From speed to safety – how regulation is reshaping DevOps

Incoming regulations and agentic workflows are changing priorities for DevOps. Cameron Etezadi explains how to manage these changes


  • The focus for DevOps teams has shifted from how quickly they can deliver to how they can govern increasingly agentic delivery safely, transparently and accountably.
  • The Cyber Resilience Act (CRA) has three expectations: traceability, accountability and incident response.
  • Compliance is becoming an engineering problem in reviewing and governing code at machine scale.
  • The organisations best prepared for this next phase of software delivery will be those that build systems humans can confidently trust, govern, and remain accountable for, as delivery becomes increasingly autonomous. 

For over a decade, DevOps has been defined by one core principle: speed. The ability to ship code quickly, iterate continuously, and respond to user needs in near real-time has become the benchmark of high-performing software teams – made possible by end-to-end ownership and accountability.

But that benchmark is changing. A new wave of regulation in Europe, the Cyber Resilience Act (CRA) and the Product Liability Directive, is introducing stricter expectations around how software is built, deployed, and maintained. Crucially, this legislation is putting the liability back onto engineering teams in charge of deploying software. 

We’re seeing and hearing about more incidents where autonomous AI agents are making errors. Now, new legislation is giving clarity that the responsibility for any errors ultimately sits with human teams. This is forcing organisations to rethink what they ship, as well as how they control, monitor and account for it in production. 

The focus for DevOps teams has shifted from how quickly they can deliver to how they can govern increasingly agentic delivery safely, transparently and accountably.

What we can expect from new regulations

At a high level, regulations like the CRA aim to improve the security and resilience of digital products. In practice, they introduce concrete expectations for engineering teams. Three areas stand out.

  1. Traceability. Organisations must be able to identify what code is running in production, where it originated, and how it has changed over time. This goes far beyond version control. While ITIL has long emphasised CMDBs as a system of record, modern DevOps teams now need a true chain of custody for software delivery – tracking changes, ownership, and provenance from development through to production.
  2. Accountability. There needs to be clear ownership over software components and processes. This means being able to demonstrate who made changes, why they were made, how they were validated and who remains accountable for outcomes – even if those changes were AI-assisted or agent-driven.
  3. Incident response. Teams must be able to detect issues quickly, report them where necessary, and remediate them fast. In highly regulated environments this must be automatic, with little time for manual review or deliberation. Organisations therefore need systems that offer clarity, control and measurable accountability in real time.

These aren’t box-ticking exercises. They demand a level of operational visibility and control that many organisations still lack.

Why this is an engineering challenge

In the past, regulation may have been viewed as a compliance issue handled by legal or risk teams. But in the age of AI agents, new legislation has made it clear that these requirements sit with engineering.

Software delivery today is highly distributed. Code moves through complex pipelines, across multiple environments, often supported by a fragmented toolchain, and releases are frequent, sometimes continuous. As AI accelerates software creation further, traditional human review processes quickly become bottlenecks.

Many teams still rely on manual processes for approvals, reporting, or rollback decisions, but these approaches no longer scale. As release velocity increases through agentic workflows, manual governance risks becoming an operational and regulatory liability.

As a result, compliance is becoming an engineering problem. The problem is reviewing and governing code at machine scale. While delivery pipelines can be parallelised to support this pace, organisations still need clear visibility into dependencies, ownership, and control across the software lifecycle.

Evolving DevOps for a regulated world

To meet these new expectations, DevOps practices need to evolve. The most effective organisations are embedding compliance into the delivery lifecycle. This builds on the ‘continuous compliance’ practices pioneered during the cloud era, where leading teams used monitoring, observability, and automated remediation to respond to issues in real time.

That starts with integrating security and governance into CI/CD pipelines. Automated checks, policy enforcement, and validation steps ensure that code meets required standards before it ever reaches production.

Visibility is equally important. Teams need real-time insight into what is deployed, how it is performing, and how it relates back to specific changes or features. Without that, accountability becomes difficult to maintain at scale.

Another critical capability is controlled release management. Techniques such as feature flags and progressive delivery allow teams to limit exposure, test changes in production safely, and respond quickly if something goes wrong. Instead of relying on large, high-risk deployments, organisations can manage feature availability dynamically at runtime, enabling faster reactions, incremental change, and rapid rollback when needed.

Finally, there’s a cultural shift. Responsibility for compliance can’t sit with a single team. It needs to be shared across engineering, security, and platform functions, supported by automated guardrails, rather than relying on humans to enforce policy manually after the fact.

Control, visibility, and the ability to act

If there’s one unifying theme across these changes, it’s control. In a regulated environment, it’s no longer enough to deploy code and monitor what happens. Teams need to be able to answer critical questions at any moment: What is currently live? Who approved it? What impact is it having? And if something goes wrong, how quickly can we fix it?

The ability to act and control software in production is just as important as the ability to observe. Fast rollback mechanisms, the option to disable features without redeploying, and tight feedback loops all contribute to reducing risk without slowing delivery.
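The controlled release pattern described in the two passages above (feature flags with progressive rollout, a kill switch that disables a feature without redeploying, and a record of who changed what and why) as an added example, not LaunchDarkly's SDK or the author's code; the FlagStore class, its method names and the constructed flag and user identifiers are hypothetical.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class FlagState:
    enabled: bool       # kill switch; False turns the feature off for everyone
    rollout_pct: int    # 0-100: share of users who see the feature while enabled

@dataclass(frozen=True)
class AuditEntry:
    flag: str
    actor: str          # who made the change (accountability)
    reason: str         # why it was made (traceability)
    before: FlagState
    after: FlagState

class FlagStore:  # hypothetical in-memory store, not a real SDK
    def __init__(self):
        self.flags: dict[str, FlagState] = {}
        self.audit: list[AuditEntry] = []

    def set_flag(self, name, enabled, rollout_pct, *, actor, reason):
        # Refuse unattributed changes: every runtime change must name an owner and a reason.
        if not actor or not reason:
            raise ValueError("flag change needs an accountable actor and a reason")
        if not 0 <= rollout_pct <= 100:
            raise ValueError("rollout_pct must be between 0 and 100")
        before = self.flags.get(name, FlagState(False, 0))
        after = FlagState(enabled, rollout_pct)
        self.flags[name] = after
        self.audit.append(AuditEntry(name, actor, reason, before, after))

    def is_on(self, name, user_id):
        state = self.flags.get(name)
        if state is None or not state.enabled:
            return False
        # Stable per-user bucket so a user stays in or out of the rollout across requests.
        digest = hashlib.sha256(f"{name}:{user_id}".encode()).digest()
        bucket = int.from_bytes(digest[:4], "big") % 100
        return bucket < state.rollout_pct

    def kill(self, name, *, actor, reason):
        # Rollback without redeploying: flip the switch, keep the rollout setting for later.
        current = self.flags.get(name, FlagState(False, 0))
        self.set_flag(name, False, current.rollout_pct, actor=actor, reason=reason)

    def history(self, name):
        # Answers "who changed this flag, why, and to what state" at any moment.
        return [(e.actor, e.reason, e.after) for e in self.audit if e.flag == name]
```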

Done well, these capabilities enable teams to move faster, with greater confidence and less exposure.

A competitive advantage for those who move early

With compliance deadlines approaching, many organisations are still trying to interpret requirements and assess gaps. Those that act early have an opportunity to do more than just meet regulatory standards.

The organisations best prepared for this next phase of software delivery will be those that build systems humans can confidently trust, govern, and remain accountable for – even as delivery becomes increasingly autonomous. 

Success will increasingly depend on teams being able to deliver quickly and safely, with complete confidence in what they’ve put into production.

Cameron Etezadi is chief technology officer at LaunchDarkly.
