1 Why the Traditional Software Lifecycle Is Being Rewritten
The software development lifecycle has always evolved around its main constraint. Waterfall addressed the need for predictability. Agile reduced the cost of changing requirements. DevOps shortened the gap between development and production. Cloud platforms automated infrastructure provisioning and scaling.
Generative AI changes a different constraint: the effort required to convert an engineering intention into a technical artifact.
AI coding assistants can generate functions, tests, documentation, queries, configuration, and infrastructure definitions. Coding agents can inspect repositories, create implementation plans, modify files, execute tools, and prepare pull requests for review. Current GitHub documentation, for example, describes coding agents that can research a repository, plan a change, work on a branch, and return a reviewable diff.
This does not remove the need for an SDLC. It changes what the lifecycle must control. When code and other artifacts can be produced rapidly, the difficult work shifts toward defining the correct problem, supplying reliable context, constraining agent behavior, and proving that the result is safe and correct.
1.1 The Traditional Lifecycle and Its Original Assumptions
The traditional lifecycle was built around several reasonable assumptions.
First, implementation capacity was limited by the number and experience of developers. A developer had to understand the requirement, design an approach, write the code, debug it, and prepare it for review. Increasing output usually meant adding engineers, reducing scope, or extending the schedule.
Second, analysis, design, development, testing, and deployment were treated as distinct activities. Agile made these activities more iterative, but the underlying hand-offs remained. Product owners wrote stories, architects created designs, developers implemented them, and testers verified the result.
Third, producing supporting artifacts was expensive. Test cases, interface specifications, architecture decision records, release notes, runbooks, and user documentation often competed with implementation work for the same engineering time.
Fourth, software quality depended heavily on individual attention. Code review, threat modelling, performance analysis, and edge-case discovery required experienced people to inspect a manageable volume of change.
Finally, the lifecycle assumed that implementation was mostly deterministic. A developer wrote logic that behaved according to explicit rules. Given the same input and system state, the application was expected to produce the same result.
These assumptions shaped team structures, estimation methods, governance processes, and delivery metrics. They also created familiar problems: incomplete requirements, documentation drift, slow reviews, test bottlenecks, and late discovery of architectural or security issues.
1.2 Which Assumptions AI Has Changed
AI has changed the cost of producing an initial technical artifact.
A developer can describe a validation rule and receive a reasonable implementation, unit tests, and documentation within minutes. A lead can ask an assistant to compare two design options or identify likely failure conditions. An agent can trace a repository, locate relevant files, implement a bounded change, and run the available tests.
This affects more than coding speed.
Requirements can be analysed continuously rather than only during formal discovery. Test cases can be drafted before implementation. Documentation can be generated from code changes. Migration scripts can be reviewed against schemas. Incident data can be summarized while responders investigate the underlying problem.
But AI has not removed uncertainty. It generates outputs from patterns and supplied context; it does not independently know which business rule is authoritative, which undocumented constraint matters, or which trade-off the organization is willing to accept.
The result is an important distinction:
- Artifact generation becomes cheaper.
- Correctness does not become automatic.
- Reviewable output becomes more abundant.
- Engineering attention remains limited.
- Implementation can accelerate.
- Organizational decision-making may not.
AI also introduces probabilistic behavior into areas that were previously deterministic. Two model calls may produce different explanations or implementation suggestions. A response may be plausible but incomplete. And an agent may choose an unexpected sequence of tools even when its final objective is clear.
The lifecycle must therefore manage both conventional software risk and model-related uncertainty.
1.3 Why Faster Code Generation Does Not Automatically Mean Faster Delivery
Writing code is only one step in delivering a production capability.
Consider a requirement to add automated refund processing. An AI assistant may quickly generate an endpoint, domain model, database migration, and test scaffolding. The feature is still not ready until the team resolves questions such as:
- Which roles may request, approve, and cancel a refund?
- Do large refunds require finance approval?
- What happens when the payment provider times out?
- Can a request be retried safely?
- How are duplicate requests detected?
- Which fields must be recorded for audit?
- How are partial failures reconciled?
These are not syntax problems. They are business, architecture, security, and operational decisions.
AI can also produce changes faster than the team can review them. If agents create ten pull requests where developers previously created three, review capacity can become the limiting factor. Large volumes of generated tests may increase pipeline duration without increasing meaningful coverage. Additional abstractions may make code look sophisticated while reducing maintainability.
Local productivity can therefore improve without reducing end-to-end delivery time.
A better measure is not lines of code generated or suggestions accepted. It is the elapsed time from an approved need to a verified production outcome. That includes requirement clarification, architecture review, implementation, testing, security validation, deployment, and confirmation that the expected user or business result was achieved.
1.4 The New Engineering Bottleneck
The new bottleneck is reliable verification and decision-making.
Teams must determine whether an AI-generated artifact:
- Implements the intended requirement
- Fits the existing architecture
- Preserves security boundaries
- Handles relevant failure scenarios
- Meets performance and reliability expectations
- Can be operated and supported
- Avoids unnecessary complexity
- Remains understandable to future maintainers
This makes the surrounding engineering system more important than the model alone.
A team with strong models but weak automated tests, outdated documentation, slow builds, and unclear ownership will struggle. Agents will produce changes faster than the organization can safely absorb them.
A team with clear service boundaries, current standards, small work items, reproducible environments, reliable CI/CD, and strong telemetry can use the same models more effectively. The organization can quickly reject bad changes and confidently accept good ones.
Verification must also expand beyond conventional testing. For deterministic code, teams use unit, integration, contract, performance, and security tests. For AI-enabled behavior, they may also need evaluation datasets, quality thresholds, groundedness checks, tool-use validation, cost limits, and human escalation tests.
The engineering challenge is no longer generating enough output. It is creating a system that can evaluate more output without lowering the quality bar.
1.5 From Code Production to Engineering Judgment
The value of experienced engineers increasingly moves toward judgment.
A senior developer must decide whether generated code is merely functional or genuinely maintainable. A tech lead must decompose work so that agents make small, controlled changes. An architect must distinguish between areas where probabilistic behavior is useful and areas where deterministic controls are mandatory.
For example, an AI component may summarize a support case or recommend a classification. It should not independently bypass authorization, modify financial records, or approve a production deployment because its response appears confident.
The practical principle is:
AI may propose, prepare, and execute bounded work, but the engineering system must constrain and verify it.
This requires stronger requirements, smaller changes, better tests, clearer ownership, and explicit approval points. The engineer’s role does not disappear. It becomes more focused on deciding what should be built, what evidence is sufficient, and what risks are acceptable.
2 Foundations of the AI-Native Software Lifecycle
An AI-native lifecycle does not mean adding a chat interface to an existing development process. It means designing the delivery environment so that AI tools can participate safely in analysis, implementation, verification, and operations.
The foundation consists of five elements: clear agent roles, a controlled engineering harness, reliable context, governed tool access, and bounded autonomy.
2.1 AI Assistants, Coding Agents, and Autonomous Workflows
An AI assistant responds to a user request. It may explain code, generate a method, suggest a query, or draft a test. The developer decides whether and how to use the result.
A coding agent performs a sequence of actions toward a defined goal. It may inspect files, search the repository, create a plan, edit code, execute tests, and prepare a pull request.
An autonomous workflow connects agents to triggers, tools, policies, and approval gates. For example, a defect workflow might:
- Read a newly created issue.
- Retrieve related logs and deployment history.
- Identify the likely affected component.
- Propose a reproduction test.
- Create a draft fix.
- Run validation.
- Request human approval.
These models should not be treated as equivalent. Risk increases with authority.
A code suggestion that must be manually copied has limited direct impact. An agent with repository write access has more influence. An agent that can change cloud configuration, query customer data, or trigger deployment requires much stronger controls.
Anthropic’s engineering guidance distinguishes fixed workflows from agents that dynamically choose their actions and recommends starting with the simplest approach that meets the requirement.
Use an assistant when the task is narrow and interactive. Use a coding agent when the work requires repository exploration and multiple tool calls. Use an autonomous workflow only when the process, permissions, failure handling, and escalation path are clearly defined.
2.2 The AI Engineering Harness
The engineering harness is the controlled environment surrounding the model. It defines the task, provides context, exposes approved tools, limits execution, and verifies the output.
A practical harness includes:
- A structured task description
- Repository and documentation access
- Architecture and coding standards
- An isolated branch or workspace
- Build, test, lint, and security tools
- Network and filesystem restrictions
- Time, cost, and token limits
- Change-size limits
- Execution traces
- Human approval gates
A vague task produces unpredictable work:
Improve the order service.
A bounded task is easier to execute and verify:
Add idempotency handling to POST /orders.
Constraints:
- Use the existing Redis client.
- Read the key from the Idempotency-Key header.
- Retain successful results for 24 hours.
- Do not change the public response schema.
- Return HTTP 409 when the key is reused with a different payload.
- Add unit and integration tests.
- Do not modify deployment configuration.
The second request defines scope, design constraints, expected behavior, and forbidden changes.
The harness should apply the same or stronger controls used for human-written code. Generated changes must pass compilation, tests, static analysis, dependency checks, secret scanning, policy validation, and human review.
The model proposes the implementation. The harness determines whether the proposal is acceptable.
2.3 Context Engineering and Organizational Knowledge
AI output quality depends heavily on the context available during execution.
Context engineering is the practice of selecting and structuring the instructions, evidence, examples, tools, and current state needed to complete a task. It is broader than prompt writing.
Useful context may include:
- Architecture decision records
- Coding and API standards
- Domain terminology
- Service ownership
- Approved libraries
- Security requirements
- Data classification rules
- Example implementations
- Known technical constraints
- Definition-of-done criteria
- Relevant source files and tests
The goal is not to load every organizational document into the model. Excessive context increases noise, latency, cost, and the chance of using obsolete information.
Context should be task-specific and authoritative. An agent modifying authentication logic needs security standards, identity architecture, existing middleware, and relevant tests. It probably does not need unrelated UI documentation or archived project plans.
Organizational knowledge also requires governance. Documents should have owners, version information, and a clear status such as approved, draft, or retired. Otherwise, the agent may treat contradictory documents as equally valid.
AI-native teams should consider architecture documentation part of the delivery system. A short, maintained decision record often provides more value than a large repository of uncurated documents.
2.4 Tool Access, Memory, Orchestration, and Observability
Agents become more useful when they can call tools. They also become more dangerous.
Tool access should follow least privilege. A repository analysis agent may require read-only access. A coding agent may need write access to an isolated branch and permission to run tests. Neither normally needs production credentials.
Tools should expose narrow, well-defined operations. An approveRefund tool with authorization checks, transaction limits, and audit logging is safer than unrestricted database access.
Memory should be separated by purpose:
- Task memory stores the current goal and progress.
- Repository memory stores indexed technical knowledge.
- Operational memory stores previous runs and results.
- User memory stores approved working preferences.
Persistent memory must not become an uncontrolled store for secrets, personal data, proprietary source code, or obsolete decisions.
Orchestration determines which steps use normal code and which use model reasoning. Deterministic operations such as schema validation, authorization, financial calculations, and deployment approval should remain in conventional code. Models are more appropriate for interpretation, classification, planning, summarization, and selecting among approved tools.
Observability should capture:
- Instructions and retrieved context
- Model and configuration
- Tool calls and responses
- Files changed
- Tests and checks executed
- Approval decisions
- Errors and retries
- Cost, token usage, and latency
- Final business outcome
Without this evidence, teams cannot reproduce failures, investigate unsafe actions, or improve the workflow.
2.5 Bounded Autonomy and Human Accountability
Autonomy should be based on risk, not on the maximum capability of the model.
A practical autonomy model has four levels:
- Suggest: The system recommends an action.
- Prepare: The system creates a draft artifact or change.
- Execute with approval: The system acts after authorized review.
- Execute within policy: The system acts automatically inside predefined limits.
A coding agent may automatically correct formatting or update generated documentation. It may require review before modifying application logic. Changes to identity, payments, infrastructure, or production data should require stronger approval.
OWASP identifies prompt injection, improper output handling, excessive agency, sensitive-information disclosure, and unbounded resource consumption among major risks for LLM applications.
Human approval must also be meaningful. Asking a reviewer to approve a 5,000-line generated change without an implementation plan, test evidence, or risk summary is not effective oversight.
Bounded autonomy requires:
- Small, reviewable changes
- Explicit permissions
- Transaction and cost limits
- Approved tool definitions
- Reversible operations
- Audit trails
- Clear escalation conditions
- Named human accountability
The organization remains responsible for the outcome, even when an agent performs the action.
3 From Business Intent to Executable Specifications
AI-assisted delivery becomes reliable when the team converts business intent into specifications that people, agents, tests, and pipelines can interpret consistently.
The objective is not to generate more documentation. It is to create a traceable chain from the required business outcome to production evidence.
3.1 Starting with Measurable Business and User Outcomes
A feature description is not the same as an outcome.
A weak requirement states:
Build an AI assistant for customer support.
A stronger requirement states:
Reduce median billing-case classification time from 12 minutes to
under 4 minutes while maintaining at least 95% accuracy on the
approved evaluation dataset.
Route low-confidence results to a human agent. Do not automatically
close or reassign cases.
The stronger version defines:
- The current baseline
- The expected improvement
- The measurement method
- A quality threshold
- A fallback path
- A limit on autonomy
These details allow architects to design the correct solution and allow the team to determine whether the capability succeeded after deployment.
3.2 Using AI During Discovery and Requirement Analysis
AI can support discovery by summarizing interviews, extracting business rules, identifying contradictions, grouping requirements, and generating clarification questions.
A practical workflow is:
- Collect stakeholder statements and process evidence.
- Use AI to create an initial process and rule summary.
- Ask it to identify conflicts, gaps, and ambiguous terms.
- Review the findings with business and technical owners.
- Record confirmed decisions separately from generated suggestions.
For example, AI may detect that one document permits managers to approve refunds while another requires finance approval above a specified value. That is useful analysis. The AI must not decide which policy is authoritative.
Discovery data may contain personal, confidential, or regulated information. Teams must define approved models, processing locations, retention rules, access controls, and data-minimization requirements before providing this material to an AI system.
NIST’s Generative AI Profile recommends incorporating risk management and trustworthiness considerations into the design, development, evaluation, and use of generative AI systems.
3.3 Converting Requirements into Executable Specifications
An executable specification connects a business rule to something the delivery system can verify.
For example:
Feature: Refund approval
Scenario: Refund below the manager threshold
Given an active order with a refundable balance of 800 USD
And the requester has the "SupportAgent" role
When the requester submits a refund for 500 USD
Then the refund status should be "PendingManagerApproval"
And no payment-provider request should be issued
Scenario: Refund above the finance threshold
Given an active order with a refundable balance of 8000 USD
When an authorized manager approves a refund for 6000 USD
Then the refund status should be "PendingFinanceApproval"
And the decision should be recorded in the audit log
The same specification can guide product review, implementation, test generation, and agent validation.
Executable specifications do not always require Gherkin. They may include:
- OpenAPI schemas
- Contract tests
- Database constraints
- Policy-as-code
- Infrastructure validation
- Static-analysis rules
- Service-level objectives
- AI evaluation datasets
- Security test cases
The correct format is the one that can be reviewed by the relevant owner and enforced by the delivery pipeline.
3.4 Defining Acceptance Criteria, Edge Cases, and Failure Scenarios
AI-generated implementations often handle the happy path well because that is usually the clearest part of the requirement. Production failures occur at the boundaries.
For each capability, define:
- Valid and invalid inputs
- Boundary values
- Authorization rules
- Duplicate and concurrent requests
- Dependency timeouts
- Retry and idempotency behavior
- Partial failure handling
- Audit requirements
- Recovery procedures
- Unsupported scenarios
For an AI-enabled capability, also define:
- Evaluation dataset
- Minimum quality threshold
- Confidence or abstention behavior
- Evidence requirements
- Human-review conditions
- Latency target
- Cost limit
- Prohibited actions
- Behavior when the model or retrieval service is unavailable
For example, “summarize the incident” is incomplete. The team should specify which sources may be used, which facts must appear, how uncertainty is shown, whether source references are required, and what happens when logs are missing.
Failure behavior is part of the requirement, not an implementation detail.
3.5 Maintaining End-to-End Requirement Traceability
Traceability should connect the complete delivery chain:
Business outcome
→ capability
→ requirement
→ architecture decision
→ implementation change
→ test or evaluation
→ deployment
→ production metric
A pull request should identify the requirement it implements. Tests should reference the relevant acceptance criteria. Architecture decisions should explain important design trade-offs. Deployment records should identify the approved change. Production monitoring should show whether the expected outcome was achieved.
AI can help create and maintain these links, but the authoritative identifiers must remain in controlled systems such as the backlog, source repository, test platform, architecture repository, and deployment pipeline.
This closes one of the largest gaps in the traditional lifecycle. The team can determine not only whether the application was deployed successfully, but whether the delivered change solved the original business problem.
An AI-native software development lifecycle therefore does not reduce the need for engineering discipline. It increases the value of precise outcomes, executable specifications, controlled context, automated verification, and accountable human decisions.
4 Architecture for AI-Assisted and Agentic Systems
The requirements and executable specifications defined in the earlier stages must now be translated into an architecture that can manage both conventional application behavior and probabilistic AI behavior. The main architectural mistake is to treat the model as the application rather than as one controlled component within it.
A production AI-enabled system still needs ordinary services, APIs, databases, identity controls, queues, audit records, monitoring, and deployment pipelines. The model adds interpretation and flexible decision support, but it should operate inside boundaries enforced by deterministic software.
4.1 Separating Deterministic and Probabilistic Components
Deterministic components execute explicit rules. Authorization checks, financial calculations, schema validation, workflow state transitions, and database transactions should produce predictable results for a given input and state.
Probabilistic components are appropriate where the application must interpret unstructured information, rank options, summarize content, classify ambiguous inputs, or create a draft response. Their output can vary and may be incomplete even when the input remains unchanged.
A support automation system illustrates the distinction. A model can classify an incoming ticket, summarize the issue, and recommend a queue. Conventional application code should verify the user’s permissions, confirm that the selected queue exists, apply routing policy, and record the final assignment.
A useful boundary looks like this:
Unstructured request
↓
AI interpretation and recommendation
↓
Schema and policy validation
↓
Deterministic authorization
↓
Approved business operation
↓
Audit record and outcome monitoring
The model should return structured proposals rather than directly controlling application state. For example, it can return a proposed action, confidence value, supporting evidence, and explanation. A deterministic service then validates that proposal against business rules.
This separation reduces the impact of model errors and allows critical controls to be tested through conventional methods.

Figure 1. AI proposes a structured action, while deterministic controls validate, authorize, execute, and audit it.
4.2 Reference Architecture for an AI-Enabled Application
A practical AI-enabled application normally contains several distinct layers:
User or upstream system
↓
Application/API layer
↓
AI orchestration service
├── Prompt and policy configuration
├── Retrieval service
├── Model gateway
├── Tool registry
├── Workflow state
└── Evaluation and guardrail services
↓
Business services and approved tools
↓
Enterprise systems and data stores
The application layer handles identity, sessions, rate limits, request validation, and the user experience. The orchestration service decides what context is required, which model should be called, whether a tool is needed, and when human approval is required.
A model gateway provides a controlled interface to one or more models. It can enforce model allowlists, request limits, logging rules, fallback behavior, and routing based on task complexity. This prevents individual application teams from embedding provider-specific calls throughout the codebase.
Retrieval services locate relevant enterprise knowledge without placing every document into every request. Tool services expose narrowly defined business operations such as retrieving an order, creating a draft case update, or checking available appointment slots.
The architecture should also include a durable workflow store for long-running or multi-step processes. Model context is temporary and should not be treated as the authoritative workflow state. The current step, approvals, tool results, retries, and final status should be persisted in an application-controlled data store.
4.3 Retrieval, Tool Use, Orchestration, and Human Approval Patterns
Retrieval-augmented generation is useful when the model needs current or organization-specific information. The retrieval layer should apply access control before content reaches the model, not after the response has been generated.
Retrieval quality depends on document selection, chunking, metadata, freshness, and ranking. A large vector index does not guarantee reliable answers. The system should prefer approved, current sources and retain the source identifiers used for each response.
Tool use should follow the same principle. Each tool needs a clear schema, narrow scope, authorization rules, timeout, and idempotency behavior. A tool named executeSql exposes too much authority. Separate tools such as getCustomerOrders and createRefundDraft are easier to secure and monitor.
Orchestration can follow several patterns:
- Sequential workflows for predictable multi-step processes
- Routing workflows for selecting a specialist model or service
- Parallel execution for independent analyses
- Evaluator loops for reviewing and refining an output
- Agent-driven planning for tasks where the required steps are not known in advance
Anthropic recommends using the simplest workflow that meets the requirement because additional agentic flexibility also increases cost, latency, and failure modes.
Human approval should be placed before consequential or irreversible actions. Approval interfaces should show the proposed action, source evidence, policy checks, affected records, and expected impact. A simple confirmation button without this information does not support informed review.
4.4 Architecture Decisions for Models, Data, Security, and Cost
Model selection should be based on the task rather than on a single preferred provider. A smaller model may be sufficient for classification, extraction, or routing. A more capable model may be justified for complex planning or analysis.
Architects should evaluate:
- Output quality on an approved dataset
- Structured-output reliability
- Tool-use accuracy
- Context limits
- Latency
- Regional availability
- Data handling terms
- Operational cost
- Provider dependency
- Fallback options
Data architecture decisions are equally important. The team must determine which information may be sent to a model, whether prompts and responses may be retained, how sensitive fields are filtered, and where embeddings or retrieved content are stored.
Security controls should cover the entire application path rather than only the model endpoint. Prompt injection, insecure output handling, sensitive-information disclosure, excessive agency, and uncontrolled resource consumption are recognized risks in current OWASP guidance for generative AI applications.
Cost controls should be architectural, not only financial. Limit context size, agent steps, retries, parallel calls, and tool execution. Cache safe reusable results and route simple work to lower-cost components. Monitor cost per completed business outcome rather than only cost per model call.
4.5 When Conventional Software Is Better Than an AI Agent
An AI agent is not the correct solution when the business process can be expressed reliably as ordinary rules.
Use conventional software when:
- The inputs and decision rules are well defined
- Exact repeatability is required
- The process is safety- or financially critical
- Latency must remain consistently low
- A database query or rules engine can solve the problem
- The operation must be formally verified
- Model uncertainty adds no practical value
For example, tax calculation, account-lockout policy, inventory deduction, and payment settlement should remain deterministic. AI may explain the result or help investigate an exception, but it should not replace the underlying control logic.
A rules engine is also preferable when business users need transparent policy configuration. An agent may appear simpler during a demonstration, but hidden probabilistic behavior can make future policy changes harder to test and audit.
The correct architecture uses AI where interpretation creates value and conventional software where precision creates safety.
5 Agent-Assisted Development and Continuous Verification
Once the architecture and specifications are established, coding agents can participate in implementation. Their value depends on how work is prepared, constrained, reviewed, and continuously verified.
The objective is not to delegate complete systems to an agent. It is to create a development process where bounded tasks can be completed faster without weakening engineering controls.
5.1 Planning and Decomposing Work for Coding Agents
Coding agents perform best when tasks have a clear objective, limited scope, relevant context, and observable completion conditions.
A large request such as “modernize the billing service” combines architecture, data migration, compatibility, security, testing, and deployment concerns. The agent may produce broad changes that are difficult to review.
A better decomposition is:
- Add a contract test for the existing billing API.
- Isolate payment-provider access behind an interface.
- Add the new provider implementation.
- Introduce configuration-based provider selection.
- Add failure and timeout tests.
- Update deployment configuration in a separate change.
Each task should identify affected components, constraints, expected tests, and prohibited changes. Dependencies between tasks should also be explicit.
Planning can be delegated partially. An agent may inspect the repository and propose a sequence of changes, but the lead should validate architectural impact and review boundaries before implementation begins.
5.2 Creating Small, Controlled, and Reviewable Changes
Small changes reduce both technical and cognitive risk.
A coding agent should work in an isolated branch or workspace. It should not combine dependency upgrades, refactoring, formatting, and feature development in one pull request unless those changes are inseparable.
Useful controls include:
- Maximum changed files
- Maximum diff size
- Restricted directories
- Required tests
- Forbidden configuration areas
- Automatic rollback of unrelated edits
- Separate approval for generated migrations
- Mandatory ownership review for sensitive code
GitHub advises reviewers to inspect agent-generated changes carefully, particularly workflow files, because CI workflows can have access to privileged secrets and execution environments.
The pull request should contain more than a diff. It should include the task, implementation summary, assumptions, tests executed, known limitations, and files requiring closer review.
Generated code should remain understandable without access to the original model conversation. The repository, tests, and pull request must provide enough evidence for future maintainers.
5.3 Treating AI-Generated Code as Untrusted Input
AI-generated code should enter the lifecycle with the same trust level as code received from an unknown external contributor.
It may contain insecure defaults, invented APIs, outdated patterns, missing authorization checks, unsafe parsing, inefficient queries, or unnecessary dependencies. It may also pass visible tests while failing under conditions not represented in the prompt.
The review process should verify:
- Correctness against the specification
- Authentication and authorization behavior
- Input and output validation
- Error and transaction handling
- Concurrency and idempotency
- Dependency provenance
- Secret exposure
- Logging of sensitive data
- Performance implications
- Compatibility with supported platforms
Model-generated comments and explanations are not evidence of correctness. Tests, static analysis, code inspection, and runtime behavior provide evidence.
Automated AI review can provide an additional perspective, but it should not be the only reviewer of code produced by another model. GitHub’s coding-agent controls include separate code-quality and security validation intended to identify issues before a pull request is completed, but human review remains necessary.
5.4 Combining Testing, Evaluation, and Human Review
Conventional tests verify deterministic behavior. AI evaluations measure the quality of probabilistic behavior. Production AI systems usually require both.
A document-processing service may need unit tests for parsing and access control, contract tests for downstream APIs, and evaluation cases for extraction accuracy. An agent may need scenario tests that verify tool selection, termination behavior, approval handling, and recovery from tool failures.
Evaluation datasets should include realistic examples, difficult edge cases, adversarial inputs, and previously observed failures. They should also represent different user groups, document types, and operational conditions relevant to the application.
Human review remains important where quality is subjective or risk is high. Reviewers can assess whether a summary omits important context, whether a recommendation is misleading, or whether an explanation could cause unsafe user behavior.
NIST’s AI resources emphasize testing, evaluation, verification, and validation as part of operational AI risk management.
5.5 Integrating AI Quality Gates into CI/CD
AI quality gates should be part of the normal delivery pipeline rather than a separate manual exercise performed before release.
A practical pipeline can include:
Build and dependency restoration
↓
Unit and integration tests
↓
Static analysis and secret scanning
↓
AI evaluation suite
↓
Prompt and policy regression tests
↓
Tool-permission validation
↓
Cost and latency thresholds
↓
Human approval
↓
Controlled deployment
Evaluation thresholds should be versioned with the application. A model, prompt, retrieval configuration, tool definition, or policy change can alter behavior even when application code remains unchanged.
The pipeline should compare results with an approved baseline and block changes that create significant regressions. Some variation is expected, so teams should use statistically meaningful evaluation sets rather than relying on a few exact string comparisons.
Release records should identify the model version, prompt version, retrieval index, tool configuration, evaluation result, and approval decision. This allows the production behavior to be traced back to the tested configuration.
6 Secure Delivery and Production Operations
AI-enabled software introduces new operational dependencies and attack paths. Secure delivery therefore requires controls across model access, retrieved data, tools, application services, user interfaces, and operational workflows.
The security model must assume that user input, retrieved content, model output, and agent-generated code may all be hostile or incorrect.
6.1 Security Risks Introduced by AI-Enabled Software
Prompt injection can cause a model to follow malicious instructions contained in user input, documents, webpages, emails, or tool results. The injected instruction may attempt to override system behavior, expose data, or trigger an unauthorized action.
Improper output handling creates another risk. Model output that is passed directly into a shell, browser, SQL query, template, or downstream API can become an injection path. Every model output must be treated as untrusted data and validated according to its destination.
Agents also create authorization risks when they receive broad tool access. A harmless classification error becomes more serious when the same model can update records, send messages, or invoke administrative operations.
Other risks include sensitive-data leakage, poisoned knowledge sources, insecure plugins, denial-of-wallet attacks, excessive logging, and dependence on unavailable model services.
6.2 Least Privilege, Sandboxing, and Controlled Tool Access
Each agent should receive only the tools and data required for its current task.
A coding agent should execute in an isolated environment with temporary credentials, restricted network access, and no production connectivity. A business agent should access records through authorized application APIs rather than through direct database credentials.
Tool calls should pass through a policy-enforcement layer that verifies:
- User identity
- Agent identity
- Requested operation
- Resource scope
- Transaction limits
- Approval status
- Rate limits
- Data classification
- Audit requirements
Sandboxing limits the impact of generated scripts, build commands, package installation, and malicious repository content. The sandbox should be disposable and should not share secrets or writable storage with trusted workloads.
Tool responses should also be filtered. A read operation may return more sensitive data than the model requires. Data minimization should occur before the result is placed into model context.
6.3 Safe Deployment Through Shadow Mode and Gradual Autonomy
AI-enabled behavior should rarely move directly from testing to full autonomous execution.
In shadow mode, the system processes real production inputs but does not affect the user or business process. Its recommendations are compared with actual human decisions or existing system outcomes.
The next stage may expose suggestions to users while requiring manual action. After sufficient evidence is collected, the system can prepare changes for approval. Limited automatic execution should occur only within clearly defined policy boundaries.
A progression may look like this:
Offline evaluation
→ Shadow mode
→ User-visible recommendation
→ Draft action with approval
→ Automatic low-risk action
→ Expanded autonomy after review
Each stage should have entry criteria, success thresholds, rollback conditions, and named ownership. Autonomy should be reduced when data quality changes, model behavior regresses, or operational incidents occur.
6.4 Observability for Models, Agents, Tools, and Outcomes
Traditional monitoring focuses on availability, latency, errors, and resource usage. AI systems also require visibility into behavior and outcomes.
Useful signals include:
- Model and configuration used
- Retrieval sources and relevance
- Tool selection and execution result
- Agent step count
- Approval and rejection rates
- Evaluation scores
- Abstention and escalation rates
- Cost per request and completed task
- Token and context usage
- User corrections
- Policy violations
- Business outcome measures
Tracing should connect the user request, retrieved context, model response, tool calls, application changes, and final outcome. Sensitive prompt or response content should be redacted or access-controlled rather than logged indiscriminately.
Operational teams need dashboards that distinguish infrastructure failure from model-quality failure. A service can remain technically available while producing poor recommendations or repeatedly selecting the wrong tool.
6.5 Production Feedback, Incident Response, and Continuous Improvement
Production feedback should feed directly into evaluation and delivery.
User corrections, rejected recommendations, failed tool calls, unexpected cost spikes, and support incidents should be converted into reproducible test or evaluation cases. This prevents the same failure from reappearing after a model or prompt update.
Incident response procedures should identify how to:
- Disable a model or tool
- Reduce agent permissions
- Switch to a fallback model
- return to recommendation-only mode
- revoke credentials
- preserve traces
- identify affected users or records
- reverse or reconcile completed actions
NIST organizes AI risk management around governing, mapping, measuring, and managing risk. That structure is useful operationally because it connects ownership, system context, measurable evidence, and corrective action.
Continuous improvement should not mean continually increasing autonomy. The correct result may be a better prompt, improved retrieval, stronger validation, a narrower tool, or removal of AI from a process that does not benefit from it.
A reliable AI-native lifecycle improves its evidence and controls alongside its models. Production experience then becomes an input to architecture, requirements, evaluations, and future delivery decisions.
7 Governance, Economics, and Engineering Roles
The controls described in the previous sections must be supported by clear ownership, funding decisions, and operating policies. Without these, individual teams may build capable AI solutions that cannot pass security review, meet legal obligations, or demonstrate business value.
Governance should not become a separate approval process that treats every AI use case as equally dangerous. It should help teams identify the level of risk, apply proportionate controls, and make accountable decisions throughout the lifecycle.
7.1 Risk-Based Governance for AI Systems
A risk-based governance model classifies systems according to what they can access, recommend, or change. A code-completion assistant operating on non-sensitive sample code does not require the same controls as an agent that reads customer records and initiates account actions.
A practical classification can consider:
- Business impact of an incorrect result
- Sensitivity of the data used
- Degree of system autonomy
- Reversibility of actions
- Exposure to external users
- Legal or contractual obligations
- Dependence on third-party models and services
Low-risk use cases may proceed through normal engineering review with approved tools and data-handling rules. Medium-risk systems may require documented evaluations, security review, human approval, and production monitoring. High-impact systems may require formal risk acceptance, independent validation, legal review, stronger audit evidence, and strict limits on autonomous action.
NIST structures AI risk management around four functions: Govern, Map, Measure, and Manage. This provides a useful operating model because it connects organizational responsibility, system context, measurable evidence, and risk treatment rather than treating governance as a one-time checklist.
The governance record for each system should identify its owner, intended users, approved models, data sources, evaluation results, known limitations, release status, and incident contact. It should be updated when the model, retrieval source, tool access, business process, or autonomy level changes.
7.2 Data Privacy, Intellectual Property, and Regulatory Concerns
AI-enabled applications often move data across boundaries that did not exist in the original system. Source code may be sent to a coding assistant, documents may be embedded into a retrieval index, and user requests may be transmitted to an external model provider.
The architecture and governance process should answer several questions before implementation:
- What information is sent to the model?
- Is personal or confidential data removed or masked?
- Where is the request processed and stored?
- Can the provider use the data for service improvement?
- How long are prompts, responses, and traces retained?
- Who can inspect logged content?
- Which source material may be used for grounding or training?
Intellectual-property review should cover both inputs and outputs. Teams must verify that code, documents, test data, and third-party content may be processed by the selected service. Generated code should still pass normal dependency, licence, provenance, and security review rather than being assumed original or safe.
Regulatory requirements depend on the use case and operating region. The European Union’s AI Act follows a risk-based structure and entered into force on August 1, 2024, with obligations applying in stages. General-purpose AI obligations began applying on August 2, 2025, while additional provisions continue to take effect according to the Act’s implementation schedule.
Architects should avoid embedding legal assumptions directly into technical designs. Instead, maintain a compliance mapping that links applicable requirements to controls such as data minimization, transparency notices, human oversight, logging, retention, testing, and vendor management.
7.3 Measuring the Real Cost of AI-Assisted Development
Model usage is only one part of the cost of an AI-native lifecycle. The complete cost includes platform engineering, integration, evaluation, security, observability, review time, data preparation, and operational support.
A useful cost model is:
Total AI delivery cost
=
Model and embedding usage
+ Engineering platform cost
+ Evaluation and review effort
+ Data preparation and maintenance
+ Security and governance effort
+ Production monitoring and support
+ Cost of failed or corrected outcomes
A low model price does not guarantee a low-cost solution. A cheaper model that produces more invalid tool calls, requires larger prompts, or increases manual correction may cost more per completed task. Similarly, an autonomous workflow may reduce handling time while increasing support and incident-management effort.
Teams should measure cost per successful business outcome. For a document-review assistant, this may be the cost per correctly reviewed document after human corrections. For coding agents, it may be the cost per merged change that passes production acceptance without reopening defects.
Cost controls should also identify waste. Repeated retrieval of the same material, uncontrolled retry loops, oversized context, unnecessary agent steps, and expensive models used for simple classification tasks can materially increase operating cost without improving results.
7.4 How Developer, Lead, Architect, QA, and Security Roles Will Change
Developers will spend more time defining tasks, validating generated changes, designing tests, and resolving integration issues. They will still write code, especially for complex domain logic, performance-sensitive components, and areas where the generated result requires substantial correction.
Tech leads will become responsible for making work agent-ready. This includes decomposing features, maintaining repository guidance, enforcing change boundaries, and ensuring that review capacity grows alongside generation capacity.
Solution architects will need to design both application architecture and the AI control plane around it. Their decisions will cover model gateways, retrieval boundaries, tool contracts, approval points, failure handling, observability, and the division between deterministic and probabilistic behavior.
QA engineers will expand from test execution into evaluation engineering. They will build representative datasets, design adversarial scenarios, define scoring criteria, investigate behavioral regressions, and connect production failures back to repeatable tests.
Security engineers will review prompt and retrieval paths, tool permissions, sandbox controls, model-provider risk, sensitive-data handling, and AI-specific abuse cases. Their involvement must begin during architecture and threat modelling rather than immediately before release.
These roles become more interconnected. Successful teams will not hand AI quality to a separate specialist group; they will integrate it into product, architecture, development, QA, security, and operations.
7.5 Measuring Engineering Outcomes Instead of Generated Code
Generated lines of code, accepted suggestions, prompt counts, and agent sessions are activity measures. They may help understand adoption, but they do not show whether delivery improved.
Engineering metrics should focus on outcomes such as:
- Lead time from approved requirement to production
- Pull-request review and merge time
- Change failure rate
- Escaped defect rate
- Rework caused by generated changes
- Test and evaluation coverage
- Mean time to restore service
- Developer time spent on routine work
- Cost per accepted production change
- User or business outcome achieved
A coding agent that generates many changes but increases review time and production defects is not improving the lifecycle. A smaller deployment that reduces repetitive maintenance while preserving quality may deliver greater value.
Metrics should be reviewed together. Faster lead time is useful only when reliability remains acceptable. Lower cost is useful only when human correction and incident effort do not rise elsewhere.
8 Practical Implementation Blueprint
An AI-native lifecycle should be introduced through a controlled implementation rather than through a company-wide tool rollout. The first objective is to prove that the organization can define, build, evaluate, deploy, and operate one useful AI-assisted workflow safely.
The blueprint below focuses on the minimum capabilities required to establish that pattern. It can then be reused for additional development, testing, support, and business workflows.
8.1 Selecting the Right Pilot Use Case
The best pilot is valuable enough to matter but limited enough to control. It should involve a real workflow, measurable outcomes, accessible data, and users who can provide frequent feedback.
Suitable pilots often share these characteristics:
- The current process is repetitive or analysis-heavy.
- A human can easily recognize a good result.
- Incorrect output can be reviewed before it causes harm.
- Required data is available and legally usable.
- The workflow has a clear owner.
- Success can be measured within several weeks.
- The initial tool permissions can remain limited.
A practical development pilot might use an agent to prepare small test additions for confirmed defects. The agent receives the defect, relevant repository context, existing test conventions, and permission to modify only test projects. A developer reviews the proposed reproduction test before any production-code change is attempted.
Avoid beginning with broad objectives such as autonomous application development, production incident remediation, or end-to-end customer case handling. These combine too many technical and organizational risks before the team has established its evaluation and operating model.
Before approval, write a one-page pilot charter containing the problem, baseline, target outcome, users, system boundaries, data classification, autonomy level, success measures, stop conditions, and accountable owner.
8.2 Building the Minimum AI Engineering Platform
The pilot should not create a large platform before the use case is proven. But it should establish reusable controls that prevent every team from connecting directly to models and tools in a different way.
A minimum platform can include:
Developer or business application
↓
API and identity layer
↓
Model gateway
↓
Workflow or agent service
├── Prompt and policy repository
├── Retrieval component
├── Approved tool adapters
├── Evaluation hooks
└── Human approval interface
↓
Enterprise APIs and data stores
Cross-cutting services:
- Secrets management
- Central logging and tracing
- Cost and rate controls
- CI/CD evaluation gates
- Audit and configuration history
The model gateway should centralize authentication, provider routing, model allowlists, rate limits, budgets, and request logging. LiteLLM is one current open-source option that provides a self-hosted, OpenAI-compatible gateway and a unified interface across multiple providers.
Prompts, system instructions, tool definitions, and evaluation cases should be version-controlled. Environment-specific secrets and model credentials should remain in the organization’s secrets-management service rather than in prompt files or application configuration.
The first platform version should support only the tools required by the pilot. A narrow tool set is easier to secure, test, and observe than a general connector framework with broad access to repositories, databases, cloud consoles, and collaboration platforms.
8.3 Creating Evaluation Datasets and Measurable Success Criteria
Evaluation development should begin before prompt tuning or agent implementation. Otherwise, the team will optimize the solution based on a few demonstrations and subjective impressions.
Start with real examples from the current workflow. Remove or protect sensitive information, then classify the cases into normal inputs, difficult cases, edge conditions, policy-sensitive cases, and known failures.
For each case, define what can be evaluated deterministically and what requires expert judgment. A coding-agent evaluation might check whether the project builds, whether the intended test fails before the fix, whether all tests pass afterward, whether prohibited files changed, and whether the pull request remains below an agreed size.
An evaluation record can use a simple structure:
case_id: defect-042
input:
issue: "Duplicate invoice created after request timeout"
expected:
reproduction_test_required: true
idempotency_behavior: "same request creates one invoice"
forbidden_changes:
- "deployment/"
- "database/schema/"
thresholds:
build_pass: true
all_tests_pass: true
changed_files_max: 6
review:
domain_approval_required: true
Include negative cases where the correct behavior is to ask for clarification, abstain, or escalate. A system that always produces an answer may appear productive while hiding uncertainty.
MLflow currently supports datasets, traces, code-based scorers, model-based judges, and production evaluation for LLM and agent applications. These capabilities can be used to retain evaluation history and compare application versions over time.
Success criteria should combine quality, delivery, economics, and user impact. For example: at least 85% of proposed reproduction tests accepted with minor or no changes, no unauthorized file modifications, no increase in escaped defects, and a 25% reduction in developer time spent preparing defect tests.
8.4 Recommended Open-Source Tools and Reference Stack
The reference stack should remain replaceable. Teams should select components by responsibility and avoid allowing one framework to own model access, orchestration, retrieval, evaluation, and observability unless that coupling is intentional.
A practical starting stack is:
- Model gateway: LiteLLM for centralized provider access, routing, budgets, and a compatible API.
- Workflow orchestration: ordinary application code for simple flows, or LangGraph for long-running, stateful agent workflows that require explicit transitions and checkpoints. LangGraph describes itself as a low-level framework for stateful agent orchestration.
- Retrieval store: PostgreSQL with pgvector when the organization already operates PostgreSQL and the retrieval scale fits that platform. pgvector adds vector similarity search while preserving normal PostgreSQL access patterns.
- Evaluation and experiment tracking: MLflow for dataset management, tracing, evaluation, prompt management, and comparison of application versions.
- Security testing: Promptfoo for repeatable prompt, RAG, agent, and red-team tests in local development and CI/CD. Its open-source CLI supports evaluation and security testing through declarative configurations.
- Telemetry: OpenTelemetry for vendor-neutral traces, metrics, and events. Its generative AI conventions cover model operations and related attributes, though teams should review the stability of individual conventions before standardizing production schemas.
This is a reference stack, not a mandatory product list. Existing API gateways, workflow engines, PostgreSQL services, CI/CD platforms, identity systems, and observability tools should be reused where they already meet the requirement.
The architecture should hide product-specific details behind internal interfaces. This allows the team to replace a model provider, evaluation tool, or orchestration framework without rewriting the business application.
8.5 A Practical 90-Day Adoption Roadmap
The first 30 days should establish the problem, controls, and baseline. Select one pilot, appoint a product owner and technical owner, document the current process, classify the data, define the autonomy level, and create the initial evaluation dataset. Build a thin model gateway and a sandboxed development environment rather than beginning with full enterprise integration.
During days 31–60, implement the workflow behind a feature flag. Add approved tool adapters, versioned prompts, trace collection, cost limits, and CI/CD evaluation gates. Run the solution on historical examples and then in shadow mode with real inputs. Review failures weekly and convert them into permanent evaluation cases.
During days 61–90, expose the capability to a limited user group. Keep consequential actions in draft or approval mode, measure correction rates and user time saved, and compare results with the original baseline. Conduct security review, operational readiness review, and an incident simulation before expanding usage.
At the end of the 90 days, make an evidence-based decision:

Figure 2. A controlled 90-day adoption path from pilot definition and validation to limited production use and an evidence-based proceed, revise, or stop decision.
Proceed
- Quality and safety thresholds met
- Users receive measurable benefit
- Operating cost is acceptable
- Support ownership is established
Revise
- Value is visible but quality or workflow design needs improvement
- Continue with narrower scope or stronger controls
Stop
- The task is better solved with conventional automation
- Data or governance constraints are unacceptable
- Review effort exceeds the benefit
The final deliverable should not be only a working prototype. It should include a reusable gateway pattern, evaluation process, security controls, operating runbook, governance record, cost model, and lessons for the next use case.
That is the practical starting point for an AI-native software development lifecycle: one bounded workflow, measurable evidence, controlled production use, and a platform that grows only when real outcomes justify it.



