The pipeline grows...


There was a time when CI/CD was simple. Two jobs. One rule: new code shouldn't break old code, and new code should ship. You pushed a commit, the pipeline ran, the green check appeared, and you went home.

Then we started adding things. Code style. Unit tests. Integration tests. Security scans. Licence checks. DevOps became DevSecOps. DevSecOps is quietly becoming Dev...Fin...Sec...Compliance...Ops. Nobody's quite sure where the pipeline ends anymore.

But that expansion wasn't feature creep. The fundamental idea of DevOps was always to shorten the feedback loop...how quickly do we know when something goes wrong? Every new gate was just an answer to that question, broadening the definition of "something" over time. We started with correctness. Then security. Then the cost. Now compliance. The philosophy hasn't changed. The scope has.

Compliance used to be episodic. Audit season would arrive, evidence would be frantically collected, screenshots of dashboards nobody had looked at in between would be taken, and the checkbox would turn green. Then everyone exhaled until next year. It wasn't malicious. It just reflected how compliance was structured...point-in-time assessments proving you were compliant on the day someone checked, not the day before or after.

AI doesn't get that luxury. The model changes, the data changes, the regulatory surface changes. An AI company on an annual compliance cycle is like a car that only gets inspected in odd years. You're not safe in between. You're just unchecked.

And here's the thing: GitOps isn't a new concept. Mature engineering teams have run this way for years. Git is the source of truth. Changes through pull requests. The repo reflects reality. What's shifting now is that the same pattern is extending to things that used to live outside the repo: compliance posture, security controls, cost guardrails. When everything is code, evidence doesn't live in a folder someone emails to an auditor. It lives in the repository. The pipeline becomes the audit trail.

CI/CD pipelines were always the physical embodiment of "trust but verify". Every gate you add operationalises a trust claim. Extending that to compliance isn't a leap... it's the same pattern, applied to a broader definition of what working software means. Not just passing tests, but the system behaving the way you told regulators, customers, and finance it would.

Compliance can be a destination. Trust can't. It's an infrastructure problem. And infrastructure problems get solved the same way they always have... continuous, automated, impossible to skip.

The pipeline grew up. It's just doing what it always did.