[{"data":1,"prerenderedAt":878},["ShallowReactive",2],{"/en-us/the-source/":3,"footer-en-us":36,"the-source-navigation-en-us":344,"the-source-newsletter-en-us":371,"featured-article-en-us":383,"ai-categoryen-us":423,"security-categoryen-us":447,"platform-categoryen-us":468,"featured-authors-en-us":489,"category-authors-en-us":520,"hero-most-recent-articles-en-us":521,"platform-most-recent-articles-en-us":626,"the-source-resources-en-us":669,"ai-most-recent-articles-en-us":712,"security-most-recent-articles-en-us":780,"categories-en-us":876},{"_path":4,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"config":8,"seo":10,"content":13,"_id":30,"_type":31,"title":7,"_source":32,"_file":33,"_stem":34,"_extension":35},"/en-us/the-source","en-us",false,"",{"layout":9},"the-source",{"title":11,"description":12},"The Source: Insights for the future of software development","Your decision-making partner for transformative strategies and expert technology advice.",[14,16,21,26],{"componentName":15},"TheSourceLandingHero",{"componentName":17,"componentContent":18},"TheSourceLandingCategory",{"config":19},{"category":20},"ai",{"componentName":17,"componentContent":22},{"config":23},{"category":24,"theme":25},"security","surface",{"componentName":17,"componentContent":27},{"config":28},{"category":29},"platform","content:en-us:the-source:index.yml","yaml","content","en-us/the-source/index.yml","en-us/the-source/index","yml",{"_path":37,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"data":38,"_id":340,"_type":31,"title":341,"_source":32,"_file":342,"_stem":343,"_extension":35},"/shared/en-us/main-footer",{"text":39,"source":40,"edit":46,"contribute":51,"config":56,"items":61,"minimal":332},"Git is a trademark of Software Freedom Conservancy and our use of 'GitLab' is under license",{"text":41,"config":42},"View page source",{"href":43,"dataGaName":44,"dataGaLocation":45},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/","page source","footer",{"text":47,"config":48},"Edit this page",{"href":49,"dataGaName":50,"dataGaLocation":45},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/-/blob/main/content/","web ide",{"text":52,"config":53},"Please contribute",{"href":54,"dataGaName":55,"dataGaLocation":45},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/-/blob/main/CONTRIBUTING.md/","please contribute",{"twitter":57,"facebook":58,"youtube":59,"linkedin":60},"https://twitter.com/gitlab","https://www.facebook.com/gitlab","https://www.youtube.com/channel/UCnMGQ8QHMAnVIsI3xJrihhg","https://www.linkedin.com/company/gitlab-com",[62,89,162,230,293],{"title":63,"links":64,"subMenu":70},"Platform",[65],{"text":66,"config":67},"DevSecOps platform",{"href":68,"dataGaName":69,"dataGaLocation":45},"/platform/","devsecops platform",[71],{"title":72,"links":73},"Pricing",[74,79,84],{"text":75,"config":76},"View plans",{"href":77,"dataGaName":78,"dataGaLocation":45},"/pricing/","view plans",{"text":80,"config":81},"Why Premium?",{"href":82,"dataGaName":83,"dataGaLocation":45},"/pricing/premium/","why premium",{"text":85,"config":86},"Why Ultimate?",{"href":87,"dataGaName":88,"dataGaLocation":45},"/pricing/ultimate/","why ultimate",{"title":90,"links":91},"Solutions",[92,97,102,107,112,117,122,127,132,137,142,147,152,157],{"text":93,"config":94},"Digital transformation",{"href":95,"dataGaName":96,"dataGaLocation":45},"/topics/digital-transformation/","digital transformation",{"text":98,"config":99},"Security & Compliance",{"href":100,"dataGaName":101,"dataGaLocation":45},"/solutions/security-compliance/","security & compliance",{"text":103,"config":104},"Automated software delivery",{"href":105,"dataGaName":106,"dataGaLocation":45},"/solutions/delivery-automation/","automated software delivery",{"text":108,"config":109},"Agile development",{"href":110,"dataGaName":111,"dataGaLocation":45},"/solutions/agile-delivery/","agile delivery",{"text":113,"config":114},"Cloud transformation",{"href":115,"dataGaName":116,"dataGaLocation":45},"/topics/cloud-native/","cloud transformation",{"text":118,"config":119},"SCM",{"href":120,"dataGaName":121,"dataGaLocation":45},"/solutions/source-code-management/","source code management",{"text":123,"config":124},"CI/CD",{"href":125,"dataGaName":126,"dataGaLocation":45},"/solutions/continuous-integration/","continuous integration & delivery",{"text":128,"config":129},"Value stream management",{"href":130,"dataGaName":131,"dataGaLocation":45},"/solutions/value-stream-management/","value stream management",{"text":133,"config":134},"GitOps",{"href":135,"dataGaName":136,"dataGaLocation":45},"/solutions/gitops/","gitops",{"text":138,"config":139},"Enterprise",{"href":140,"dataGaName":141,"dataGaLocation":45},"/enterprise/","enterprise",{"text":143,"config":144},"Small business",{"href":145,"dataGaName":146,"dataGaLocation":45},"/small-business/","small business",{"text":148,"config":149},"Public sector",{"href":150,"dataGaName":151,"dataGaLocation":45},"/solutions/public-sector/","public sector",{"text":153,"config":154},"Education",{"href":155,"dataGaName":156,"dataGaLocation":45},"/solutions/education/","education",{"text":158,"config":159},"Financial services",{"href":160,"dataGaName":161,"dataGaLocation":45},"/solutions/finance/","financial services",{"title":163,"links":164},"Resources",[165,170,175,180,185,190,195,200,205,210,215,220,225],{"text":166,"config":167},"Install",{"href":168,"dataGaName":169,"dataGaLocation":45},"/install/","install",{"text":171,"config":172},"Quick start guides",{"href":173,"dataGaName":174,"dataGaLocation":45},"/get-started/","quick setup checklists",{"text":176,"config":177},"Learn",{"href":178,"dataGaName":179,"dataGaLocation":45},"https://university.gitlab.com/","learn",{"text":181,"config":182},"Product documentation",{"href":183,"dataGaName":184,"dataGaLocation":45},"https://docs.gitlab.com/","docs",{"text":186,"config":187},"Blog",{"href":188,"dataGaName":189,"dataGaLocation":45},"/blog/","blog",{"text":191,"config":192},"Customer success stories",{"href":193,"dataGaName":194,"dataGaLocation":45},"/customers/","customer success stories",{"text":196,"config":197},"Remote",{"href":198,"dataGaName":199,"dataGaLocation":45},"https://handbook.gitlab.com/handbook/company/culture/all-remote/","remote",{"text":201,"config":202},"GitLab Services",{"href":203,"dataGaName":204,"dataGaLocation":45},"/services/","services",{"text":206,"config":207},"TeamOps",{"href":208,"dataGaName":209,"dataGaLocation":45},"/teamops/","teamops",{"text":211,"config":212},"Community",{"href":213,"dataGaName":214,"dataGaLocation":45},"/community/","community",{"text":216,"config":217},"Forum",{"href":218,"dataGaName":219,"dataGaLocation":45},"https://forum.gitlab.com/","forum",{"text":221,"config":222},"Events",{"href":223,"dataGaName":224,"dataGaLocation":45},"/events/","events",{"text":226,"config":227},"Partners",{"href":228,"dataGaName":229,"dataGaLocation":45},"/partners/","partners",{"title":231,"links":232},"Company",[233,238,243,248,253,258,263,268,273,278,283,288],{"text":234,"config":235},"About",{"href":236,"dataGaName":237,"dataGaLocation":45},"/company/","company",{"text":239,"config":240},"Jobs",{"href":241,"dataGaName":242,"dataGaLocation":45},"/jobs/","jobs",{"text":244,"config":245},"Leadership",{"href":246,"dataGaName":247,"dataGaLocation":45},"/company/team/e-group/","leadership",{"text":249,"config":250},"Team",{"href":251,"dataGaName":252,"dataGaLocation":45},"/company/team/","team",{"text":254,"config":255},"Handbook",{"href":256,"dataGaName":257,"dataGaLocation":45},"https://handbook.gitlab.com/","handbook",{"text":259,"config":260},"Investor relations",{"href":261,"dataGaName":262,"dataGaLocation":45},"https://ir.gitlab.com/","investor relations",{"text":264,"config":265},"Environmental, social and governance (ESG)",{"href":266,"dataGaName":267,"dataGaLocation":45},"/environmental-social-governance/","environmental, social and governance",{"text":269,"config":270},"Diversity, inclusion and belonging (DIB)",{"href":271,"dataGaName":272,"dataGaLocation":45},"/diversity-inclusion-belonging/","Diversity, inclusion and belonging",{"text":274,"config":275},"Trust Center",{"href":276,"dataGaName":277,"dataGaLocation":45},"/security/","trust center",{"text":279,"config":280},"Newsletter",{"href":281,"dataGaName":282,"dataGaLocation":45},"/company/contact/","newsletter",{"text":284,"config":285},"Press",{"href":286,"dataGaName":287,"dataGaLocation":45},"/press/","press",{"text":289,"config":290},"Modern Slavery Transparency Statement",{"href":291,"dataGaName":292,"dataGaLocation":45},"https://handbook.gitlab.com/handbook/legal/modern-slavery-act-transparency-statement/","modern slavery transparency statement",{"title":294,"links":295},"Contact Us",[296,301,306,311,316,321,326],{"text":297,"config":298},"Contact an expert",{"href":299,"dataGaName":300,"dataGaLocation":45},"/sales/","sales",{"text":302,"config":303},"Get help",{"href":304,"dataGaName":305,"dataGaLocation":45},"/support/","get help",{"text":307,"config":308},"Customer portal",{"href":309,"dataGaName":310,"dataGaLocation":45},"https://customers.gitlab.com/customers/sign_in/","customer portal",{"text":312,"config":313},"Status",{"href":314,"dataGaName":315,"dataGaLocation":45},"https://status.gitlab.com/","status",{"text":317,"config":318},"Terms of use",{"href":319,"dataGaName":320,"dataGaLocation":45},"/terms/","terms of use",{"text":322,"config":323},"Privacy statement",{"href":324,"dataGaName":325,"dataGaLocation":45},"/privacy/","privacy statement",{"text":327,"config":328},"Cookie preferences",{"dataGaName":329,"dataGaLocation":45,"id":330,"isOneTrustButton":331},"cookie preferences","ot-sdk-btn",true,{"items":333},[334,336,338],{"text":317,"config":335},{"href":319,"dataGaName":320,"dataGaLocation":45},{"text":322,"config":337},{"href":324,"dataGaName":325,"dataGaLocation":45},{"text":327,"config":339},{"dataGaName":329,"dataGaLocation":45,"id":330,"isOneTrustButton":331},"content:shared:en-us:main-footer.yml","Main Footer","shared/en-us/main-footer.yml","shared/en-us/main-footer",{"_path":345,"_dir":9,"_draft":6,"_partial":6,"_locale":7,"logo":346,"subscribeLink":351,"navItems":355,"_id":367,"_type":31,"title":368,"_source":32,"_file":369,"_stem":370,"_extension":35},"/shared/en-us/the-source/navigation",{"altText":347,"config":348},"the source logo",{"src":349,"href":350},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1750191004/t7wz1klfb2kxkezksv9t.svg","/the-source/",{"text":352,"config":353},"Subscribe",{"href":354},"#subscribe",[356,360,363],{"text":357,"config":358},"Artificial Intelligence",{"href":359},"/the-source/ai/",{"text":98,"config":361},{"href":362},"/the-source/security/",{"text":364,"config":365},"Platform & Infrastructure",{"href":366},"/the-source/platform/","content:shared:en-us:the-source:navigation.yml","Navigation","shared/en-us/the-source/navigation.yml","shared/en-us/the-source/navigation",{"_path":372,"_dir":9,"_draft":6,"_partial":6,"_locale":7,"title":373,"description":374,"submitMessage":375,"formData":376,"_id":380,"_type":31,"_source":32,"_file":381,"_stem":382,"_extension":35},"/shared/en-us/the-source/newsletter","The Source Newsletter","Stay updated with insights for the future of software development.","You have successfully signed up for The Source’s newsletter.",{"config":377},{"formId":378,"formName":379,"hideRequiredLabel":331},1077,"thesourcenewsletter","content:shared:en-us:the-source:newsletter.yml","shared/en-us/the-source/newsletter.yml","shared/en-us/the-source/newsletter",{"_path":384,"_dir":29,"_draft":6,"_partial":6,"_locale":7,"slug":385,"type":386,"category":29,"config":387,"seo":392,"content":396,"_id":420,"_type":31,"title":7,"_source":32,"_file":421,"_stem":422,"_extension":35},"/en-us/the-source/platform/beyond-the-portal-hype-why-you-need-a-platform-first","beyond-the-portal-hype-why-you-need-a-platform-first","article",{"layout":9,"template":388,"featured":331,"articleType":389,"author":390,"gatedAsset":391},"TheSourceArticle","Regular","bryan-ross","source-lp-how-to-build-a-resilient-software-development-practice",{"title":393,"ogTitle":393,"description":394,"ogDescription":394,"ogImage":395},"Beyond the portal hype: Why you need a platform first","Discover why many internal developer portals fall short and why a platform-first approach is key to improving developer productivity.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1752086082/z2udikxenysukvroywvb.png",{"title":393,"description":394,"date":397,"timeToRead":398,"heroImage":395,"keyTakeaways":399,"articleBody":403,"faq":404},"2025-07-15","6 min read",[400,401,402],"Most portal initiatives struggle with adoption because organizations underestimate the product management effort required for successful implementation and ongoing maintenance.","Start by building a robust platform with streamlined workflows and automation before investing in a portal interface; the value of any portal is entirely dependent on the capabilities of the underlying platform.","Consider whether tool consolidation might be more effective than integration; end-to-end solutions can simplify your ecosystem and reduce the need for the complex integrations that portals attempt to solve.","When Spotify released Backstage as an open source project in 2020, it sparked a wave of enthusiasm across the platform engineering community. The promise was compelling: a unified dashboard where developers could discover, access, and consume everything they needed to build software efficiently. Who wouldn't want a sleek “shop front” to simplify the increasingly complex world of software development?\n\nFast forward to today, and the reality has proven more complicated. Despite the initial excitement, many organizations struggle to realize the promised benefits of internal developer portals. \n\n## Portals vs. platforms: What’s the difference?\nAn internal developer portal is a “front door” to your technical ecosystem. It sits atop your developer platform, which integrates different tools to provide standardized workflows and underlying infrastructure and helps enforce governance. While the platform handles the technical implementation of tooling and automation, the portal provides a single pane of glass that makes development resources discoverable and accessible.\n\nBefore we get to the challenges around portals, it’s worth acknowledging the very real challenges they aim to address:\n1. **Discovery obstacles**: Many organizations lack an API catalog, causing developers to struggle to find existing software components, documentation, best practices, and support channels. Portals attempt to solve this by creating a centralized catalog where developers can access these resources through a unified search and navigation experience.\n1. **Tool sprawl**: The modern software development lifecycle relies on numerous specialized tools, each with its own interface and learning curve. [GitLab research](https://about.gitlab.com/developer-survey/) found that 62% of teams use six or more separate tools for software development. Portals address this by integrating these disparate tools behind a consistent interface, reducing the cognitive load of context switching.\n1. **Siloed knowledge**: Teams focused on their specific challenges often create their own workflows and toolchains, hampering cross-team collaboration and leading to duplicated work. Portals aim to break down these silos by making team assets visible across the organization and promoting standardized workflows that encourage collaboration and reuse of existing solutions.\nThese challenges have a measurable business impact: According to the [2024 GitLab Global DevSecOps Report](https://about.gitlab.com/developer-survey/), 78% of developers spend at least a quarter of their time maintaining and integrating toolchains.\n\n## Why portal initiatives often fall short\nIf internal developer portals address genuine business problems, why do these initiatives regularly fail to gain traction? In my conversations with technical leaders at companies of all sizes, I’ve noticed several key factors:\n1. **Insufficient product management**: Many organizations underinvest in release announcements, internal enablement examples, training, and other adoption-fueling activities essential for portal success.\n1. **Dependency on platform capabilities**: A portal is only as valuable as its underlying platform. Without robust platform capabilities, a portal merely presents a unified view of dysfunction.\n1. **Technical complexity**: Organizations often underestimate that a portal is not simply a tool to install but a software development framework requiring significant engineering skills to build and maintain.\n1. **Ongoing investment requirements**: Building and maintaining a portal demands substantial continuous investment, which many organizations underestimate during initial planning stages.\n1. **Limited developer resonance**: Despite being highly discussed in platform engineering circles, a recent CNCF App Development Working Group survey revealed that many developers remain unaware of Backstage — suggesting it may not address problems developers consider material to their work.\n\nThese challenges are particularly acute when building the portal’s frontend interface. A portal essentially functions as a wrapper built around existing tools, aiming to become the single source of truth for developer interactions.\n\nBut here's the catch: If your portal doesn't mirror enough of the functionality of those underlying tools, developers will bypass it and go straight to the underlying tools, making your portal just another item in an already crowded toolchain. At the same time, trying to keep up with feature changes across a dozen backend tools requires a massive ongoing effort. Every time a backend system changes or releases a new capability, the portal team faces the same question: implement, integrate, or ignore?  Providing a single pane of glass is a significant, perpetual engineering investment that most organizations underestimate.\n\n[Netflix, which has deep experience in developer tooling, puts it bluntly](https://www.youtube.com/watch?v=qgFyb28NvlQ): “A common front door for existing tools is insufficient on its own to attract and keep a user base. Rather [it] needs end-to-end experiences not available in other tools to keep users coming back and discovering the additional features and capabilities.”\n\n## The platform-first approach\nOrganizations that have successfully improved developer productivity typically follow a platform-first approach rather than beginning with a portal. Here’s what this looks like in practice:\n1. **Start with developer needs**: Don’t assume what developers need. Speak directly with teams about their challenges and work closely with them to develop solutions that demonstrably improve their day-to-day experiences.\n1. **Focus on platform capabilities first**: Prioritize creating streamlined, automated workflows for regular tasks that incorporate best practices and corporate standards. Any future portal's value will entirely depend on these underlying capabilities.\n1. **Consider tool consolidation before integration**: Portals primarily solve integration issues between tools by abstracting authentication methods and bringing data sources together. Before investing in complex integrations, evaluate whether consolidating tools might simplify your ecosystem. End-to-end solutions across the software development lifecycle can reduce the need for extensive integration work.\n1. **Invest in product management**: Ensure strong product management to encourage platform adoption by new teams and drive new capability adoption by teams who have already embraced the platform.\n\n## When portals make sense\nThis isn’t to say that internal developer portals are inherently flawed. In fact, I’ve worked with several large, mature organizations that successfully use internal developer portals like Backstage, but with a crucial difference in approach and expectations.\n\nOne large financial institution I worked with recently has had tremendous feedback from their portal implementation. Rather than trying to create a single pane of glass for all development activities, their portal was built to serve two specific workflows: developer onboarding and new project scaffolding. When a developer joins a team, the portal guides them through account setup across six different systems, automatically provisioning access based on their team assignment. For new projects, the portal provides developers with an intuitive interface to select an appropriate template and configure it to their needs. The portal then triggers the necessary backend systems to build the required project scaffolding, including an initial code repository and a CI/CD pipeline with [policy-driven testing](https://about.gitlab.com/blog/how-to-use-gitlabs-custom-compliance-frameworks-in-your-devsecops/) and [infrastructure-as-code](https://about.gitlab.com/blog/using-ansible-and-gitlab-as-infrastructure-for-code/) to deploy the application.\n\nSuccessful implementations like this leverage portals for activities that genuinely benefit from a simplified point-and-click interface. The portal doesn't try to be the primary interface for all activity; developers still work directly in their IDEs, Git repositories, and monitoring dashboards.\nCritically, organizations with successful developer portals build solid, capable internal developer platforms first. They also have mature approaches to gathering developer feedback to direct their efforts to real-world points of friction.\n\n## The path forward\nThe message for technical leaders navigating the platform engineering landscape is clear: Start with a strong platform rather than focusing primarily on a portal. Prioritize creating tangible value for developers through automation, standardization, and simplified workflows. Once your platform capabilities mature and deliver measurable benefits, consider adding a portal as an enhancement if specific needs warrant it.\n\nBy taking this measured approach, you'll avoid the common pitfall of implementing a beautiful dashboard that sits atop dysfunction — and instead build developer tooling that genuinely improves productivity, reduces cognitive load, and accelerates innovation.",[405,408,411,414,417],{"header":406,"content":407},"What's the difference between an internal developer portal and a platform?","An internal developer portal is a \"front door\" interface that sits atop your developer platform. The platform handles technical implementation, tooling, and automation with standardized workflows, while the portal provides a single pane of glass that makes development resources discoverable and accessible.",{"header":409,"content":410},"How much time do developers spend on toolchain maintenance and integration?","According to the 2024 GitLab Global DevSecOps Report, 78% of developers spend at least a quarter of their time maintaining and integrating toolchains. GitLab research also found that 62% of teams use six or more separate tools for software development.",{"header":412,"content":413},"Why do internal developer portal initiatives often fail?","Portal initiatives fail due to insufficient product management, dependency on weak platform capabilities, underestimated technical complexity, ongoing investment requirements, and limited developer resonance. Many organizations underestimate that portals require significant continuous engineering investment to maintain feature parity with underlying tools.",{"header":415,"content":416},"What should organizations prioritize before building a developer portal?","Organizations should follow a platform-first approach: start with developer needs assessment, focus on platform capabilities with streamlined automated workflows, consider tool consolidation before integration, and invest in strong product management for adoption. Build robust platform capabilities before adding portal interfaces.",{"header":418,"content":419},"When do internal developer portals make sense to implement?","Portals work best for specific workflows like developer onboarding and new project scaffolding rather than trying to be a single pane of glass for all activities. Successful implementations focus on activities that genuinely benefit from simplified point-and-click interfaces while developers continue using specialized tools directly.","content:en-us:the-source:platform:beyond-the-portal-hype-why-you-need-a-platform-first:index.yml","en-us/the-source/platform/beyond-the-portal-hype-why-you-need-a-platform-first/index.yml","en-us/the-source/platform/beyond-the-portal-hype-why-you-need-a-platform-first/index",{"_path":424,"_dir":9,"_draft":6,"_partial":6,"_locale":7,"type":425,"config":426,"seo":427,"content":430,"slug":20,"_id":444,"_type":31,"title":7,"_source":32,"_file":445,"_stem":446,"_extension":35},"/en-us/the-source/ai","category",{"layout":9},{"title":357,"description":428,"ogImage":429},"Explore expert insights on how AI is transforming software development, and how organizations can get the most out of their AI investments.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751463300/eoudcbj5aoucl0spsp0c.png",[431,436],{"componentName":432,"type":432,"componentContent":433},"TheSourceCategoryHero",{"title":357,"description":428,"image":434},{"config":435},{"src":429},{"componentName":437,"type":437,"componentContent":438},"TheSourceCategoryMainSection",{"config":439},{"gatedAssets":440},[441,442,443],"source-lp-how-to-get-started-using-ai-in-software-development","navigating-ai-maturity-in-devsecops","source-lp-ai-guide-for-enterprise-leaders-building-the-right-approach","content:en-us:the-source:ai:index.yml","en-us/the-source/ai/index.yml","en-us/the-source/ai/index",{"_path":448,"_dir":9,"_draft":6,"_partial":6,"_locale":7,"type":425,"config":449,"seo":450,"content":453,"slug":24,"_id":465,"_type":31,"title":7,"_source":32,"_file":466,"_stem":467,"_extension":35},"/en-us/the-source/security",{"layout":9},{"title":98,"description":451,"ogImage":452},"Get up to speed on how organizations can ensure they're staying on top of evolving security threats and compliance requirements.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751463273/aplkxrvwpii26xao5yhi.png",[454,458],{"componentName":432,"type":432,"componentContent":455},{"title":98,"description":451,"image":456},{"config":457},{"src":452},{"componentName":437,"type":437,"componentContent":459},{"config":460},{"gatedAssets":461},[462,463,464],"source-lp-guide-to-dynamic-sboms","source-lp-devsecops-the-key-to-modern-security-resilience","application-security-in-the-digital-age","content:en-us:the-source:security:index.yml","en-us/the-source/security/index.yml","en-us/the-source/security/index",{"_path":469,"_dir":9,"_draft":6,"_partial":6,"_locale":7,"type":425,"config":470,"seo":471,"content":474,"slug":29,"_id":486,"_type":31,"title":7,"_source":32,"_file":487,"_stem":488,"_extension":35},"/en-us/the-source/platform",{"layout":9},{"title":364,"description":472,"ogImage":473},"Learn how to build a DevSecOps framework that sets your team up for success, from planning to delivery.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751463263/bdz7hmhpbmgwvoybcaud.png",[475,479],{"componentName":432,"type":432,"componentContent":476},{"title":364,"description":472,"image":477},{"config":478},{"src":473},{"componentName":437,"type":437,"componentContent":480},{"config":481},{"gatedAssets":482},[483,484,485],"source-lp-the-ultimate-playbook-for-high-performing-devsecops-teams","source-lp-measuring-success-in-software-development-a-guide-for-leaders","source-lp-building-a-resilient-software-development-practice","content:en-us:the-source:platform:index.yml","en-us/the-source/platform/index.yml","en-us/the-source/platform/index",{"amanda-rueda":490,"andre-michael-braun":491,"andrew-haschka":492,"ayoub-fandi":493,"brian-wald":494,"bryan-ross":495,"chandler-gibbons":496,"dave-steer":497,"ddesanto":498,"derek-debellis":499,"emilio-salvador":500,"erika-feldman":501,"george-kichukov":502,"gitlab":503,"grant-hickman":504,"haim-snir":505,"iganbaruch":506,"jlongo":507,"joel-krooswyk":508,"josh-lemos":509,"julie-griffin":510,"kristina-weis":511,"lee-faus":512,"ncregan":513,"rschulman":514,"sabrina-farmer":515,"sandra-gittlen":516,"sharon-gaudin":517,"stephen-walters":518,"taylor-mccaslin":519},"Amanda Rueda","Andre Michael Braun","Andrew Haschka","Ayoub Fandi","Brian Wald","Bryan Ross","Chandler Gibbons","Dave Steer","David DeSanto","Derek DeBellis","Emilio Salvador","Erika Feldman","George Kichukov","GitLab","Grant Hickman","Haim Snir","Itzik Gan Baruch","Joseph Longo","Joel Krooswyk","Josh Lemos","Julie Griffin","Kristina Weis","Lee Faus","Niall Cregan","Robin Schulman","Sabrina Farmer","Sandra Gittlen","Sharon Gaudin","Stephen Walters","Taylor McCaslin",{"amanda-rueda":490,"andre-michael-braun":491,"andrew-haschka":492,"ayoub-fandi":493,"brian-wald":494,"bryan-ross":495,"chandler-gibbons":496,"dave-steer":497,"ddesanto":498,"derek-debellis":499,"emilio-salvador":500,"erika-feldman":501,"george-kichukov":502,"gitlab":503,"grant-hickman":504,"haim-snir":505,"iganbaruch":506,"jlongo":507,"joel-krooswyk":508,"josh-lemos":509,"julie-griffin":510,"kristina-weis":511,"lee-faus":512,"ncregan":513,"rschulman":514,"sabrina-farmer":515,"sandra-gittlen":516,"sharon-gaudin":517,"stephen-walters":518,"taylor-mccaslin":519},[522,558,592],{"_path":523,"_dir":20,"_draft":6,"_partial":6,"_locale":7,"slug":524,"type":386,"category":20,"config":525,"seo":527,"content":531,"_id":555,"_type":31,"title":7,"_source":32,"_file":556,"_stem":557,"_extension":35},"/en-us/the-source/ai/three-ways-to-operationalize-ai-for-engineering-teams","three-ways-to-operationalize-ai-for-engineering-teams",{"layout":9,"template":388,"featured":331,"articleType":389,"author":526,"gatedAsset":441},"sabrina-farmer",{"title":528,"description":529,"ogImage":530},"Three ways to operationalize AI for engineering teams","Discover three actionable frameworks for engineering leaders to implement AI strategically, drive measurable ROI, and overcome adoption barriers.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751908411/i1mwfh3egxgbx5ijkowi.png",{"title":528,"description":529,"date":532,"timeToRead":533,"keyTakeaways":534,"articleBody":538,"faq":539,"heroImage":530},"2025-07-08","4 min read",[535,536,537],"AI adoption succeeds when positioned as a collaborative development partner — similar to pair programming — with specific applications like enhanced debugging, solution architecture, and code quality assurance rather than a replacement for engineers.","Strategic AI implementation requires role-specific applications with clear ROI targets, seamless workflow integration that minimizes friction, and structured feedback loops that connect AI initiatives directly to business outcomes.","Incremental implementation victories, rather than wholesale transformation, drive successful AI adoption — with success measured through problem-solving effectiveness and business impact instead of traditional productivity metrics.","Technical leaders face mounting pressure to adopt AI tools, but many struggle to move beyond experimentation to systematic implementation that delivers measurable ROI. While AI's potential for software development is clear, the path to operationalization remains challenging.\n\n[GitLab research](https://about.gitlab.com/developer-survey/2024/ai/) reveals that approximately half of organizations are still in the evaluation and exploration stage of AI maturity. These teams recognize AI's potential but haven't crystallized their implementation strategy, a common challenge I've observed when speaking with engineering executives.\n\n## Breaking through implementation barriers\n\nTwo critical obstacles stand in the way of successful AI adoption. First is the fear that AI will replace human engineers — a legitimate concern requiring transparent communication from leadership. Second, it is important to determine where to begin implementing AI when many engineers see limited value in disrupting established workflows.\n\nTechnical leaders must reframe AI’s value proposition by connecting AI capabilities directly to business outcomes. [Success metrics](https://about.gitlab.com/the-source/ai/4-steps-for-measuring-the-impact-of-ai/) should focus on problem-solving effectiveness and business impact rather than code volume or traditional individual productivity measures.\n\nRather than viewing AI as a threat to jobs, help your teams consider it through the lens of established collaborative practices like pair programming. This familiar framework provides clear entry points for AI integration:\n\n* **Enhanced debugging partner**: AI functions as a sophisticated \"[rubber duck](https://rubberduckdebugging.com/)\" that not only listens but responds with actionable insights\n* **Solution architect**: AI can generate multiple implementation approaches to complex problems within seconds\n* **Code quality guardian**: AI can help teams identify optimization opportunities and vulnerabilities before human review\n\nWhen positioned as an augmentation layer that eliminates repetitive tasks and amplifies human creativity, AI becomes an enabler rather than a threat.\n\n## A three-step implementation framework for technical leaders\n\nTo integrate AI into team workflows, leadership must first establish the context and then take a top-down approach to implementation. Specifically, leaders must define how teams will use AI, establish clear processes, and provide the necessary resources and support. Rather than overhauling your team's existing workflows entirely, apply AI to specific tasks or stages of the development process. This iterative approach allows teams to learn, adapt, and build confidence in AI over time.\n\n### 1. Define role-specific AI applications with clear ROI\n\nInstead of vague directives, specify exactly how different roles will leverage AI:\n\n* **Developers**: Ensure a consistent and thorough initial analysis and mandate AI-powered first code reviews and security scans before your human review. Leveraging AI first to analyze code for potential bugs, vulnerabilities, and performance issues can provide developers with actionable insights for remediation, while also creating learning moments.\n* **Quality assurance (QA) engineers**: Use AI to generate the first test for new code and analyze test results, freeing developers to focus on more complex testing scenarios and critical issues. Editing a proposed test is typically easier than generating it from scratch.\n* **Operations teams**: Implement AI to automate repetitive operational tasks such as deployments and infrastructure management and monitoring to free up operations teams' time for more strategic work.\n* **Team leads**: Leverage AI to assist with project planning, backlog prioritization, resource allocation, initial triage, and progress tracking, providing team leads with real-time insights into project health and potential risks.\n* **Product managers**: Use AI to analyze and summarize customer verticals, market trends, customer forums, and overall customer sentiment.\n\n### 2. Integrate AI seamlessly into existing workflows\n\nSelect AI solutions that seamlessly integrate into your existing development environment to avoid additional burdens on your developers. To avoid decision fatigue, develop clear guidelines for when and how to use AI tools, including:\n\n* When to rely on AI-generated suggestions\n* How to critically evaluate AI recommendations\n* What feedback mechanisms exist for improving AI outputs\n\n### 3. Create feedback loops and measure business impact\n\nEstablish structured communication channels for engineers to share AI wins and challenges. Create internal communities of practice around AI integration to accelerate knowledge sharing. Encourage developers to interact with the AI, provide feedback on generated code, refine test cases, and actively participate in the collaborative process.\n\nAfter implementation, quantify and communicate the business impact to executive stakeholders. It’s important to position AI not as experimental technology but as a strategic lever for competitive advantage and engineering excellence.\n\n## Moving beyond experimentation\n\nThe key to successful AI operationalization is targeted implementation with clear business objectives. By defining role-specific applications, creating seamless integration points, and establishing feedback mechanisms, engineering leaders can transform AI from an interesting curiosity to a foundational productivity multiplier.\n\nSuccess will not come from wholesale workflow transformation but through incremental victories demonstrating tangible value. With this structured approach, technical leaders can unlock AI's true potential while ensuring their teams feel empowered rather than threatened by this technological evolution.",[540,543,546,549,552],{"header":541,"content":542},"What percentage of organizations are still evaluating AI implementation?","Approximately half of organizations remain in the evaluation and exploration stage of AI maturity. These teams recognize AI's potential but haven't crystallized their implementation strategy, creating a common challenge for engineering executives moving beyond experimentation.",{"header":544,"content":545},"How should engineering leaders position AI to overcome adoption resistance?","Leaders should reframe AI as a collaborative development partner similar to pair programming rather than a replacement. Position AI as an enhanced debugging partner, solution architect, and code quality guardian that eliminates repetitive tasks while amplifying human creativity.",{"header":547,"content":548},"What are the three key steps for implementing AI in engineering workflows?","First, define role-specific AI applications with clear ROI for developers, QA engineers, operations teams, team leads, and product managers. Second, integrate AI seamlessly into existing development environments. Third, create feedback loops and measure business impact through structured communication channels.",{"header":550,"content":551},"How should AI success be measured in engineering teams?","Success metrics should focus on problem-solving effectiveness and business impact rather than code volume or traditional productivity measures. Quantify business impact for executive stakeholders and position AI as a strategic lever for competitive advantage and engineering excellence.",{"header":553,"content":554},"What AI applications work best for different engineering roles?","Developers use AI for code reviews and security scans. QA engineers leverage AI for test generation and result analysis. Operations teams implement AI for deployments and infrastructure monitoring. Team leads use AI for project planning and progress tracking. Product managers apply AI for customer sentiment analysis.","content:en-us:the-source:ai:three-ways-to-operationalize-ai-for-engineering-teams:index.yml","en-us/the-source/ai/three-ways-to-operationalize-ai-for-engineering-teams/index.yml","en-us/the-source/ai/three-ways-to-operationalize-ai-for-engineering-teams/index",{"_path":559,"_dir":29,"_draft":6,"_partial":6,"_locale":7,"config":560,"seo":561,"content":565,"type":386,"slug":588,"category":29,"_id":589,"_type":31,"title":7,"_source":32,"_file":590,"_stem":591,"_extension":35},"/en-us/the-source/platform/transform-your-platform-onboarding-for-higher-adoption-rates",{"layout":9,"template":388,"articleType":389,"author":390,"featured":331,"gatedAsset":463},{"title":562,"description":563,"ogImage":564},"Transform your platform onboarding for higher adoption rates","Redesign your platform onboarding to boost adoption, reduce friction, and create seamless experiences for development teams.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751463510/hm90bhwzptl1b2gwovhx.png",{"title":562,"date":566,"description":563,"timeToRead":533,"heroImage":564,"keyTakeaways":567,"articleBody":571,"faq":572},"2025-07-01",[568,569,570],"A weak onboarding experience can significantly impact platform adoption, with research showing that one-third of users consider abandoning platforms after poor experiences.","Simple improvements like creating an intuitive landing page, writing clear documentation, and automating access processes can dramatically increase user adoption and satisfaction.","Building effective support systems across multiple channels (chat, email, ticketing) creates trust and ensures users can quickly overcome obstacles during their onboarding journey.","In my work with platform teams across industries, from startups to enterprises, I’ve noticed a consistent blind spot: the onboarding experience. While teams focus intensely on building robust features, they often neglect how new users first encounter their platform - and this oversight can severely limit adoption.\n\nAccording to the [diffusion of innovations theory](https://en.wikipedia.org/wiki/Diffusion_of_innovations), most platforms achieve about 16% adoption before stagnating. That's because innovators and early adopters - representing about 16% of an organization - are often willing to tolerate rough edges, motivated by novelty or vision. The early majority, comprising 34%, is key to going mainstream. They prioritize proven reliability, a clear value proposition, and ease of use. This shift in expectations is the chasm where many platform teams stumble. Your early adopters might forgive a clunky onboarding process, but the early majority won’t.\n\n![Diffusion of Innovation](https://res.cloudinary.com/about-gitlab-com/image/upload/v1752176125/Blog/k6kxdtokv4laph4exsdt.png)\n\n## Start with a memorable, future-proof name\nThe platform's name is likely the first part of the platform that users will engage with. Choose something unique within your organization that’s easy to spell and not tied to specific technologies.\n\nEffective platform names often:\n\n**Reflect your value proposition** rather than the underlying technology. For example, try a name such as “Runway” that reflects the value proposition of helping teams launch faster instead of something more literal like “K8sPipeline.”\n\n**Use simple, memorable words** that evoke the platform’s purpose. Can someone easily understand and spell it after hearing it once? Choosing something simple and easy to remember, such as “Beacon,” will likely serve you better than a unique or creative option such as “Syzygy.”\n\nAvoid these common pitfalls:\n- **Version numbers in names** signal previous failures and raise doubts about longevity.\n- **Generic three-letter acronyms** become instantly forgettable in a sea of other TLAs.\n- **Technology-based names** suggest you prioritize tools over user needs.\n\n## Develop a multi-channel communication strategy\nEffective platform adoption requires deliberate communication planning across multiple channels, from a product website that clearly articulates your platform’s value proposition to user-centric documentation and email updates. Your communication strategy should also include a reliable health dashboard that gives users visibility into known issues and their resolution status. Remember that in enterprise environments, how you communicate about your platform often matters as much as the platform itself. Invest in communication with the same care you invest in your technical infrastructure.\n\n> [Learn more about building a comprehensive communication framework for platform engineering](https://about.gitlab.com/the-source/platform/building-a-communication-strategy-for-platform-engineering-teams/).\n\n## Simplify the access process\nTeams often spend months perfecting platform features while neglecting the most basic step: making it easy to access the platform.\n\nI’ve seen many examples of this at organizations of all sizes, across every industry. Common barriers include:\n\n**Manual onboarding processes** for supposedly self-service platforms. If you can’t fully automate the process, do your best to perform human-in-the-loop tasks asynchronously.\n\n**Time-consuming approval steps** or other barriers that delay initial exploration. One great solution to this is to offer immediate, temporary access to your platform for free for 30 days. This is long enough for someone to decide if your platform helps them and raise the necessary request to gain full access.\n\n**Mandatory training requirements** before users can begin. Training is valuable, but it should be required within a period of joining the platform rather than being a prerequisite.\n\n## Don’t neglect design and tone\nFirst impressions are largely visual. An outdated or inconsistent interface can deter users even if your functionality is excellent. Pay attention to branding, color schemes, and the tone of your messaging. These details might seem trivial, but they set the tone for user engagement.\n\nAim for clear, human communication rather than technical jargon. A user-friendly tone makes your platform more approachable to diverse stakeholders.\n\n## Build responsive support systems\nEven the best platforms need support, and nothing builds trust faster than responsive help when users encounter problems. Your primary goal during support interactions should be minimizing user frustration.\n\nCreate an effective support framework by leveraging multiple channels:\n- **Support tickets** provide accountability and integration with other systems.\n- **Email communication** works well for complex topics requiring clarity.\n- **Chat systems** enable real-time problem-solving when users are “in the flow.”\n\nBe present where your users are, even if that means monitoring multiple communication tools. Aim to answer chat queries within 30-60 minutes, and always follow up publicly so others can benefit from solutions.\n\n## The path to successful platform adoption\nOrganizations that prioritize user experience from day one gain significant advantages in adoption rates and user satisfaction. By creating intuitive onboarding processes, clear documentation, and responsive support systems, you transform the user journey from frustration to delight.\n\nRemember that your platform users are making a critical decision: whether your solution deserves their time and trust. A thoughtful onboarding experience tells them you value that investment - and dramatically increases your chances of widespread adoption.",[573,576,579,582,585],{"header":574,"content":575},"Why is platform onboarding so important to user adoption?","Poor onboarding experiences are a leading cause of stalled platform adoption. Research shows that one-third of users consider abandoning platforms after a frustrating first encounter. A thoughtful, streamlined onboarding process helps build trust and accelerates user engagement.",{"header":577,"content":578},"What are the most common onboarding mistakes platform teams make?","Teams often over-engineer platform features while neglecting usability basics. Common mistakes include clunky access processes, mandatory training before usage, poor visual design, inconsistent messaging, and weak support channels, all of which discourage adoption.",{"header":580,"content":581},"How can platform teams improve onboarding access without sacrificing control?","Offer temporary, self-service access, such as a 30-day trial, to remove early friction. If full automation isn’t possible, use asynchronous human-in-the-loop onboarding and avoid approval-heavy workflows that delay initial exploration and testing.",{"header":583,"content":584},"What role does naming and communication play in platform success?","A clear, future-proof name and consistent multi-channel communication strategy help build platform recognition and trust. Names should reflect user value, not technology, while communication must include user-focused documentation, health dashboards, and regular updates.",{"header":586,"content":587},"How should platform support be structured during onboarding?","Support should be fast, responsive, and multi-modal. Use tickets for tracking, email for clarity, and chat for real-time help. Aim for quick response times and always share publicly resolved issues to benefit all users.","transform-your-platform-onboarding-for-higher-adoption-rates","content:en-us:the-source:platform:transform-your-platform-onboarding-for-higher-adoption-rates:index.yml","en-us/the-source/platform/transform-your-platform-onboarding-for-higher-adoption-rates/index.yml","en-us/the-source/platform/transform-your-platform-onboarding-for-higher-adoption-rates/index",{"_path":593,"_dir":29,"_draft":6,"_partial":6,"_locale":7,"config":594,"seo":595,"content":599,"type":386,"slug":622,"category":29,"_id":623,"_type":31,"title":7,"_source":32,"_file":624,"_stem":625,"_extension":35},"/en-us/the-source/platform/unlock-developer-potential-with-effective-platform-teams",{"layout":9,"template":388,"articleType":389,"author":390,"featured":6,"gatedAsset":485},{"title":596,"description":597,"ogImage":598},"Unlock developer potential with effective platform teams","Discover how successful platform teams drive innovation by focusing on collaboration and developer experience rather than just technology.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751463569/go1j065dkmpxh5qiabh1.png",{"title":596,"date":600,"description":597,"timeToRead":398,"heroImage":598,"keyTakeaways":601,"articleBody":605,"faq":606},"2025-06-24",[602,603,604],"Platform teams thrive when they measure success through developer velocity and adoption rates, not by technical complexity or feature count—creating value by removing obstacles rather than adding layers.","Building strong feedback loops between platform teams and developers creates a virtuous cycle where platforms evolve based on real needs, fostering higher adoption and greater business impact.","The most successful platform teams focus on making the right way the easy way, reducing cognitive load for developers and allowing them to concentrate on building features that matter to customers.","Developers are drowning in complexity while delivery dates keep slipping. Everyone’s talking about platform teams as the solution, but if you build it, will they come? The harsh reality is that most platform initiatives fail not because of technology choices but because they miss what truly matters: genuine collaboration. The most powerful platforms aren’t technology stacks - they’re relationship accelerators that fundamentally change how teams work together.\n\n## What are platform teams and what do they do?\nThe [Team Topologies](https://www.amazon.co.uk/Team-Topologies-Organizing-Business-Technology/dp/1942788819) framework defined the four fundamental types of teams involved in software development:\n1. **Stream-aligned teams**, who focus on a single stream of work\n1. **Enabling teams**, who provide specialized skills and expertise to support stream-aligned teams\n1. **Complicated-subsystem teams**, who build and maintain backend systems that require specialist knowledge\n1. **Platform teams**, who enable stream-aligned teams to operate more quickly and autonomously.\n\nOf these, platform teams often get the most attention - and for good reason. When done right, they can transform how quickly an organization delivers software.\n\nPlatform teams make developers’ jobs easier by handling complex technical work for them. They give developers everything they need to build, test, and deploy applications without worrying about the underlying technology. Think of the platform team as a product team creating an internal product - and developers are their customers.\n\nA platform team’s core goal is simple: enable developers to deliver software faster by simplifying complexity. Rather than having each development team figure out how to set up monitoring, security controls, CI/CD pipelines, and cloud resources, the platform team creates [standardized, well-documented solutions that work seamlessly together](https://about.gitlab.com/the-source/platform/driving-business-results-with-platform-engineering/).\n\nBut here’s a nuance many leaders miss: The success of a platform team isn’t measured by the sophistication of its technology stack or the number of features it delivers - it’s measured by how effectively it enables other teams to deliver business value. Platform teams are defined by how they collaborate with the teams they serve.\n\nI’ve worked with organizations across industries, and the pattern is clear. When platform teams focus on reducing cognitive load for developers and creating self-service capabilities that feel effortless, everyone wins. The business delivers faster, developers stay focused on what matters, and customers get better products.\n\n## The restaurant model of platform excellence\nThink of a well-designed platform like a restaurant. The food might be excellent, but customers are unlikely to return if the service is slow, the staff is rude, and the environment lacks character.\n\nThe same applies to platform teams. The technology matters, but how it’s organized and presented to developers - the customers of the platform - matters just as much. Great platforms create an environment where software developers can focus on creating business value instead of wrestling with infrastructure concerns or reinventing workflows.\n\nJust as restaurant kitchens must evolve with changing culinary techniques and equipment, platform teams must continuously evolve their offerings to meet changing business requirements and development processes.\n\n## Three pillars of platform team success\n### Align priorities around outcomes\nThe most effective platform teams align their priorities with the outcomes developers need to achieve. This alignment isn’t always easy, especially when platform teams report through IT functions while development teams report through business units.\n\nBreaking this organizational pattern requires platform teams to focus on what developers truly need. The metrics that matter aren’t technical but outcome-based: How much faster can developers ship? How confidently can they release changes? Here are a few of the outcomes you should be measuring:\n\n- **Increasing adoption rates**: Teams choose your platform because it makes their lives easier\n- **Developer velocity**: Teams using your platform ship faster than those who don't\n- **Developer satisfaction**: Regular feedback shows developers enjoy using your platform\n- **Reduced support burden**: Support tickets decrease dramatically as developers can self-serve through well-designed interfaces and comprehensive documentation\n\nGreat platform leaders advocate upward to leadership about the direct connection between developer productivity and business outcomes, turning “developer experience” from a nice-to-have into a strategic imperative.\n\n### Build strong communication channels\nRemember, the platform is a product, and developers are the customers. This mindset shift changes everything.\n\nThe best platform teams create multiple channels for feedback:\n- Regular user research sessions\n- Developer experience surveys\n- “Office hours” where developers can get help\n- Champions programs that bring developer perspectives into platform planning\n\nEven the name matters. Teams with names like “Developer Enablement Platform” or “Developer Experience Team” send a clear signal about their purpose - they exist to serve developers, not to control them.\n\nDevelopers who feel heard and respected become collaborators rather than mere users. They bring insights that improve your platform because they know their needs will shape its evolution.\n\n> [Learn more about how to create a communication framework for platform engineering that increases adoption, builds trust, and shows value](https://about.gitlab.com/the-source/platform/building-a-communication-strategy-for-platform-engineering-teams/).\n\n### Focus on developer delight\nDeveloper experience isn't just about reducing friction - it’s about creating delight. Think of your platform as a product that has to compete for mindshare. At one major media and telecommunications company I worked with, the platform team would theme their developer interfaces to celebrate key holidays and events throughout the year. These seasonal themes - whether for Halloween, major sporting events, or end-of-year celebrations - added no functional improvements yet consistently generated positive developer feedback. This simple touch demonstrated that the platform team cared about the human experience, not just the technical capabilities.\n\nThe best platforms don’t just build features; they craft experiences where:\n- Error messages guide rather than confuse\n- Documentation anticipates questions\n- Interfaces feel natural and intuitive\n- Common tasks require minimal cognitive load\n\nPlatform engineering excellence comes from making complex things appear simple. It’s not about building the most sophisticated system - it’s about hiding complexity so developers can focus on creating business value.\n\n## The path forward\nTeam Topologies provides a valuable framework for understanding how platform teams should function. But the real magic happens when you combine that framework with a relentless focus on the developer experience.\n\nMy advice for platform leaders:\n1. **Measure what matters**: Track developer velocity and platform adoption as your primary metrics.\n1. **Find champions**: Every feature should have a customer champion who helps shape it.\n1. **Make the right way the easy way**: Success comes when developers choose your platform because it's genuinely better than alternatives.\n\nThe most successful organizations I’ve worked with understand that platforms are collaborative ecosystems that succeed or fail based on human factors as much as technical ones.\n\nBy focusing on outcomes, communication, and experience, your platform team can become a force multiplier, transforming how your organization builds software.",[607,610,613,616,619],{"header":608,"content":609},"What is the main responsibility of a platform engineering team?","A platform engineering team's primary responsibility is to reduce complexity for developers by providing standardized tools, services, and workflows that enable faster, safer software delivery. Their role is to empower development teams, not control them.",{"header":611,"content":612},"How do successful platform teams measure their impact?","Impact is measured by developer outcomes, not technical features. Key metrics include adoption rates, developer velocity, satisfaction scores, and a reduced support burden. The best platforms help teams ship faster and more confidently.",{"header":614,"content":615},"Why is collaboration critical for platform engineering success?","Platforms succeed when built with developer input and feedback. Strong communication loops, including surveys, office hours, and developer champions, help ensure the platform evolves in response to real user needs, increasing adoption and trust.",{"header":617,"content":618},"What’s the “restaurant model” in platform engineering?","The restaurant model suggests that, like a good dining experience, a great platform needs more than good \"food\" (features). It also needs friendly service (support), clear signage (documentation), and a welcoming environment (developer experience).",{"header":620,"content":621},"How can platform teams boost developer engagement?","Beyond functionality, teams can create delight through intuitive interfaces, thoughtful error messaging, and even small cultural touches like themed dashboards. These elements show empathy and build stronger emotional connections with developers.","unlock-developer-potential-with-effective-platform-teams","content:en-us:the-source:platform:unlock-developer-potential-with-effective-platform-teams:index.yml","en-us/the-source/platform/unlock-developer-potential-with-effective-platform-teams/index.yml","en-us/the-source/platform/unlock-developer-potential-with-effective-platform-teams/index",[627,638,649],{"_path":384,"_dir":29,"_draft":6,"_partial":6,"_locale":7,"slug":385,"type":386,"category":29,"config":628,"seo":629,"content":630,"_id":420,"_type":31,"title":7,"_source":32,"_file":421,"_stem":422,"_extension":35},{"layout":9,"template":388,"featured":331,"articleType":389,"author":390,"gatedAsset":391},{"title":393,"ogTitle":393,"description":394,"ogDescription":394,"ogImage":395},{"title":393,"description":394,"date":397,"timeToRead":398,"heroImage":395,"keyTakeaways":631,"articleBody":403,"faq":632},[400,401,402],[633,634,635,636,637],{"header":406,"content":407},{"header":409,"content":410},{"header":412,"content":413},{"header":415,"content":416},{"header":418,"content":419},{"_path":559,"_dir":29,"_draft":6,"_partial":6,"_locale":7,"config":639,"seo":640,"content":641,"type":386,"slug":588,"category":29,"_id":589,"_type":31,"title":7,"_source":32,"_file":590,"_stem":591,"_extension":35},{"layout":9,"template":388,"articleType":389,"author":390,"featured":331,"gatedAsset":463},{"title":562,"description":563,"ogImage":564},{"title":562,"date":566,"description":563,"timeToRead":533,"heroImage":564,"keyTakeaways":642,"articleBody":571,"faq":643},[568,569,570],[644,645,646,647,648],{"header":574,"content":575},{"header":577,"content":578},{"header":580,"content":581},{"header":583,"content":584},{"header":586,"content":587},{"_path":650,"_dir":29,"_draft":6,"_partial":6,"_locale":7,"slug":651,"type":386,"category":29,"config":652,"seo":655,"content":659,"_id":666,"_type":31,"title":7,"_source":32,"_file":667,"_stem":668,"_extension":35},"/en-us/the-source/platform/accelerate-embedded-development-in-software-defined-vehicles","accelerate-embedded-development-in-software-defined-vehicles",{"layout":9,"template":388,"featured":6,"articleType":653,"gatedAsset":654},"Guide","pf-accelerate-embedded-development-in-software-defined-vehicles",{"noIndex":6,"title":656,"ogTitle":656,"description":657,"ogDescription":657,"ogImage":658},"Accelerate embedded development in software-defined vehicles","Learn how DevSecOps transforms automotive embedded development. Reduce feedback cycles from weeks to hours while maintaining safety compliance.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1752239485/acehu4zl6nv8dntuafvx.png",{"title":656,"description":657,"date":660,"heroImage":658,"keyTakeaways":661,"articleBody":665},"2025-06-30",[662,663,664],"Modern automotive development faces unprecedented complexity with millions of lines of code across dozens of ECUs. Traditional approaches with weeks-long feedback cycles and manual processes cannot scale.","Leading manufacturers achieve dramatic improvements through DevSecOps: automated workflows reduce feedback from weeks to hours, integrated hardware testing eliminates bottlenecks, and compliance automation.","Real results include a reduction in feedback cycles from 4-6 weeks to 30 minutes, increased Linux build frequency, and simplified build systems.","The automotive industry is undergoing its most significant transformation since the assembly line. With the advent of electric vehicles (EVs) and software-defined vehicles (SDVs), software powers everything from advanced driver assistance to infotainment systems. However, the complexity of modern vehicles creates unprecedented development challenges that traditional approaches cannot address.\n\nToday's connected vehicles contain millions of lines of code across dozens of electronic control units. Autonomous vehicles push this complexity even further, requiring real-time processing, cybersecurity integration, and seamless coordination between hardware and software systems. Development teams struggle with feedback cycles measured in weeks, manual security testing processes, and disconnected compliance workflows that create bottlenecks and increase costs.\n\nForward-thinking automotive manufacturers are solving these challenges through comprehensive DevSecOps transformation. By integrating development, security, and operations into unified workflows, they're achieving remarkable results: feedback cycles reduced from weeks to hours, automated compliance with automotive cybersecurity standards, and development velocity that scales with business growth.\n\nThe transformation centers on end-to-end workflow automation that eliminates the inefficiencies of traditional embedded development. Instead of developers working in isolation with inconsistent build environments, leading companies implement automated pipelines that ensure consistency and reliability. \n\nCollaborative code review processes catch security vulnerabilities early when they're less expensive to fix — particularly critical for safety-critical vehicle security applications. And by codifying compliance requirements and enforcing them automatically through customizable frameworks, organizations can ensure compliance is built into the process rather than bolted on afterward.\n\nHardware testing integration represents another breakthrough. Unlike enterprise software, automotive embedded code must be tested on target hardware or accurate simulations. Innovative manufacturers are connecting cloud-based processors, virtual hardware simulators, and physical test benches directly to automated workflows. This eliminates manual scheduling bottlenecks and enables continuous testing, dramatically increasing utilization of expensive test hardware.\n\nThe results speak for themselves. With a comprehensive DevSecOps platform, one auto manufacturer is now able to process over 120,000 CI/CD jobs daily, supporting massive repositories while maintaining the rigorous security standards required for automotive industry applications.\n\nAs SDVs and EVs reshape the competitive landscape, software development capability becomes a strategic differentiator. Companies that successfully transform their embedded development practices through comprehensive DevSecOps approaches position themselves to lead in the software-defined future, while those that don't risk falling behind as the industry accelerates into its next chapter.\n\nDownload the complete guide to discover real-world implementations, detailed case studies, and proven strategies for transforming your automotive embedded development practices.","content:en-us:the-source:platform:accelerate-embedded-development-in-software-defined-vehicles:index.yml","en-us/the-source/platform/accelerate-embedded-development-in-software-defined-vehicles/index.yml","en-us/the-source/platform/accelerate-embedded-development-in-software-defined-vehicles/index",[670,686,699],{"_path":671,"_dir":672,"_draft":6,"_partial":6,"_locale":7,"config":673,"title":675,"description":676,"link":677,"_id":683,"_type":31,"_source":32,"_file":684,"_stem":685,"_extension":35},"/shared/en-us/the-source/gated-assets/navigating-ai-maturity-in-devsecops","gated-assets",{"id":442,"formId":674},1002,"Navigating AI maturity in DevSecOps","Read our survey findings from more than 5,000 DevSecOps professionals worldwide for insights on how organizations are incorporating AI into the software development lifecycle.",{"text":678,"config":679},"Read the report",{"href":680,"dataGaName":681,"dataGaLocation":682},"https://about.gitlab.com/developer-survey/2024/ai/","Navigating AI Maturity in DevSecOps","thesource","content:shared:en-us:the-source:gated-assets:navigating-ai-maturity-in-devsecops.yml","shared/en-us/the-source/gated-assets/navigating-ai-maturity-in-devsecops.yml","shared/en-us/the-source/gated-assets/navigating-ai-maturity-in-devsecops",{"_path":687,"_dir":672,"_draft":6,"_partial":6,"_locale":7,"config":688,"title":689,"description":690,"link":691,"_id":696,"_type":31,"_source":32,"_file":697,"_stem":698,"_extension":35},"/shared/en-us/the-source/gated-assets/source-lp-ai-guide-for-enterprise-leaders-building-the-right-approach",{"id":443},"AI guide for enterprise leaders: Building the right approach","Download our guide for enterprise leaders to learn how to prepare your C-suite, executive leadership, and development teams for what AI can do today — and will do in the near future — to accelerate software development.",{"text":692,"config":693},"Read the guide",{"href":694,"dataGaName":695,"dataGaLocation":682},"https://about.gitlab.com/the-source/ai/ai-guide-for-enterprise-leaders-building-the-right-approach","AI Guide For Enterprise Leaders: Building the Right Approach","content:shared:en-us:the-source:gated-assets:source-lp-ai-guide-for-enterprise-leaders-building-the-right-approach.yml","shared/en-us/the-source/gated-assets/source-lp-ai-guide-for-enterprise-leaders-building-the-right-approach.yml","shared/en-us/the-source/gated-assets/source-lp-ai-guide-for-enterprise-leaders-building-the-right-approach",{"_path":700,"_dir":672,"_draft":6,"_partial":6,"_locale":7,"config":701,"title":702,"description":703,"link":704,"_id":709,"_type":31,"_source":32,"_file":710,"_stem":711,"_extension":35},"/shared/en-us/the-source/gated-assets/source-lp-how-to-get-started-using-ai-in-software-development",{"id":441,"formId":674},"How to get started using AI in software development","Learn how to strategically implement AI to boost efficiency, security, and reduce context switching. Empower every member of your team with AI capabilities.",{"text":705,"config":706},"Download the guide",{"href":707,"dataGaName":708,"dataGaLocation":682},"https://about.gitlab.com/the-source/ai/getting-started-with-ai-in-software-development-a-guide-for-leaders/","How to Get Started Using AI in Software Development","content:shared:en-us:the-source:gated-assets:source-lp-how-to-get-started-using-ai-in-software-development.yml","shared/en-us/the-source/gated-assets/source-lp-how-to-get-started-using-ai-in-software-development.yml","shared/en-us/the-source/gated-assets/source-lp-how-to-get-started-using-ai-in-software-development",[713,724,743],{"_path":523,"_dir":20,"_draft":6,"_partial":6,"_locale":7,"slug":524,"type":386,"category":20,"config":714,"seo":715,"content":716,"_id":555,"_type":31,"title":7,"_source":32,"_file":556,"_stem":557,"_extension":35},{"layout":9,"template":388,"featured":331,"articleType":389,"author":526,"gatedAsset":441},{"title":528,"description":529,"ogImage":530},{"title":528,"description":529,"date":532,"timeToRead":533,"keyTakeaways":717,"articleBody":538,"faq":718,"heroImage":530},[535,536,537],[719,720,721,722,723],{"header":541,"content":542},{"header":544,"content":545},{"header":547,"content":548},{"header":550,"content":551},{"header":553,"content":554},{"_path":725,"_dir":20,"_draft":6,"_partial":6,"_locale":7,"slug":726,"type":386,"category":20,"config":727,"seo":729,"content":733,"_id":740,"_type":31,"title":7,"_source":32,"_file":741,"_stem":742,"_extension":35},"/en-us/the-source/ai/transform-automotive-embedded-development-with-ai","transform-automotive-embedded-development-with-ai",{"layout":9,"template":388,"featured":6,"articleType":653,"gatedAsset":728},"pf-transform-automotive-embedded-development-with-ai",{"description":730,"ogTitle":731,"title":731,"ogDescription":730,"ogImage":732,"noIndex":6},"Discover 10 AI use cases that accelerate automotive embedded development cycles, from ECU code generation to HIL testing and security optimization.","Transform automotive embedded development with AI","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751463713/gelqfjmbdqaschyh5ban.png",{"title":731,"description":730,"heroImage":732,"keyTakeaways":734,"articleBody":738,"date":739},[735,736,737],"AI-powered code generation and automated testing reduce manual effort while maintaining quality standards for safety-critical automotive systems.","Automated vulnerability detection and resolution help embedded systems meet functional safety and cybersecurity regulations faster.","AI systems provide root cause analysis for failed tests and optimize resource utilization in constrained embedded environments.","The automotive industry stands at a pivotal transformation point. By 2035, every vehicle will be software-defined and AI-powered, and the average car is expected to contain 650 million lines of code by the end of 2025. The shift toward electric vehicles and software-defined vehicles demands a fundamental change in how original equipment manufacturers (OEMs) approach embedded development.\n\nToday's vehicles are essentially computers on wheels, packed with sophisticated embedded systems that control everything from infotainment to critical safety systems. The complexity of modern automotive embedded systems requires new approaches to development, testing, and deployment that can keep pace with fierce market competition.\n\nArtificial intelligence (AI) is emerging as the key accelerator for embedded development teams. Recent industry data shows that 66% of development teams in the automotive industry already use AI in their software development lifecycle — the highest adoption rate among all industries surveyed. This technology is revolutionizing how teams approach fundamental challenges in the development of autonomous and connected vehicles.\n\nAI transforms traditional embedded development workflows across multiple dimensions. Code generation capabilities help developers write firmware for electronic control units (ECUs) in C/C++ more efficiently, reducing the time spent on boilerplate code while maintaining consistency across complex automotive systems. These AI systems understand the context of existing codebases and can suggest relevant implementations for standard functions.\n\nTesting and validation represent another critical area where AI delivers substantial value. AI can automatically generate comprehensive unit tests for ECU functions, covering edge cases that human developers might miss. This capability proves essential for safety systems where thorough testing is mandatory for regulatory compliance.\n\nSecurity remains paramount in modern vehicle development. AI-powered vulnerability analysis helps embedded developers understand and resolve security issues detected in their code. These systems can explain potential risks in clear terms and suggest appropriate remediation strategies optimized for resource-constrained microcontrollers.\n\nHardware-in-the-loop (HIL) testing, crucial for validating autonomous driving systems, benefits significantly from AI-driven root cause analysis. When HIL tests fail, AI can parse extensive log files and identify error patterns, dramatically reducing debugging time and accelerating the overall testing cycle.\n\nLegacy code management poses ongoing challenges as teams transition between ECU generations. AI-powered code explanation capabilities help developers understand older codebases, reducing the risk of breaking critical pathways during migration. This proves especially valuable when documentation is incomplete or outdated.\n\nResource optimization for severely constrained environments also becomes more manageable with AI assistance. These systems can identify memory leaks, inefficient algorithms, and CPU-intensive operations that need optimization, ensuring firmware meets strict resource requirements while maintaining real-time performance.\n\nFinally, visual interface development for infotainment systems using frameworks like Qt/QML benefits from AI-enhanced code reviews that catch issues early in development. This prevents costly delays and integration problems that often occur late in the development process.\n\nThe future of automotive embedded development belongs to organizations that successfully integrate AI throughout their development lifecycle. As technology complexity grows, AI becomes not just an advantage but a necessity for maintaining competitive position in the rapidly evolving automotive market.\n\nDownload the complete guide to explore all 10 AI use cases and discover how to implement these transformative solutions in your embedded development workflow.","2025-07-03","content:en-us:the-source:ai:transform-automotive-embedded-development-with-ai:index.yml","en-us/the-source/ai/transform-automotive-embedded-development-with-ai/index.yml","en-us/the-source/ai/transform-automotive-embedded-development-with-ai/index",{"_path":744,"_dir":20,"_draft":6,"_partial":6,"_locale":7,"config":745,"seo":747,"content":752,"type":386,"slug":776,"category":20,"_id":777,"_type":31,"title":7,"_source":32,"_file":778,"_stem":779,"_extension":35},"/en-us/the-source/ai/from-vibe-coding-to-agentic-ai-a-roadmap-for-technical-leaders",{"layout":9,"template":388,"articleType":389,"author":746,"featured":331,"gatedAsset":443},"emilio-salvador",{"title":748,"description":749,"ogImage":750,"config":751},"From vibe coding to agentic AI: A roadmap for technical leaders","Discover how to implement vibe coding and agentic AI in your development process to increase productivity while maintaining code quality and security.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751463655/i6g9scccza0l35n6i1bf.png",{"ignoreTitleCharLimit":331},{"title":748,"date":753,"description":749,"timeToRead":754,"heroImage":750,"keyTakeaways":755,"articleBody":759,"faq":760},"2025-06-12","5 min read",[756,757,758],"AI-assisted development is transforming software creation, enabling teams to focus on business logic and user experience rather than syntax details, but requires proper governance to ensure quality.","Organizations should adopt an evolutionary approach to AI implementation — starting with basic assistance, then expanding across the development lifecycle, establishing governance frameworks, and gradually introducing autonomous agents.","The engineering landscape is shifting as AI handles routine coding tasks, creating demand for new specialized roles and requiring developers to focus on strategic thinking, architecture design, and effective AI collaboration.","A new wave of generative artificial intelligence (AI) tools is redefining how we build software and who can participate in the process. At the forefront of this revolution is \"vibe coding\" - using natural language prompts to generate functional code without having to fully understand how the code works.\n\n[According to GitLab research](https://about.gitlab.com/developer-survey/), 78% of teams have already integrated AI-assisted coding tools into software development workflows, and AI is demonstrating measurable efficiency improvements. Vibe coding lowers the barriers to entry for development. However, when software engineers use AI-generated code without critical evaluation or deep comprehension, that might also lead to lower quality and increased security vulnerabilities.\n\nTraditional development approaches rely heavily on specific programming languages and syntax rules. Vibe coding lowers the need to fully comprehend the nuances of every language and development pattern, but it does not eliminate that need. This tension between accessibility and quality reflects a broader transformation in software creation.\n\nAI is fundamentally shifting what development means. Team members can focus on desired outcomes rather than implementation details. Logic, business requirements, and user experience precede syntax correctness and language expertise. Organizations increasingly value professionals who can effectively bridge product vision with technical execution - often without writing traditional code.\n\nWhile vibe coding offers tremendous potential to accelerate development and democratize software creation, it must be implemented thoughtfully with proper governance to ensure that speed doesn't come at the expense of quality and maintainability.\n\n## Agentic AI and vibe coding\nVibe coding is about getting something to appear to work quickly rather than building a robust, efficient, and maintainable solution based on solid knowledge. This is where [agentic AI](https://about.gitlab.com/the-source/ai/agentic-ai-unlocking-developer-potential-at-scale/) can help. Agents can take abstract instructions like \"build a customer database\" and autonomously handle all the technical implementation details, bridging the gap between quick prototypes and properly engineered solutions.\n\nWhile vibe coding primarily focuses on code generation through natural language prompts, agentic AI expands these capabilities into an autonomous development ecosystem. Vibe coding involves a human developer using AI without requiring deep understanding, while agentic AI takes on a more proactive, autonomous role in building software based on a given goal.\n\nThe two approaches complement each other perfectly: vibe coding provides a solid foundation for human-AI interaction through natural language, while agentic systems build upon this foundation to create self-directed development partners that handle complex tasks by making independent decisions and taking action with minimal supervision.\n\nAgentic AI systems enhance vibe coding by integrating deeply into development workflows, conducting sophisticated code reviews, recommending infrastructure optimizations, and adapting to changing requirements. [Industry research from Deloitte](https://www2.deloitte.com/us/en/insights/industry/technology/technology-media-and-telecom-predictions/2025/autonomous-generative-ai-agents-still-under-development.html) indicates that 25% of companies using generative AI will implement agentic AI pilots in 2025, which is expected to double by 2027.\n\nSuccessfully implementing vibe coding and agentic AI together requires careful planning. Organizations must establish robust security protocols, ensure regulatory compliance, and create clear communication channels between AI systems and existing tools. Despite these challenges, the combined power of vibe coding and agentic AI delivers significant benefits in development speed, code quality, and resource optimization.\n\n## Implementation strategy for teams and leadership: An evolutionary approach\nDevelopment teams and technical leaders can follow this evolutionary path to effectively implement vibe coding and agentic AI:\n1. **Begin with AI assistance**: Introduce developers to AI tools that improve productivity for routine tasks. Focus on building familiarity, comfort, and confidence with AI assistance for coding, documentation, and simple problem-solving.\n1. **Expand AI assistance across the software development lifecycle**: Move beyond code generation tools to integrate AI into testing, debugging, code review, and documentation. Identify repetitive, time-intensive workflows where AI can create immediate value with minimal disruption.\n1. **Establish governance frameworks & interoperability standards**: Create clear policies for AI tool usage, including data access permissions, security protocols, and quality standards for AI-generated code. Define protocols for how AI systems will share information and collaborate across platforms, as well as the level of human input required when using AI tools.\n1. **Introduce autonomous AI agents for specific tasks**: Deploy agents to handle self-contained development tasks with a degree of autonomy. These agents take abstract goals like \"optimize this database query\" and handle the implementation details independently while maintaining code quality.\n1. **Scale agent implementation across the organization**: Expand the scope of tasks handled by agents and introduce multiple agents working together on complex projects. Integrate agents deeply into the end-to-end software development lifecycle and redesign team structures to create cross-functional groups combining technical expertise and domain knowledge.\n1. **Continuously improve through feedback and education**: Implement systems to monitor agent performance with clear metrics and correction protocols. Invest in organization-wide AI literacy through training programs for prompt engineering, AI collaboration techniques, and effective system oversight.\n\nThis evolutionary approach ensures technical implementation and organizational leadership progress together in the AI transformation journey, maximizing the benefits of vibe coding while building robust, efficient solutions.\n\n## The changing developer landscape\nThe engineering role is evolving as vibe coding and [agentic AI](https://about.gitlab.com/the-source/ai/emerging-agentic-ai-trends-reshaping-software-development/) handle more of the heavy lifting in software development. Less experienced developers face a steeper learning curve with fewer straightforward tasks available for initial skill-building. Simultaneously, senior engineers must adapt as AI takes over more complex tasks and traditional oversight responsibilities.\n\nBeyond the changing dynamics for existing roles, we’re seeing the emergence of entirely new positions like prompt engineers who guide and refine AI outputs. The most valuable engineering skills have shifted toward architecture design, strategic thinking, and effective AI collaboration.\n\nWhile this disruption creates uncertainty for some traditional roles and compensation models, it also opens doors for those who position themselves at the intersection of human creativity and machine efficiency. The most successful engineers will be those who strategically delegate routine work to AI while applying their uniquely human expertise to innovation and complex problem-solving.\n\nFor technical leaders, the strategic implications are clear: organizations that embrace vibe coding and agentic AI gain decisive competitive advantages through accelerated development cycles, improved code quality, and more efficient resource allocation. However, organizations will need to adopt AI responsibly, with governance frameworks to ensure that efficiency doesn’t come at the expense of security. Those who fail to do so may find themselves multiple innovation cycles behind in an increasingly AI-powered development landscape.",[761,764,767,770,773],{"header":762,"content":763},"What is vibe coding and how does it change the development process?","Vibe coding refers to the use of natural language prompts to generate functional code without needing deep knowledge of programming syntax. It shifts the focus from how code is written to what it achieves, allowing developers to prioritize business logic and user experience.",{"header":765,"content":766},"How does agentic AI complement vibe coding?","While vibe coding enables quick code generation, agentic AI takes it further by autonomously executing tasks based on goals. It bridges the gap between rapid prototyping and robust implementation, acting as a self-directed development partner that enhances productivity and quality.",{"header":768,"content":769},"What are the first steps organizations should take to implement AI in development workflows?","Start with AI-assisted tools that handle routine tasks like documentation, test creation, and debugging. As teams grow more confident, expand AI's role across the development lifecycle and introduce governance policies to manage its use responsibly.",{"header":771,"content":772},"How does the rise of AI change the skills developers need?","AI is reshaping engineering roles. Developers now need stronger architectural thinking, system design, and AI collaboration skills. Routine coding tasks are increasingly delegated to AI, so human expertise will focus more on oversight, creativity, and strategic problem-solving.",{"header":774,"content":775},"What are the risks of using AI without governance in software development?","Without governance, AI-generated code may introduce security vulnerabilities, lack maintainability, or violate compliance standards. Organizations must establish security protocols, clear usage policies, and quality checks to ensure responsible AI adoption.","from-vibe-coding-to-agentic-ai-a-roadmap-for-technical-leaders","content:en-us:the-source:ai:from-vibe-coding-to-agentic-ai-a-roadmap-for-technical-leaders:index.yml","en-us/the-source/ai/from-vibe-coding-to-agentic-ai-a-roadmap-for-technical-leaders/index.yml","en-us/the-source/ai/from-vibe-coding-to-agentic-ai-a-roadmap-for-technical-leaders/index",[781,800,838],{"_path":782,"_dir":24,"_draft":6,"_partial":6,"_locale":7,"config":783,"seo":785,"content":789,"type":386,"slug":796,"category":24,"_id":797,"_type":31,"title":7,"_source":32,"_file":798,"_stem":799,"_extension":35},"/en-us/the-source/security/the-key-to-innovation-and-compliance-in-financial-services",{"layout":9,"template":388,"articleType":653,"featured":6,"gatedAsset":784},"pf-the-key-to-innovation-and-compliance-in-financial-services",{"title":786,"description":787,"ogImage":788},"The key to innovation and compliance in financial services","Discover how financial services organizations can accelerate innovation while staying on top of complex regulatory requirements.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751463848/fap7fcimrxis5lyfnizg.png",{"title":786,"date":790,"description":787,"heroImage":788,"keyTakeaways":791,"articleBody":795},"2025-05-20",[792,793,794],"Modern financial services firms face a critical challenge: balancing innovation against complex compliance requirements and regulatory frameworks. A comprehensiveDevSecOps approach transforms this traditional trade-off into a competitive advantage.","Financial institutions with fragmented toolchains experience significant friction points where each tool boundary introduces potential compliance gaps and security vulnerabilities — ultimately increasing compliance risks and exposure to hefty fines.","Organizations embracing unified software delivery platforms report 50-70% faster time-to-delivery, dramatically reduced operational disruptions, stronger compliance posture, and enhanced protection against cyber threats and financial crimes.","Decision-makers in financial services organizations face mounting pressure from multiple directions. Client expectations for digital innovation continue to rise while financial regulators simultaneously impose increasingly stringent compliance requirements.\n\nMany institutions have unwittingly positioned themselves on a seesaw where improving one side necessarily diminishes the other. When innovation accelerates, compliance struggles to keep pace - and when compliance processes tighten, development velocity slows.\n\nThis perceived incompatibility is not an inherent truth but rather a symptom of fragmented technology architecture.\n\n## The high cost of fragmentation\nMost established financial institutions - from investment banks to insurance companies and credit unions - operate with sprawling software delivery stacks cobbled together from disparate tools. This patchwork approach creates significant vulnerabilities across the organization:\n- Each tool boundary represents a potential security vulnerability and compliance gap\n- Disjointed workflows frequently result in compliance breaches\n- Limited visibility across teams hampers ongoing compliance efforts\n- Increased complexity drives higher costs for maintaining regulatory compliance\n- Fragmented systems significantly increase exposure to financial losses and reputational damage\n\nWith the exponential rise in cyberattacks targeting the financial industry - 3,348 cyber incidents were reported worldwide in 2023, up from 1,829 the previous year - maintaining this fragmented approach is increasingly risky.\n\n## The DevSecOps transformation advantage\nForward-thinking organizations are discovering that DevSecOps isn't merely a technical methodology - it's a strategic business transformation that fundamentally changes how financial services organizations adhere to regulatory requirements  and prepare for audits.\n\nBy building security and compliance directly into the development process rather than treating them as reactive, separate functions, modern platforms transform what was once a painful trade-off into a competitive advantage:\n- Automated vulnerability detection in real time as developers write code\n- Continuous monitoring and compliance verification against regulatory standards\n- Comprehensive audit trails satisfying regulatory audit requirements\n- Pre-configured compliance templates tailored to financial services industry needs\n- Granular access control maintaining separation of duties while enabling collaboration\n- Version control and advanced workflow controls ensuring proper approval processes\n- Real-time metrics on development velocity, security posture, and compliance risks\n\n## Proven results from industry leaders\nFinancial institutions implementing unified DevSecOps approaches consistently report transformative business outcomes:\n- 50-70% reduction in time-to-delivery of new solutions\n- Dramatic simplification of toolchain complexity\n- Enhanced protection against cyber risks and financial crimes\n- Significant reductions in operational costs\n- Improved ability to attract and retain top technical talent\n- Better compliance posture with fewer security incidents and higher compliance scores\n\n## Seize the opportunity\nThe future of financial services technology is one where institutions no longer need to make painful choices between speed, security, and innovation. By evolving to a unified platform approach, your organization can deliver on all three objectives simultaneously while reducing risk, improving operational efficiency, and building a more agile foundation for future growth.\n\nDownload our comprehensive guide to discover how your organization can implement this transformative approach, with detailed implementation frameworks, critical success factors, and real-world case studies from leading financial services companies who have successfully navigated this journey.","the-key-to-innovation-and-compliance-in-financial-services","content:en-us:the-source:security:the-key-to-innovation-and-compliance-in-financial-services:index.yml","en-us/the-source/security/the-key-to-innovation-and-compliance-in-financial-services/index.yml","en-us/the-source/security/the-key-to-innovation-and-compliance-in-financial-services/index",{"_path":801,"_dir":24,"_draft":6,"_partial":6,"_locale":7,"config":802,"seo":804,"content":808,"type":386,"slug":834,"category":24,"_id":835,"_type":31,"title":7,"_source":32,"_file":836,"_stem":837,"_extension":35},"/en-us/the-source/security/compliance-at-the-speed-of-ai-reimagining-grc",{"layout":9,"template":388,"articleType":389,"author":803,"featured":331,"gatedAsset":463},"ayoub-fandi",{"title":805,"description":806,"ogImage":807},"Compliance at the speed of AI: Reimagining GRC","Is your governance, risk, and compliance strategy keeping pace with AI-accelerated development? Learn how to prepare for secure software delivery at scale.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751463857/sb6to0pyohg2ubpxf3ex.png",{"title":805,"date":809,"description":806,"timeToRead":398,"heroImage":807,"keyTakeaways":810,"articleBody":814,"faq":815},"2025-05-14",[811,812,813],"Traditional GRC approaches fail in modern development environments because they operate on quarterly/annual cycles while DevSecOps teams deploy code multiple times daily, creating a fundamental timing mismatch and compliance that exists only on paper.","Successful GRC modernization requires shifting from a project to a product mindset, building continuous compliance into development pipelines, and automating evidence collection as a byproduct of normal development activities.","Organizations must create unified information flows between security functions, replace manual processes with API-driven automation, and redefine metrics to focus on risk reduction rather than compliance artifacts.","The software release calendar has been replaced by a continuous flow of updates and innovations. Yet many organizations still approach compliance like it's 2010.\n\nThe adoption of DevOps practices fundamentally changed the game, compressing release cycles from months to days or even hours. Organizations that once celebrated quarterly releases now deploy to production dozens or hundreds of times daily. This acceleration has delivered enormous business value - faster time to market, quicker feedback loops, and increased competitive advantage.\n\nNow add AI-powered development tools to the mix. Large language models, AI coding assistants, and [AI agents](https://about.gitlab.com/the-source/ai/agentic-ai-unlocking-developer-potential-at-scale/) have become sophisticated enough to generate substantial amounts of functional code with minimal human input.\n\nHowever, this creates a significant challenge for governance, risk, and compliance (GRC) teams, who are often still using approaches designed for a world where releases occur quarterly, rather than hourly. Traditional GRC approaches simply weren't designed for this velocity and scale - it’s like trying to monitor and track every car on every highway in the world with a pen and paper.\n\n## Why traditional GRC falls short\nThe fundamental mismatch between modern development and traditional GRC starts with timing. While DevSecOps teams operate continuously, traditional GRC functions typically operate on quarterly or annual cycles. Annual penetration tests, quarterly compliance control testing, and monthly risk assessments simply can't keep pace with environments that change hourly. By the time a traditional security assessment is complete, the system being evaluated may have undergone dozens of changes.\n\nThe gap between automated infrastructure and manual compliance processes compounds this timing mismatch. Cloud-native applications automatically scale resources up and down in response to demand. Infrastructure-as-code templates can spin up and tear down entire environments with a single command. Meanwhile, compliance verification still relies heavily on manual evidence collection and human review. GRC teams can spend days taking screenshots of configurations that were automatically changed minutes after they documented them.\n\nThe result is security compliance that exists largely on paper but bears little resemblance to operational reality. When your integrated DevSecOps platform supports hundreds of deployments daily, yet your GRC team still manually collects screenshots every quarter for audit purposes, you have a fundamental disconnect. Risk registers become outdated almost immediately. Compliance certifications verify controls that may no longer exist in the form originally documented. And security policies address threats to systems that have since been redesigned or replaced entirely.\n\n## Transforming GRC for modern DevSecOps\nI’ve seen this tension unfold in countless organizations. Here are a few steps you can take now to help GRC keep up:\n\n### Think about GRC as a product, not a project\nThe first step in transforming GRC for modern DevSecOps environments requires a fundamental shift in thinking. Traditional GRC operates as a project - a recurring set of activities with a defined beginning and end. Modern GRC needs to function as a product - a continuously evolving set of capabilities that deliver ongoing value.\n\nThis product mindset transforms how we approach compliance and security. Instead of preparing for an annual SOC 2 audit by scrambling to collect evidence in the weeks before the auditor arrives, think about building continuous compliance directly into your development pipeline. Instead of quarterly risk management assessments, aim for real-time visibility. And look for ways to embed governance in daily operations, with version-controlled policies managed like code using Markdown.\n\nWithin [a unified DevSecOps platform](https://about.gitlab.com/platform/), this product-based approach happens naturally. Security scans become part of the merge request process. Compliance requirements transform into pipeline rules that run with every commit. And audit evidence is automatically collected as a byproduct of normal development activities. The result? The focus shifts from \"passing the audit\" to \"[building securely by default](https://about.gitlab.com/the-source/security/strengthen-your-cybersecurity-strategy-with-secure-by-design/).\"\n\n### Create unified, automated information flows\nYou’ll also need to rethink both the architecture of your GRC program and the engineering approach behind it. Begin by establishing unified information flows among security, risk, and compliance functions. A vulnerability found in a security scan should automatically update your risk register and compliance status without manual intervention. This unified data model ensures everyone works from a single source of truth, breaking down siloes between security and development teams.\n\nThe next step is to replace manual evidence collection with API-driven automation. Instead of taking screenshots of access control settings, implement API calls that query your identity provider and generate access reports automatically. Rather than manually reviewing infrastructure settings, pull configuration data directly from your cloud providers. Every security setting that requires verification should be accessible programmatically.\n\nPerhaps most importantly, leverage the same pipeline-based approach for security that you use for code validation. [Integrated CI/CD pipelines](https://about.gitlab.com/blog/2025/01/06/ultimate-guide-to-ci-cd-fundamentals-to-advanced-implementation/) allow you to define security and compliance requirements as code, running automated validation with every change. This infrastructure-as-code approach ensures that security controls are implemented consistently and verified continuously, eliminating the gap between documented controls and operational reality.\n\n### Connect GRC to business value\nThe practical implementation of these changes doesn't happen overnight, but organizations can follow a clear path to transform their GRC approach.\n\nFirst, bridge the cultural and language gap between GRC and engineering teams. Security professionals need to understand how developers work, while engineers need to appreciate security requirements. This mutual understanding creates the foundation for effective collaboration. Create joint working sessions where compliance teams learn basic Git workflows while developers understand compliance requirements in concrete terms.\n\nNext, redefine success metrics to focus on risk reduction rather than compliance artifacts. Instead of tracking the number of policies documented or controls tested, measure actual security outcomes: vulnerability remediation times, security issues found in production versus development, and the number of compliance exceptions. These outcome-based metrics drive real improvements in security posture.\n\nThis transforms GRC from a necessary evil to a business enabler. When [security and compliance are built into development workflows](https://about.gitlab.com/the-source/security/beyond-shift-left-engineering-supply-chain-safety-at-scale/), they stop being roadblocks and become competitive advantages. Organizations with integrated security can ship faster and with greater confidence than those with traditional bolted-on approaches.\n\nThis transformation becomes even more powerful within a unified platform. End-to-end visibility across the entire software development lifecycle creates unmatched transparency into security status. The same controls that verify code quality can enforce security requirements, creating a seamless experience for developers while maintaining strong governance for security teams.\n\n## Security as an enabler, not a bottleneck\nAs AI-accelerated development transforms software development, GRC must evolve from a checkpoint process to an integral part of the development workflow. Organizations can maintain strong governance without sacrificing speed by adopting a product mindset, reimagining GRC architecture, and implementing engineering solutions that match the pace of modern development. The future of GRC isn't about slowing down development - it's about building security and compliance into every step of the process, enabling teams to move faster with greater confidence.",[816,819,822,825,828,831],{"header":817,"content":818},"Why do traditional GRC models struggle in modern software environments?","Traditional GRC models operate on quarterly or annual cycles, but DevSecOps teams now deploy code multiple times a day. This timing mismatch means compliance efforts often lag behind actual development changes, making them ineffective in dynamic environments.",{"header":820,"content":821},"What does it mean to treat GRC as a product instead of a project?","Viewing GRC as a product means continuously evolving and embedding compliance into daily workflows, rather than treating it as a periodic event. It’s about creating always-on capabilities like automated evidence collection and policy enforcement through code.",{"header":823,"content":824},"How can automation improve governance and compliance?","Automation reduces the reliance on manual reviews and paperwork by using API calls and pipeline integrations to validate security settings and collect audit data. This makes compliance scalable, real-time, and aligned with the pace of software delivery.",{"header":826,"content":827},"What tools or strategies support continuous compliance?","Unified DevSecOps platforms with integrated CI/CD pipelines support continuous compliance. They allow you to define security policies as code, apply them automatically with every change, and log evidence of compliance as part of normal workflows.",{"header":829,"content":830},"How should success be measured in modern GRC programs?","Instead of counting controls or documented policies, success should be measured through real-world outcomes like faster vulnerability remediation, fewer security exceptions, and better security hygiene from development to production.",{"header":832,"content":833},"How can AI development practices coexist with compliance requirements?","By embedding guardrails and governance into the software pipeline, AI-powered development can align with compliance needs. Structured policies, automated validation, and continuous monitoring ensure security isn’t compromised while enabling fast iteration.","compliance-at-the-speed-of-ai-reimagining-grc","content:en-us:the-source:security:compliance-at-the-speed-of-ai-reimagining-grc:index.yml","en-us/the-source/security/compliance-at-the-speed-of-ai-reimagining-grc/index.yml","en-us/the-source/security/compliance-at-the-speed-of-ai-reimagining-grc/index",{"_path":839,"_dir":24,"_draft":6,"_partial":6,"_locale":7,"config":840,"seo":842,"content":846,"type":386,"slug":872,"category":24,"_id":873,"_type":31,"title":7,"_source":32,"_file":874,"_stem":875,"_extension":35},"/en-us/the-source/security/embedding-risk-intelligence-into-your-software-supply-chain",{"layout":9,"template":388,"articleType":389,"author":841,"featured":331,"gatedAsset":463},"lee-faus",{"title":843,"description":844,"ogImage":845},"Embedding risk intelligence into your software supply chain","Transform your security strategy by embedding risk assessment into development workflows instead of treating it as a final checkpoint.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751463994/rexeefvqpj1xs8vq7ugl.jpg",{"title":843,"date":847,"description":844,"timeToRead":754,"heroImage":845,"keyTakeaways":848,"articleBody":852,"faq":853},"2025-04-22",[849,850,851],"Focus on business impact instead of vulnerability counts by targeting security threats that pose actual danger to your business rather than trying to fix every potential issue.","Embed risk checks throughout development by adding quality metrics and automated testing early in your software pipeline to catch issues when they’re easier to fix.","Create audit trails for security decisions through “breadcrumbed” processes that document who approved changes and why, creating accountability and improving future decisions.","It’s a nightmare scenario for any business: Hackers have exposed the personal information of millions of your users. What if this wasn’t due to critical vulnerabilities in your application but simply poorly configured API endpoints that hackers could abuse to farm user data? That’s precisely what happened to a popular tech company in 2023, and it’s more common than you might think.\n\nSecurity resources are finite, and [not all threats pose equal business risk](https://about.gitlab.com/the-source/security/security-its-more-than-culture-addressing-the-root-cause-of-common-security/). Organizations that are laser-focused on technical severity ratings rather than actual business impact could be leaving themselves open to unanticipated risks.\n\nMeanwhile, the urgency for better risk quantification has never been greater. Threat actors can now leverage multiple AI systems to execute sophisticated, multi-pronged attacks targeting exploitable vulnerabilities. These AI-accelerated campaigns can quickly identify and exploit business-critical weaknesses that traditional security approaches might overlook or deprioritize - turning yesterday's “medium-risk” vulnerability into today’s multimillion-dollar breach.\n\nTo counter these evolving threats and navigate this growing complexity, leading organizations are fundamentally reimagining their approach. Instead of treating security as a separate function that happens after development, they’re embedding **risk intelligence** throughout their software supply chain. This approach allows them to focus resources where they matter most, reduce time-to-market for secure products, and demonstrate due diligence to regulators and customers.\n\nThe key is distinguishing between vulnerabilities that might cause harm and those that will cause damage in your specific business context. Companies can achieve stronger security and faster innovation by rethinking how risk is evaluated and managed across development and operations.\n\n## Limiting risk through data-driven change management\n**Risk intelligence helps you focus on threats that matter. It’s the difference between knowing you have 3,000 vulnerabilities and understanding which 50 could harm your business.**\n\nKey elements of risk intelligence include:\n\n**Exploitability assessment (reachability)**: Not all vulnerabilities can be weaponized. Risk intelligence evaluates which security findings have actual attack paths versus those that exist in code but cannot be reached by malicious actors.\n\n**Dependency context**: Risk-based security recognizes that a vulnerable package doesn’t just affect one application - it can impact dozens or hundreds across your organization. Modern approaches map dependencies across projects, enabling teams to understand the cascading impact of vulnerabilities throughout the organization. This ecosystem view provides critical context for prioritization decisions.\n\n**Continuous risk monitoring**: Instead of point-in-time assessments, risk intelligence requires ongoing monitoring that adjusts as threat landscapes evolve. A vulnerability that was low risk yesterday may become critical today based on emerging exploit techniques.\n\nSo how can you move from reactive security scanning to proactive risk intelligence? The journey begins where your software does - in the software factory itself.\n\n## The software factory: Quality gates and risk signals\nThe software factory is where code transforms from an idea to a deployable package. This phase encompasses everything from initial code commits to unit testing to packaging, creating the foundation for your entire software supply chain. By adding risk checks early, teams can find and fix issues before they spread. Just as critical is establishing clear attribution for every code change, knowing exactly who made each change (contractor, consultant, or employee), why, and when - creating an audit trail providing crucial risk assessment context.\n\nThe software factory offers three key opportunities to embed risk assessment into your development process:\n\n### Collaboration through quality intelligence\nEstablishing cross-functional quality metrics can help organizations create a shared understanding of risk across teams. Potential metrics include code coverage trends, security vulnerability density, technical debt accumulation, performance regression patterns, API compatibility scores, and documentation completeness.\n\n### Transparency through correlated data\nRisk intelligence requires connecting disparate data points into a comprehensive view. Quality intelligence dashboards with real-time metrics and trend visualization help teams spot emerging risk patterns, while documentation traceability creates auditable trails linking requirements, changes, and security findings. Automated data collection enables cross-system correlation between code changes and security findings, with pattern recognition algorithms identifying unusual behaviors that manual review might miss. This democratized intelligence empowers all stakeholders to make risk-informed decisions instead of siloing information within security teams.\n\n### Automation for quality assurance\nManual risk assessment can’t scale to modern development speeds. Continuous testing pipelines with automated security scans and performance tests provide early feedback on potential risks without slowing velocity. Automated quality gates enforce minimum standards throughout development, and risk threshold monitoring flags concerning trends before they become critical. These automated guardrails maintain consistent risk assessment while allowing development teams to maintain productivity and improve safety without sacrificing speed.\n\n## Software logistics: Risk management through team-based scorecards\nAfter code is packaged, it enters the logistics phase - provisioning, deployment, configuration, monitoring, and maintenance. Here, potential bugs meet real-world exposure. This makes assessing risk in actual operating conditions vital. However, traditional approaches to risk assessment at this stage are often inflexible and inefficient.\n\n> [Learn how effective software logistics can enable operations teams to efficiently support developers and accelerate delivery](https://about.gitlab.com/the-source/platform/why-software-logistics-is-key-to-accelerating-innovation/).\n\nEffective risk intelligence means helping teams focus on why they should deploy instead of why they shouldn’t - replacing the binary, inflexible assessment methods of the past with an automated, metrics-driven approach. Here are three critical aspects to keep in mind:\n\n### Collaborative assessment model\nModern risk approaches replace binary go/no-go decisions with multi-stakeholder evaluations, sometimes called a Change Advisory Board (CAB), incorporating diverse perspectives. Security teams evaluate vulnerability context and exploitability, operations teams assess deployment impact and rollback capabilities, and business stakeholders weigh customer impact against needs. This team-based approach builds consensus around acceptable risk rather than imposing rigid standards, allowing for nuanced decisions that balance security with business objectives.\n\n### Scorecard transparency\nEffective risk evaluation requires visible criteria that consider multiple dimensions of impact. Comprehensive scorecards include security risk factors that assess severity and real-world exploitability, operational metrics that evaluate system stability implications, compliance requirements for relevant regulations, and business impact on customers and revenue. This transparent approach creates a holistic risk profile that provides the context necessary for informed deployment decisions while ensuring all stakeholders understand the basis for security choices.\n\n### Automated scorecard processing\nManual risk assessment creates bottlenecks that slow deployment cycles. Modern approaches use real-time processing with automated score calculation and threshold monitoring to evaluate changes continuously. Integration with CI/CD pipelines, security tools, and compliance systems ensures risk data flows automatically between systems without manual intervention. This automation maintains consistent evaluation standards while eliminating the delays typically associated with security reviews.\n\n## From vulnerability counts to business impact: The future of software security\nThe future of application security isn’t about finding more vulnerabilities - it’s about understanding the risk those vulnerabilities pose. By embedding risk intelligence throughout your software supply chain, you can drive team collaboration to help you create secure software faster.\n\nEstablishing this risk assessment process across both your software factory and logistics phases has an added benefit: You’ll create an auditable trail that documents who made security decisions, what evidence they considered, when changes were approved, and why specific actions were taken. This transparency provides accountability across the entire software supply chain, builds institutional memory of risk management approaches, and creates data to inform future decisions. The resulting traceability transforms security from a point-in-time assessment to an ongoing, verifiable process demonstrating due diligence to auditors, regulators, and customers.",[854,857,860,863,866,869],{"header":855,"content":856},"What is risk intelligence in software development?","Risk intelligence is the practice of evaluating security threats based on their real-world business impact rather than just technical severity. It helps teams focus on exploitable and high-priority vulnerabilities, streamlining security efforts.",{"header":858,"content":859},"How does embedding risk checks early improve software security?","Introducing risk assessments during early development phases allows teams to catch and resolve issues sooner, reducing costs and complexity. This shift from reactive to proactive security enhances both speed and safety.",{"header":861,"content":862},"Why should organizations move beyond vulnerability counts?","Counting vulnerabilities doesn't reflect the true risk landscape. Many may be unreachable or irrelevant. Prioritizing based on exploitability and business context ensures limited security resources are used effectively.",{"header":864,"content":865},"How do audit trails contribute to better risk management?","Audit trails document who made a change, why, and when. These records provide accountability, aid compliance, and offer valuable insight for improving future decision-making and demonstrating due diligence.",{"header":867,"content":868},"What role does automation play in risk intelligence?","Automation enables consistent, scalable risk evaluation across CI/CD pipelines. It helps enforce security standards, reduces manual bottlenecks, and ensures timely responses to emerging risks without slowing development.",{"header":870,"content":871},"What’s the benefit of team-based scorecards for deployment decisions?","Team-based scorecards bring together inputs from security, operations, and business teams. This collaborative model replaces rigid go/no-go decisions with nuanced assessments that balance innovation and acceptable risk.","embedding-risk-intelligence-into-your-software-supply-chain","content:en-us:the-source:security:embedding-risk-intelligence-into-your-software-supply-chain:index.yml","en-us/the-source/security/embedding-risk-intelligence-into-your-software-supply-chain/index.yml","en-us/the-source/security/embedding-risk-intelligence-into-your-software-supply-chain/index",{"categoryNames":877},{"ai":357,"platform":364,"security":98},1752683412601]