,768,769],"Agentic AI systems go beyond code assistance, helping organizations overcome platform engineering challenges by automating complex workflows and scaling standardization efforts across development teams.","Technical leaders must consider interoperability, security governance, and workflow integration when implementing autonomous agents to ensure they work seamlessly within existing enterprise systems.","Organizations can leverage agentic systems to address “tech mandatory” initiatives like reducing technical debt and security vulnerabilities, where dense contexts have traditionally posed barriers to automation.","Many organizations have embraced artificial intelligence (AI) tools to boost developer productivity, typically in the form of code assistants that help individual developers write code faster. While these tools deliver welcome efficiency gains, they only scratch the surface of AI’s potential to transform your development organization.\n\nAt the same time, organizations are investing in platform engineering - building integrated toolchains, establishing workflows, and creating standardized processes for software development. However, platform engineering teams will inevitably run into issues with scale: traditional approaches to platform engineering are fundamentally limited by the capacity of human engineers to maintain the platform.\n\nThis is where [agentic AI](https://about.gitlab.com/the-source/ai/agentic-ai-unlocking-developer-potential-at-scale/) becomes a game-changer for your platform engineering investments.\n\n## Why your current platform engineering investment isn’t delivering its full potential\nImagine this: You’ve invested in a [platform engineering approach](https://about.gitlab.com/the-source/platform/driving-business-results-with-platform-engineering/) with tightly integrated tools and processes. However, you’re not yet seeing the expected return on this investment due to challenges such as:\n- Manual processes that can’t scale across the organization\n- Difficulty maintaining and updating platform components\n- Inconsistent adoption of standards across different teams\n- Valuable engineering time spent on routine maintenance instead of innovation\n\nThese challenges exist because traditional approaches to platform engineering are fundamentally limited by human capacity. No matter how well-designed your platform is, you need human engineers to implement, maintain, and scale it.\n\nCode development in enterprise software is also highly context-dependent. Languages can have vastly different performance challenges. Junior developers may not have enough context to write prompts effectively. Security and compliance policies may also create unknown restrictions. No single platform engineer can fully grasp every security, network, and application-layer concern across all these scenarios.\n\n## How agentic AI transforms platform engineering\nAgentic AI systems fundamentally change the equation. Unlike traditional AI assistants that respond only to direct prompts, AI agents have full context into a team’s software development infrastructure. They can initiate actions based on triggers and states, making them the perfect complement to platform engineering frameworks. These autonomous systems can work with minimal human intervention to automate repetitive tasks while still allowing for human oversight on more critical issues.\n\nAI agents can:\n- **Automatically identify and implement standardization opportunities** across your entire organization, ensuring consistency without manual intervention\n- **Maintain and update platform components** by monitoring for security vulnerabilities, performance issues, or outdated dependencies\n- **Create issue descriptions, reusable templates, and implementation plans** based on your existing codebase\n- **Support developers in generating and updating documentation**, including README files, code flow diagrams, and architecture documentation\n\n> Learn how [agentic AI built on top of a comprehensive DevSecOps platform](https://about.gitlab.com/blog/2025/02/24/gitlab-duo-workflow-enterprise-visibility-and-control-for-agentic-ai/) can help development teams navigate everything from project bootstrapping and deployment to debugging and cross-team coordination.\n\n## What to keep in mind when implementing AI agents\nAsk yourself these questions when thinking about how to incorporate agentic AI into platform engineering workflows:\n\n### Interoperability, scalability, and reliability\n- How will AI agents communicate with other agents, including across third-party products?\n- How will agents self-correct when they produce unexpected or unwanted results?\n- Will the agents be capable of concurrency (working on multiple tasks at the same time)?\n\n### Security, governance, and observability\n- How will AI agents interact with existing network policies to define what they can and cannot access?\n- How will agents interact with multiple data sources?\n- Will the use of data by AI agents comply with existing data governance, security, and privacy policies?\n- How will agents’ telemetry data be collected, how will their performance be measured, and what will remediation look like when they behave incorrectly?\n\n### Developer workflows\n- How will developers adapt their processes to integrate with agent-based systems?\n- What human supervision mechanisms need to be in place for critical business processes?\n\n## Enabling team velocity with AI agents and platform engineering\nAs AI-powered agents mature, organizations can proactively use these tools to identify patterns, standardize practices, and share knowledge across different development teams without manual coordination.\n\nAfter participating in a recent early access program for [GitLab Duo with Amazon Q](https://about.gitlab.com/blog/2025/04/17/gitlab-duo-with-amazon-q-agentic-ai-optimized-for-aws/) - an agentic AI solution for the entire software development lifecycle - Osmar Alonso, DevOps Engineer at Volkswagen Digital Solutions, shared how AI agents have transformative potential for development workflows. “Even in its early stages, we saw how the deeper integration with autonomous agents could streamline our process, from code commit to production,” said Alonso. “We're excited to see how this technology empowers our team to focus on innovation and accelerate our digital transformation.”\n\nAgentic systems show particular promise in “tech mandatory” budget areas that most teams are committed to today, such as reducing technical debt, fixing security vulnerabilities, refactoring automation or infrastructure, and re-platforming legacy apps. These areas are filled with context-rich data and pose barriers to automation that agentic AI can help remove.\n\nFor example, platform engineering teams often create templates to standardize and automate processes such as CI pipelines. This traditionally involves significant manual work to identify the right processes to target - those that are widely used, have repeatable steps, and will have the most significant impact across teams. Agentic AI reduces those manual steps.\n\nRather than relying on human effort to identify processes for standardization, an agentic system can identify all Java-based projects from the past year, analyze the build processes across each, and identify the best candidates for AI-based automation. The system can then create draft templates the team can customize and build on.\n\nAgentic AI is also poised to transform how developers access organizational knowledge and tools. Many companies have invested in internal developer portals (IDPs) as abstraction layers to provide insights and portfolio visibility. However, IDPs are generally static artifacts - someone needs to maintain them and notify developers when new versions of reusable components are available. It's possible that AI agents, as part of a DevSecOps platform, will make IDPs increasingly irrelevant by proactively analyzing context across multiple data sources and tools to provide real-time insights directly within the platform. Agents will also be able to pair with the generative AI capabilities within the platform to deliver personalized, contextual information - such as vulnerability explanations or code suggestions - to each developer based on their role, project, and needs.\n\nPlatform engineering has delivered significant value, but many organizations have hit a ceiling in realizing its full potential. Agentic AI plays a crucial role in upgrading platform engineering efforts by automating complex processes, applying contextual understanding at scale, and enabling true team velocity rather than just individual productivity.",[772,775,778,781,784,787],{"header":773,"content":774},"What is agentic AI, and how does it differ from traditional AI assistants?","Agentic AI refers to autonomous systems that can make decisions, initiate actions, and adapt to context with minimal human input. Unlike traditional AI assistants that respond to prompts, agentic AI agents operate proactively within development workflows, enhancing efficiency and scalability across engineering teams.",{"header":776,"content":777},"Why is agentic AI important for platform engineering?","Agentic AI enhances platform engineering by automating routine and complex tasks such as template creation, vulnerability monitoring, and standardization across teams. This allows organizations to scale their DevSecOps efforts while reducing manual workload and accelerating delivery cycles.",{"header":779,"content":780},"How can agentic AI support standardization across development teams?","Agentic AI can analyze organizational codebases, identify repeatable patterns, and automatically generate templates or process improvements. This helps enforce consistency in CI pipelines, security practices, and documentation without requiring manual coordination across teams.",{"header":782,"content":783},"What should platform teams consider when implementing AI agents?","Successful implementation of agentic AI depends on factors such as interoperability across tools, secure data access, compliance with governance policies, and visibility into agent behavior. Teams must also ensure human oversight is embedded into workflows for critical processes.",{"header":785,"content":786},"Can agentic AI help reduce technical debt?","Yes, agentic AI is particularly effective in “tech mandatory” areas like refactoring outdated code, identifying security vulnerabilities, and automating infrastructure updates. By handling these context-heavy tasks, AI agents free up teams to focus on innovation and strategic initiatives.",{"header":788,"content":789},"Will agentic AI replace internal developer portals (IDPs)?","Agentic AI has the potential to augment or even replace static IDPs by delivering real-time, personalized insights directly within a DevSecOps platform. These agents can proactively provide relevant code suggestions, vulnerability analysis, and workflow guidance based on developer context.","how-agentic-ai-unlocks-platform-engineering-potential","content:en-us:the-source:ai:how-agentic-ai-unlocks-platform-engineering-potential:index.yml","en-us/the-source/ai/how-agentic-ai-unlocks-platform-engineering-potential/index.yml","en-us/the-source/ai/how-agentic-ai-unlocks-platform-engineering-potential/index",[795,815,853],{"_path":796,"_dir":24,"_draft":6,"_partial":6,"_locale":7,"config":797,"seo":800,"content":804,"type":418,"slug":811,"category":24,"_id":812,"_type":31,"title":7,"_source":32,"_file":813,"_stem":814,"_extension":35},"/en-us/the-source/security/the-key-to-innovation-and-compliance-in-financial-services",{"layout":9,"template":386,"articleType":798,"featured":6,"gatedAsset":799},"Guide","pf-the-key-to-innovation-and-compliance-in-financial-services",{"title":801,"description":802,"ogImage":803},"The key to innovation and compliance in financial services","Discover how financial services organizations can accelerate innovation while staying on top of complex regulatory requirements.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751463848/fap7fcimrxis5lyfnizg.png",{"title":801,"date":805,"description":802,"heroImage":803,"keyTakeaways":806,"articleBody":810},"2025-05-20",[807,808,809],"Modern financial services firms face a critical challenge: balancing innovation against complex compliance requirements and regulatory frameworks. A comprehensiveDevSecOps approach transforms this traditional trade-off into a competitive advantage.","Financial institutions with fragmented toolchains experience significant friction points where each tool boundary introduces potential compliance gaps and security vulnerabilities — ultimately increasing compliance risks and exposure to hefty fines.","Organizations embracing unified software delivery platforms report 50-70% faster time-to-delivery, dramatically reduced operational disruptions, stronger compliance posture, and enhanced protection against cyber threats and financial crimes.","Decision-makers in financial services organizations face mounting pressure from multiple directions. Client expectations for digital innovation continue to rise while financial regulators simultaneously impose increasingly stringent compliance requirements.\n\nMany institutions have unwittingly positioned themselves on a seesaw where improving one side necessarily diminishes the other. When innovation accelerates, compliance struggles to keep pace - and when compliance processes tighten, development velocity slows.\n\nThis perceived incompatibility is not an inherent truth but rather a symptom of fragmented technology architecture.\n\n## The high cost of fragmentation\nMost established financial institutions - from investment banks to insurance companies and credit unions - operate with sprawling software delivery stacks cobbled together from disparate tools. This patchwork approach creates significant vulnerabilities across the organization:\n- Each tool boundary represents a potential security vulnerability and compliance gap\n- Disjointed workflows frequently result in compliance breaches\n- Limited visibility across teams hampers ongoing compliance efforts\n- Increased complexity drives higher costs for maintaining regulatory compliance\n- Fragmented systems significantly increase exposure to financial losses and reputational damage\n\nWith the exponential rise in cyberattacks targeting the financial industry - 3,348 cyber incidents were reported worldwide in 2023, up from 1,829 the previous year - maintaining this fragmented approach is increasingly risky.\n\n## The DevSecOps transformation advantage\nForward-thinking organizations are discovering that DevSecOps isn't merely a technical methodology - it's a strategic business transformation that fundamentally changes how financial services organizations adhere to regulatory requirements  and prepare for audits.\n\nBy building security and compliance directly into the development process rather than treating them as reactive, separate functions, modern platforms transform what was once a painful trade-off into a competitive advantage:\n- Automated vulnerability detection in real time as developers write code\n- Continuous monitoring and compliance verification against regulatory standards\n- Comprehensive audit trails satisfying regulatory audit requirements\n- Pre-configured compliance templates tailored to financial services industry needs\n- Granular access control maintaining separation of duties while enabling collaboration\n- Version control and advanced workflow controls ensuring proper approval processes\n- Real-time metrics on development velocity, security posture, and compliance risks\n\n## Proven results from industry leaders\nFinancial institutions implementing unified DevSecOps approaches consistently report transformative business outcomes:\n- 50-70% reduction in time-to-delivery of new solutions\n- Dramatic simplification of toolchain complexity\n- Enhanced protection against cyber risks and financial crimes\n- Significant reductions in operational costs\n- Improved ability to attract and retain top technical talent\n- Better compliance posture with fewer security incidents and higher compliance scores\n\n## Seize the opportunity\nThe future of financial services technology is one where institutions no longer need to make painful choices between speed, security, and innovation. By evolving to a unified platform approach, your organization can deliver on all three objectives simultaneously while reducing risk, improving operational efficiency, and building a more agile foundation for future growth.\n\nDownload our comprehensive guide to discover how your organization can implement this transformative approach, with detailed implementation frameworks, critical success factors, and real-world case studies from leading financial services companies who have successfully navigated this journey.","the-key-to-innovation-and-compliance-in-financial-services","content:en-us:the-source:security:the-key-to-innovation-and-compliance-in-financial-services:index.yml","en-us/the-source/security/the-key-to-innovation-and-compliance-in-financial-services/index.yml","en-us/the-source/security/the-key-to-innovation-and-compliance-in-financial-services/index",{"_path":816,"_dir":24,"_draft":6,"_partial":6,"_locale":7,"config":817,"seo":819,"content":823,"type":418,"slug":849,"category":24,"_id":850,"_type":31,"title":7,"_source":32,"_file":851,"_stem":852,"_extension":35},"/en-us/the-source/security/compliance-at-the-speed-of-ai-reimagining-grc",{"layout":9,"template":386,"articleType":387,"author":818,"featured":331,"gatedAsset":389},"ayoub-fandi",{"title":820,"description":821,"ogImage":822},"Compliance at the speed of AI: Reimagining GRC","Is your governance, risk, and compliance strategy keeping pace with AI-accelerated development? Learn how to prepare for secure software delivery at scale.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751463857/sb6to0pyohg2ubpxf3ex.png",{"title":820,"date":824,"description":821,"timeToRead":541,"heroImage":822,"keyTakeaways":825,"articleBody":829,"faq":830},"2025-05-14",[826,827,828],"Traditional GRC approaches fail in modern development environments because they operate on quarterly/annual cycles while DevSecOps teams deploy code multiple times daily, creating a fundamental timing mismatch and compliance that exists only on paper.","Successful GRC modernization requires shifting from a project to a product mindset, building continuous compliance into development pipelines, and automating evidence collection as a byproduct of normal development activities.","Organizations must create unified information flows between security functions, replace manual processes with API-driven automation, and redefine metrics to focus on risk reduction rather than compliance artifacts.","The software release calendar has been replaced by a continuous flow of updates and innovations. Yet many organizations still approach compliance like it's 2010.\n\nThe adoption of DevOps practices fundamentally changed the game, compressing release cycles from months to days or even hours. Organizations that once celebrated quarterly releases now deploy to production dozens or hundreds of times daily. This acceleration has delivered enormous business value - faster time to market, quicker feedback loops, and increased competitive advantage.\n\nNow add AI-powered development tools to the mix. Large language models, AI coding assistants, and [AI agents](https://about.gitlab.com/the-source/ai/agentic-ai-unlocking-developer-potential-at-scale/) have become sophisticated enough to generate substantial amounts of functional code with minimal human input.\n\nHowever, this creates a significant challenge for governance, risk, and compliance (GRC) teams, who are often still using approaches designed for a world where releases occur quarterly, rather than hourly. Traditional GRC approaches simply weren't designed for this velocity and scale - it’s like trying to monitor and track every car on every highway in the world with a pen and paper.\n\n## Why traditional GRC falls short\nThe fundamental mismatch between modern development and traditional GRC starts with timing. While DevSecOps teams operate continuously, traditional GRC functions typically operate on quarterly or annual cycles. Annual penetration tests, quarterly compliance control testing, and monthly risk assessments simply can't keep pace with environments that change hourly. By the time a traditional security assessment is complete, the system being evaluated may have undergone dozens of changes.\n\nThe gap between automated infrastructure and manual compliance processes compounds this timing mismatch. Cloud-native applications automatically scale resources up and down in response to demand. Infrastructure-as-code templates can spin up and tear down entire environments with a single command. Meanwhile, compliance verification still relies heavily on manual evidence collection and human review. GRC teams can spend days taking screenshots of configurations that were automatically changed minutes after they documented them.\n\nThe result is security compliance that exists largely on paper but bears little resemblance to operational reality. When your integrated DevSecOps platform supports hundreds of deployments daily, yet your GRC team still manually collects screenshots every quarter for audit purposes, you have a fundamental disconnect. Risk registers become outdated almost immediately. Compliance certifications verify controls that may no longer exist in the form originally documented. And security policies address threats to systems that have since been redesigned or replaced entirely.\n\n## Transforming GRC for modern DevSecOps\nI’ve seen this tension unfold in countless organizations. Here are a few steps you can take now to help GRC keep up:\n\n### Think about GRC as a product, not a project\nThe first step in transforming GRC for modern DevSecOps environments requires a fundamental shift in thinking. Traditional GRC operates as a project - a recurring set of activities with a defined beginning and end. Modern GRC needs to function as a product - a continuously evolving set of capabilities that deliver ongoing value.\n\nThis product mindset transforms how we approach compliance and security. Instead of preparing for an annual SOC 2 audit by scrambling to collect evidence in the weeks before the auditor arrives, think about building continuous compliance directly into your development pipeline. Instead of quarterly risk management assessments, aim for real-time visibility. And look for ways to embed governance in daily operations, with version-controlled policies managed like code using Markdown.\n\nWithin [a unified DevSecOps platform](https://about.gitlab.com/platform/), this product-based approach happens naturally. Security scans become part of the merge request process. Compliance requirements transform into pipeline rules that run with every commit. And audit evidence is automatically collected as a byproduct of normal development activities. The result? The focus shifts from \"passing the audit\" to \"[building securely by default](https://about.gitlab.com/the-source/security/strengthen-your-cybersecurity-strategy-with-secure-by-design/).\"\n\n### Create unified, automated information flows\nYou’ll also need to rethink both the architecture of your GRC program and the engineering approach behind it. Begin by establishing unified information flows among security, risk, and compliance functions. A vulnerability found in a security scan should automatically update your risk register and compliance status without manual intervention. This unified data model ensures everyone works from a single source of truth, breaking down siloes between security and development teams.\n\nThe next step is to replace manual evidence collection with API-driven automation. Instead of taking screenshots of access control settings, implement API calls that query your identity provider and generate access reports automatically. Rather than manually reviewing infrastructure settings, pull configuration data directly from your cloud providers. Every security setting that requires verification should be accessible programmatically.\n\nPerhaps most importantly, leverage the same pipeline-based approach for security that you use for code validation. [Integrated CI/CD pipelines](https://about.gitlab.com/blog/2025/01/06/ultimate-guide-to-ci-cd-fundamentals-to-advanced-implementation/) allow you to define security and compliance requirements as code, running automated validation with every change. This infrastructure-as-code approach ensures that security controls are implemented consistently and verified continuously, eliminating the gap between documented controls and operational reality.\n\n### Connect GRC to business value\nThe practical implementation of these changes doesn't happen overnight, but organizations can follow a clear path to transform their GRC approach.\n\nFirst, bridge the cultural and language gap between GRC and engineering teams. Security professionals need to understand how developers work, while engineers need to appreciate security requirements. This mutual understanding creates the foundation for effective collaboration. Create joint working sessions where compliance teams learn basic Git workflows while developers understand compliance requirements in concrete terms.\n\nNext, redefine success metrics to focus on risk reduction rather than compliance artifacts. Instead of tracking the number of policies documented or controls tested, measure actual security outcomes: vulnerability remediation times, security issues found in production versus development, and the number of compliance exceptions. These outcome-based metrics drive real improvements in security posture.\n\nThis transforms GRC from a necessary evil to a business enabler. When [security and compliance are built into development workflows](https://about.gitlab.com/the-source/security/beyond-shift-left-engineering-supply-chain-safety-at-scale/), they stop being roadblocks and become competitive advantages. Organizations with integrated security can ship faster and with greater confidence than those with traditional bolted-on approaches.\n\nThis transformation becomes even more powerful within a unified platform. End-to-end visibility across the entire software development lifecycle creates unmatched transparency into security status. The same controls that verify code quality can enforce security requirements, creating a seamless experience for developers while maintaining strong governance for security teams.\n\n## Security as an enabler, not a bottleneck\nAs AI-accelerated development transforms software development, GRC must evolve from a checkpoint process to an integral part of the development workflow. Organizations can maintain strong governance without sacrificing speed by adopting a product mindset, reimagining GRC architecture, and implementing engineering solutions that match the pace of modern development. The future of GRC isn't about slowing down development - it's about building security and compliance into every step of the process, enabling teams to move faster with greater confidence.",[831,834,837,840,843,846],{"header":832,"content":833},"Why do traditional GRC models struggle in modern software environments?","Traditional GRC models operate on quarterly or annual cycles, but DevSecOps teams now deploy code multiple times a day. This timing mismatch means compliance efforts often lag behind actual development changes, making them ineffective in dynamic environments.",{"header":835,"content":836},"What does it mean to treat GRC as a product instead of a project?","Viewing GRC as a product means continuously evolving and embedding compliance into daily workflows, rather than treating it as a periodic event. It’s about creating always-on capabilities like automated evidence collection and policy enforcement through code.",{"header":838,"content":839},"How can automation improve governance and compliance?","Automation reduces the reliance on manual reviews and paperwork by using API calls and pipeline integrations to validate security settings and collect audit data. This makes compliance scalable, real-time, and aligned with the pace of software delivery.",{"header":841,"content":842},"What tools or strategies support continuous compliance?","Unified DevSecOps platforms with integrated CI/CD pipelines support continuous compliance. They allow you to define security policies as code, apply them automatically with every change, and log evidence of compliance as part of normal workflows.",{"header":844,"content":845},"How should success be measured in modern GRC programs?","Instead of counting controls or documented policies, success should be measured through real-world outcomes like faster vulnerability remediation, fewer security exceptions, and better security hygiene from development to production.",{"header":847,"content":848},"How can AI development practices coexist with compliance requirements?","By embedding guardrails and governance into the software pipeline, AI-powered development can align with compliance needs. Structured policies, automated validation, and continuous monitoring ensure security isn’t compromised while enabling fast iteration.","compliance-at-the-speed-of-ai-reimagining-grc","content:en-us:the-source:security:compliance-at-the-speed-of-ai-reimagining-grc:index.yml","en-us/the-source/security/compliance-at-the-speed-of-ai-reimagining-grc/index.yml","en-us/the-source/security/compliance-at-the-speed-of-ai-reimagining-grc/index",{"_path":854,"_dir":24,"_draft":6,"_partial":6,"_locale":7,"config":855,"seo":856,"content":860,"type":418,"slug":886,"category":24,"_id":887,"_type":31,"title":7,"_source":32,"_file":888,"_stem":889,"_extension":35},"/en-us/the-source/security/embedding-risk-intelligence-into-your-software-supply-chain",{"layout":9,"template":386,"articleType":387,"author":722,"featured":331,"gatedAsset":389},{"title":857,"description":858,"ogImage":859},"Embedding risk intelligence into your software supply chain","Transform your security strategy by embedding risk assessment into development workflows instead of treating it as a final checkpoint.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751463994/rexeefvqpj1xs8vq7ugl.jpg",{"title":857,"date":861,"description":858,"timeToRead":680,"heroImage":859,"keyTakeaways":862,"articleBody":866,"faq":867},"2025-04-22",[863,864,865],"Focus on business impact instead of vulnerability counts by targeting security threats that pose actual danger to your business rather than trying to fix every potential issue.","Embed risk checks throughout development by adding quality metrics and automated testing early in your software pipeline to catch issues when they’re easier to fix.","Create audit trails for security decisions through “breadcrumbed” processes that document who approved changes and why, creating accountability and improving future decisions.","It’s a nightmare scenario for any business: Hackers have exposed the personal information of millions of your users. What if this wasn’t due to critical vulnerabilities in your application but simply poorly configured API endpoints that hackers could abuse to farm user data? That’s precisely what happened to a popular tech company in 2023, and it’s more common than you might think.\n\nSecurity resources are finite, and [not all threats pose equal business risk](https://about.gitlab.com/the-source/security/security-its-more-than-culture-addressing-the-root-cause-of-common-security/). Organizations that are laser-focused on technical severity ratings rather than actual business impact could be leaving themselves open to unanticipated risks.\n\nMeanwhile, the urgency for better risk quantification has never been greater. Threat actors can now leverage multiple AI systems to execute sophisticated, multi-pronged attacks targeting exploitable vulnerabilities. These AI-accelerated campaigns can quickly identify and exploit business-critical weaknesses that traditional security approaches might overlook or deprioritize - turning yesterday's “medium-risk” vulnerability into today’s multimillion-dollar breach.\n\nTo counter these evolving threats and navigate this growing complexity, leading organizations are fundamentally reimagining their approach. Instead of treating security as a separate function that happens after development, they’re embedding **risk intelligence** throughout their software supply chain. This approach allows them to focus resources where they matter most, reduce time-to-market for secure products, and demonstrate due diligence to regulators and customers.\n\nThe key is distinguishing between vulnerabilities that might cause harm and those that will cause damage in your specific business context. Companies can achieve stronger security and faster innovation by rethinking how risk is evaluated and managed across development and operations.\n\n## Limiting risk through data-driven change management\n**Risk intelligence helps you focus on threats that matter. It’s the difference between knowing you have 3,000 vulnerabilities and understanding which 50 could harm your business.**\n\nKey elements of risk intelligence include:\n\n**Exploitability assessment (reachability)**: Not all vulnerabilities can be weaponized. Risk intelligence evaluates which security findings have actual attack paths versus those that exist in code but cannot be reached by malicious actors.\n\n**Dependency context**: Risk-based security recognizes that a vulnerable package doesn’t just affect one application - it can impact dozens or hundreds across your organization. Modern approaches map dependencies across projects, enabling teams to understand the cascading impact of vulnerabilities throughout the organization. This ecosystem view provides critical context for prioritization decisions.\n\n**Continuous risk monitoring**: Instead of point-in-time assessments, risk intelligence requires ongoing monitoring that adjusts as threat landscapes evolve. A vulnerability that was low risk yesterday may become critical today based on emerging exploit techniques.\n\nSo how can you move from reactive security scanning to proactive risk intelligence? The journey begins where your software does - in the software factory itself.\n\n## The software factory: Quality gates and risk signals\nThe software factory is where code transforms from an idea to a deployable package. This phase encompasses everything from initial code commits to unit testing to packaging, creating the foundation for your entire software supply chain. By adding risk checks early, teams can find and fix issues before they spread. Just as critical is establishing clear attribution for every code change, knowing exactly who made each change (contractor, consultant, or employee), why, and when - creating an audit trail providing crucial risk assessment context.\n\nThe software factory offers three key opportunities to embed risk assessment into your development process:\n\n### Collaboration through quality intelligence\nEstablishing cross-functional quality metrics can help organizations create a shared understanding of risk across teams. Potential metrics include code coverage trends, security vulnerability density, technical debt accumulation, performance regression patterns, API compatibility scores, and documentation completeness.\n\n### Transparency through correlated data\nRisk intelligence requires connecting disparate data points into a comprehensive view. Quality intelligence dashboards with real-time metrics and trend visualization help teams spot emerging risk patterns, while documentation traceability creates auditable trails linking requirements, changes, and security findings. Automated data collection enables cross-system correlation between code changes and security findings, with pattern recognition algorithms identifying unusual behaviors that manual review might miss. This democratized intelligence empowers all stakeholders to make risk-informed decisions instead of siloing information within security teams.\n\n### Automation for quality assurance\nManual risk assessment can’t scale to modern development speeds. Continuous testing pipelines with automated security scans and performance tests provide early feedback on potential risks without slowing velocity. Automated quality gates enforce minimum standards throughout development, and risk threshold monitoring flags concerning trends before they become critical. These automated guardrails maintain consistent risk assessment while allowing development teams to maintain productivity and improve safety without sacrificing speed.\n\n## Software logistics: Risk management through team-based scorecards\nAfter code is packaged, it enters the logistics phase - provisioning, deployment, configuration, monitoring, and maintenance. Here, potential bugs meet real-world exposure. This makes assessing risk in actual operating conditions vital. However, traditional approaches to risk assessment at this stage are often inflexible and inefficient.\n\n> [Learn how effective software logistics can enable operations teams to efficiently support developers and accelerate delivery](https://about.gitlab.com/the-source/platform/why-software-logistics-is-key-to-accelerating-innovation/).\n\nEffective risk intelligence means helping teams focus on why they should deploy instead of why they shouldn’t - replacing the binary, inflexible assessment methods of the past with an automated, metrics-driven approach. Here are three critical aspects to keep in mind:\n\n### Collaborative assessment model\nModern risk approaches replace binary go/no-go decisions with multi-stakeholder evaluations, sometimes called a Change Advisory Board (CAB), incorporating diverse perspectives. Security teams evaluate vulnerability context and exploitability, operations teams assess deployment impact and rollback capabilities, and business stakeholders weigh customer impact against needs. This team-based approach builds consensus around acceptable risk rather than imposing rigid standards, allowing for nuanced decisions that balance security with business objectives.\n\n### Scorecard transparency\nEffective risk evaluation requires visible criteria that consider multiple dimensions of impact. Comprehensive scorecards include security risk factors that assess severity and real-world exploitability, operational metrics that evaluate system stability implications, compliance requirements for relevant regulations, and business impact on customers and revenue. This transparent approach creates a holistic risk profile that provides the context necessary for informed deployment decisions while ensuring all stakeholders understand the basis for security choices.\n\n### Automated scorecard processing\nManual risk assessment creates bottlenecks that slow deployment cycles. Modern approaches use real-time processing with automated score calculation and threshold monitoring to evaluate changes continuously. Integration with CI/CD pipelines, security tools, and compliance systems ensures risk data flows automatically between systems without manual intervention. This automation maintains consistent evaluation standards while eliminating the delays typically associated with security reviews.\n\n## From vulnerability counts to business impact: The future of software security\nThe future of application security isn’t about finding more vulnerabilities - it’s about understanding the risk those vulnerabilities pose. By embedding risk intelligence throughout your software supply chain, you can drive team collaboration to help you create secure software faster.\n\nEstablishing this risk assessment process across both your software factory and logistics phases has an added benefit: You’ll create an auditable trail that documents who made security decisions, what evidence they considered, when changes were approved, and why specific actions were taken. This transparency provides accountability across the entire software supply chain, builds institutional memory of risk management approaches, and creates data to inform future decisions. The resulting traceability transforms security from a point-in-time assessment to an ongoing, verifiable process demonstrating due diligence to auditors, regulators, and customers.",[868,871,874,877,880,883],{"header":869,"content":870},"What is risk intelligence in software development?","Risk intelligence is the practice of evaluating security threats based on their real-world business impact rather than just technical severity. It helps teams focus on exploitable and high-priority vulnerabilities, streamlining security efforts.",{"header":872,"content":873},"How does embedding risk checks early improve software security?","Introducing risk assessments during early development phases allows teams to catch and resolve issues sooner, reducing costs and complexity. This shift from reactive to proactive security enhances both speed and safety.",{"header":875,"content":876},"Why should organizations move beyond vulnerability counts?","Counting vulnerabilities doesn't reflect the true risk landscape. Many may be unreachable or irrelevant. Prioritizing based on exploitability and business context ensures limited security resources are used effectively.",{"header":878,"content":879},"How do audit trails contribute to better risk management?","Audit trails document who made a change, why, and when. These records provide accountability, aid compliance, and offer valuable insight for improving future decision-making and demonstrating due diligence.",{"header":881,"content":882},"What role does automation play in risk intelligence?","Automation enables consistent, scalable risk evaluation across CI/CD pipelines. It helps enforce security standards, reduces manual bottlenecks, and ensures timely responses to emerging risks without slowing development.",{"header":884,"content":885},"What’s the benefit of team-based scorecards for deployment decisions?","Team-based scorecards bring together inputs from security, operations, and business teams. This collaborative model replaces rigid go/no-go decisions with nuanced assessments that balance innovation and acceptable risk.","embedding-risk-intelligence-into-your-software-supply-chain","content:en-us:the-source:security:embedding-risk-intelligence-into-your-software-supply-chain:index.yml","en-us/the-source/security/embedding-risk-intelligence-into-your-software-supply-chain/index.yml","en-us/the-source/security/embedding-risk-intelligence-into-your-software-supply-chain/index",{"categoryNames":891},{"ai":357,"platform":364,"security":98},1751572790911]