
From fragmented tools to faster delivery: A modernization roadmap

AI coding tools speed up development but not delivery. Learn how DevOps, Security, and AI modernization work together to close the gap.

March 5, 2026 · 5 min read

AI is generating code at speeds that were unimaginable three years ago. Unfortunately, the pace of deploying that code to production hasn’t kept up. In fact, AI coding has slowed delivery for many organizations.

The authors of the DORA State of DevOps Report identified this trend as far back as 2024 when they found that increased AI adoption correlated with lower software delivery throughput and stability. This pattern only intensifies as code volumes grow.

What explains this paradox? Coding represents only about 15% of the work involved in shipping software. The other 85% — code review, testing, security scanning, compliance, deployment — still relies on fragmented tools and manual processes. AI coding tools accelerate code creation while leaving the manual work downstream intact. More code translates to more bottlenecks.

Solving the AI paradox for software delivery requires a coordinated transformation across three interconnected journeys: DevOps modernization, Security modernization, and AI modernization.

DevOps modernization: The foundation

What is DevOps modernization?

Most engineering organizations are running a patchwork of tools that were never designed to work together. Each tool has its own contract, security review, and support overhead. That fragmentation is expensive to maintain, but the hidden cost is even larger: every handoff between disconnected systems introduces latency, context loss, and the risk of errors. Developers spend time chasing status across tools instead of building. Managers lack a clear picture of where work is stalled. The more code AI generates, the more those handoffs hurt.

DevOps modernization is the process of consolidating fragmented toolchains into a unified platform, automating manual processes, and standardizing how teams build and ship software. It tackles the infrastructure of the 85%: the pipelines, handoffs, and coordination overhead where AI-generated code gets stuck.

How do you progress?

Organizations typically start by auditing their current toolchain and identifying where handoffs introduce the most friction. Consolidation usually begins with source control and CI/CD — getting pipelines running consistently and replacing project-by-project configurations with shared templates and reusable components.

From there, the focus shifts to performance and scale: optimizing pipeline execution times, automating deployments across multiple environments, and standardizing practices across teams.

The final frontier is enterprise-scale automation, organization-wide standardization, and AI agents that automate routine tasks across the development lifecycle, freeing engineers to focus on the work that requires human judgment.

What outcomes can you expect?

Ericsson, the global telecommunications company, lived this reality before consolidating their toolchain. They were stuck in long release cycles, manual processes, and thousands of hours lost to coordination across disconnected systems. After unifying with a single DevSecOps platform, they saved 130,000 engineering hours in six months and cut release cycles from years to months.

For most organizations, the early payoff is visibility: a clear, real-time picture of where software is in the delivery pipeline and what’s slowing it down. Every manual step eliminated frees engineering capacity and accelerates the next stage of the journey.

Security modernization: The safeguard

What is Security modernization?

AI is rapidly generating staggering amounts of code while security reviews remain stuck at the old pace. All that code needs to be scanned, reviewed, and approved. Security teams simply can’t keep up. Things get worse when compliance evidence is scattered across multiple disconnected systems, requiring weeks of manual effort to aggregate for audits.

Security modernization means shifting security and compliance from manual checkpoints late in development to automated, continuous processes embedded earlier in the lifecycle. In a modernized security posture, scanning runs automatically inside CI/CD pipelines. Vulnerabilities surface to developers in context, at the moment they can most efficiently fix them, rather than arriving as a list of findings weeks after the code was written. Compliance evidence is collected continuously rather than assembled manually before each audit.

How do you progress?

Security modernization typically starts with embedding automated scanning (dependency scanning, SAST, and secret detection) directly into existing pipelines, beginning with the vulnerability types that carry the most regulatory or business risk.

As scanning becomes routine, the focus shifts to ownership and scale: moving from project-level to group-level security policies, establishing defined SLAs for vulnerability response, and putting findings in front of developers with enough context to act on them rather than routing everything through a security team bottleneck.

From there, the work becomes predictive — leveraging risk-based prioritization, automating compliance evidence collection, and deploying AI agents that can explain, triage, and remediate vulnerabilities automatically.

At the highest level of maturity, security is embedded enterprise-wide with policy-as-code enforcement across every project and executive dashboards that connect security posture directly to business outcomes.

What outcomes can you expect?

Ally Financial, one of the largest digital financial services companies in the U.S., shifted security left and embedded scanning directly into their DevOps platform. As a result, they were able to increase deployments by 55% while reducing downtime by 100 hours per month and saving $300,000 annually.

Speed and security improved in lockstep. Modernizing security removes the tradeoff between velocity and security by making security a built-in property of the delivery process rather than a gate at the end of it.

AI modernization: The multiplier

What is AI modernization?

Most organizations have deployed AI coding tools and seen individual developers get faster. But productivity at the individual level doesn't automatically translate into faster delivery at the organizational level. AI assistance that stops at code generation still leaves the downstream steps of the lifecycle running on manual processes. The gains stall. Worse, more code entering the pipeline can actively increase pressure on review, testing, and security processes that haven’t scaled to match.

AI modernization builds on top of DevOps and Security modernization. Once your DevOps workflows are unified and your security processes are continuous, you can extend AI from coding into the rest of the software lifecycle. AI modernization is the progression from individual developers using AI coding tools in isolation to teams orchestrating AI agents across every stage, from code review and testing to security remediation and deployment.

This is where you fully resolve the AI paradox.

How do you progress?

AI modernization typically begins with individual developers adopting pre-built AI capabilities such as code suggestions and agentic chat for code assistance, building confidence through hands-on experimentation.

From there, the focus shifts to the team level: creating custom agents tailored to specific workflows and coding standards, establishing governance and best practices, and building repeatable multi-step flows that automate handoffs between development stages. Integrating external tools through Model Context Protocol expands the context available to agents and enables more sophisticated orchestration across the broader toolchain.

The final stage is organization-wide deployment: autonomous agent workflows executing across the full software lifecycle. Agents execute traditionally manual processes in real time and in parallel across multiple teams, projects, and releases, always within enterprise-level governance. AI impact on organization-wide operational efficiency is measured in real time and can be closely associated with business outcomes.

What outcomes can you expect?

Barclays is scaling this approach to 18,000 team members, and their developers report that AI assistance across the full lifecycle is freeing them to focus on architecture, design, and customer-facing innovation rather than manual coordination. In organizations with a modernized AI approach, the work that genuinely requires human expertise gets more human attention, while agents handle the coordination, verification, and execution.

From incremental gains to wholesale transformation

Imagine an engineering organization operating at the intersection of all three journeys.

Developers work on a unified platform where AI agents handle routine code generation, documentation, and test creation. Engineers focus on architecture, design, and the work that genuinely requires creative problem-solving. Those agents are embedded in a delivery pipeline that runs in minutes, not hours, with automated testing at every stage and production deployments happening multiple times a day.

Security is continuous and invisible. Vulnerabilities are detected and often remediated before code even reaches review. Compliance evidence is collected automatically with every pipeline run. The security team focuses on threat modeling and policy, not triage.

When a developer opens a merge request, AI agents review the code, generate tests, run security scans, and flag issues — all before a human reviewer ever looks at it. When something breaks in production, agents diagnose the failure, identify the root cause, and recommend a fix. The cycle from incident to resolution is measured in minutes.

Across the organization, multiple teams ship releases in parallel, each supported by AI agents that maintain context across projects, enforce governance, and execute workflows end to end. Human engineers define the strategy and guardrails. Agents handle the execution.

Industry leaders are already building toward this vision. Those that move deliberately now will compound their advantage over those that wait.

Where to start

You can begin with whichever journey addresses your most pressing pain. A team drowning in toolchain complexity might start with DevOps consolidation. An organization under regulatory pressure might prioritize security. A team that has already unified their software lifecycle but wants to multiply output might lead with AI. The entry point matters less than recognizing that all three journeys are dimensions of the same transformation — and that progress in one accelerates the others.

We've created maturity assessments for each journey (DevOps, Security, and AI) that help you understand where you stand today and what steps will deliver the greatest impact. They take about five minutes and provide a personalized roadmap based on your results.

The AI coding gains are already here. Closing the delivery gap is what turns them into a competitive advantage.

Key takeaways

  • AI coding tools accelerate code creation, but the work that happens downstream — review, testing, security, deployment — still relies on fragmented tools. More code going in means more pressure on bottlenecks that already exist.
  • Closing the delivery gap requires three interconnected modernization journeys: DevOps (unified toolchains), Security (continuous and automated), and AI (agents across the full lifecycle, not just coding). Progress in one accelerates the others.
  • Organizations like Ericsson, Ally Financial, and Barclays are already seeing results by addressing all three dimensions. Use GitLab's five-minute maturity assessments to identify where to start and build a personalized modernization roadmap.
