<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Improving</title>
    <description>The latest articles on DEV Community by Improving (@improving).</description>
    <link>https://dev.to/improving</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3657055%2F82901aed-d6be-441b-880a-358715e70583.jpg</url>
      <title>DEV Community: Improving</title>
      <link>https://dev.to/improving</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/improving"/>
    <language>en</language>
    <item>
      <title>Observability-Driven Development</title>
      <dc:creator>Improving</dc:creator>
      <pubDate>Thu, 09 Jul 2026 11:03:45 +0000</pubDate>
      <link>https://dev.to/improving/observability-driven-development-50pa</link>
      <guid>https://dev.to/improving/observability-driven-development-50pa</guid>
      <description>&lt;p&gt;At almost every conversation around observability, I've noticed a pattern. Teams have metrics and logs in place but the moment tracing comes up, there's a pause. Either it's on the backlog, or it was set up partially and never completed, or nobody owns it.&lt;/p&gt;

&lt;p&gt;Tracing is treated as the optional third pillar of observability, until an incident happens where it's the only metric that would have actually helped.&lt;/p&gt;

&lt;p&gt;Lack of tracing isn't really the problem, instead it's a symptom. The deeper issue is that observability is still treated as something you wire up after the application is built. It's either an ops concern or a post-deployment checklist, but not a design decision.&lt;/p&gt;

&lt;p&gt;There is a better way to approach this, and in this blog post, we will explore observability driven development, where observability is securely tied to the application from day 1.&lt;/p&gt;

&lt;h2&gt;
  
  
  Observability Paradox: More Tools, Worse Outcomes
&lt;/h2&gt;

&lt;p&gt;The cost of hourly downtime exceeds $300,000 for 90% of firms, and 41% of enterprises say hourly downtime costs $1 million to over $5 million. As a result, observability is being discussed in every room and 70% engineers admitted that observability budgets have increased in the past year in a research done by Dynatrace in 2025. But yet there are downtimes and teams scramble through multiple dashboards to find the root cause. Mean time to resolution (MTTR) during production incidents has trended in the wrong direction for four consecutive years. In 2021, 47% of teams reported MTTR over an hour and by 2024, that number had climbed to 82%.&lt;/p&gt;

&lt;p&gt;So, there's more investment happening, newer tools and AI being added, yet recovery is slower.&lt;/p&gt;

&lt;p&gt;The cost of that slowdown is not just technical. High-impact outages carry huge losses, with median cost of $2 million per hour. Teams with full-stack observability reduces the downtime cost in half. The gap between those two outcomes is not about which tools you bought but it is about how you use them and when you bring them in development.&lt;/p&gt;

&lt;p&gt;41% of leaders still learn about service interruptions through inefficient means including customer complaints, incident tickets, or manual checks, even as organizations continue investing in observability. Your dashboards are green, but your users are already affected. That is a visibility gap baked into how the system was built.&lt;/p&gt;

&lt;h2&gt;
  
  
  When Observability Is an Afterthought
&lt;/h2&gt;

&lt;p&gt;Most teams start by building the service, writing the code, and shipping it to production. Then someone raises a ticket to setup monitoring dashboards and alerts. That's because monitoring is the last item on the launch checklist and not the first item on the design document.&lt;/p&gt;

&lt;p&gt;Even if the team implements visibility from the start, things aren't helpful until an incident comes to light. For instance, a team building a new payments microservice does the right things at deployment time. Scraping Prometheus metrics, forwarding the logs to the aggregation stack and building dashboards, seems to cover the observability.&lt;/p&gt;

&lt;p&gt;However, what a healthy request flow looks like end to end is not defined. Nobody mapped out which integration points needed tracing, and error budget was not set before the service went live.&lt;/p&gt;

&lt;p&gt;It's only when the first real incident hits, the gaps show up immediately:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Metrics show something is wrong but not where&lt;/li&gt;
&lt;li&gt;Logs require manual correlation across multiple services to build any picture&lt;/li&gt;
&lt;li&gt;Third-party payment gateway sitting at the edge of the system has no instrumentation at all&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;You'll have a few engineers to spend hours finding the root cause to fix it. This happens because observability was never part of the initial design and architectural conversations. Observability was treated as something ops handles after the application is built, not something engineers designed for while building it.&lt;/p&gt;

&lt;h2&gt;
  
  
  Observability-Driven Development (ODD): Designing to Be Observed
&lt;/h2&gt;

&lt;p&gt;Observability Driven Development (ODD) is a development practice that shifts observability left, treating it as a design concern from day one rather than an afterthought. Teams define their observability requirements the same way they define their functional requirements. To set up observability properly, a teams should note down answers to specific questions before any code is written:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;What does a healthy request flow look like end to end?&lt;/li&gt;
&lt;li&gt;Which integration points carry the most risk and need tracing?&lt;/li&gt;
&lt;li&gt;What failure modes are possible, and how will they surface?&lt;/li&gt;
&lt;li&gt;What does degraded performance look like versus a hard failure?&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Test-driven development (TDD) changed how teams used to think about code quality, by making testing a design activity. ODD does the same for operational visibility. You are designing a system that is observable.&lt;/p&gt;

&lt;h2&gt;
  
  
  Key Aspects of ODD
&lt;/h2&gt;

&lt;p&gt;Here's how ODD differs from standard observability practices:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Telemetry is a design requirement, not a deployment task:&lt;/strong&gt; Logs, metrics, and traces are scoped during design the same way API contracts and data models are.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;SLOs come before code:&lt;/strong&gt; Error budgets and service level objectives are defined at the start, giving the team clear signals to build toward and clear thresholds to alert on.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;OpenTelemetry as the instrumentation standard:&lt;/strong&gt; OpenTelemetry is now the second largest CNCF project after Kubernetes. It has become the default choice for vendor-neutral, portable instrumentation.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Observability gaps are treated as bugs:&lt;/strong&gt; If a critical path cannot be observed, that is a defect to fix, not a gap to live with.&lt;/p&gt;

&lt;h3&gt;
  
  
  Implementing ODD in Practice
&lt;/h3&gt;

&lt;p&gt;A complete overhaul of your existing tooling is not required to implement ODD in your software development lifecycle (SDLC) processes. It only requires shifting a few things within the process.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Identify&lt;/strong&gt; what needs to be observable during the design phase. Map critical paths, define instrumentation touchpoints, and set SLOs before writing code.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Instrument&lt;/strong&gt; observability during your development phase as you build. Treat observability gaps the same way you treat failing tests - something to fix before the PR merges, not after the service ships.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Validate&lt;/strong&gt; that telemetry actually works as a pre-launch item. Confirm traces are flowing, metrics are accurate, and alerts fire under the right conditions before go-live, not after the first incident.&lt;/p&gt;

&lt;h2&gt;
  
  
  Benefits of ODD That Show Up in the Business
&lt;/h2&gt;

&lt;p&gt;Implementing ODD doesn't just improve your reliability metrics and product quality, but it directly affects your customer satisfaction and shows up in your financials.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Faster incident resolution:&lt;/strong&gt; Teams that design for observability upfront cut MTTR by 40-50%. When traces are in place and instrumentation covers critical paths, engineers can find root causes in minutes. The difference between a 20-minute fix taking 20 minutes versus taking 3 hours is almost always a visibility gap, not a complexity gap.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Developers building instead of firefighting:&lt;/strong&gt; Cisco research found developers spend more than 57% of their time pulled into war rooms for performance issues. ODD changes it as when a system is built to surface its own failures, lesser efforts are spent to diagnose them.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Business cost of downtime shrinks:&lt;/strong&gt; Full-stack observability halves the median cost of a high-impact outage. Getting there requires designing for observability from the start, not layering tools on top after the fact.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Less noise, lower spend:&lt;/strong&gt; Nearly 70% of observability data most teams collect is unnecessary. Intentional instrumentation at design time means teams collect the signals that matter, not everything available, which directly reduces observability spend and alert fatigue.&lt;/p&gt;

&lt;h2&gt;
  
  
  ODD in the Age of AI
&lt;/h2&gt;

&lt;p&gt;AI has transformed software development. Codes are written by AI agents, reviewed by AI agents, and even validated by AI agents. AI also changes the observability problem in a fundamental way.&lt;/p&gt;

&lt;p&gt;Traditional applications fail in predictable ways, like a service crashed, a query timed out or an API returned a 500. These were observable with standard tooling. But AI systems fail differently, like a model may return a confident but wrong answer, and a prompt can produce inconsistent outputs under similar conditions. Latency varies in ways that are difficult to attribute to any single component. These are subtle and silent failures and often challenging to catch reactively.&lt;/p&gt;

&lt;p&gt;This is why ODD isn't optional for AI-powered applications. Designing for observability from day one means teams define upfront what they need to see - prompt and response logging, model latency tracking, token usage, output quality signals - and build the instrumentation to surface it.&lt;/p&gt;

&lt;h2&gt;
  
  
  Conclusion
&lt;/h2&gt;

&lt;p&gt;The correct sequence to implement ODD is:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Bring observability into the design conversation&lt;/li&gt;
&lt;li&gt;Define what the system needs to surface before building it&lt;/li&gt;
&lt;li&gt;Treat instrumentation gaps the same way you treat bugs.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;This sequencing refines the type and speed of outcomes. Less engineering time is lost to correlating logs and finding the root cause, and cost of downtime reduces due to leaner intentional telemetry.&lt;/p&gt;

&lt;p&gt;As AI gets embedded deeper into application stacks, observability becomes complicated. The teams with a foundation built on ODD will be better positioned to handle that complexity than those trying to retrofit visibility after the fact.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>Why AI Skills Are Now Part of the Product Owner’s Playbook</title>
      <dc:creator>Improving</dc:creator>
      <pubDate>Thu, 09 Jul 2026 11:02:10 +0000</pubDate>
      <link>https://dev.to/improving/why-ai-skills-are-now-part-of-the-product-owners-playbook-3m9p</link>
      <guid>https://dev.to/improving/why-ai-skills-are-now-part-of-the-product-owners-playbook-3m9p</guid>
      <description>&lt;p&gt;Product Owners have always been managers of information, i.e. translators. They sit between what the business needs and what the engineering team builds. They write specifications, refine backlogs, prioritize features.&lt;/p&gt;

&lt;p&gt;AI changes the economics of work. Not by replacing the PO, but by compressing the parts of the role that used to consume weeks into hours. The result isn't a smaller role. It's a role that finally has time for the work that matters most: understanding the problem, validating whether the solution is right, and making sure the team is building towards impact rather than output.&lt;/p&gt;

&lt;p&gt;I've started thinking of this as the shift from &lt;strong&gt;Information Technology to Impact Technology&lt;/strong&gt;. To survive this shift, the Product Owners must master the Impact Technology cycle, transitioning from raw inputs to human value:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Data:&lt;/strong&gt; Raw and unstructured building blocks.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Knowledge:&lt;/strong&gt; Information processed, synthesized, and understood.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Insights:&lt;/strong&gt; Identification of actionable patterns and connections.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Wisdom:&lt;/strong&gt; Strategic application of those insights to navigate complex problems.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Positive Impact:&lt;/strong&gt; Solving human needs and creating actual value.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;We've spent years collecting data, organizing it, reporting on it. The industry is good at information. What it's not good at is turning that information into something that changes an outcome for a user. That's where the PO's value lives now: not in managing information, but in driving the cycle from data to knowledge to insight to impact.&lt;/p&gt;

&lt;h2&gt;
  
  
  Fifteen Years of Procrastination, Resolved in an Afternoon
&lt;/h2&gt;

&lt;p&gt;I have a blog with over 600 posts spanning 20 years. For 15 of those years, the taxonomy was a mess. Overlapping categories, one-off tags, inconsistent naming. "Personal Growth" and "Personal Development" coexisted as separate categories. Posts sat uncategorized. The work to clean it up was always obvious and always deferred, because it was boring and manual and nobody wanted to spend weeks on it.&lt;/p&gt;

&lt;p&gt;With AI, the cleanup took an afternoon.&lt;/p&gt;

&lt;p&gt;I started by defining the rules: consolidate overlapping categories, remove one-off tags with fewer than three posts, flatten the hierarchy to under ten top-level themes. Then I ran frequency analysis across all posts to map where the overlaps lived.&lt;/p&gt;

&lt;p&gt;For the execution, I used Python scripts through &lt;strong&gt;LM Studio&lt;/strong&gt;, which let me run local models without sending data to a cloud API. I toggled between DeepSeek (7B parameters) for speed on straightforward categorization and a larger GPT OSS 20B model for posts that required more reasoning about where they belonged. Every script ran in &lt;strong&gt;dry-run mode&lt;/strong&gt; first. For any post where the model's confidence was below 85%, it generated a CSV for manual review instead of making the change automatically.&lt;/p&gt;

&lt;p&gt;Out of one batch of 210 posts, 182 were categorized at high confidence. The final taxonomy landed at nine core themes. The 15-year backlog was gone in an afternoon.&lt;/p&gt;

&lt;p&gt;This is what AI does for a PO: it collapses the timeline on work that was always worth doing but never worth the manual cost. The PO's job in this workflow wasn't typing or categorizing. It was defining the rules, reviewing the edge cases, and making the judgment calls the model couldn't. That's the same skill set a PO uses when refining a backlog or validating acceptance criteria. The tool changed but the judgment didn't.&lt;/p&gt;

&lt;h2&gt;
  
  
  Describing the "What," Not the "How"
&lt;/h2&gt;

&lt;p&gt;One of the shifts AI enables for Product Owners is moving from writing specifications to describing outcomes in natural language and watching them materialize.&lt;/p&gt;

&lt;p&gt;This is where Behavior-Driven Development becomes a different kind of tool. The "In order to / As a / I want to" format paired with Gherkin scenarios (Given / When / Then) has been around for years. What's new is that an LLM can take those scenarios and produce working code from them directly. The PO writes the intent and the model generates the implementation. The PO reviews whether the output matches the intent.&lt;/p&gt;

&lt;p&gt;I call the moment it clicks the "30-Second Wow," which means showing something concrete quickly and let the visuals make the point. We can take that prototype to stakeholders first. When stakeholders can see the thing and start saying "can we move this here?" or "could it also do that?", they stop evaluating and start contributing. That is where validated intent comes from. Once intent is confirmed, the prototype hands the Scrum Team something grounded to build against and improve their productivity much better than a 40-page specification document.&lt;/p&gt;

&lt;p&gt;The PO's value in this loop is making sure outcome drives the work, not output. That requires understanding the user's problem deeply enough to recognize when the solution misses, even if it looks correct on the surface. AI handles the translation from intent to code. The PO handles the validation that the intent was correct in the first place.&lt;/p&gt;

&lt;h2&gt;
  
  
  Getting a Second Opinion
&lt;/h2&gt;

&lt;p&gt;One discipline I've adopted: never trust a single AI session for anything that matters.&lt;/p&gt;

&lt;p&gt;When I use an AI to help build a plan, a product strategy, a sprint scope, a prioritization framework, I spin up a separate instance and give it an adversarial prompt. "Find the holes in this plan. What am I not seeing? What assumptions haven't been tested?"&lt;/p&gt;

&lt;p&gt;The reason for a separate instance is that the first session has context bias. It helped build the plan, so it's predisposed to defend it. A fresh instance approaches the work cold, the way a skeptical colleague would. The PO's role here isn't to accept either model's opinion as final. It's to hold both outputs and make the judgment call.&lt;/p&gt;

&lt;h2&gt;
  
  
  Game You're Playing
&lt;/h2&gt;

&lt;blockquote&gt;
&lt;p&gt;The resistance to AI in product roles usually comes from the same place it comes from everywhere: fear that the tool replaces the person. But the PO who thinks AI replaces them is confusing the output with the outcome.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;AI can generate a specification. It can categorize 600 blog posts. It can produce a working prototype from a Gherkin scenario. It cannot tell you whether any of those outputs solve the right problem for the right user.&lt;/p&gt;

&lt;p&gt;That judgment is the PO's job. AI makes product owners faster at everything around it. The Product Owner of the future is not a "human typewriter" transcribing requirements. You are a &lt;strong&gt;"Badass Maker"&lt;/strong&gt; (in the spirit of Kathy Sierra). Your goal is not to master the tool, but to use the tool to make your users and your team awesome.&lt;/p&gt;

&lt;p&gt;I keep coming back to a question: what is the prize of the game you're playing? Are you playing to produce output, or are you playing to create impact? If it's impact, then AI is the best tool a PO has ever been handed. Not because it does the work, but because it clears the path to the work that only a human can do.&lt;/p&gt;

&lt;p&gt;As for me: I do not play to win. I play to learn. If you focus on learning and impact, the win takes care of itself.&lt;/p&gt;




&lt;h2&gt;
  
  
  Learn More
&lt;/h2&gt;

&lt;p&gt;If your product team is exploring how to build AI into their workflow, &lt;a href="https://www.improving.com/services/training/ai/" rel="noopener noreferrer"&gt;Improving's AI training programs&lt;/a&gt; are designed for exactly this—practical, role-based, and focused on adoption that sticks.&lt;/p&gt;

&lt;p&gt;For any comments or suggestions on this article, find Claudio on &lt;a href="https://www.linkedin.com/in/claudiolassala/" rel="noopener noreferrer"&gt;LinkedIn&lt;/a&gt;.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>Mexico, Memories, and my Improving 100 Experience</title>
      <dc:creator>Improving</dc:creator>
      <pubDate>Thu, 09 Jul 2026 11:00:53 +0000</pubDate>
      <link>https://dev.to/improving/mexico-memories-and-my-improving-100-experience-1160</link>
      <guid>https://dev.to/improving/mexico-memories-and-my-improving-100-experience-1160</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;"Mexico in June with +1 😄 Congrats!"&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;That was the message my manager sent me at midnight back in February after an All-Hands Meeting concluded. I remember I had a late-night client call that day and was planning to catch up on the AHM the next morning.&lt;/p&gt;

&lt;p&gt;Well, I didn't know that I had missed something really important in the AHM. Turns out I was selected as one of the &lt;strong&gt;winners for the Improving 100 award&lt;/strong&gt; under community impact category - &lt;em&gt;first one from Improving India&lt;/em&gt;. And the reward was an &lt;strong&gt;all-expense paid trip to Cancun&lt;/strong&gt; - &lt;em&gt;I had to open Google Maps to find where it was!&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;While finding a +1 was the most challenging task (&lt;em&gt;spoiler, I went solo&lt;/em&gt;), the travel blogger in me was already planning the itinerary to Teotihuacan and Chichen Itza!&lt;/p&gt;

&lt;h2&gt;
  
  
  Improving100 - What is it?
&lt;/h2&gt;

&lt;p&gt;Improving100 is Improving's employee recognition program where they select and reward best performing individuals for the year across 22+ offices around the globe in the following categories:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Community Impact&lt;/li&gt;
&lt;li&gt;Business Growth&lt;/li&gt;
&lt;li&gt;Delivery Excellence&lt;/li&gt;
&lt;li&gt;Technical Innovation&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;One of the highlights of this program is that employees nominate their peers - &lt;em&gt;so anyone can nominate anyone&lt;/em&gt; - and the decision comes from leadership, who does the due diligence. That makes the recognition even more special.&lt;/p&gt;

&lt;h2&gt;
  
  
  India to Mexico - My 18th Country
&lt;/h2&gt;

&lt;p&gt;I've been fortunate that my work has provided me opportunities to travel across the world - &lt;em&gt;USA, France, Netherlands, UK and Sri Lanka&lt;/em&gt; - to name a few. Mexico was never in the cards, so, I was super excited for this trip.&lt;/p&gt;

&lt;p&gt;There are no direct flights from India to Mexico, so you either do a stopover in the US or Europe. I chose to go via US and did a stopover in New York - &lt;em&gt;where I facilitated a &lt;a href="https://www.linkedin.com/posts/atulpriyasharma_kcdnewyork-kcd-platformengineering-ugcPost-7470655041188835328-6kkB" rel="noopener noreferrer"&gt;round table on Platform Engineering at Kubernetes Community Days New York&lt;/a&gt;&lt;/em&gt; - before heading to Mexico City.&lt;/p&gt;

&lt;p&gt;That's where I was joined by my other teammates from Improving India - &lt;em&gt;Bhavin Gandhi, Deeksha Sharma and Shehbaz Pathan&lt;/em&gt; - who had also won the Improving100 award.&lt;/p&gt;

&lt;p&gt;We all spent a few days in Mexico City exploring the pyramids at Teotihuacan, tasting some Tequila, eating some authentic Tacos and Enchiladas and soaking in the 2026 Fifa world cup fever before heading to Cancun for the retreat.&lt;/p&gt;

&lt;h2&gt;
  
  
  Improving100 Gathering - The Best One Can Ask For
&lt;/h2&gt;

&lt;p&gt;We work remotely here at Improving India, which means we see most of our colleagues on our 15inch displays on a Teams call. So, this opportunity to meet people in person was exciting. For most of us from Improving India, it was our first time in the country, and also the first-time meeting Improvers from across the globe.&lt;/p&gt;

&lt;p&gt;We were put up in one the fanciest resorts that I had ever been to. A sea facing room with plush amenities, anyone would want to work hard to earn that luxury. There was a dedicated check-in only for Improvers as it was a massive group coming in. We were handed over our goody bags that included snacks, electrolytes, sunscreen and a cap - everything that one would need for Cancun.&lt;/p&gt;

&lt;p&gt;Later in the evening, we had the welcome reception hosted by our US Managing Director Scott McMichael and CEO Curtis Hite. I was fortunate to have met Scott earlier in Atlanta, and he has an infectious energy! I also got to meet so many people during the welcome reception, some of them who I was meeting for the first time and a few who I had already interacted with virtually.&lt;/p&gt;

&lt;h3&gt;
  
  
  Excursions - Mexican Cooking Experience
&lt;/h3&gt;

&lt;p&gt;One of the best things about the Improving100 outing was the excursion activities that each Improver had to choose from. These included deep sea fishing, sailing, golfing and Mexican cooking to name a few. For those of you who don't know, I love cooking and the moment I got the list to choose my activity, I opted for Mexican Cooking.&lt;/p&gt;

&lt;p&gt;We were about 20 of us for this activity, some of them familiar faces while some new who I interacted with during the day. The activity started by Margarita making and me being a teetotaller, made a non-alcoholic one. That was followed by group salsa making activity which was super fun! The ingredients and utensils used were very Indian, so I'm going to make one at home soon! I also learned to make tortillas, which is very similar to the Indian Roti, but with a different dough.&lt;/p&gt;

&lt;p&gt;Later, we hopped on a bus to go on a taco tour. We headed to one of the popular taco places in downtown. We started with a Cantarito making session followed by taco tasting. Being a vegetarian, I was served a cactus taco, and these were delicious! It was my first time have cactus, and it felt so much like &lt;em&gt;Ivy Gourd, Tindora or Dondakaya&lt;/em&gt; that we have back in India. We completed the tour by playing a game of Loteria, which is the Mexican variant of Bingo.&lt;/p&gt;

&lt;h3&gt;
  
  
  Award Night - Sky Full of Stars
&lt;/h3&gt;

&lt;p&gt;It was the last day and the most important one, as it was the award night. We had Improvers coming in their best outfits for the ultimate night of the outing. The stage was set in the beautiful resort with &lt;a href="https://www.youtube.com/watch?v=VPRjCeoBqrI" rel="noopener noreferrer"&gt;A Sky Full of Stars&lt;/a&gt; - &lt;em&gt;I saw the setup and had this song playing on loop in my head!&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Scott started the proceedings, followed by the recognitions. It was great to see the energy and genuine appreciation by everyone present there. We had group and individual photos taken post the award session, after which the dance floor was open.&lt;/p&gt;

&lt;p&gt;The DJ started with some English music, and we were just stepping around the dance floor. And just then we heard a familiar beat, and our DJ decided to play a popular Hindi song. That's when us India Improvers all got in the groove and taught some Bollywood moves to other Improvers, some of whom were already fans of Shah Rukh and Aamir Khan!&lt;/p&gt;

&lt;p&gt;It was surely one of the best evenings of the event.&lt;/p&gt;

&lt;h2&gt;
  
  
  More Than Just a Trip
&lt;/h2&gt;

&lt;p&gt;Looking back, this Mexico experience wasn't just about the stunning landscapes, vibrant culture, or unforgettable food. It was about what it represented. It stood as a reminder that meaningful recognition goes beyond certificates or awards; it creates memories, builds connections, and leaves a lasting impact. A huge shout out to Emily Rosselle and the larger team for planning such a beautiful event!&lt;/p&gt;

&lt;p&gt;Without a doubt, this has been one of the best employee recognition programs I've ever experienced.&lt;/p&gt;

&lt;p&gt;From exploring new places to stepping outside my everyday routine, this trip gave me a chance to reflect, recharge, and truly appreciate the journey - &lt;em&gt;both personal and professional&lt;/em&gt; - that led here.&lt;/p&gt;

&lt;p&gt;If you'd like to experience Mexico through my lens, I've shared highlights and moments from the trip on my &lt;a href="https://instagram.com/atulmaharaj" rel="noopener noreferrer"&gt;Instagram&lt;/a&gt;. Do check out the highlights - &lt;em&gt;I've tried to capture not just the places, but the energy, the people, and the stories that made this trip unforgettable.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;If you're interested in following what I'm working on next - &lt;em&gt;across tech, travel, and everything in between&lt;/em&gt; - let's connect on &lt;a href="https://linkedin.com/in/atulpriyasharma" rel="noopener noreferrer"&gt;LinkedIn&lt;/a&gt;. I'd love to stay in touch and share more of the journey.&lt;/p&gt;

&lt;p&gt;Here's to more such experiences, more stories, and more reasons to celebrate the work we do. If you like this, &lt;a href="https://www.improving.com/careers/open-positions/" rel="noopener noreferrer"&gt;join our team&lt;/a&gt;, as we are always looking for talented, fun folks to join us.&lt;/p&gt;




&lt;p&gt;&lt;em&gt;Originally published on &lt;a href="https://www.improving.com/thoughts/mexico-memories-improving-100-experience/" rel="noopener noreferrer"&gt;Improving.com&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;

</description>
    </item>
    <item>
      <title>Your Prompt Is a Cross-Border Data Transfer</title>
      <dc:creator>Improving</dc:creator>
      <pubDate>Thu, 09 Jul 2026 10:59:13 +0000</pubDate>
      <link>https://dev.to/improving/your-prompt-is-a-cross-border-data-transfer-39k9</link>
      <guid>https://dev.to/improving/your-prompt-is-a-cross-border-data-transfer-39k9</guid>
      <description>&lt;p&gt;Every time you hit Enter on an AI chatbot, you are signing off on a data transfer with your prompt. Most probably, you have no idea where that data went, which tools it touched, or whether it crossed a border on its way to receive the response.&lt;/p&gt;

&lt;p&gt;In this blog post, I will walk you through this observability problem and solution in details, including why AI sovereignty is suddenly an architecture concern, why on-prem alone does not solve it, what OpenTelemetry's GenAI semantic conventions actually give you today, and how an "AI Receipt" demo I built turns the black box into something you can audit.&lt;/p&gt;

&lt;h2&gt;
  
  
  GenAI Stack: Four Capabilities, Growing Data Footprint
&lt;/h2&gt;

&lt;p&gt;GenAI is not a chatbot anymore. What we deploy in production today is a stack of four capabilities, and each one widens the data footprint:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Chatbot:&lt;/strong&gt; The model reasons for your prompt and answers from its weights alone.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;RAG:&lt;/strong&gt; The model retrieves context from your documents first, then answers grounded in what it found.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;MCP:&lt;/strong&gt; The model uses &lt;a href="https://modelcontextprotocol.io/" rel="noopener noreferrer"&gt;external tools&lt;/a&gt; - APIs, search engines, and databases, to do real work in external systems.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Agents:&lt;/strong&gt; The model plans which of the above to invoke, chains them together, and acts without a human in the loop.&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;By the time you are running an agent, a single user prompt can fan out into a dozen calls across vector stores, internal APIs, and third-party services. That fan-out is where the sovereignty question gets uncomfortable.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Data is Already Moving. Quietly.
&lt;/h2&gt;

&lt;p&gt;Data movement without visibility is already happening in the data sensitive places: government services, banking chatbots, telecom log analysis, healthcare claims processing, and the customer support bots you talked to yesterday.&lt;/p&gt;

&lt;p&gt;One user request fans out into multiple data transfers, and most of them leave the home region without the user (or often the operator) noticing.&lt;/p&gt;

&lt;p&gt;According to &lt;a href="https://go.layerxsecurity.com/hubfs/LayerX_Enterprise_AI_and_SaaS_Data_Security_Report.pdf" rel="noopener noreferrer"&gt;LayerX's 2025 Enterprise AI and SaaS Data Security Report&lt;/a&gt;, based on real browser telemetry from enterprises:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;45% of enterprise users are actively using AI tools.&lt;/li&gt;
&lt;li&gt;77% of employees paste data into GenAI tools.&lt;/li&gt;
&lt;li&gt;40% of files uploaded into GenAI tools contain PII or PCI data.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The report calls GenAI the single largest channel for corporate-to-personal data exfiltration, accounting for 32% of all such movement. 67% of that AI usage happens through unmanaged personal accounts, which means most enterprises cannot see it even when it is happening on their own networks.&lt;/p&gt;

&lt;p&gt;This is the unmanaged surface. The managed surface, where you are deliberately building agents for production, is bigger and more invisible, because the data movement happens inside your own stack instead of on someone's laptop.&lt;/p&gt;

&lt;p&gt;For companies shipping in AI regulated industries, the residency and visibility of the data become a central architecture question.&lt;/p&gt;

&lt;p&gt;Pressing Enter feels local, but it is not. Your prompt may hit a model hosted in another region, get enriched by an MCP tool calling a SaaS API in a third region, and return through a logging pipeline in a fourth. Each of those hops is, technically and legally, a cross-border data transfer.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why Sovereignty, Why Now?
&lt;/h2&gt;

&lt;p&gt;Three things have collided in the last eighteen months: public trust in AI is shaky, regulators are no longer waiting, and enterprises are realizing that their AI roadmaps are tied to providers they cannot fully audit.&lt;/p&gt;

&lt;p&gt;On the trust side, the &lt;a href="https://assets.kpmg.com/content/dam/kpmgsites/xx/pdf/2025/05/trust-attitudes-and-use-of-ai-global-report.pdf" rel="noopener noreferrer"&gt;2025 KPMG and University of Melbourne global study&lt;/a&gt; found that:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;54% of respondents are wary about trusting AI.&lt;/li&gt;
&lt;li&gt;70% believe regulation is necessary.&lt;/li&gt;
&lt;li&gt;Only 43% believe current laws are adequate.&lt;/li&gt;
&lt;li&gt;76% expect international laws to govern AI.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The mandate for visible, accountable AI is not coming from a niche advocacy corner; it is the default public position.&lt;/p&gt;

&lt;p&gt;On the regulatory side, the rules are arriving faster than most architecture reviews can absorb.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;The EU AI Act's high-risk obligations begin to apply in August 2026.&lt;/li&gt;
&lt;li&gt;The European Commission tabled the &lt;a href="https://www.grosswald.org/european-commission-cloud-ai-development-act-four-level-sovereignty-framework-defence-procurement/" rel="noopener noreferrer"&gt;Cloud and AI Development Act&lt;/a&gt; on 3 June 2026.&lt;/li&gt;
&lt;li&gt;In India, the &lt;a href="https://www.meity.gov.in/static/uploads/2024/06/2bf1f0e9f04e6fb4f8fef35e82c42aa5.pdf" rel="noopener noreferrer"&gt;DPDP Act and the DPDP Rules 2025&lt;/a&gt; were notified in November 2025 and are now rolling out in phases.&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://www.morganlewis.com/pubs/2025/06/china-issues-new-national-standard-on-security-requirements-for-sensitive-personal-information" rel="noopener noreferrer"&gt;China continues to tighten&lt;/a&gt; data export controls, and the US is moving in a different direction with deregulation pushes.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The net effect for any multinational is that there is no longer one global AI policy; there are several, and they are not aligned.&lt;/p&gt;

&lt;h3&gt;
  
  
  Real-World Cases
&lt;/h3&gt;

&lt;p&gt;A handful of concrete cases make the pattern visible:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;HPCL (India, oil and gas)&lt;/strong&gt; moved &lt;a href="https://www.youtube.com/watch?v=sY3TfVBQVb8&amp;amp;t=1957s" rel="noopener noreferrer"&gt;AI workloads on-premise&lt;/a&gt;. The headline reason is security around National Critical Information Infrastructure, but the two reasons that surprised me were cost predictability (per-token cloud pricing made budgeting impossible at scale) and avoiding lock-in to any single hyperscaler's pricing curve.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;NABARD (India, agricultural finance)&lt;/strong&gt; &lt;a href="https://www.youtube.com/watch?v=sY3TfVBQVb8&amp;amp;t=1957s" rel="noopener noreferrer"&gt;went on-prem for what their CGM called "strategic independence,"&lt;/a&gt; and to comply with the financial data localization requirements of the DPDP Act. They did not want their agri-finance data sitting in someone else's region, and they did not want their AI roadmap held hostage to a foreign provider's API decisions.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;The Bundeswehr (Germany, defence)&lt;/strong&gt; &lt;a href="https://www.grosswald.org/european-commission-cloud-ai-development-act-four-level-sovereignty-framework-defence-procurement/" rel="noopener noreferrer"&gt;declined to use Palantir&lt;/a&gt; for its military cloud and AI project and is actively examining European alternatives - a decision driven less by capability than by the desire for non-US-controlled tooling for sensitive workloads.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;EU public-sector procurement&lt;/strong&gt; is being restructured around the four-level sovereignty framework, which means any vendor selling into critical European workloads will need an answer to "where exactly does the data go" that holds up to audit.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The &lt;a href="https://www.linuxfoundation.org/hubfs/Research%20Reports/lfr_sovereign_ai25_082525a.pdf" rel="noopener noreferrer"&gt;Linux Foundation's 2025 Sovereign AI research report&lt;/a&gt; and &lt;a href="https://huggingface.co/blog/frimelle/sovereignty-and-open-source" rel="noopener noreferrer"&gt;Hugging Face's writing on sovereignty and open source&lt;/a&gt; reach the same conclusion from different angles: control over models, data, and infrastructure is now a first-class architectural concern, not a procurement footnote.&lt;/p&gt;

&lt;h2&gt;
  
  
  Four Layers of Sovereignty
&lt;/h2&gt;

&lt;p&gt;There are four layers of AI sovereignty, and when people say, "sovereign AI", they usually mean one of these four things. Treating them as one bucket is what gets architectures into trouble.&lt;/p&gt;

&lt;h3&gt;
  
  
  The Four Layers
&lt;/h3&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Data sovereignty:&lt;/strong&gt; Does the data stay inside our borders? This is the question your local data protection law - whether that is GDPR, CCPA, LGPD, PIPL, or DPDP - is designed to answer.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Tech sovereignty:&lt;/strong&gt; Do we own the IP, or are we renting it? If the vendor changes terms, can we keep operating?&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Operational sovereignty:&lt;/strong&gt; Can a foreign entity switch our tech off? If a major hosted-AI provider has a regional outage tomorrow, does your critical service degrade with it?&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;AI sovereignty:&lt;/strong&gt; Does the model understand our context, our languages, our values? A model trained predominantly on one language and culture will not serve a government or enterprise operating in a different linguistic and regulatory context well, no matter where the weights are stored.&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;You can get data sovereignty right and still fail on operational sovereignty. You can host your own model and still leak data through a tool call. These layers need to be reasoned about separately.&lt;/p&gt;

&lt;h2&gt;
  
  
  Build vs Buy: The Practical Path
&lt;/h2&gt;

&lt;p&gt;Once you take care of four layers of sovereignty, the next step could be to build everything from scratch: your own model, your own infrastructure, your own toolchain. It gives you complete control, but it also stalls every other engineering priority while you reinvent commodity infrastructure that hosted providers have already polished for years.&lt;/p&gt;

&lt;p&gt;The opposite reaction is what most teams actually do. They pick the fastest hosted API, ship the feature, and treat sovereignty as a problem for next quarter. Velocity stays high, but it leaves you with no real answer when the auditor or security team asks where the data actually went on each request.&lt;/p&gt;

&lt;p&gt;The practical path is to make different choices at different layers of the stack.&lt;/p&gt;

&lt;h3&gt;
  
  
  Bringing it In-house: BYO-GPU
&lt;/h3&gt;

&lt;p&gt;The Bring-Your-Own-GPU pattern has matured over the last year for the layers where you want maximum control. Deploy the model on your own hardware, your own Kubernetes cluster, and route prompts it the same way you would route any other internal service.&lt;/p&gt;

&lt;p&gt;The toolchain for this is now genuinely good:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Kubernetes&lt;/strong&gt; for orchestration&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://docs.vllm.ai/" rel="noopener noreferrer"&gt;&lt;strong&gt;vLLM&lt;/strong&gt;&lt;/a&gt; for high-throughput inference serving&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://developer.nvidia.com/nim" rel="noopener noreferrer"&gt;&lt;strong&gt;NVIDIA NIM&lt;/strong&gt;&lt;/a&gt; for packaged, production-ready model microservices&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://github.com/ai-dynamo/dynamo" rel="noopener noreferrer"&gt;&lt;strong&gt;NVIDIA Dynamo&lt;/strong&gt;&lt;/a&gt; for multi-node, disaggregated inference at scale&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The operating rule is simple: prompts and training data never leave the data center.&lt;/p&gt;

&lt;h3&gt;
  
  
  The Infrastructure Gap: We Have the Infrastructure. We Lack the Trace.
&lt;/h3&gt;

&lt;p&gt;You can host your model locally, lock down your VPC, and still leak data on every request. Why? Because the moment you put an agent in front of that model, the agent starts calling MCP tools including a web search tool, weather API, third-party CRM, and SaaS knowledge base. Each of those calls can, and often does, leave your region.&lt;/p&gt;

&lt;p&gt;The local LLM is not the leak. The agent's tool calls are. And without instrumentation at the request level, you have no idea it is happening.&lt;/p&gt;

&lt;h2&gt;
  
  
  What OpenTelemetry's GenAI Semantic Conventions Actually Give You
&lt;/h2&gt;

&lt;p&gt;OpenTelemetry GenAI special interest group has been filling in the gaps for AI workloads specifically. As of writing, the umbrella &lt;a href="https://opentelemetry.io/docs/specs/semconv/" rel="noopener noreferrer"&gt;Semantic Conventions release&lt;/a&gt; is at v1.41.0, but the &lt;a href="https://opentelemetry.io/docs/specs/semconv/gen-ai/" rel="noopener noreferrer"&gt;GenAI conventions&lt;/a&gt; inside it is still marked &lt;strong&gt;Development&lt;/strong&gt; status, with v1.36.0 acting as the stability baseline for existing instrumentations. That said, even in its current form it gives you enough vocabulary to instrument a real agent pipeline.&lt;/p&gt;

&lt;h3&gt;
  
  
  Five Signal Categories
&lt;/h3&gt;

&lt;p&gt;The spec covers five signal categories for GenAI observability:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Model spans:&lt;/strong&gt; A span for every call to an LLM. Operation name (chat, text_completion, embeddings, generate_content), model name, provider, token usage, parameters.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Agent spans:&lt;/strong&gt; A span for the agent layer itself. Distinguishes create_agent and invoke_agent from a raw chat completion, so an orchestrator's reasoning step is visible separately from the underlying LLM call.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Events:&lt;/strong&gt; Per-step lifecycle records captured as span events, useful when you want fine-grained timeline data without bloating span attributes.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Metrics:&lt;/strong&gt; Token usage histograms, request duration, time to first token, all as proper OTel metrics you can chart in Prometheus or Grafana.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Exceptions:&lt;/strong&gt; Standard semantic conventions for capturing GenAI errors (timeouts, model errors, tool errors) with a consistent error type vocabulary.&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;There are vendor-specific conventions on top of this for &lt;a href="https://opentelemetry.io/docs/specs/semconv/gen-ai/anthropic/" rel="noopener noreferrer"&gt;Anthropic&lt;/a&gt;, &lt;a href="https://opentelemetry.io/docs/specs/semconv/gen-ai/openai/" rel="noopener noreferrer"&gt;OpenAI&lt;/a&gt;, &lt;a href="https://opentelemetry.io/docs/specs/semconv/gen-ai/aws-bedrock/" rel="noopener noreferrer"&gt;AWS Bedrock&lt;/a&gt;, and &lt;a href="https://opentelemetry.io/docs/specs/semconv/gen-ai/azure-ai-inference/" rel="noopener noreferrer"&gt;Azure AI Inference&lt;/a&gt;, so instrumentation for those providers can layer system-specific detail (request IDs, finish reasons, system fingerprints) without diverging from the core spec.&lt;/p&gt;

&lt;h3&gt;
  
  
  Attributes That Matter
&lt;/h3&gt;

&lt;p&gt;In practice, a handful of attributes do most of the work. The ones I instrumented in the demo below, all directly from the spec, are:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;code&gt;gen_ai.request.model&lt;/code&gt; - The model name&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;gen_ai.request.model.id&lt;/code&gt; - Model version or full identifier&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;gen_ai.request.top_k&lt;/code&gt;, &lt;code&gt;gen_ai.request.top_p&lt;/code&gt; - Sampling parameters&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;gen_ai.response.model.id&lt;/code&gt; - Response model identifier&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;gen_ai.usage.input_tokens&lt;/code&gt; - Tokens consumed&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;gen_ai.usage.output_tokens&lt;/code&gt; - Tokens generated&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;gen_ai.operation.name&lt;/code&gt; - chat, text_completion, embeddings, etc.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Tracing Tool Calls: MCP Semantic Conventions
&lt;/h3&gt;

&lt;p&gt;The OpenTelemetry project has &lt;a href="https://opentelemetry.io/docs/specs/semconv/gen-ai/mcp/" rel="noopener noreferrer"&gt;a dedicated semantic conventions spec for Model Context Protocol&lt;/a&gt; as a sub-area of the GenAI conventions, and this is the part that is most directly useful for the cross-border data transfer problem.&lt;/p&gt;

&lt;p&gt;The MCP conventions define a Client span and a Server span for every MCP request. Both carry the same core attributes:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;code&gt;mcp.method.name&lt;/code&gt; - The JSON-RPC method (tools/call, initialize, prompts/get, resources/read, and so on)&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;mcp.session.id&lt;/code&gt; - So you can group every call from one MCP session together&lt;/li&gt;
&lt;li&gt;&lt;code&gt;mcp.protocol.version&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;gen_ai.tool.name&lt;/code&gt; and &lt;code&gt;gen_ai.operation.name = execute_tool&lt;/code&gt; when the call is a tool invocation&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;mcp.resource.uri&lt;/code&gt; when a resource is being read&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The detail that most teams miss is &lt;strong&gt;context propagation&lt;/strong&gt;. MCP runs on top of &lt;a href="https://www.jsonrpc.org/specification" rel="noopener noreferrer"&gt;JSON-RPC&lt;/a&gt;, and JSON-RPC has no native trace context mechanism. The OTel spec recommends injecting traceparent and tracestate (and baggage, if you use it) into the MCP request's params._meta field, so the receiving server can pick up the parent context and continue the trace, following the &lt;a href="https://www.w3.org/TR/trace-context/" rel="noopener noreferrer"&gt;W3C Trace Context&lt;/a&gt; standard.&lt;/p&gt;

&lt;h3&gt;
  
  
  What You Still Have to Add Yourself
&lt;/h3&gt;

&lt;p&gt;OpenTelemetry does not currently define a "where did this data go geographically" attribute set. That is the gap we're most interested in. The standard resource attributes (cloud.region, cloud.provider, service.name) get you part of the way for the services you own, but they say nothing about whether a span represents a cross-border movement.&lt;/p&gt;

&lt;p&gt;For the demo below, I added a small custom namespace on top of the standard GenAI attributes:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight properties"&gt;&lt;code&gt;&lt;span class="err"&gt;data.sovereignty.source_region&lt;/span&gt;        &lt;span class="c"&gt;# US-EAST
&lt;/span&gt;&lt;span class="err"&gt;data.sovereignty.destination_region&lt;/span&gt;   &lt;span class="c"&gt;# IN-MUMBAI
&lt;/span&gt;&lt;span class="err"&gt;data.sovereignty.cross_border&lt;/span&gt;         &lt;span class="c"&gt;# true
&lt;/span&gt;&lt;span class="err"&gt;data.sovereignty.alert&lt;/span&gt;                &lt;span class="c"&gt;# "Data crosses border: US-EAST -&amp;gt; IN-MUMBAI"
&lt;/span&gt;&lt;span class="err"&gt;data.sovereignty.home_region&lt;/span&gt;          &lt;span class="c"&gt;# US-EAST (resource attribute)
&lt;/span&gt;&lt;span class="err"&gt;data.classification&lt;/span&gt;                   &lt;span class="c"&gt;# internal | pii | confidential
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Five attributes, derived from comparing the prefix of source and destination regions. Nothing fancy. But together with the standard gen_ai.* and mcp.* attributes, it is enough to flag every span where data left the home region, and to produce a per-request compliance verdict. This is the kind of layer that belongs to a community-driven standard eventually.&lt;/p&gt;

&lt;h2&gt;
  
  
  "AI Receipt" Demo
&lt;/h2&gt;

&lt;p&gt;I built a working demo that puts all of the above together. The point of the project is to treat AI traces the way payment systems treat transactions. Every prompt gets a receipt that tells you exactly what happened on the data's journey.&lt;/p&gt;

&lt;h3&gt;
  
  
  Architecture
&lt;/h3&gt;

&lt;p&gt;The demo runs as a small set of Docker Compose services, all instrumented with OTel:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;You → AI Gateway (8000) → Agent Service (8004) → MCP Server (8002) ─┐
                       └→ LLM Router (8003) → Ollama (local) / Gemini (cloud)
                       └→ RAG Service (8001)                          │
All services → OTLP → OTel Collector → Jaeger ←──── AI Gateway parses
                                                     → AI Receipt JSON
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The AI Gateway does intent detection and orchestration. The Agent Service is the multi-agent variant: it spawns three sub-agents (Policy Advisor, Document Analyst, Action Processor) that run in parallel and each call different MCP tools. The MCP server hosts nine functional tools (policy lookup, currency conversion, document search, PII scanning, GDPR compliance check, timezone conversion, port checking, log analysis, metrics calculation). Each tool is tagged with a deliberate region: most are US-EAST, but pii_scanner and compliance_checker sit in EU-FRANKFURT, and timezone_converter and port_checker sit in US regions, so the demo can actually demonstrate cross-border flows.&lt;/p&gt;

&lt;p&gt;The LLM Router toggles between Ollama (local, US-EAST, runs on your host) and Gemini (cloud, US-EAST-1). Traces flow through a &lt;a href="https://opentelemetry.io/docs/collector/" rel="noopener noreferrer"&gt;OpenTelemetry Collector&lt;/a&gt; configured with the standard OTLP gRPC receiver and a Jaeger exporter, plus a small attributes processor that stamps a demo version onto every span.&lt;/p&gt;

&lt;h3&gt;
  
  
  What Happens When You Send a Prompt
&lt;/h3&gt;

&lt;p&gt;Each request walks through the same sequence:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;You submit a prompt&lt;/strong&gt; through the frontend chat panel.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;AI Gateway receives the request,&lt;/strong&gt; opens a root OTel span tagged with the home region (US-EAST-1), and runs a quick intent-detection step to decide whether the prompt needs the multi-agent path, the RAG path, or a direct LLM call.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Agent Service plans the work,&lt;/strong&gt; spawns its sub-agents in parallel, and each sub-agent issues with MCP tool calls. Every MCP call gets its own child span with gen_ai.operation.name = execute_tool, gen_ai.tool.name, and sovereignty annotations describing the tool's region.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;LLM Router picks the model.&lt;/strong&gt; If the Local LLM toggle is on, the call goes to Ollama on the host (US-EAST-1). If it is off, the call goes to Gemini (for e.g, europe-west1), and the span is tagged data.sovereignty.cross_border = true with the destination region.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;All spans are exported&lt;/strong&gt; via OTLP to the OTel Collector, which adds the demo version attribute and forwards them to Jaeger.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;AI Gateway closes the loop.&lt;/strong&gt; Once the trace flushes, it queries Jaeger's HTTP API for the trace ID, walks the spans, and filters to the ones carrying sovereignty, GenAI, or MCP attributes. From those spans it computes the receipt.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Receipt is returned&lt;/strong&gt; to the frontend, where the chat panel renders the natural-language answer and the receipt tab renders the structured compliance report.&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;h3&gt;
  
  
  What the Receipt Actually Shows
&lt;/h3&gt;

&lt;p&gt;When you send a prompt with tracing enabled, the AI Gateway waits for the trace to flush, queries Jaeger's HTTP API for the trace ID, and walks the spans. It filters to spans that carry sovereignty annotations, GenAI attributes, or MCP attributes (so it ignores generic auto-instrumentation noise), then builds a structured report:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Total steps:&lt;/strong&gt; Every meaningful span in the trace.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;In-region count:&lt;/strong&gt; How many stayed in US_EAST.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Cross-border count:&lt;/strong&gt; How many had data.sovereignty.cross_border = true, with the destination region.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;PII detected:&lt;/strong&gt; Whether the prompt itself contained PII patterns (Aadhaar, PAN, email, phone, SSN).&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Compliance verdict:&lt;/strong&gt; FULL, PARTIAL, or NON-COMPLIANT against DPDPA, GDPR, and data localization rules.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Running It
&lt;/h3&gt;

&lt;p&gt;&lt;strong&gt;Prerequisites:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Docker&lt;/li&gt;
&lt;li&gt;Docker Compose&lt;/li&gt;
&lt;li&gt;Ollama (runs on your host, not inside Docker)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Start it up by running the following commands:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;ollama pull qwen2.5:1.5b
docker compose up &lt;span class="nt"&gt;--build&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;You can access the frontend at &lt;a href="http://localhost:3000" rel="noopener noreferrer"&gt;http://localhost:3000&lt;/a&gt;, Jaeger UI at &lt;a href="http://localhost:16686" rel="noopener noreferrer"&gt;http://localhost:16686&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;The frontend has a chat panel, a Data Flow visualization that animates the agent's tool calls, and a receipt tab that decodes the trace into the sovereignty report. Flip DEMO_MODE=false in .env and add a GEMINI_API_KEY to see real cloud calls.&lt;/p&gt;

&lt;p&gt;The demo repository is here: &lt;a href="https://github.com/sudhanshu456/ai-sovereignty-demo" rel="noopener noreferrer"&gt;AI Sovereignty Demo&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Beyond the Trace: Confidential Computing
&lt;/h2&gt;

&lt;p&gt;OpenTelemetry tells you where the data went. It does not protect the data while it is in flight or in memory at the destination. For workloads where even a verified destination is not enough (the agent runs inside a trusted region but on a multi-tenant GPU node, for example), confidential computing is the layer that comes next. The Confidential Computing Consortium has a recent piece on &lt;a href="https://confidentialcomputing.io/2026/01/20/protecting-agentic-ai-workloads-with-confidential-computing/" rel="noopener noreferrer"&gt;protecting agentic AI workloads with confidential computing&lt;/a&gt; that pairs well with the observability story here. Trace what moves; encrypt what is in use.&lt;/p&gt;

&lt;h2&gt;
  
  
  Where This is Heading
&lt;/h2&gt;

&lt;p&gt;AI Receipt is one proof-of-concept of a broader pattern. The pattern itself is what matters more than the specific implementation: &lt;strong&gt;sovereignty observability&lt;/strong&gt; is becoming a first-class layer of the AI stack, alongside model serving, retrieval, and agent orchestration.&lt;/p&gt;

&lt;p&gt;A few things look likely from here:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Cross-border attributes will become standard:&lt;/strong&gt; OpenTelemetry already has resource attributes for cloud regions; what is missing is a community-driven attribute set that says, per span, whether the operation crossed a regulatory boundary and which one. That work will probably happen inside the OTel GenAI SIG over the next year, and the sooner enterprises start emitting their own attributes (whatever you call them), the easier the migration will be when the standard lands.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Receipts will move from afterthought to contract:&lt;/strong&gt; Today, most AI systems generate a response and call it done. Regulated industries will start expecting a verifiable artefact per request: span-level, signed, and inspectable by the auditor without needing access to the underlying system. Payment networks did this thirty years ago; AI invocations are heading the same way.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Trace what moves, encrypt what is in use:&lt;/strong&gt; Observability tells you where the data went. Confidential computing protects the data while it is being processed at the destination. The two layers are complements, not alternatives. Expect them to converge into a single sovereignty-and-attestation story over the next couple of years.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Audit layer will be open by default:&lt;/strong&gt; No regulated enterprise wants its compliance posture to depend on a single vendor's proprietary dashboard. Open standards (OpenTelemetry), open instrumentation, and open audit logic are how this stays workable across jurisdictions and providers.&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;You do not have to choose between shipping AI and being sovereign. You do have to be willing to instrument what you ship, so that when the regulator, the auditor, or your own security team asks where the data went, you can answer with a receipt.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Don't just trust your AI. Trace it.&lt;/strong&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  Keep the Conversation Going
&lt;/h2&gt;

&lt;p&gt;If you found this useful, the &lt;a href="https://github.com/sudhanshu456/ai-sovereignty-demo" rel="noopener noreferrer"&gt;demo repo&lt;/a&gt; is open, contributions and issues are welcome. You can connect with me on &lt;a href="https://www.linkedin.com/in/sudhanshu212/" rel="noopener noreferrer"&gt;LinkedIn&lt;/a&gt; to discuss sovereign AI, GenAI observability, or where any of this falls apart in your environment.&lt;/p&gt;

&lt;p&gt;Data sovereignty is a critical consideration as organizations begin integrating AI into their operations. Decisions around where data resides, how it is processed, and who has access to it can have significant implications for security, compliance, and governance. Our AI and &lt;a href="https://www.improving.com/expertise/data/" rel="noopener noreferrer"&gt;data experts&lt;/a&gt; work with organizations navigating these challenges every day, helping them evaluate architectures and deployment models that align with their requirements.&lt;/p&gt;

&lt;h2&gt;
  
  
  References
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;a href="https://opentelemetry.io/docs/specs/semconv/gen-ai/" rel="noopener noreferrer"&gt;OpenTelemetry GenAI semantic conventions&lt;/a&gt; and the &lt;a href="https://opentelemetry.io/docs/specs/semconv/gen-ai/mcp/" rel="noopener noreferrer"&gt;MCP-specific conventions&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;&lt;a href="https://confidentialcomputing.io/2026/01/20/protecting-agentic-ai-workloads-with-confidential-computing/" rel="noopener noreferrer"&gt;Confidential Computing Consortium: Protecting Agentic AI Workloads&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.linuxfoundation.org/hubfs/Research%20Reports/lfr_sovereign_ai25_082525a.pdf" rel="noopener noreferrer"&gt;Linux Foundation 2025 Sovereign AI research report&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://huggingface.co/blog/frimelle/sovereignty-and-open-source" rel="noopener noreferrer"&gt;Hugging Face: Sovereignty and Open Source&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://go.layerxsecurity.com/hubfs/LayerX_Enterprise_AI_and_SaaS_Data_Security_Report.pdf" rel="noopener noreferrer"&gt;LayerX Enterprise AI and SaaS Data Security Report 2025&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://assets.kpmg.com/content/dam/kpmgsites/xx/pdf/2025/05/trust-attitudes-and-use-of-ai-global-report.pdf" rel="noopener noreferrer"&gt;KPMG and University of Melbourne: Trust, Attitudes and Use of AI 2025 Global Report&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.reuters.com/legal/litigation/governments-regulators-increase-scrutiny-deepseek-2026-01-06/" rel="noopener noreferrer"&gt;Reuters: Governments and regulators increase scrutiny of DeepSeek&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;




&lt;p&gt;&lt;em&gt;Originally published at &lt;a href="https://www.improving.com/thoughts/your-prompt-is-a-cross-border-data-transfer/" rel="noopener noreferrer"&gt;Improving&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;

</description>
    </item>
    <item>
      <title>Stop Treating Legacy Systems as the Enemy</title>
      <dc:creator>Improving</dc:creator>
      <pubDate>Thu, 09 Jul 2026 10:55:39 +0000</pubDate>
      <link>https://dev.to/improving/stop-treating-legacy-systems-as-the-enemy-4fai</link>
      <guid>https://dev.to/improving/stop-treating-legacy-systems-as-the-enemy-4fai</guid>
      <description>&lt;p&gt;Many legacy software are built using "rapid application development" (RAD) tools like FoxPro or Microsoft Access. At that time, the senior engineers around, the ones who had spent decades with punch cards and mainframe batch jobs, looked at what FoxPro users were doing and called it cheating. FoxPro was too easy and high-level. It abstracted away the real work. A tool like that couldn't produce anything serious.&lt;/p&gt;

&lt;p&gt;They were wrong as those FoxPro applications were able to run businesses and created the bedrock of successful enterprises. Some of them are still running today, decades later. The people who dismissed the tools could never dismiss the results.&lt;/p&gt;

&lt;p&gt;I've watched this pattern repeat through every generation of technology I've worked in. Visual Basic was too simple for C++ developers. .NET was too abstracted for the Visual Basic crowd. And now, AI-assisted development gets the same skepticism from the previous generation. Every era's tools get treated as cheating by the people who built the last era.&lt;/p&gt;

&lt;p&gt;The pattern isn't just about tools, though. It shows up in how we talk about the systems those tools produced. We call them "legacy" and mean it as an insult. That's a mistake.&lt;/p&gt;

&lt;h2&gt;
  
  
  What "Legacy" Actually Means
&lt;/h2&gt;

&lt;p&gt;A system that has been running for fifteen years didn't survive by accident. It survived because it solved a real problem for real people, and it kept solving that problem through market shifts, leadership changes, and at least two or three technology cycles that were supposed to replace it. That's not a failure. That's evidence of success.&lt;/p&gt;

&lt;p&gt;The problem isn't that legacy systems exist. The problem is that we approach them with contempt instead of curiosity. When the default attitude is "Rip and Replace," we lose something. Buried in that old code is business logic that nobody documented, edge cases that took years to discover, and decisions that were made for reasons the current team may not even know about.&lt;/p&gt;

&lt;p&gt;Treating a legacy system like an enemy means treating your organization's history like a liability. I'd rather treat it like a foundation.&lt;/p&gt;

&lt;h2&gt;
  
  
  Refueling the Plane While It's Still in the Air
&lt;/h2&gt;

&lt;p&gt;The urge to do a total rewrite is one of the most dangerous instincts in enterprise software. I have seen too many systems fail because they were 'Ground-and-Rewritten' instead of evolved. A total rewrite introduces massive risk and ignores the nuanced business rules embedded in the existing code.&lt;/p&gt;

&lt;p&gt;I compare modernization to refueling a plane in mid-flight. The business cannot stop generating revenue because the technology underneath needs an upgrade. You can't land the plane to refuel the engines. You have to do it while it's still moving, and that demands a different discipline than a greenfield build.&lt;/p&gt;

&lt;p&gt;The discipline is evolutionary maintenance: systematic, incremental, and protected by automated tests.&lt;/p&gt;

&lt;h3&gt;
  
  
  A Real-World Example
&lt;/h3&gt;

&lt;p&gt;A recent example: migrating from Fluent Assertions to Shouldly across a large .NET codebase including over 3,000 tests. Deprecated APIs scattered through years of accumulated work. The process started with Context7, feeding the AI current library documentation that post-dates its training data. Without that step, the model works from stale knowledge and confidently introduces errors. With it, the AI reasons about actual API changes rather than guessing at them.&lt;/p&gt;

&lt;p&gt;What surfaced next was something a purely manual process would likely have missed: Lamar and Marten shared a dependency. Updating one without the other would have broken the build in ways that wouldn't show up immediately. The AI found the link during the initial dependency scan.&lt;/p&gt;

&lt;p&gt;Rather than forcing a full rewrite of existing test code, the AI generated custom extension methods to bridge the gap, preserving the developer experience on top while changing the underlying library beneath it. What would have been a multi-week manual effort compressed into two days with AI-assisted workflows.&lt;/p&gt;

&lt;p&gt;The safety net is the non-negotiable part. Without automated tests, evolutionary maintenance is just a polite name for changing things and hoping nothing breaks. With them, you can refuel the plane with confidence, one engine at a time, the passengers never noticing.&lt;/p&gt;

&lt;p&gt;The teams that get this right don't frame modernization as a one-time event. They treat it as ongoing technical hygiene, closer to changing the oil regularly than waiting for the engine to seize.&lt;/p&gt;

&lt;h2&gt;
  
  
  What You Find When You Look With Respect
&lt;/h2&gt;

&lt;p&gt;Something happens when you approach a legacy codebase as archaeology rather than demolition. You find things! I've lost count of how many modernization projects have surfaced buried business logic that was still correct, still needed, and completely undocumented.&lt;/p&gt;

&lt;p&gt;For examples:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;An edge case handler that prevents a specific error nobody remembers anymore&lt;/li&gt;
&lt;li&gt;A validation rule that catches a regulatory requirement the compliance team forgot was encoded in software&lt;/li&gt;
&lt;li&gt;A workflow that routes exceptions to the right person because someone five years ago spent three weeks figuring out who that person should be&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;These are what I call 'little gems' in the overlooked. When you modernize with contempt, you demolish them along with everything else. When you modernize with respect, you discover them, and you carry them forward into the new system deliberately, rather than rediscovering the need for them six months after launch through a production incident.&lt;/p&gt;

&lt;p&gt;This is the part of modernization that rarely makes the project plan. The plan says "migrate module X." It doesn't say "discover why module X has forty-seven edge cases that nobody can explain." But that discovery is where real value lives.&lt;/p&gt;

&lt;p&gt;The teams who do it well are the ones who treat the legacy code as an artifact that encodes organizational knowledge, not just syntax waiting to be replaced.&lt;/p&gt;

&lt;h2&gt;
  
  
  A Different Starting Question
&lt;/h2&gt;

&lt;p&gt;Most modernization conversations start with "How do we get rid of this old system?"&lt;/p&gt;

&lt;p&gt;That's already the wrong question because it assumes the system is the problem. Majority of the time, the system isn't the problem, the system is the accumulated answer to problems the organization has faced over the years. The real question is: what has this system been holding together, and how do we keep that intact while we evolve everything around it?&lt;/p&gt;

&lt;p&gt;The organizations that modernize well don't treat their legacy systems as enemies to defeat. They treat them as foundations to build on. The code changes. The infrastructure changes. But the business logic, the hard-won edge cases, and the organizational knowledge encoded in software carries forward.&lt;/p&gt;

&lt;p&gt;If your team is facing a legacy modernization challenge, the first step isn't picking a new tech stack. It's understanding what you already have, and what it's been doing for you all along.&lt;/p&gt;




&lt;p&gt;&lt;em&gt;For more discussion, connect with Claudio on &lt;a href="https://www.linkedin.com/in/claudiolassala/" rel="noopener noreferrer"&gt;LinkedIn&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;

</description>
      <category>discuss</category>
      <category>programming</category>
      <category>softwaredevelopment</category>
      <category>softwareengineering</category>
    </item>
    <item>
      <title>Closing the AuthZ Gap in MCP: Policy-Driven Tool Invocation Control</title>
      <dc:creator>Improving</dc:creator>
      <pubDate>Thu, 09 Jul 2026 10:54:26 +0000</pubDate>
      <link>https://dev.to/improving/closing-the-authz-gap-in-mcp-policy-driven-tool-invocation-control-1oc5</link>
      <guid>https://dev.to/improving/closing-the-authz-gap-in-mcp-policy-driven-tool-invocation-control-1oc5</guid>
      <description>&lt;p&gt;Model Context Protocol (MCP) tools give AI agents direct access to production databases, internal APIs, and third-party platforms. But most teams deploying MCP today have no answer to a simple question: &lt;strong&gt;who authorized that tool call?&lt;/strong&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  MCP Changed How Agents Talk to the World, But Not Who Controls It
&lt;/h2&gt;

&lt;p&gt;With over 17,000 MCP servers available to use, according to &lt;a href="https://zuplo.com/mcp-report" rel="noopener noreferrer"&gt;Zuplo's report&lt;/a&gt;, &lt;a href="https://www.improving.com/thoughts/best-mcp-servers-for-software-developers-and-engineers/" rel="noopener noreferrer"&gt;momentum around MCP is quite real&lt;/a&gt;, and it is becoming the de-facto standard for how AI agents connect to external services. It functions like a USB cable for AI to eliminate the need for developers to write custom integrations for every single AI application.&lt;/p&gt;

&lt;p&gt;The same report shows that 50% of professionals find MCP security or access-control a big challenge. MCP queries AI models with the help of agents for tool discovery, invocation and response handling. It lacks a native mechanism to control who invokes which tool, with what parameters and in whose context. Authorization at the invocation layer is still a problem.&lt;/p&gt;

&lt;h2&gt;
  
  
  What the Auth Model Covers Today and What it Doesn't
&lt;/h2&gt;

&lt;p&gt;MCP's current authorization model covers connectivity and authentication. Servers can require OAuth 2.0 tokens, validate that an agent has valid identity and restrict which clients can connect. This becomes very useful since one cannot impersonate an agent and connect to your MCP server.&lt;/p&gt;

&lt;p&gt;What it does not cover is authorization at the tool invocation layer. Once an agent is authenticated to the MCP server, there is no native spec primitive that controls which tools it can call, what parameters it can pass.&lt;/p&gt;

&lt;p&gt;What happens at invocation reflects this gap directly. The agent resolves the tool from the server and makes a call with parameters. The MCP server executes downstream resources like a database, an internal API, etc.&lt;/p&gt;

&lt;p&gt;The runtime does not ask: is this agent allowed to call this tool? Are these parameters acceptable? Does the tenant context and agent context match?&lt;/p&gt;

&lt;h2&gt;
  
  
  Where Security Breaks Down
&lt;/h2&gt;

&lt;p&gt;In single tenant environments, teams rely on application-level checks or custom middleware that inspects calls before they reach the server. These approaches break down as the tool surface grows - checks drift out of sync with tool updates and need to be maintained per tool, per team. Neither scales across a shared platform serving multiple agent teams.&lt;/p&gt;

&lt;p&gt;In multi-tenant environments, the stakes are even higher. The threat surface looks like this:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;1. Cross-tenant tool calls&lt;/strong&gt;&lt;br&gt;&lt;br&gt;
Agent A running in Tenant A's context invokes a tool that operates on Tenant B's data. There is no enforcement at the invocation layer to catch it before the call is executed.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;2. Phantom agent identity&lt;/strong&gt;&lt;br&gt;&lt;br&gt;
Your audit trail shows a service account, but the human who triggered the agent chain - the person who typed the prompt that started everything - is invisible by the time the tool call lands in your logs.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;3. Unconstrained parameters&lt;/strong&gt;&lt;br&gt;&lt;br&gt;
A tool calling a production database accepts query parameters. Nothing gets validated at the invocation layer.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;4. Privilege escalation chains&lt;/strong&gt;&lt;br&gt;&lt;br&gt;
Agent A calls Agent B, which invokes a tool. Each hop loses context and permission. By the time the tool is called, nobody can trace whose authority it is actually acting under.&lt;/p&gt;

&lt;p&gt;What makes these more interesting is that the agent is not doing anything unauthorized in a traditional sense. It has permission and it uses it. The platform has no vocabulary for the fine-grained question: should this specific agent call this specific tool with these specific parameters right now or not?&lt;/p&gt;
&lt;h2&gt;
  
  
  Why Kubernetes RBAC Has No Answer Here
&lt;/h2&gt;

&lt;p&gt;Most platform teams point to Kubernetes RBAC as their solution; it's already there and mature enough as well. But RBAC has a hard limit. It only controls access to Kubernetes API resources. You can control whether a "service account can list pods in this namespace or not". But you can't control "this agent can call the create_*record tool and not the delete_*record tool".&lt;/p&gt;

&lt;p&gt;RBAC operates on resource-verb pairs at the Kubernetes API surface whereas MCP tool calls live at the application layer. They carry semantic context: which tool, which agent, which tenant, which parameters, what time. There is no medium between the two without something that understands the nature of tool invocation and can make policy-based decisions against runtime. It can be achieved by policy-as-code.&lt;/p&gt;
&lt;h2&gt;
  
  
  Policy-as-Code as the Enforcement Layer
&lt;/h2&gt;

&lt;p&gt;The solution is to model your MCP tool invocations as Kubernetes custom resources and put a policy engine in the admission path. Enforce rules on every invocation before it is executed. The tool call becomes a first-class object that the platform can inspect, validate, mutate, and audit.&lt;/p&gt;

&lt;p&gt;Kyverno is the strong option for this as it already sits in the Kubernetes admission path. It can inspect any arbitrary JSON structure in any custom resource. It supports both validating webhooks that can accept or block a call and mutating webhooks that can annotate a call before it proceeds.&lt;/p&gt;

&lt;p&gt;This enforcement model has three layers, and each one solves a different problem related to your platform.&lt;/p&gt;
&lt;h3&gt;
  
  
  Three Patterns that Close the Gap
&lt;/h3&gt;

&lt;p&gt;&lt;strong&gt;Pattern 1: Tool allowlisting per agent identity&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;A validating Policy that restricts which tools a given agent Service Account can invoke. It is denied by default and allows explicitly per agent-tool pair. If the agent's identity isn't in the allowlist for that tool, the call is blocked at admission before it ever reaches the MCP server.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight yaml"&gt;&lt;code&gt;&lt;span class="na"&gt;spec&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="na"&gt;validationActions&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="s"&gt;Deny&lt;/span&gt;
  &lt;span class="na"&gt;matchConstraints&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="na"&gt;resourceRules&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
      &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;apiGroups&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;   &lt;span class="pi"&gt;[&lt;/span&gt;&lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="s"&gt;mcp.security.io"&lt;/span&gt;&lt;span class="pi"&gt;]&lt;/span&gt;
        &lt;span class="na"&gt;apiVersions&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="pi"&gt;[&lt;/span&gt;&lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="s"&gt;v1alpha1"&lt;/span&gt;&lt;span class="pi"&gt;]&lt;/span&gt;
        &lt;span class="na"&gt;operations&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;  &lt;span class="pi"&gt;[&lt;/span&gt;&lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="s"&gt;CREATE"&lt;/span&gt;&lt;span class="pi"&gt;]&lt;/span&gt;
        &lt;span class="na"&gt;resources&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;   &lt;span class="pi"&gt;[&lt;/span&gt;&lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="s"&gt;mcptoolinvocations"&lt;/span&gt;&lt;span class="pi"&gt;]&lt;/span&gt;
  &lt;span class="na"&gt;validations&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;expression&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="pi"&gt;&amp;gt;-&lt;/span&gt;
        &lt;span class="s"&gt;has(object.spec.agentId) &amp;amp;&amp;amp; object.spec.agentId != ""&lt;/span&gt;
      &lt;span class="na"&gt;message&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="pi"&gt;&amp;gt;-&lt;/span&gt;
        &lt;span class="s"&gt;MCPToolInvocation must include a non-empty agentId in spec&lt;/span&gt;

    &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;expression&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="pi"&gt;&amp;gt;-&lt;/span&gt;
        &lt;span class="s"&gt;!(object.spec.agentId == "sre-agent") ||&lt;/span&gt;
        &lt;span class="s"&gt;object.spec.toolName in [&lt;/span&gt;
          &lt;span class="s"&gt;"pods_list",&lt;/span&gt;
          &lt;span class="s"&gt;"pods_list_in_namespace",&lt;/span&gt;
          &lt;span class="s"&gt;"pods_get",&lt;/span&gt;
          &lt;span class="s"&gt;"pods_log",&lt;/span&gt;
          &lt;span class="s"&gt;"pods_top",&lt;/span&gt;
          &lt;span class="s"&gt;"events_list",&lt;/span&gt;
          &lt;span class="s"&gt;"namespaces_list",&lt;/span&gt;
          &lt;span class="s"&gt;"nodes_top",&lt;/span&gt;
          &lt;span class="s"&gt;"configuration_view"&lt;/span&gt;
        &lt;span class="s"&gt;]&lt;/span&gt;
      &lt;span class="na"&gt;messageExpression&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="pi"&gt;&amp;gt;-&lt;/span&gt;
        &lt;span class="s"&gt;"sre-agent is not permitted to invoke '" + object.spec.toolName + "'. " +&lt;/span&gt;
        &lt;span class="s"&gt;"Allowed tools: pods_list, pods_list_in_namespace, pods_get, pods_log, " +&lt;/span&gt;
        &lt;span class="s"&gt;"pods_top, events_list, namespaces_list, nodes_top, configuration_view"&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;Pattern 2: Multi-tenant isolation&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;A validating Policy that checks whether the tenant context in the invocation matches the agent's namespace or annotation. If they don't match, the call is denied. Cross-tenant invocations are blocked structurally, not by trusting the agent to behave correctly.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight yaml"&gt;&lt;code&gt;&lt;span class="na"&gt;spec&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="na"&gt;validationActions&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="s"&gt;Deny&lt;/span&gt;
  &lt;span class="na"&gt;matchConstraints&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="na"&gt;resourceRules&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
      &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;apiGroups&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;   &lt;span class="pi"&gt;[&lt;/span&gt;&lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="s"&gt;mcp.security.io"&lt;/span&gt;&lt;span class="pi"&gt;]&lt;/span&gt;
        &lt;span class="na"&gt;apiVersions&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="pi"&gt;[&lt;/span&gt;&lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="s"&gt;v1alpha1"&lt;/span&gt;&lt;span class="pi"&gt;]&lt;/span&gt;
        &lt;span class="na"&gt;operations&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;  &lt;span class="pi"&gt;[&lt;/span&gt;&lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="s"&gt;CREATE"&lt;/span&gt;&lt;span class="pi"&gt;]&lt;/span&gt;
        &lt;span class="na"&gt;resources&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;   &lt;span class="pi"&gt;[&lt;/span&gt;&lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="s"&gt;mcptoolinvocations"&lt;/span&gt;&lt;span class="pi"&gt;]&lt;/span&gt;
  &lt;span class="na"&gt;validations&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="c1"&gt;# Require tenantId to be present and non-empty&lt;/span&gt;
    &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;expression&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="pi"&gt;&amp;gt;-&lt;/span&gt;
        &lt;span class="s"&gt;has(object.spec.tenantId) &amp;amp;&amp;amp; object.spec.tenantId != ""&lt;/span&gt;
      &lt;span class="na"&gt;message&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="pi"&gt;&amp;gt;-&lt;/span&gt;
        &lt;span class="s"&gt;MCPToolInvocation must include a non-empty tenantId in spec.&lt;/span&gt;
        &lt;span class="s"&gt;Invocations without tenant context are rejected.&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;Pattern 3: Human identity injection&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;A mutating Policy that annotates every tool invocation with the identity of the human who triggered the agent chain, the timestamp, and the agent chain ID. The audit trail always has a person attached to it, not just a service account.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight yaml"&gt;&lt;code&gt;&lt;span class="na"&gt;spec&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="na"&gt;matchConstraints&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="na"&gt;resourceRules&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
      &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;apiGroups&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;   &lt;span class="pi"&gt;[&lt;/span&gt;&lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="s"&gt;mcp.security.io"&lt;/span&gt;&lt;span class="pi"&gt;]&lt;/span&gt;
        &lt;span class="na"&gt;apiVersions&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="pi"&gt;[&lt;/span&gt;&lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="s"&gt;v1alpha1"&lt;/span&gt;&lt;span class="pi"&gt;]&lt;/span&gt;
        &lt;span class="na"&gt;operations&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;  &lt;span class="pi"&gt;[&lt;/span&gt;&lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="s"&gt;CREATE"&lt;/span&gt;&lt;span class="pi"&gt;]&lt;/span&gt;
        &lt;span class="na"&gt;resources&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;   &lt;span class="pi"&gt;[&lt;/span&gt;&lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="s"&gt;mcptoolinvocations"&lt;/span&gt;&lt;span class="pi"&gt;]&lt;/span&gt;
  &lt;span class="na"&gt;mutations&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;patchType&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;ApplyConfiguration&lt;/span&gt;
      &lt;span class="na"&gt;applyConfiguration&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
        &lt;span class="na"&gt;expression&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="pi"&gt;&amp;gt;-&lt;/span&gt;
          &lt;span class="s"&gt;Object{&lt;/span&gt;
            &lt;span class="s"&gt;metadata: Object.metadata{&lt;/span&gt;
              &lt;span class="s"&gt;annotations: {&lt;/span&gt;
                &lt;span class="s"&gt;"mcp.security.io/triggered-by":&lt;/span&gt;
                  &lt;span class="s"&gt;has(object.spec.triggeredBy) &amp;amp;&amp;amp; object.spec.triggeredBy != ""&lt;/span&gt;
                    &lt;span class="s"&gt;? object.spec.triggeredBy&lt;/span&gt;
                    &lt;span class="s"&gt;: request.userInfo.username,&lt;/span&gt;
                &lt;span class="s"&gt;"mcp.security.io/triggered-at":&lt;/span&gt;
                  &lt;span class="s"&gt;string(now()),&lt;/span&gt;
                &lt;span class="s"&gt;"mcp.security.io/agent-id":&lt;/span&gt;
                  &lt;span class="s"&gt;has(object.spec.agentId) ? object.spec.agentId : request.userInfo.username,&lt;/span&gt;
                &lt;span class="s"&gt;"mcp.security.io/tenant-id":&lt;/span&gt;
                  &lt;span class="s"&gt;has(object.spec.tenantId) ? object.spec.tenantId : object.metadata.namespace,&lt;/span&gt;
                &lt;span class="s"&gt;"mcp.security.io/policy-version": "v1"&lt;/span&gt;
              &lt;span class="s"&gt;}&lt;/span&gt;
            &lt;span class="s"&gt;}&lt;/span&gt;
          &lt;span class="s"&gt;}&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  Seeing the Policies in Action
&lt;/h2&gt;

&lt;p&gt;The patterns described above are not theoretical. Here is what enforcement looks like against a real MCPToolInvocation custom resource, with &lt;a href="https://github.com/containers/kubernetes-mcp-server" rel="noopener noreferrer"&gt;kubernetes-mcp-server&lt;/a&gt; running in a Kubernetes cluster and Kyverno evaluating admission.&lt;/p&gt;

&lt;h3&gt;
  
  
  Before: No Mutating Policy
&lt;/h3&gt;

&lt;p&gt;A remediation agent scales a deployment. The CR lands in etcd with no audit context.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight yaml"&gt;&lt;code&gt;&lt;span class="c1"&gt;# kubectl get mcptoolinvocation proxy-resources-scale-3a7a61 -n tenant-acme -o yaml&lt;/span&gt;
&lt;span class="na"&gt;metadata&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="na"&gt;name&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;proxy-resources-scale-3a7a61&lt;/span&gt;
  &lt;span class="na"&gt;namespace&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;tenant-acme&lt;/span&gt;
  &lt;span class="c1"&gt;# no annotations&lt;/span&gt;
&lt;span class="na"&gt;spec&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="na"&gt;agentId&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;remediation-agent&lt;/span&gt;
  &lt;span class="na"&gt;toolName&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;resources_scale&lt;/span&gt;
  &lt;span class="na"&gt;triggeredBy&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;bob@acme.com&lt;/span&gt;   &lt;span class="c1"&gt;# agent-supplied - can be forged or omitted&lt;/span&gt;
  &lt;span class="na"&gt;tenantId&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;tenant-acme&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;code&gt;triggeredBy&lt;/code&gt; lives only in &lt;code&gt;spec&lt;/code&gt; - it is what the agent chooses to send. Nothing confirms when this happened or which policy evaluated it.&lt;/p&gt;

&lt;h3&gt;
  
  
  After: mcp-inject-human-identity Mutating Policy Applied
&lt;/h3&gt;

&lt;p&gt;Same call, same CR structure. Kyverno writes five annotations at admission time before the object reaches etcd.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight yaml"&gt;&lt;code&gt;&lt;span class="na"&gt;metadata&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="na"&gt;name&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;proxy-resources-scale-9f2c84&lt;/span&gt;
  &lt;span class="na"&gt;namespace&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;tenant-acme&lt;/span&gt;
  &lt;span class="na"&gt;annotations&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="na"&gt;mcp.security.io/triggered-by&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;   &lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="s"&gt;bob@acme.com"&lt;/span&gt;          &lt;span class="c1"&gt;# from spec.triggeredBy&lt;/span&gt;
    &lt;span class="na"&gt;mcp.security.io/triggered-at&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;   &lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="s"&gt;2026-06-10T14:32:01Z"&lt;/span&gt;   &lt;span class="c1"&gt;# Kyverno did it&lt;/span&gt;
    &lt;span class="na"&gt;mcp.security.io/agent-id&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;       &lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="s"&gt;remediation-agent"&lt;/span&gt;
    &lt;span class="na"&gt;mcp.security.io/tenant-id&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;      &lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="s"&gt;tenant-acme"&lt;/span&gt;
    &lt;span class="na"&gt;mcp.security.io/policy-version&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="s"&gt;v1"&lt;/span&gt;
&lt;span class="na"&gt;spec&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="na"&gt;agentId&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;remediation-agent&lt;/span&gt;
  &lt;span class="na"&gt;toolName&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;resources_scale&lt;/span&gt;
  &lt;span class="na"&gt;triggeredBy&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;bob@acme.com&lt;/span&gt;
  &lt;span class="na"&gt;tenantId&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;tenant-acme&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;These annotations are written by Kyverno - neither by the agent nor by proxy. The agent cannot set or alter them after admission. Even if the CR is later deleted, the Kubernetes audit log retains the creation record with the full annotation set.&lt;/p&gt;

&lt;h2&gt;
  
  
  How to Get Started
&lt;/h2&gt;

&lt;p&gt;The right approach is to build incrementally, instrument first, enforce second, and tighten over time. Below is the practical sequence that works without breaking production agents.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;1. Audit what your agents are actually calling&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Before writing a single policy, spend a week in observation. Enable Kyverno in Audit mode and let it log every tool invocation. You will find tools being called that nobody knew about, parameters that nobody intended to allow, and service accounts with scope far wider than their function requires.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;2. Model your MCPToolInvocation CRD deliberately&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The shape of your custom resource determines what Kyverno can inspect. Put toolName, tenantId, and agentId in spec, not in labels or annotations. Policy JMESPath expressions are cleaner and easier to read in audit events when the fields live in spec.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;3. Start with human identity propagation, not blocking&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The mutating webhook that injects the triggering human identity has lower risk than a validating webhook that can deny invocations. Deploy the mutation pattern first. Get your audit trail working and verified. Compliance teams will often sign off on shared MCP infrastructure once they can answer "who triggered this" - give them that before you move to enforcement.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;4. Flip one policy to Enforce at a time&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Use the audit log data from step 1 to build your allowlists. Flip &lt;code&gt;validationFailureAction&lt;/code&gt; to &lt;code&gt;Enforce&lt;/code&gt; for one agent, one tool category at a time. Agent chains fail in surprising ways when a mid-chain call is denied - give yourself at least two weeks of audit coverage per policy before enforcing.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;5. Propagate human context at the orchestration layer, not as an afterthought&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The agent framework including LangGraph and AutoGen must stamp the triggering human identity onto the invocation before it reaches the admission webhook. This is an architectural decision that cannot be retrofitted cleanly. Make it a requirement before any agent gets write access to production tools.&lt;/p&gt;

&lt;h2&gt;
  
  
  Wrap Up
&lt;/h2&gt;

&lt;p&gt;The AuthZ gap in MCP is a gap in the adoption curve. The spec is moving, the ecosystem is maturing, and native authorization primitives will come. But production agents are running right now, and the enforcement layer has to exist today.&lt;/p&gt;

&lt;p&gt;In this blog post, we have described how MCP changed the way agents talk to the world, but not who controls it. The MCP's current authorization model ensures connectivity and authentication but not the authorization at the tool invocation layer.&lt;/p&gt;

&lt;p&gt;Policy-as-code gives platform teams a concrete, uniform, auditable answer to the question: &lt;strong&gt;who authorized that tool call?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Kyverno's Policy model is one strong path to that answer, as it is forkable, framework-agnostic, and compliance-ready out of the box. However, using it in practice in production comes with its own set of challenges, which the Improving team is experienced in solving.&lt;/p&gt;

&lt;p&gt;If you would like to discuss this article and have any suggestions, you can connect with &lt;a href="https://www.linkedin.com/in/oshi-gupta-512716178/" rel="noopener noreferrer"&gt;Oshi Gupta&lt;/a&gt; and &lt;a href="https://www.linkedin.com/in/sonali-srivastava-530782ab/" rel="noopener noreferrer"&gt;Sonali Srivastava&lt;/a&gt; on LinkedIn.&lt;/p&gt;




&lt;p&gt;&lt;em&gt;Originally published on &lt;a href="https://www.improving.com/thoughts/mcp-authorization-policy-driven-tool-invocation-control/" rel="noopener noreferrer"&gt;Improving&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;

</description>
    </item>
    <item>
      <title>Data Debt Is the Real Reason Your AI Predictions Don't Improve</title>
      <dc:creator>Improving</dc:creator>
      <pubDate>Thu, 09 Jul 2026 10:49:49 +0000</pubDate>
      <link>https://dev.to/improving/data-debt-is-the-real-reason-your-ai-predictions-dont-improve-5boa</link>
      <guid>https://dev.to/improving/data-debt-is-the-real-reason-your-ai-predictions-dont-improve-5boa</guid>
      <description>&lt;p&gt;The recommendation system was working perfectly six months ago. Now engagement is dropping, predictions feel inconsistent, and nobody can explain why. Accuracy improves slightly in staging once the ML team retrains the model, but production still looks unstable. Another experiment starts with larger model, better Embeddings, and more tuning and GPUs.&lt;/p&gt;

&lt;p&gt;A week later, someone discovers the actual issue.&lt;/p&gt;

&lt;p&gt;One upstream service changed how "active users" were calculated. A feature pipeline continued serving stale values for nearly a month. Half the training data was generated using the old definition, while inference was using the new one. The pipelines stayed green as nothing technically failed, and dashboards kept updating. The model simply learned from a distorted version of reality.&lt;/p&gt;

&lt;p&gt;Many AI systems fail in production through slow reliability decay that hides inside data pipelines, feature stores, vector databases, APIs, and transformation layers. The invisible decay creates a false sense of optimization. Teams continue investing in experimentation while the actual bottleneck exists upstream in the data layer. Three patterns usually indicate this problem:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;The model looks accurate during testing, but users still complain that predictions feel wrong in production.&lt;/li&gt;
&lt;li&gt;Teams keep retraining the model, yet the same issues keep returning after every deployment.&lt;/li&gt;
&lt;li&gt;Different dashboards show different numbers for the same metric because each system defines the data differently.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  What Is Data Debt?
&lt;/h2&gt;

&lt;p&gt;Before understanding data debt, it is important to understand the role data plays in AI systems. Data is the raw information collected from applications, users, transactions, APIs system interactions, etc. AI models learn patterns, make predictions, and generate outputs based entirely on this data.&lt;/p&gt;

&lt;p&gt;In many ways, data acts as the foundation layer of an AI system. Just as a skyscraper depends on the strength of its foundation or a car depends on its engine, AI systems depend on the quality and reliability of the data flowing through them. If the underlying data is inconsistent, outdated, or poorly managed, the behavior of the entire system eventually becomes unreliable.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Data debt is the accumulated operational cost of unreliable, inconsistent, or poorly governed data systems.&lt;/strong&gt; It emerges gradually through ignoring data quality, schema drift, weak lineage tracking, fragmented ownership, low-quality labeling processes, and brittle transformation pipelines.&lt;/p&gt;

&lt;p&gt;In simple terms, data debt builds up when organizations continue scaling AI and data systems without maintaining the quality, consistency, and traceability of the underlying data. The systems may continue functioning, but the data slowly becomes harder to validate, debug, and trust over time.&lt;/p&gt;

&lt;p&gt;Like technical debt, the problem compounds gradually. Small inconsistencies that seem manageable early on eventually spread across datasets, pipelines, feature stores, APIs, and AI workflows, making the entire system more difficult to maintain and optimize.&lt;/p&gt;

&lt;h3&gt;
  
  
  How Data Debt Affects AI Systems
&lt;/h3&gt;

&lt;p&gt;Unlike infrastructure failures, data debt rarely causes immediate outages. AI pipelines continue functioning while reliability slowly degrades underneath. Models still train, dashboards still render, and pipelines still execute, but the outputs become increasingly difficult to trust.&lt;/p&gt;

&lt;p&gt;Over time, data debt creates compounding downstream effects across AI systems:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Feature stores, the systems responsible for storing and serving ML features consistently across training and production environments, begin serving inconsistent feature distributions between inference and training workflows.&lt;/li&gt;
&lt;li&gt;Pipeline dependencies become opaque, making debugging and root-cause analysis significantly slower.&lt;/li&gt;
&lt;li&gt;Silent data quality failures propagate into production models without triggering infrastructure-level alerts.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The longer these issues remain unresolved, the harder they become to isolate because the dependency graph across datasets, services, and models keeps expanding.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why Enterprises Accumulate Data Debt
&lt;/h2&gt;

&lt;p&gt;SMBs and enterprise data systems evolve faster than governance models can keep up. New services, ingestion pipelines, analytics layers, and ML workflows are introduced continuously, often without standardized validation or ownership boundaries.&lt;/p&gt;

&lt;p&gt;In distributed architectures, every system generates its own representation of business entities, events, and state transitions. Over time, those representations diverge. A "customer," "transaction," or "active user" may have entirely different definitions across operational systems, analytics pipelines, and ML feature stores.&lt;/p&gt;

&lt;p&gt;The problem becomes significantly harder in AI workloads because models depend on historical consistency, not just raw availability.&lt;/p&gt;

&lt;p&gt;Three structural factors accelerate data debt accumulation:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Large volumes of unstructured enterprise data such as logs, documents, support tickets, and chat records lack standardized schemas and validation layers.&lt;/li&gt;
&lt;li&gt;Pipeline complexity increases exponentially as data moves across streaming systems, warehouses, feature stores, vector databases, and inference services.&lt;/li&gt;
&lt;li&gt;Ownership fragmentation prevents consistent enforcement of quality controls, lineage tracking, and transformation standards.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Data debt is rarely caused by a single architectural mistake. It is usually the result of continuous optimization of trade-offs made under delivery pressure.&lt;/p&gt;

&lt;h2&gt;
  
  
  Where Data Debt Shows Up in AI Systems
&lt;/h2&gt;

&lt;p&gt;Data debt shows up wherever AI systems depend on unreliable, inconsistent, or poorly governed data. It appears across training datasets, feature stores, retrieval pipelines, vector databases, APIs, and inference workflows. While the symptoms differ across architectures, the underlying issue is usually the same: the system is operating data that lacks consistency, traceability, or validation.&lt;/p&gt;

&lt;p&gt;Forecasting models and traditional ML pipelines rely heavily on historical datasets and feature engineering, while Retrieval Augmented Generation (RAG) systems and autonomous agents continuously pull context from APIs, embeddings, or external systems during inference.&lt;/p&gt;

&lt;p&gt;The failure patterns vary by architecture:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Forecasting and ML systems&lt;/strong&gt; struggle with schema drift, missing historical records, and inconsistent feature generation across training and production environments.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;RAG and LLM applications&lt;/strong&gt; degrade because of stale embeddings, duplicated context, corrupted documents, or outdated vector stores serving irrelevant information.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Tool-using agents&lt;/strong&gt; become unreliable when APIs expose conflicting definitions, incomplete state information, or inconsistent response formats across services.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;In most cases, the visible issue appears at the model layer, but the actual failure originates much earlier in the data pipeline.&lt;/p&gt;

&lt;h2&gt;
  
  
  Anatomy of Data Debt
&lt;/h2&gt;

&lt;p&gt;Data debt appears in predictable layers across modern AI systems. It usually starts upstream with inconsistent schemas, fragmented ownership, and weak validation controls, then spreads across pipelines, feature systems, and inference workflows. These problems are not limited to relational databases. They exist across feature stores, event streams, document systems, vector databases, and retrieval pipelines. Over time, inconsistencies become deeply embedded into the operational behavior of AI systems.&lt;/p&gt;

&lt;p&gt;The most common forms of data debt include:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Data modeling issues&lt;/strong&gt;: Different teams define the same entity differently. For example, marketing may define an "active_user" based on email engagement, while product defines it using session activity, resulting in conflicting churn predictions.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Data quality failures&lt;/strong&gt;: Stale, incomplete, or noisy datasets silently affect model behavior. A delayed 'label refresh job' can introduce output drift for weeks before anyone notices.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Lineage and traceability gaps&lt;/strong&gt;: Tracing predictions back to their original data source becomes increasingly difficult in complex AI systems. In RAG systems, a hallucinated response may ultimately come from a single corrupted PDF indexed into the vector store.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Pipeline fragility&lt;/strong&gt;: Modern AI pipelines depend on multiple upstream systems. A schema change in a source table can silently break feature generation without triggering alerts or validation failures.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Individually, these issues seem manageable. Combined, they create systems where prediction reliability gradually deteriorates even when the models themselves remain unchanged.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why Better Models Don't Fix Data Debt
&lt;/h2&gt;

&lt;p&gt;Better AI models do not fix bad inputs because models cannot distinguish between a genuinely useful pattern and a flawed one unless the underlying data provides that context correctly. They learn statistical relationships from the data they receive. If the data contains noisy labels, stale features, inconsistent definitions, or biased signals, the model treats those patterns as valid during training.&lt;/p&gt;

&lt;p&gt;Models with poor data create a dangerous illusion during evaluation. Offline metrics may improve because the model becomes highly optimized for flawed historical patterns, but production reliability continues to degrade under real-world conditions.&lt;/p&gt;

&lt;p&gt;The result is overfitting at the system level:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Models learn operational noise as if it were a valid signal.&lt;/li&gt;
&lt;li&gt;Evaluation pipelines reinforce flawed assumptions already present in the data.&lt;/li&gt;
&lt;li&gt;Prediction instability increases as upstream inconsistencies propagate through training and inference workflows.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Paying Down Data Debt: What Works and Where It Fits
&lt;/h2&gt;

&lt;p&gt;The bottleneck in modern AI systems has shifted from model capability to data reliability, consistency, and observability as model architectures become easier to access and standardize. As models become easier to access and deploy, long-term performance improvements increasingly depend on the quality and consistency of the underlying data systems.&lt;/p&gt;

&lt;p&gt;This is the core idea behind &lt;strong&gt;data-centric AI&lt;/strong&gt;, an approach popularized by Andrew Ng, where the focus moves from endlessly tuning models to improving datasets, validation, and data operations. In production environments, stable data systems usually lead to fewer regressions, faster debugging, and more reliable outputs than model experimentation alone.&lt;/p&gt;

&lt;p&gt;Paying down data debt requires controls across multiple stages of the AI lifecycle:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Data contracts&lt;/strong&gt; at producer-consumer boundaries prevent schema and definition mismatches before they propagate downstream.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Validation at ingestion&lt;/strong&gt; catches stale records, malformed events, and missing fields before data reaches training or inference systems.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Observability and lineage&lt;/strong&gt; make it possible to trace outputs back through features, embeddings, pipelines, and source systems during debugging.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;These practices improve model accuracy and reduce operational instability across the entire AI stack:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Faster root-cause analysis during prediction failures&lt;/li&gt;
&lt;li&gt;Fewer silent regressions caused by upstream pipeline changes&lt;/li&gt;
&lt;li&gt;Easier auditing and reproducibility across ML workflows&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Self-Check Questions for Data Maturity
&lt;/h3&gt;

&lt;p&gt;Here are questions to ask for a simple self-check for data maturity:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Can production predictions be traced back to their original data source?&lt;/li&gt;
&lt;li&gt;Are feature definitions and datasets versioned consistently?&lt;/li&gt;
&lt;li&gt;Is there a clear source of truth for critical business entities?&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If the answer to these questions is unclear, the system likely has accumulated data debt regardless of model sophistication. AI maturity is ultimately constrained by data maturity. Most organizations continue optimizing the visible model layer while the underlying data foundation remains unstable. The teams that build reliable AI systems are usually the ones investing most heavily in data discipline.&lt;/p&gt;

&lt;h2&gt;
  
  
  Conclusion
&lt;/h2&gt;

&lt;p&gt;AI systems rarely fail because the models are weak. In most cases, the real issue exists much earlier in the pipeline. Inconsistent schemas, unreliable feature generation, stale datasets, missing lineage, and fragmented ownership quietly reduce the quality of predictions over time.&lt;/p&gt;

&lt;p&gt;Many organizations are shifting toward more data-centric approaches to AI engineering by investing in validation, observability, lineage, and stronger data governance practices alongside model development. The goal is to ensure that models operate on reliable foundations.&lt;/p&gt;

&lt;p&gt;The long-term challenge in AI is building systems with stronger data discipline. Teams that prioritize it tend to spend less time debugging unpredictable behavior and more time improving real-world outcomes.&lt;/p&gt;




&lt;p&gt;&lt;strong&gt;Original article:&lt;/strong&gt; &lt;a href="https://www.improving.com/thoughts/data-debt-ai-predictions/" rel="noopener noreferrer"&gt;https://www.improving.com/thoughts/data-debt-ai-predictions/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Author:&lt;/strong&gt; Sarvani Yallapragada, Developer Advocate at Improving&lt;br&gt;&lt;br&gt;
&lt;strong&gt;Social:&lt;/strong&gt; &lt;a href="https://www.linkedin.com/in/ysspriya/" rel="noopener noreferrer"&gt;LinkedIn&lt;/a&gt;&lt;/p&gt;

</description>
    </item>
    <item>
      <title>Agent Memory Systems: Building Long-Term Context for AI</title>
      <dc:creator>Improving</dc:creator>
      <pubDate>Thu, 28 May 2026 09:27:33 +0000</pubDate>
      <link>https://dev.to/improving/agent-memory-systems-building-long-term-context-for-ai-5d2i</link>
      <guid>https://dev.to/improving/agent-memory-systems-building-long-term-context-for-ai-5d2i</guid>
      <description>&lt;p&gt;AI is almost everywhere now from agentic coding, autonomous workflows to day-to-day engineering tasks that you want to delegate to an agent. In many cases, an agent looks impressive in a single turn: you dump all the details of your pipeline or cluster issue into one prompt, and it responds with clean reasoning and a plausible plan.&lt;/p&gt;

&lt;p&gt;The trouble starts when you try to work like a human does, iteratively over multiple turns.&lt;/p&gt;

&lt;p&gt;Suddenly the agent forgets what you decided earlier, why you chose a certain approach, and sometimes even who is talking to it (SRE? platform engineer? backend dev?).&lt;/p&gt;

&lt;p&gt;Agent memory fills this gap. Without a memory system, your agent behaves like a goldfish, it can only remember what fits inside a fixed context window, and once that window is saturated or a new session begins, the continuity breaks.&lt;/p&gt;

&lt;p&gt;Memory is how you turn a one-shot chatbot into something that can maintain state, learn from outcomes, and stay aligned with your constraints over time.&lt;/p&gt;

&lt;p&gt;Let’s start with understanding how context engineering solves this goldfish problem.&lt;/p&gt;




&lt;h2&gt;
  
  
  What is Context Engineering?
&lt;/h2&gt;

&lt;p&gt;Context engineering refers to the set of strategies for curating and maintaining the optimal set of tokens (information) during LLM inference, including all the other information that may land there outside of the prompts.&lt;/p&gt;

&lt;p&gt;It includes techniques such as:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Prompt engineering&lt;/li&gt;
&lt;li&gt;Structured outputs&lt;/li&gt;
&lt;li&gt;State handling&lt;/li&gt;
&lt;li&gt;RAG (Retrieval-Augmented Generation)&lt;/li&gt;
&lt;li&gt;Memory (short-term + long-term)&lt;/li&gt;
&lt;li&gt;Context packing / token budgeting&lt;/li&gt;
&lt;/ul&gt;




&lt;h2&gt;
  
  
  Why Agentic Memory Matters
&lt;/h2&gt;

&lt;p&gt;Let’s understand from an example.&lt;/p&gt;

&lt;p&gt;You’re building a DevOps pipeline, and you ask the agent to add one more step, and it replies with &lt;em&gt;“I don’t know what you’re talking about.”&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;That does not mean the model you’re using is not good or capable. It’s because it has no context. It doesn’t know about your previous step in a single-turn conversation system.&lt;/p&gt;

&lt;p&gt;If your system recalls previous conversation state, evidence, and decisions, the agent can understand exactly what pipeline you mean and what step should be added, even if you were referring in different sessions.&lt;/p&gt;

&lt;p&gt;Without memory, the AI agent behaves like Dory from &lt;em&gt;Finding Nemo&lt;/em&gt;. It might remember a few recent turns, and then it stops, especially if the context window is small, or you cross a certain token limit.&lt;/p&gt;

&lt;p&gt;Once you restart a conversation or start a new session, it forgets nearly everything unless you build persistence.&lt;/p&gt;

&lt;p&gt;Agentic memory is required for workflows that are iterative, multi-step, and long-running, helping achieve:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Continuity&lt;/strong&gt;: Enables agents to remember previous turns in a conversation.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Learning and adaptation&lt;/strong&gt;: Allows agents to learn from past successes and failures.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Advanced reasoning&lt;/strong&gt;: Supports planning, personalization, and maintaining state.&lt;/li&gt;
&lt;/ul&gt;




&lt;h2&gt;
  
  
  Memory Architecture Patterns
&lt;/h2&gt;

&lt;p&gt;Agent memory is not a single bucket where you dump everything from chat history.&lt;/p&gt;

&lt;p&gt;In practice, it is layered because different information has different lifetimes, retrieval needs, and failure modes.&lt;/p&gt;

&lt;p&gt;A useful mental model is:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Short-term memory&lt;/strong&gt;: What the agent needs right now to finish the current task.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Long-term memory&lt;/strong&gt;: What should persist across sessions.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Long-term memory typically splits into:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Episodic memory&lt;/li&gt;
&lt;li&gt;Semantic memory&lt;/li&gt;
&lt;li&gt;Procedural memory&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Short-term Memory (Session / Working Memory)
&lt;/h3&gt;

&lt;p&gt;Short-term memory is generally considered an agent session buffer. It holds recent conversation plus the immediate working state needed to complete the current task.&lt;/p&gt;

&lt;p&gt;It prevents the agent from resetting mid-debug or mid-execution and is typically implemented as a sliding window of messages plus a state object containing plans, variables, tool outputs, and assumptions.&lt;/p&gt;

&lt;p&gt;Once the task ends or the buffer grows too large, short-term memory is summarized, pruned, or selectively promoted into long-term memory.&lt;/p&gt;

&lt;h3&gt;
  
  
  Long-term Memory (Persistent Memory)
&lt;/h3&gt;

&lt;p&gt;Long-term memory can be divided into three categories:&lt;/p&gt;

&lt;h4&gt;
  
  
  Episodic Memory
&lt;/h4&gt;

&lt;p&gt;Stores past interactions as events with outcomes.&lt;/p&gt;

&lt;p&gt;Examples:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;What happened&lt;/li&gt;
&lt;li&gt;What failed&lt;/li&gt;
&lt;li&gt;What worked&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Useful when revisiting the same system over time because it preserves continuity and prevents repeating dead ends.&lt;/p&gt;

&lt;h4&gt;
  
  
  Semantic Memory
&lt;/h4&gt;

&lt;p&gt;Stores stable facts and constraints about the user, project, and environment.&lt;/p&gt;

&lt;p&gt;Examples:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Deployment conventions&lt;/li&gt;
&lt;li&gt;User preferences&lt;/li&gt;
&lt;li&gt;Team policies&lt;/li&gt;
&lt;li&gt;Architecture decisions&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This keeps the agent consistent and personalized across sessions.&lt;/p&gt;

&lt;h4&gt;
  
  
  Procedural Memory
&lt;/h4&gt;

&lt;p&gt;Stores repeatable how-to knowledge.&lt;/p&gt;

&lt;p&gt;Examples:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Workflows&lt;/li&gt;
&lt;li&gt;Runbooks&lt;/li&gt;
&lt;li&gt;Checklists&lt;/li&gt;
&lt;li&gt;Operational procedures&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This allows the agent to execute proven processes instead of improvising each time.&lt;/p&gt;




&lt;h2&gt;
  
  
  How Agentic Memory Systems Work
&lt;/h2&gt;

&lt;p&gt;Memory-enabled agents mimic the practical shape of human memory.&lt;/p&gt;

&lt;p&gt;Humans have:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Sensory intake&lt;/li&gt;
&lt;li&gt;Working memory&lt;/li&gt;
&lt;li&gt;Long-term storage&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Agents recreate this through an operational loop.&lt;/p&gt;

&lt;h3&gt;
  
  
  Practical Agent Loop
&lt;/h3&gt;

&lt;p&gt;Imagine you ask an agent:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;Deploy payments service to the Kubernetes staging cluster using Helm. Enable HPA and make sure rollout is healthy.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;The agent will generally follow these steps:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Read&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Parse the goal, target, constraints, and current state.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Retrieve&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Pull relevant semantic, procedural, and episodic memories.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Assemble&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Build a token-budgeted context with only the relevant information.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Act&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Execute deployment steps and inspect failures.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Evaluate&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Verify rollout health, pod status, and deployment success.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Write-back&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Store durable learnings, fixes, and operational insights.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;The write-back phase is what turns chat into learning.&lt;/p&gt;

&lt;p&gt;Without it, you are only doing retrieval, not memory.&lt;/p&gt;




&lt;h2&gt;
  
  
  Agent Memory vs RAG (Retrieval-Augmented Generation)
&lt;/h2&gt;

&lt;p&gt;RAG is about retrieving external knowledge such as:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Documentation&lt;/li&gt;
&lt;li&gt;Tickets&lt;/li&gt;
&lt;li&gt;Wikis&lt;/li&gt;
&lt;li&gt;Runbooks&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;It is fundamentally a stateless retrieval workflow.&lt;/p&gt;

&lt;p&gt;Memory, in contrast, is about persistent internal context:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;User preferences&lt;/li&gt;
&lt;li&gt;Constraints&lt;/li&gt;
&lt;li&gt;Decisions&lt;/li&gt;
&lt;li&gt;Outcomes&lt;/li&gt;
&lt;li&gt;Historical interactions&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  What Should Become Memory?
&lt;/h3&gt;

&lt;p&gt;Memory should contain information that improves future performance without introducing noise.&lt;/p&gt;

&lt;p&gt;Examples include:&lt;/p&gt;

&lt;h4&gt;
  
  
  Explicit “remember this” instructions
&lt;/h4&gt;

&lt;blockquote&gt;
&lt;p&gt;Remember that all production deployments must go through manual approval in ArgoCD.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h4&gt;
  
  
  Stable preferences
&lt;/h4&gt;

&lt;p&gt;Examples:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Uses Argo CD for GitOps&lt;/li&gt;
&lt;li&gt;Prefers YAML over Helm templates&lt;/li&gt;
&lt;li&gt;Follows strict naming conventions&lt;/li&gt;
&lt;/ul&gt;

&lt;h4&gt;
  
  
  Decisions and milestones
&lt;/h4&gt;

&lt;p&gt;Examples:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Migrated from Jenkins to GitHub Actions&lt;/li&gt;
&lt;li&gt;Standardized observability with Prometheus + Grafana&lt;/li&gt;
&lt;/ul&gt;

&lt;h4&gt;
  
  
  User corrections
&lt;/h4&gt;

&lt;p&gt;Examples:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;The API endpoint is &lt;code&gt;/v2/orders&lt;/code&gt;, not &lt;code&gt;/v1/orders&lt;/code&gt;
&lt;/li&gt;
&lt;li&gt;We’re running on EKS, not GKE&lt;/li&gt;
&lt;/ul&gt;

&lt;h4&gt;
  
  
  Outcomes and lessons learned
&lt;/h4&gt;

&lt;p&gt;Examples:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Terraform state locking issues resolved by moving to S3 + DynamoDB backend&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  RAG and Memory Together
&lt;/h3&gt;

&lt;p&gt;The most effective AI systems use both RAG and memory together.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;RAG&lt;/strong&gt; provides organizational knowledge.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Memory&lt;/strong&gt; provides personalized context.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Together they create agents that are both knowledgeable and context-aware.&lt;/p&gt;




&lt;h2&gt;
  
  
  Vector Stores for Semantic Memory
&lt;/h2&gt;

&lt;p&gt;Semantic memory stores stable facts, preferences, and knowledge.&lt;/p&gt;

&lt;p&gt;As agents accumulate hundreds or thousands of facts, scalable retrieval becomes necessary.&lt;/p&gt;

&lt;p&gt;This is where vector stores become useful.&lt;/p&gt;

&lt;p&gt;Vector databases convert text into embeddings represented as numerical vectors.&lt;/p&gt;

&lt;p&gt;When the agent needs information:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;The current query is embedded.&lt;/li&gt;
&lt;li&gt;Similar vectors are retrieved.&lt;/li&gt;
&lt;li&gt;Relevant memories are injected into context.&lt;/li&gt;
&lt;/ol&gt;

&lt;h3&gt;
  
  
  Retrieval Strategies
&lt;/h3&gt;

&lt;p&gt;Common strategies include:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Similarity search (top-k)&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Re-ranking&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Recency bias&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Filtering by scope&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Popular Vector Databases
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;Pinecone&lt;/li&gt;
&lt;li&gt;Weaviate&lt;/li&gt;
&lt;li&gt;Milvus&lt;/li&gt;
&lt;li&gt;Qdrant&lt;/li&gt;
&lt;li&gt;Chroma&lt;/li&gt;
&lt;li&gt;pgvector&lt;/li&gt;
&lt;/ul&gt;




&lt;h2&gt;
  
  
  Context Window Management and Token Accounting
&lt;/h2&gt;

&lt;p&gt;The context window is the model’s working memory.&lt;/p&gt;

&lt;p&gt;Even though modern models support huge windows, effective context management is still difficult.&lt;/p&gt;

&lt;p&gt;Adding too much information:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Degrades reasoning quality&lt;/li&gt;
&lt;li&gt;Increases cost&lt;/li&gt;
&lt;li&gt;Adds latency&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Long-Running vs Short-Running Agents
&lt;/h3&gt;

&lt;p&gt;Short-running agents may fit everything into a single context window.&lt;/p&gt;

&lt;p&gt;Long-running agents operating across sessions accumulate far more information than any window can hold.&lt;/p&gt;

&lt;p&gt;These agents require selective retrieval strategies.&lt;/p&gt;

&lt;h3&gt;
  
  
  The Context Stuffing Trap
&lt;/h3&gt;

&lt;p&gt;A common mistake is including all available information without curation.&lt;/p&gt;

&lt;p&gt;This introduces noise and buries critical information.&lt;/p&gt;

&lt;p&gt;Helpful techniques include:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Semantic chunking&lt;/li&gt;
&lt;li&gt;Memory buffering&lt;/li&gt;
&lt;li&gt;Just-in-time retrieval&lt;/li&gt;
&lt;li&gt;Hierarchical summarization&lt;/li&gt;
&lt;li&gt;Progressive disclosure&lt;/li&gt;
&lt;li&gt;Sliding windows&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Packing Order Matters
&lt;/h3&gt;

&lt;p&gt;Models pay more attention to the beginning and end of the context.&lt;/p&gt;

&lt;p&gt;Recommended ordering:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;System instructions and high-priority context&lt;/li&gt;
&lt;li&gt;Immediate user query and relevant memories&lt;/li&gt;
&lt;li&gt;Avoid burying critical information in the middle&lt;/li&gt;
&lt;/ol&gt;




&lt;h2&gt;
  
  
  Memory Management: Pruning and Compression
&lt;/h2&gt;

&lt;p&gt;As memory grows, it requires active management.&lt;/p&gt;

&lt;p&gt;Without management:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Retrieval slows down&lt;/li&gt;
&lt;li&gt;Storage grows indefinitely&lt;/li&gt;
&lt;li&gt;Old memories conflict with newer information&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Pruning Strategies
&lt;/h3&gt;

&lt;p&gt;Pruning selectively forgets irrelevant information.&lt;/p&gt;

&lt;p&gt;Common strategies include:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;TTL (time-to-live)&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Least Recently Used (LRU)&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Relevance scoring&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;User-requested deletion&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Most production systems combine several of these techniques.&lt;/p&gt;

&lt;h3&gt;
  
  
  Memory Compression
&lt;/h3&gt;

&lt;p&gt;Compression stores information in more compact forms.&lt;/p&gt;

&lt;p&gt;Useful techniques include:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Rolling summaries&lt;/li&gt;
&lt;li&gt;Hierarchical summarization&lt;/li&gt;
&lt;li&gt;Topic clustering&lt;/li&gt;
&lt;li&gt;Deduplication&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Measuring Compression Quality
&lt;/h3&gt;

&lt;p&gt;Compression should preserve critical information.&lt;/p&gt;

&lt;p&gt;Quality checks include:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Ensuring important facts remain retrievable&lt;/li&gt;
&lt;li&gt;Detecting contradictions&lt;/li&gt;
&lt;li&gt;Avoiding over-compression&lt;/li&gt;
&lt;/ul&gt;




&lt;h2&gt;
  
  
  Final Thoughts
&lt;/h2&gt;

&lt;p&gt;We are entering the era of personalized AI agents, where memory becomes foundational infrastructure.&lt;/p&gt;

&lt;p&gt;Without memory, agents lose continuity across sessions and interactions.&lt;/p&gt;

&lt;p&gt;With memory, they can:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Learn from outcomes&lt;/li&gt;
&lt;li&gt;Maintain long-term context&lt;/li&gt;
&lt;li&gt;Personalize interactions&lt;/li&gt;
&lt;li&gt;Execute workflows more reliably&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;In this article, we explored:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Context engineering&lt;/li&gt;
&lt;li&gt;Memory architecture patterns&lt;/li&gt;
&lt;li&gt;Agent loops&lt;/li&gt;
&lt;li&gt;RAG vs memory&lt;/li&gt;
&lt;li&gt;Semantic retrieval systems&lt;/li&gt;
&lt;li&gt;Context management&lt;/li&gt;
&lt;li&gt;Pruning and compression&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;After working on 250+ projects and helping companies generate billions, one thing is clear and that is that most organizations don't fail at AI because of technology. They fail because they skip the trust-building stages like developing agentic memory systems that make AI safe to scale.&lt;/p&gt;

&lt;p&gt;In the next part of this blog, we will be implementing memory patterns and learning how all these pieces come together to form a sophisticated agentic system. That system will make sure that agents not only talk in one session but also across sessions and remember all the past events.&lt;/p&gt;

</description>
      <category>agents</category>
      <category>agenticmemory</category>
      <category>ai</category>
    </item>
    <item>
      <title>Embedding AI Into Daily Development: What Software Engineers Actually Learn</title>
      <dc:creator>Improving</dc:creator>
      <pubDate>Fri, 15 May 2026 06:06:04 +0000</pubDate>
      <link>https://dev.to/improving/embedding-ai-into-daily-development-what-software-engineers-actually-learn-5c3j</link>
      <guid>https://dev.to/improving/embedding-ai-into-daily-development-what-software-engineers-actually-learn-5c3j</guid>
      <description>&lt;p&gt;The industry is currently obsessed with "Vibe Coding," but that framing misses the point for working engineers. As architects, we need to look past the trend and towards the outcome.&lt;/p&gt;

&lt;p&gt;We have spent decades coupled to our tools, often mistaking the act of typing for the act of engineering. AI is the latest evolution of that tension. Professional engineers must shift from a code-first to an outcome-first mindset. The move is from &lt;em&gt;Vibe Coding&lt;/em&gt; to &lt;em&gt;Vibe Solving&lt;/em&gt;.&lt;/p&gt;

&lt;p&gt;Vibe Coding focuses on the engine: the syntax, the generation, the satisfying feeling of code appearing on screen. Vibe Solving focuses on the destination: the business problem resolved, the user served, the system more maintainable than before. We are not syntax curators — we are problem solvers with better tools than we have ever had.&lt;/p&gt;

&lt;p&gt;AI is no longer an experiment for software engineers. It is becoming part of daily development workflows, from writing specs to maintaining legacy systems. In this post I want to cover what that shift looks like in practice: how to kill the cold start, where AI delivers its highest return, how to keep the work auditable, and why transparency with clients is no longer optional.&lt;/p&gt;




&lt;h2&gt;
  
  
  Beyond the Blank Page
&lt;/h2&gt;

&lt;p&gt;Thousands of hours disappear every year to the friction of sitting down to write a technical spec, a project plan, or even a well-scoped ticket — and having nothing come out.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;The greatest tax on engineering productivity is the cold start.&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;To address this, I use a &lt;strong&gt;Voice-to-Insight&lt;/strong&gt; workflow. The idea is simple: move into forward-only mode by capturing thoughts out loud, bypassing the internal critic that stalls written work.&lt;/p&gt;

&lt;p&gt;The key unit in this workflow is the &lt;strong&gt;30-second Wow&lt;/strong&gt;. Instead of trying to convince people through abstract language, you quickly create something tangible — a rough sketch, a narrated idea, a snapshot — and use AI to turn it into a visible output like user stories or a working prototype. The idea moves from concept to something people can see and react to, which breaks resistance and builds shared understanding.&lt;/p&gt;

&lt;p&gt;By using MacWhisper for speaker-diarized transcription and local models, you can process raw thoughts into a &lt;strong&gt;Voice Vault&lt;/strong&gt;: a structured folder of transcripts and summaries. From there, tools like Windsurf (any LLM works here) help convert raw thinking into actionable backlogs or technical outlines — without a single minute of manual typing.&lt;/p&gt;

&lt;p&gt;The raw material already exists in your own words. AI's job is to preserve it and reshape it into something a team can act on.&lt;/p&gt;




&lt;h2&gt;
  
  
  AI in Software Maintenance
&lt;/h2&gt;

&lt;p&gt;Maintenance is the graveyard of most engineering backlogs. The work is pattern-heavy, rule-heavy, and boring in a way humans have always been bad at sustaining. That is also precisely why AI returns its highest ROI there.&lt;/p&gt;

&lt;p&gt;A concrete example: I recently oversaw a migration of &lt;strong&gt;3,000 tests&lt;/strong&gt; from &lt;em&gt;Fluent Assertions&lt;/em&gt; to &lt;em&gt;Shouldly&lt;/em&gt;, alongside a major version update of the &lt;em&gt;Marten&lt;/em&gt; and &lt;em&gt;Lamar&lt;/em&gt; libraries. Historically, that is a multi-week job — one that gets deferred until it becomes a crisis.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;With AI, it took two days.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The key technique was solving the LLM's training cutoff problem. The model did not know the latest breaking API changes in Marten. Ask it to migrate your tests and it will confidently produce syntax from two versions ago. To close that gap, I used &lt;strong&gt;Context7&lt;/strong&gt;: an MCP Server that provides up-to-date documentation for libraries and frameworks. The AI is no longer working from stale training data — it is working from the version of reality I just handed it.&lt;/p&gt;

&lt;p&gt;Two things are worth being honest about here.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnuo56wrts6i930nxlmac.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnuo56wrts6i930nxlmac.png" alt="AI" width="800" height="315"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;First, the developer role changed, not disappeared. My value those two days was architectural review and verification. Second, the risk profile is not automatically lower. A model operating at scale can introduce a subtle error across thousands of tests just as easily as it introduces a correct pattern. &lt;strong&gt;Oversight is non-negotiable.&lt;/strong&gt; Without it, AI-assisted maintenance just compresses the time to failure.&lt;/p&gt;




&lt;h2&gt;
  
  
  Investigation Markdown for AI Context
&lt;/h2&gt;

&lt;p&gt;When AI is doing heavy lifting on a codebase, you cannot treat it as a black box. I require an &lt;strong&gt;Investigation Markdown&lt;/strong&gt; file for every non-trivial task.&lt;/p&gt;

&lt;p&gt;Investigation MD is a ledger that captures which decision paths were tried, which were abandoned, and why. It records the questions asked, the answers accepted, and the ones overridden. When an LLM's context window clears — and it will — that Markdown file is the only thing that tells the next human or the next AI instance where the team actually stands.&lt;/p&gt;

&lt;p&gt;I call this managing the &lt;strong&gt;binary hands&lt;/strong&gt;: the AI is fast and capable, but it does not remember yesterday, does not know why a prior approach was abandoned, and does not carry the context that exists only in the heads of your team. The Investigation Markdown makes that context explicit and persistent.&lt;/p&gt;

&lt;p&gt;A few operating rules I hold teams to when AI is in the loop:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Plan before touching files.&lt;/strong&gt; Use Plan Mode in Windsurf (or Claude Code) to audit the AI's intended changes before it touches the file system.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Get a second opinion.&lt;/strong&gt; Spin up a separate model instance with an adversarial prompt. Ask it to find holes in the first model's plan.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Ground the citations.&lt;/strong&gt; Prompt the LLM to trace claims back to source transcripts. If the AI cannot point to an origin, the claim does not belong in the strategy.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;AI also starts paying back at the leadership level when you analyze Daily Scrum transcripts for blind spots: the technical concerns that surfaced and then got ignored, the risks buried under routine updates. A human lead cannot catch all of that across several minutes of conversation per day. A model can. The limitation is honest: this is only as good as the transcripts feeding it and the prompts guiding it. It does not replace an engineer, but it makes a sharp engineering manager sharper.&lt;/p&gt;




&lt;h2&gt;
  
  
  Professional Obligation
&lt;/h2&gt;

&lt;p&gt;Using AI goes beyond improving productivity — it is a professional obligation. A consultant not using AI is showing up to a construction site with a manual screwdriver when power tools are available: slower, less accurate, and billing the client for the difference.&lt;/p&gt;

&lt;p&gt;Transparency with clients follows from that. I do not hide that I use AI. I frame it around what they actually care about: that their budget is buying judgment rather than typing, that the oil change is happening while the car is still moving. That framing earns more trust than hiding the tool ever could.&lt;/p&gt;




&lt;h2&gt;
  
  
  What the Time Buys
&lt;/h2&gt;

&lt;p&gt;We are drowning in data and starving for wisdom. We need to stop thinking of IT as Information Technology. The real shift is toward &lt;strong&gt;Impact Technology&lt;/strong&gt;: using judgment, experience, and the best tools available to deliver outcomes that actually matter.&lt;/p&gt;

&lt;p&gt;AI's real return is not the code it writes. It is the time it gives back. Time for the things AI cannot do: empathy with a client under pressure, design decisions that account for constraints not found in any repository, the hard conversation with a team about a risk they have been avoiding.&lt;/p&gt;

&lt;p&gt;What else will you find if you stop putting off the cleanup and start using the tools?&lt;/p&gt;

&lt;p&gt;For comments or suggestions on this article, find me on &lt;a href="https://www.linkedin.com/in/claudiolassala/" rel="noopener noreferrer"&gt;LinkedIn&lt;/a&gt;.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>Why Most AI Training Fails</title>
      <dc:creator>Improving</dc:creator>
      <pubDate>Mon, 11 May 2026 09:38:18 +0000</pubDate>
      <link>https://dev.to/improving/why-most-ai-training-fails-5dlb</link>
      <guid>https://dev.to/improving/why-most-ai-training-fails-5dlb</guid>
      <description>&lt;p&gt;I have taken more online AI courses than I care to count. And I am going to be honest with you: most of them followed the exact same pattern. A long walk through the history of AI, a glossary of terminology, a bunch of model names and acronyms, maybe some screenshots of someone else using ChatGPT, and then a list of prompts to take home. I would finish a course and realize I could not remember half of what I had just watched. Not because the content was wrong. Because none of it connected to anything I actually do at work.&lt;/p&gt;

&lt;p&gt;Sound familiar?&lt;/p&gt;

&lt;p&gt;If it does, you are not alone. &lt;a href="https://www.mckinsey.com/capabilities/quantumblack/our-insights/the-state-of-ai" rel="noopener noreferrer"&gt;McKinsey's 2025 Global Survey&lt;/a&gt; found that 78% of organizations now use AI in at least one business function. But a &lt;a href="https://www.walkme.com/blog/enterprise-ai-adoption/" rel="noopener noreferrer"&gt;WalkMe study from August 2025&lt;/a&gt; reported that only 7.5% of employees have received any extensive AI training, and &lt;a href="https://www.manpowergroup.com/en/news-releases/news/global-talent-barometer-2026-ai-use-accelerates-as-worker-confidence-falls-and-job-hugging-takes-hold" rel="noopener noreferrer"&gt;ManpowerGroup's 2026 Global Talent Barometer&lt;/a&gt; found that 56% of workers globally received no AI training of any kind. So the tools are everywhere, but the ability to use them well? That is a completely different story.&lt;/p&gt;

&lt;p&gt;For managers and individual contributors, the friction shows up in the same places: meetings that produce unclear outcomes, writing that takes too long to start, and decisions that require pulling together information under time pressure. The courses that are supposed to help with this — don't. They teach information that is easy to absorb during the session and just as easy to forget by the next morning.&lt;/p&gt;




&lt;h2&gt;
  
  
  Why AI "Doesn't Work" for Most People
&lt;/h2&gt;

&lt;p&gt;AI fails for most professionals not because the technology is broken, but because nobody showed them a different way to approach it.&lt;/p&gt;

&lt;p&gt;Someone pastes a meeting transcript into an AI tool and asks for a summary. The output sounds confident, but it includes decisions that were never actually made. The immediate reaction? &lt;em&gt;This thing cannot be trusted.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Or someone asks AI to draft a response to a client. The words are technically fine, but the tone is off. And then for the trivial stuff — someone asks if you are going to be at the meeting on Friday — the answer is just "Yep, I'll be there." You do not need AI for that. The challenge is knowing which messages are worth involving AI in and which ones are not.&lt;/p&gt;

&lt;p&gt;These experiences pile up, and pretty soon you start wondering: everybody seems excited about AI, so why am I just continually frustrated with it? I hear that question a lot. And the answer is almost always the same: &lt;strong&gt;nobody taught you a different way to interact with the tool.&lt;/strong&gt;&lt;/p&gt;




&lt;h2&gt;
  
  
  The Trust Problem No One Addresses Well
&lt;/h2&gt;

&lt;p&gt;When people first sit down to work with AI in any kind of structured way, the number one concern is trust. Not whether AI is useful in theory, but a very practical worry: &lt;em&gt;"I don't know if it's just going to lie to me."&lt;/em&gt; I hear some version of that in almost every conversation.&lt;/p&gt;

&lt;p&gt;And the concern is grounded. Language models can fabricate. But here is what most training programs miss: they either ignore the trust problem entirely, or they spend an hour explaining the technical reasons behind hallucinations without ever showing you what to do about it.&lt;/p&gt;

&lt;p&gt;The practical fix is not asking you to trust AI. It is teaching you how to &lt;strong&gt;challenge it&lt;/strong&gt;. Ask where a claim came from. Ask for direct quotes from the source material. Ask what assumptions were made. Once you learn how to provide the right inputs and ask for the receipts, trust stops being a yes-or-no question and becomes conditional: trust it when you can verify it.&lt;/p&gt;




&lt;h2&gt;
  
  
  Why Treating AI Like a Search Engine Fails
&lt;/h2&gt;

&lt;p&gt;Most people approach AI the way they approach Google: type something, get a result, move on. But AI works through interaction, and the first response is almost never the one you should keep. A lot of professionals figure this out the first time they push back on an AI response and watch it get better. The realization is uncomfortable, because the problem was not the tool. It was how they were using it.&lt;/p&gt;

&lt;p&gt;A single vague prompt almost guarantees disappointment. The more context you give AI, the better the response it will give. Sometimes that context emerges through a back-and-forth conversation as your intent and goals surface through feedback on what you like and don't like. That one reframe changes everything that comes after it.&lt;/p&gt;




&lt;h2&gt;
  
  
  Why Learning AI Now Matters More Than Later
&lt;/h2&gt;

&lt;p&gt;A lot of professionals are waiting, figuring they will pick up AI skills once the tools stabilize. I understand that instinct. But I think it is a mistake.&lt;/p&gt;

&lt;p&gt;Imagine the 100-meter dash at the Summer Olympics. The starting pistol fires and every runner launches off the blocks. But one runner stands up, watches everyone else, studies their techniques, and decides to join once they understand the field. By the time they start running, the race is over.&lt;/p&gt;

&lt;p&gt;AI adoption is following that same pattern. &lt;a href="https://www.gallup.com/workplace/691643/work-nearly-doubled-two-years.aspx" rel="noopener noreferrer"&gt;Gallup's Q3 2025 workforce survey&lt;/a&gt; found that 45% of U.S. employees now use AI at work, nearly doubling from 21% in 2023. And &lt;a href="https://www.ey.com/en_gl/newsroom/2025/11/ey-survey-reveals-companies-are-missing-out-on-up-to-40-percent-of-ai-productivity-gains-due-to-gaps-in-talent-strategy" rel="noopener noreferrer"&gt;EY's Work Reimagined Survey&lt;/a&gt; found that companies are missing out on up to 40% of potential AI productivity gains because of gaps in talent strategy.&lt;/p&gt;

&lt;p&gt;People who start earlier build intuition. They recognize when an output is fragile. They know how to recover without starting over. Waiting does not give you a better starting position. It just puts you further behind.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;Think about what it would feel like to hire someone today who says, "So am I going to have to use this Internet thing?" Nobody asks that question anymore. But AI is heading in the same direction. Right now, learning AI is still seen as getting ahead. Soon enough, not knowing it will just be falling behind.&lt;/p&gt;
&lt;/blockquote&gt;




&lt;h2&gt;
  
  
  Why This Is a Training Problem, Not a Tool Problem
&lt;/h2&gt;

&lt;p&gt;Most AI frustration has nothing to do with missing features. It comes from missing habits.&lt;/p&gt;

&lt;p&gt;The numbers back this up. &lt;a href="https://www.datacamp.com/blog/the-ai-skills-gap-in-2026-why-most-ai-training-isn-t-translating-to-workforce-capability" rel="noopener noreferrer"&gt;DataCamp's 2026 State of Data and AI Literacy Report&lt;/a&gt; found that 82% of enterprise leaders say they provide AI training, yet 59% still report an AI skills gap. The most common format is video-based courses, and 23% of leaders say video training does not translate to real-world application. Organizations are investing in training that is not changing how people work.&lt;/p&gt;

&lt;p&gt;When I was designing our AI training, I made a very deliberate decision: I am not just going to &lt;strong&gt;tell&lt;/strong&gt; you about a thing. I am going to have you &lt;strong&gt;do&lt;/strong&gt; the thing. Because the difference between watching someone use AI and actually using it yourself is the difference between a forgettable session and a skill that sticks.&lt;/p&gt;

&lt;p&gt;Knowing what a hallucination is does not help you when a meeting summary misrepresents a decision. What helps is learning how to provide context, how to demand evidence, and how to refine output without starting over. Prompt libraries promise shortcuts, but real work rarely fits templates. The durable skill is &lt;strong&gt;structured thinking&lt;/strong&gt;: learning how to frame your requests with enough context and constraints that the system responds appropriately, regardless of which tool you are using.&lt;/p&gt;




&lt;h2&gt;
  
  
  Three Skills That Change Day-to-Day Work
&lt;/h2&gt;

&lt;p&gt;When I was building the curriculum, I asked AI itself to research what professionals are most frequently asking for help with. The answer kept pointing to three areas.&lt;/p&gt;

&lt;h3&gt;
  
  
  1. Uncovering Insights from Messy Inputs
&lt;/h3&gt;

&lt;p&gt;Meetings generate noise. Transcripts run long. Reports have more detail than anyone can process quickly. AI can help condense and organize all of that — but only if you stay accountable for verifying what comes back.&lt;/p&gt;

&lt;p&gt;Asking for a summary is the easy part. The harder and more valuable skill is asking AI to show its sources. If it claims a decision was made, ask it to point to the exact passage. If a takeaway does not sound right, push back: &lt;em&gt;"I don't remember that from the meeting. Show me where that is."&lt;/em&gt; That habit is the difference between speed and error.&lt;/p&gt;

&lt;h3&gt;
  
  
  2. Generating Ideas Without the Blank Page
&lt;/h3&gt;

&lt;p&gt;The most paralyzing moment in any task is the beginning — staring at a blank page, trying to figure out where to start. AI solves this not by writing the final version but by giving you something to react to. Once you are reacting instead of creating from nothing, you are moving.&lt;/p&gt;

&lt;p&gt;Here is a technique I share in every session: &lt;strong&gt;ask for multiple options rather than a single answer.&lt;/strong&gt; Ask for five ideas. Review them. The first two might be terrible. The third might have something worth exploring. Tell AI to go deeper on that one and throw the rest away. That sets up an iteration cycle, and iteration is where the real value lives.&lt;/p&gt;

&lt;h3&gt;
  
  
  3. Drafting Communication with Accountability
&lt;/h3&gt;

&lt;p&gt;AI can get you 90% of the way on a piece of writing that would have taken significant time to start from scratch. I have never had a situation where AI gave me something I did not have to tweak at all — it never gets it 100% right. But that remaining 10% — the nuance, the tone, the judgment about what to include — that is your job. AI handles the heavy lifting and you focus on the part that requires your expertise.&lt;/p&gt;

&lt;p&gt;I draw a clear line here: &lt;strong&gt;AI can draft, but it does not send.&lt;/strong&gt; The human owns tone, intent, and consequences. The discomfort people feel about AI handling communications entirely? That is well-placed. Having AI prepare a draft for your review is a fundamentally different thing from having it respond on your behalf.&lt;/p&gt;




&lt;h2&gt;
  
  
  Why Hands-On Practice Changes Outcomes
&lt;/h2&gt;

&lt;p&gt;There is a difference between seeing AI used and using it yourself. Demos look clean, but real work does not. When you actually practice with AI, you see where your inputs were too vague, where constraints were missing, and where the first confident-sounding response was wrong.&lt;/p&gt;

&lt;p&gt;And then something shifts. You structure a real interaction with clear context and constraints, and the output actually works. The realization is blunt: &lt;em&gt;it did not fail randomly. It failed predictably.&lt;/em&gt; That is the moment you stop blaming the tool and start changing how you interact with it.&lt;/p&gt;

&lt;p&gt;When you provide context, set boundaries, and iterate, AI produces drafts that hold together. Trust becomes conditional instead of binary, and the rework drops. Someone who spent 45 minutes writing a client update discovers that with clear context and two rounds of iteration, AI produces a usable draft in minutes. The remaining time goes to judgment: refining tone, checking accuracy, deciding what to leave out.&lt;/p&gt;

&lt;p&gt;The professionals who make AI stick are the ones who apply it to their own problems early. Someone tackles a proposal outline they have been putting off. Someone else feeds in a meeting transcript and pulls action items. When the stakes feel real, the learning sticks faster.&lt;/p&gt;




&lt;h2&gt;
  
  
  Does Teaching AI Fundamentals Actually Change Anything?
&lt;/h2&gt;

&lt;p&gt;This is a fair question. Professionals are busy, AI changes fast, and it is reasonable to ask why anyone should invest in learning the basics when the tool will be different in six months. The argument holds up &lt;em&gt;if&lt;/em&gt; fundamentals training means memorizing features, watching demos, and leaving with a list of prompts. That kind of training does not change behavior.&lt;/p&gt;

&lt;p&gt;But fundamentals defined as &lt;strong&gt;interaction discipline&lt;/strong&gt; — how to structure context, how to iterate, how to verify — are not tied to any particular model or release cycle. They work the same way in ChatGPT as they do in Copilot, and they will work in whatever ships next year. The interface changes. The thinking does not.&lt;/p&gt;

&lt;p&gt;The gap most professionals are stuck in is not between basic and advanced knowledge. It is between &lt;em&gt;occasional use and reliable use&lt;/em&gt;. You have tried AI, gotten mixed results, and not changed your interaction patterns. That gap closes by practicing a different way of working, not by learning more theory.&lt;/p&gt;

&lt;p&gt;Even experienced users pick up useful techniques in fundamentals-focused settings, because knowing a lot about AI and using it effectively are two different things. For the large population using AI occasionally and inconsistently, the bottleneck is almost always interaction habits — not technical depth.&lt;/p&gt;




&lt;h2&gt;
  
  
  Applying AI to Real Work
&lt;/h2&gt;

&lt;p&gt;Training fails when it stays abstract. Real work has constraints: policies, customers, tone, and risk. Shorter, focused sessions tied to real tasks tend to produce more lasting change than marathon lectures.&lt;/p&gt;

&lt;p&gt;A practical starting point? &lt;strong&gt;Look at what frustrates you.&lt;/strong&gt; Tasks that are slow or mentally draining often contain parts AI can compress. Someone who spends two hours each week writing status updates can likely compress that to 20 minutes with the right interaction structure, freeing up time for work that actually requires their judgment.&lt;/p&gt;

&lt;p&gt;And the applications go beyond text. AI can generate images, create visual aids for presentations, and produce supporting content. Once you see that you can describe a concept and have AI produce a working version, the range of tasks you consider using AI for expands.&lt;/p&gt;

&lt;p&gt;Early use tends to focus on low-risk situations: notes, options, internal drafts. Over time, some uses stick and others disappear. The professionals who make AI part of how they work going forward are the ones who found two or three use cases where it reliably saved them time and built those into their routine.&lt;/p&gt;




&lt;h2&gt;
  
  
  Key Takeaways
&lt;/h2&gt;

&lt;p&gt;AI does not underdeliver because the technology is broken. It underdelivers because most people were never taught how to interact with it. That is a training problem, and 56% of workers globally have not received any AI training at all.&lt;/p&gt;

&lt;p&gt;Three skills make the biggest difference for professionals adopting AI:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;Uncovering insights from messy inputs&lt;/strong&gt; — and staying accountable for verifying what comes back&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Generating ideas by pushing past the blank page&lt;/strong&gt; — through iteration, not one-shot prompts&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Drafting communication where AI does the heavy lifting&lt;/strong&gt; — and you own the final 10%&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;The skills that actually stick — structured thinking, iteration, verification — are not tied to any specific tool or model. They work regardless of what platform you are using. But if your organization is waiting to build those skills, that wait has a price: EY's research found that companies are leaving up to 40% of their potential AI productivity gains on the table because of gaps in how they develop talent.&lt;/p&gt;




&lt;h2&gt;
  
  
  AI as a Professional Skill
&lt;/h2&gt;

&lt;p&gt;None of this is complicated. But it does require a different approach than most professionals have been taught. And the longer teams wait to build these habits, the more time gets lost to rework, rechecking, and correcting mistakes that did not have to happen.&lt;/p&gt;

&lt;p&gt;If any of this resonated — or if you have your own AI training stories (the good, the bad, and the frustrating) — I would genuinely enjoy hearing about them. You can find me on &lt;a href="https://www.linkedin.com/in/blakemcmillan/" rel="noopener noreferrer"&gt;LinkedIn&lt;/a&gt;.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>OWASP Top 10 for LLMs: A Practitioner’s Implementation Guide</title>
      <dc:creator>Improving</dc:creator>
      <pubDate>Mon, 11 May 2026 09:35:40 +0000</pubDate>
      <link>https://dev.to/improving/owasp-top-10-for-llms-a-practitioners-implementation-guide-4ec8</link>
      <guid>https://dev.to/improving/owasp-top-10-for-llms-a-practitioners-implementation-guide-4ec8</guid>
      <description>&lt;p&gt;Large Language Models (LLMs) are becoming a core part of modern applications — from copilots and chatbots to AI agents connected to tools and internal systems. As adoption grows, so do the security risks.&lt;/p&gt;

&lt;p&gt;The &lt;a href="https://owasp.org/www-project-top-10-for-large-language-model-applications/" rel="noopener noreferrer"&gt;OWASP Top 10 for LLM Applications (2025)&lt;/a&gt; highlights the most common security issues teams must address when building AI-powered systems. These risks go beyond traditional application security because LLMs interact with prompts, external data, tools, and autonomous workflows.&lt;/p&gt;

&lt;p&gt;In this post, we'll cover a practical overview of each risk and how teams can detect, prevent, and test for them.&lt;/p&gt;




&lt;h2&gt;
  
  
  LLM01:2025 — Prompt Injection
&lt;/h2&gt;

&lt;p&gt;Prompt injection is when an attacker slips malicious instructions into user input or content the model reads, tricking it into doing something it shouldn't.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Direct injection:&lt;/strong&gt; A user directly tells the model to ignore its rules.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Indirect injection:&lt;/strong&gt; The model reads an external document or web page that secretly contains instructions and follows them without realizing it.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Example:&lt;/strong&gt; An LLM connected to internal tools retrieves a document containing hidden instructions telling it to export database credentials. The model follows the instruction and triggers a data leak.&lt;/p&gt;

&lt;h3&gt;
  
  
  How to Detect It
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;Watch for phrases like "ignore previous instructions" or "pretend you are" in user input&lt;/li&gt;
&lt;li&gt;Compare inputs against known malicious prompt patterns&lt;/li&gt;
&lt;li&gt;Alert on unusual tool calls — especially ones fetching or exporting data unexpectedly&lt;/li&gt;
&lt;li&gt;Log all inputs and outputs so you can trace what happened after an incident&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  How to Prevent It
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;Make sure system-level rules can't be overridden by user messages&lt;/li&gt;
&lt;li&gt;Sanitize and validate any external content before passing it to the model&lt;/li&gt;
&lt;li&gt;Use clear separators between instructions and data in your prompts&lt;/li&gt;
&lt;li&gt;Apply least-privilege access — the model should only be able to call what it needs&lt;/li&gt;
&lt;li&gt;Add output filters to block unsafe responses before they reach users&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  How to Test It
&lt;/h3&gt;

&lt;p&gt;Run red-team tests that simulate both direct and indirect injection attempts. Use automated prompt fuzzing to probe edge cases. After any prompt changes, run regression tests to confirm your safety rules still hold.&lt;/p&gt;




&lt;h2&gt;
  
  
  LLM02:2025 — Sensitive Information Disclosure
&lt;/h2&gt;

&lt;p&gt;This happens when an LLM leaks personal data, API keys, credentials, or internal documents in its responses. It can occur through direct questions, indirect prompt injection, or a retrieval system that doesn't properly restrict access to sensitive documents.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Example:&lt;/strong&gt; An internal HR assistant retrieves employee salary records during a broad query and includes them in its response — even though the user asking had no right to see them.&lt;/p&gt;

&lt;h3&gt;
  
  
  How to Detect It
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;Scan model outputs for PII (names, emails, ID numbers) and secrets (API keys, passwords)&lt;/li&gt;
&lt;li&gt;Monitor what documents the retrieval system is fetching and whether they match the user's access level&lt;/li&gt;
&lt;li&gt;Flag responses with unusual patterns like long random strings, which could be tokens or keys&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  How to Prevent It
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;Redact sensitive data before it gets indexed or fed into the model&lt;/li&gt;
&lt;li&gt;Only retrieve documents the current user is actually allowed to see&lt;/li&gt;
&lt;li&gt;Add an output filter that blocks responses containing classified data&lt;/li&gt;
&lt;li&gt;Keep sensitive data stores separate from general knowledge sources&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  How to Test It
&lt;/h3&gt;

&lt;p&gt;Try prompting the system to extract personal records or credentials through indirect queries. Verify that restricted data can't be retrieved through similarity-based tricks. Check that access controls on your retrieval system are actually working end-to-end.&lt;/p&gt;




&lt;h2&gt;
  
  
  LLM03:2025 — Supply Chain Vulnerabilities
&lt;/h2&gt;

&lt;p&gt;LLM applications depend on many third-party components — base models, plugins, vector databases, MCP servers, and embedding providers. Any one of these can be a weak link. A malicious or compromised dependency can manipulate outputs, steal data, or take unexpected actions.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Example:&lt;/strong&gt; An application uses a third-party MCP server for document processing. A malicious update modifies the server's tool responses to inject hidden instructions, causing the app to expose sensitive data.&lt;/p&gt;

&lt;h3&gt;
  
  
  How to Detect It
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;Keep a full inventory of every model, plugin, connector, and tool your application uses&lt;/li&gt;
&lt;li&gt;Generate and maintain a Software Bill of Materials (SBOM) so you know what's inside&lt;/li&gt;
&lt;li&gt;Watch for unexpected changes in model or tool behavior after updates&lt;/li&gt;
&lt;li&gt;Correlate version upgrades with any new security anomalies&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  How to Prevent It
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;Vet vendors before integrating their tools — check their security practices and update history&lt;/li&gt;
&lt;li&gt;Verify model weights and tool packages using checksums and cryptographic signing&lt;/li&gt;
&lt;li&gt;Give third-party tools the minimum permissions they need, nothing more&lt;/li&gt;
&lt;li&gt;Isolate external services in controlled network segments where possible&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  How to Test It
&lt;/h3&gt;

&lt;p&gt;Regularly scan dependencies for known vulnerabilities. Test that third-party tools behave exactly as documented with no hidden inputs and no unexpected outputs. Before upgrading a dependency in production, simulate the upgrade in a test environment first.&lt;/p&gt;




&lt;h2&gt;
  
  
  LLM04:2025 — Data and Model Poisoning
&lt;/h2&gt;

&lt;p&gt;Data poisoning happens when malicious data is introduced into training datasets or the retrieval corpus. In fine-tuning, poisoned samples can embed hidden behaviors that activate on specific triggers. In RAG systems, an attacker can insert crafted documents into the vector store so the model retrieves and trusts corrupted context.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Example:&lt;/strong&gt; A RAG system indexes public documentation. An attacker adds a document with hidden instructions that changes how the model responds whenever a specific keyword is used.&lt;/p&gt;

&lt;h3&gt;
  
  
  How to Detect It
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;Track where every piece of data comes from before it enters your pipeline&lt;/li&gt;
&lt;li&gt;Look for documents that appear in retrieval results far more often than you'd expect&lt;/li&gt;
&lt;li&gt;Monitor for sudden shifts in model behavior after a dataset update&lt;/li&gt;
&lt;li&gt;Check embeddings for outliers that don't fit the rest of your corpus&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  How to Prevent It
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;Control who can write to your vector store — don't allow open ingestion&lt;/li&gt;
&lt;li&gt;Require human review for any high-impact data before it's added&lt;/li&gt;
&lt;li&gt;Version your datasets so you can roll back if something goes wrong&lt;/li&gt;
&lt;li&gt;Don't automatically ingest content from untrusted external sources&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  How to Test It
&lt;/h3&gt;

&lt;p&gt;Use canary data — known triggers — to check whether the model has been altered. Compare model behavior before and after dataset updates. Periodically audit your retrieval corpus for documents that don't belong.&lt;/p&gt;




&lt;h2&gt;
  
  
  LLM05:2025 — Improper Output Handling
&lt;/h2&gt;

&lt;p&gt;Output risk occurs when LLM responses are used directly — rendered as HTML, inserted into SQL queries, or passed to shell commands — without any validation. Because model output is probabilistic, it can contain unexpected characters or code-like content. Treating it as trusted input is the mistake.&lt;/p&gt;

&lt;h3&gt;
  
  
  How to Detect It
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;Scan model outputs for suspicious patterns: script tags, SQL special characters, shell operators&lt;/li&gt;
&lt;li&gt;Watch downstream systems for unexpected queries or commands&lt;/li&gt;
&lt;li&gt;Enable Content Security Policy (CSP) violation reporting to catch injected scripts&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  How to Prevent It
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;Always encode output before rendering it — treat it the same way you'd treat user-submitted content&lt;/li&gt;
&lt;li&gt;Never pass model output directly to a shell command, SQL query, or code evaluator&lt;/li&gt;
&lt;li&gt;Use parameterized queries instead of string concatenation&lt;/li&gt;
&lt;li&gt;Validate outputs against a strict schema — for example, require JSON with defined fields&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  How to Test It
&lt;/h3&gt;

&lt;p&gt;Deliberately include injection payloads in model responses during testing and verify they are neutralized before rendering. Review all code paths where LLM output flows into execution layers or sensitive APIs.&lt;/p&gt;




&lt;h2&gt;
  
  
  LLM06:2025 — Excessive Agency
&lt;/h2&gt;

&lt;p&gt;When an LLM agent is given too much autonomy — access to APIs, databases, or infrastructure without proper guardrails — it can chain together actions that were never intended. This can cause real damage: deleted records, unexpected transactions, or service disruptions, often triggered by an ambiguous instruction or injected prompt.&lt;/p&gt;

&lt;h3&gt;
  
  
  How to Detect It
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;Log every action the agent takes, including its reasoning steps&lt;/li&gt;
&lt;li&gt;Alert when an agent exceeds a set number of actions in a sequence&lt;/li&gt;
&lt;li&gt;Track cross-system changes that could indicate the agent acted beyond its scope&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  How to Prevent It
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;Require human approval before the agent takes any high-risk or irreversible action&lt;/li&gt;
&lt;li&gt;Limit how many steps an agent can chain together&lt;/li&gt;
&lt;li&gt;Give agents time-limited credentials with the minimum permissions needed&lt;/li&gt;
&lt;li&gt;Keep planning and execution separate — don't let the model decide and act in one step&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  How to Test It
&lt;/h3&gt;

&lt;p&gt;Test agents against adversarial and ambiguous prompts to identify how they behave under pressure. Verify that kill switches actually stop an agent mid-task. Run stress tests to observe what happens when objectives conflict.&lt;/p&gt;




&lt;h2&gt;
  
  
  LLM07:2025 — System Prompt Leakage
&lt;/h2&gt;

&lt;p&gt;The system prompt often contains safety rules, tool schemas, internal logic, and operational details that were never meant to be visible. If an attacker can get the model to reveal this content, they learn exactly how to bypass your controls.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Example:&lt;/strong&gt; A user repeatedly asks the model to repeat its hidden instructions. After several attempts, the model partially reveals the safety rules embedded in its system message.&lt;/p&gt;

&lt;h3&gt;
  
  
  How to Detect It
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;Watch for responses that look like internal instructions or policy text&lt;/li&gt;
&lt;li&gt;Flag repeated meta-questions like "what are your instructions" or "ignore your rules"&lt;/li&gt;
&lt;li&gt;Use automated red-teaming tools to simulate extraction attempts&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  How to Prevent It
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;Don't store credentials, API endpoints, or secrets inside the system prompt&lt;/li&gt;
&lt;li&gt;Use output filters that block responses referencing hidden instructions&lt;/li&gt;
&lt;li&gt;Keep policy logic separate from natural language instructions&lt;/li&gt;
&lt;li&gt;Structure prompts so system rules cannot be disclosed in response to user requests&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  How to Test It
&lt;/h3&gt;

&lt;p&gt;Run structured extraction prompts specifically designed to coerce the model into revealing system content. After every prompt update, re-test to confirm that nothing new has leaked. Rotate system prompts if exposure is confirmed.&lt;/p&gt;




&lt;h2&gt;
  
  
  LLM08:2025 — Vector and Embedding Weaknesses
&lt;/h2&gt;

&lt;p&gt;RAG systems rely on vector similarity to retrieve relevant documents. Attackers can craft documents with embeddings specifically designed to dominate retrieval results, hijacking the context the model receives. Poorly secured vector stores can also expose source content through embedding inversion — where attackers attempt to reconstruct original content from stored embeddings.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Example:&lt;/strong&gt; A malicious document inserted into a public knowledge base is embedded to closely match frequent queries, causing it to be consistently retrieved and influence the model's output.&lt;/p&gt;

&lt;h3&gt;
  
  
  How to Detect It
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;Monitor for documents appearing far more often than expected across unrelated queries&lt;/li&gt;
&lt;li&gt;Check for sudden shifts in the distribution of your embedding space&lt;/li&gt;
&lt;li&gt;Audit who can write to your vector store and when changes were made&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  How to Prevent It
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;Restrict write access to the vector store — require authentication for all ingestion&lt;/li&gt;
&lt;li&gt;Combine semantic similarity with keyword or rule-based filtering as a second check&lt;/li&gt;
&lt;li&gt;Encrypt embeddings at rest and isolate vector infrastructure&lt;/li&gt;
&lt;li&gt;Periodically re-index and validate your corpus to catch tampered documents&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  How to Test It
&lt;/h3&gt;

&lt;p&gt;Simulate retrieval hijacking by inserting adversarial documents and checking whether they surface in results. Compare retrieval output from a clean corpus against your live one. Audit ingestion logs to see when and what was added.&lt;/p&gt;




&lt;h2&gt;
  
  
  LLM09:2025 — Misinformation
&lt;/h2&gt;

&lt;p&gt;LLMs can confidently generate content that is factually wrong — fabricated statistics, non-existent citations, and outdated information. In applications used for decision-making, legal work, or reporting, this can cause serious real-world harm.&lt;/p&gt;

&lt;h3&gt;
  
  
  How to Detect It
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;Cross-check claims against trusted knowledge sources or retrieval results&lt;/li&gt;
&lt;li&gt;Flag responses that make factual claims without citations in high-stakes domains&lt;/li&gt;
&lt;li&gt;Monitor for contradictions across multi-turn conversations&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  How to Prevent It
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;Ground responses in retrieved, verifiable sources rather than relying on the model's memory&lt;/li&gt;
&lt;li&gt;Require citations for any regulated or high-stakes use case&lt;/li&gt;
&lt;li&gt;Add confidence indicators so users know when the model is less certain&lt;/li&gt;
&lt;li&gt;Require human review before allowing the model to publish in high-impact contexts — do not permit autonomous publishing&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  How to Test It
&lt;/h3&gt;

&lt;p&gt;Run benchmark evaluations using fact-sensitive datasets. Test with adversarial prompts designed to produce hallucinated references and measure how often they appear. Put corrections in place and notify affected parties if fabricated content has already been published.&lt;/p&gt;




&lt;h2&gt;
  
  
  LLM10:2025 — Unbounded Consumption
&lt;/h2&gt;

&lt;p&gt;Without limits, LLM interactions can spiral into excessive token usage, recursive agent loops, or rapid API call chains. The result is infrastructure strain, massive cost overruns, or denial of service — sometimes triggered accidentally, sometimes by a malicious user probing for weaknesses.&lt;/p&gt;

&lt;h3&gt;
  
  
  How to Detect It
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;Track token usage per session and per user against expected baselines&lt;/li&gt;
&lt;li&gt;Alert on recursive tool calls or unusually deep action chains&lt;/li&gt;
&lt;li&gt;Use cost anomaly detection on your API and compute bills&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  How to Prevent It
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;Set hard token limits and cap response lengths&lt;/li&gt;
&lt;li&gt;Apply rate limiting per user, per tenant, or per session&lt;/li&gt;
&lt;li&gt;Limit how deep an agent can chain actions&lt;/li&gt;
&lt;li&gt;Require confirmation before the model starts a high-cost operation&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  How to Test It
&lt;/h3&gt;

&lt;p&gt;Simulate recursive prompts and measure whether your safeguards kick in. Test rate limiting and quota enforcement under high concurrency. After any incident, audit usage logs to understand the financial and operational impact.&lt;/p&gt;




&lt;h2&gt;
  
  
  Conclusion
&lt;/h2&gt;

&lt;p&gt;LLM security is an engineering discipline, not an afterthought. The OWASP Top 10 for LLM Applications highlights that securing AI systems requires more than traditional application security practices. Teams must also address risks related to prompts, training data, external dependencies, and autonomous agents.&lt;/p&gt;

&lt;p&gt;Building secure LLM systems requires layered protections, careful data management, strong observability, and continuous testing. The table below summarizes the key controls across all ten risk categories as a quick-reference checklist for teams designing, deploying, or operating LLM-enabled systems.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Risk&lt;/th&gt;
&lt;th&gt;Detect&lt;/th&gt;
&lt;th&gt;Prevent&lt;/th&gt;
&lt;th&gt;Respond&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Prompt Injection&lt;/td&gt;
&lt;td&gt;Log inputs, pattern match&lt;/td&gt;
&lt;td&gt;Sanitize inputs, least-privilege&lt;/td&gt;
&lt;td&gt;Trace and remediate&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Sensitive Disclosure&lt;/td&gt;
&lt;td&gt;Scan outputs for PII/secrets&lt;/td&gt;
&lt;td&gt;Redact data, enforce access controls&lt;/td&gt;
&lt;td&gt;Block and audit&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Supply Chain&lt;/td&gt;
&lt;td&gt;SBOM, behavior monitoring&lt;/td&gt;
&lt;td&gt;Vet vendors, verify checksums&lt;/td&gt;
&lt;td&gt;Rollback, isolate&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Data Poisoning&lt;/td&gt;
&lt;td&gt;Track data provenance, monitor embeddings&lt;/td&gt;
&lt;td&gt;Control ingestion, version datasets&lt;/td&gt;
&lt;td&gt;Roll back corpus&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Improper Output Handling&lt;/td&gt;
&lt;td&gt;Scan for injection patterns&lt;/td&gt;
&lt;td&gt;Encode outputs, parameterized queries&lt;/td&gt;
&lt;td&gt;Review execution paths&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Excessive Agency&lt;/td&gt;
&lt;td&gt;Log agent actions, action limits&lt;/td&gt;
&lt;td&gt;Human approval, least-privilege creds&lt;/td&gt;
&lt;td&gt;Kill switch, audit&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;System Prompt Leakage&lt;/td&gt;
&lt;td&gt;Watch for meta-questions&lt;/td&gt;
&lt;td&gt;No secrets in prompts, output filters&lt;/td&gt;
&lt;td&gt;Rotate prompts&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Vector/Embedding Weaknesses&lt;/td&gt;
&lt;td&gt;Monitor retrieval patterns&lt;/td&gt;
&lt;td&gt;Restrict write access, encrypt embeddings&lt;/td&gt;
&lt;td&gt;Re-index, audit logs&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Misinformation&lt;/td&gt;
&lt;td&gt;Cross-check claims, flag unsourced content&lt;/td&gt;
&lt;td&gt;Ground in retrieval, require citations&lt;/td&gt;
&lt;td&gt;Notify, correct&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Unbounded Consumption&lt;/td&gt;
&lt;td&gt;Track token usage, cost anomalies&lt;/td&gt;
&lt;td&gt;Rate limits, hard token caps&lt;/td&gt;
&lt;td&gt;Audit usage, throttle&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;Understanding these risks is the first step. For edge cases and complex deployments, consider working with security experts who specialise in AI systems.&lt;/p&gt;

&lt;p&gt;If you found this post useful or have real-world experiences to share, feel free to connect on &lt;a href="https://www.linkedin.com/in/ysspriya/" rel="noopener noreferrer"&gt;LinkedIn&lt;/a&gt;.&lt;/p&gt;

</description>
      <category>ai</category>
      <category>cybersecurity</category>
      <category>llm</category>
      <category>security</category>
    </item>
    <item>
      <title>Everyone Talks About Golden Paths. Nobody Talks About Building Them.</title>
      <dc:creator>Improving</dc:creator>
      <pubDate>Mon, 11 May 2026 09:32:33 +0000</pubDate>
      <link>https://dev.to/improving/everyone-talks-about-golden-paths-nobody-talks-about-building-them-5gh2</link>
      <guid>https://dev.to/improving/everyone-talks-about-golden-paths-nobody-talks-about-building-them-5gh2</guid>
      <description>&lt;p&gt;Everyone's talking about Platform Engineering lately. Walk into any major technical conference like KubeCon, and you're bombarded with talks on "Golden Paths" and "IDPs." And it's great that the industry is finally focusing on developer experience instead of just more YAML.&lt;/p&gt;

&lt;p&gt;But there's a massive gap between the conference talks and your terminal.&lt;/p&gt;

&lt;p&gt;You leave these sessions feeling inspired, only to sit back down at your desk and stare at a mess of legacy deployment scripts. Most of the advice out there tells you &lt;em&gt;why&lt;/em&gt; you need a platform, but almost nobody shows you how to actually build one without a massive team or a million-dollar budget.&lt;/p&gt;

&lt;p&gt;That's exactly what I spoke about at the &lt;a href="https://colocatedeventseu2026.sched.com/event/2DY6g/build-your-golden-path-construction-playbook-a-maturity-first-implementation-approach-atulpriya-sharma-improving" rel="noopener noreferrer"&gt;Platform Engineering Day co-located event at KubeCon Europe 2026&lt;/a&gt;. This post is a written version of that talk, with everything you need to go from zero to a working golden path — without needing a big platform team or expensive tooling.&lt;/p&gt;

&lt;p&gt;  &lt;iframe src="https://www.youtube.com/embed/2U9mj9EM_aA"&gt;
  &lt;/iframe&gt;
&lt;/p&gt;




&lt;h2&gt;
  
  
  What is a Golden Path?
&lt;/h2&gt;

&lt;p&gt;A golden path is just the "opinionated" route your org sets up to get code into production.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;It's about making the right way the easiest way.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;I like to think of it as a product, not a mandate. You aren't forcing teams into a cage; you're giving them a well-lit highway with the guardrails already bolted on. If a team really needs to go off-road and hack together something custom, they can — but 99% of the time, they'll choose the highway because it's faster and safer.&lt;/p&gt;

&lt;p&gt;A golden path isn't "done" unless it hits these four marks:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Opinionated:&lt;/strong&gt; You've already made the boring decisions so the developer doesn't have to and can focus on shipping features.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Self-service:&lt;/strong&gt; If a developer has to ping someone on Slack or open a Jira ticket, it's not a golden path. It's a hurdle.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Safe by default:&lt;/strong&gt; Security and health checks aren't "extra steps" — they're just part of the plumbing.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Progressive:&lt;/strong&gt; You don't build the whole highway at once. You start with a single paved mile.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;When this works, the ROI is immediate. You stop seeing people copy-pasting crusty YAML from a repo last touched in 2022. New hires actually ship code on day one instead of day ten.&lt;/p&gt;

&lt;p&gt;But here's where most organisations get stuck.&lt;/p&gt;

&lt;p&gt;They understand what a golden path is. They've seen the talks, read the blog posts, maybe even drawn the diagram on a whiteboard. But when it's time to actually build one, the question is always the same: &lt;strong&gt;where do we start?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The problem is that a lot of teams assume they need a full platform in place before they can build a golden path — a proper IDP, a self-service portal, the whole thing. So they wait. And nothing gets built.&lt;/p&gt;

&lt;p&gt;You don't need a full platform to start paving a golden path.&lt;/p&gt;




&lt;h2&gt;
  
  
  The Gap Nobody Talks About
&lt;/h2&gt;

&lt;p&gt;Most teams aren't lacking a Golden Path because they're lazy or "don't get it." They're stuck because they can't find the starting line. Most advice from talks and blog posts assumes you're either part of a 50-person platform team or starting a greenfield project. In the real world? You have neither.&lt;/p&gt;

&lt;p&gt;What you &lt;em&gt;do&lt;/em&gt; have is a folder with a bunch of deployment scripts. Some are six months old; others were written three years ago by someone who hasn't worked at the company since 2023. Every team is doing their own thing — same task, but a dozen different, messy ways to get it done.&lt;/p&gt;

&lt;p&gt;That isn't a platform problem; it's a fragmentation problem. And you don't need to buy a shiny new tool to fix it.&lt;/p&gt;

&lt;p&gt;The other myth that kills progress is the &lt;strong&gt;"Big Bang" approach&lt;/strong&gt; — sitting in a room, architecting the perfect platform, getting stakeholder approval, and buying three new SaaS tools before shipping a single thing. That's a recipe for a six-month roadmap that ends in a "deprioritized" project.&lt;/p&gt;

&lt;p&gt;Building a Golden Path isn't a project with a deadline. It's an evolution. It matters less where you're starting and more that you're actually moving.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;The good news?&lt;/strong&gt; Your deployment scripts, messy as they are, are already your Phase 0. You are closer than you think.&lt;/p&gt;
&lt;/blockquote&gt;




&lt;h2&gt;
  
  
  A Maturity-First Approach to Building Golden Paths
&lt;/h2&gt;

&lt;p&gt;You don't have to reinvent the wheel here. The &lt;a href="https://cloudnativeplatforms.com/whitepapers/platform-eng-maturity-model/" rel="noopener noreferrer"&gt;CNCF Platform Engineering Maturity Model&lt;/a&gt; already gives us a roadmap.&lt;/p&gt;

&lt;p&gt;This model breaks things down across five pillars — &lt;strong&gt;investment&lt;/strong&gt;, &lt;strong&gt;adoption&lt;/strong&gt;, &lt;strong&gt;interfaces&lt;/strong&gt;, &lt;strong&gt;operations&lt;/strong&gt;, and &lt;strong&gt;measurement&lt;/strong&gt; — to help you figure out exactly where you're standing.&lt;/p&gt;

&lt;p&gt;We take that model and map it directly to golden path construction. Instead of asking &lt;em&gt;"how do we build a golden path?"&lt;/em&gt;, you ask &lt;em&gt;"what does the next maturity level look like for us?"&lt;/em&gt; That shift makes the whole thing much less overwhelming.&lt;/p&gt;

&lt;p&gt;Each phase builds on the previous one. You can find the complete demo in the &lt;a href="https://github.com/techmaharaj/golden-path-construction-demo" rel="noopener noreferrer"&gt;Golden Path Construction Demo Git Repo&lt;/a&gt; that maps out these phases with actual code — designed as a template you can fork and adapt to your own organisation.&lt;/p&gt;




&lt;h3&gt;
  
  
  Phase 0: The Chaos
&lt;/h3&gt;

&lt;p&gt;This is where most teams are, even if they won't admit it.&lt;/p&gt;

&lt;p&gt;Every team has their own deployment script. Same goal, different approach. One team uses inline &lt;code&gt;kubectl&lt;/code&gt; commands; another has a YAML file that's been copied and modified so many times nobody knows what the original looked like. Images are pinned to &lt;code&gt;latest&lt;/code&gt;, resource limits are missing, health checks are broken or absent.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight yaml"&gt;&lt;code&gt;&lt;span class="s"&gt;kubectl apply -f - &amp;lt;&amp;lt;EOF&lt;/span&gt;
&lt;span class="na"&gt;apiVersion&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;apps/v1&lt;/span&gt;
&lt;span class="na"&gt;kind&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;Deployment&lt;/span&gt;
&lt;span class="na"&gt;metadata&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="na"&gt;name&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;myapp&lt;/span&gt;
&lt;span class="na"&gt;spec&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="na"&gt;replicas&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="m"&gt;1&lt;/span&gt;
  &lt;span class="na"&gt;selector&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="na"&gt;matchLabels&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
      &lt;span class="na"&gt;app&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;myapp&lt;/span&gt;
  &lt;span class="na"&gt;template&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="na"&gt;metadata&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
      &lt;span class="na"&gt;labels&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
        &lt;span class="na"&gt;app&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;myapp&lt;/span&gt;
    &lt;span class="na"&gt;spec&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
      &lt;span class="na"&gt;containers&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
      &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;name&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;myapp&lt;/span&gt;
        &lt;span class="na"&gt;image&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;nginx:latest&lt;/span&gt;        &lt;span class="c1"&gt;# ❌ latest tag&lt;/span&gt;
        &lt;span class="na"&gt;ports&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
        &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;containerPort&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="m"&gt;80&lt;/span&gt;
        &lt;span class="c1"&gt;# ❌ no resource limits&lt;/span&gt;
        &lt;span class="c1"&gt;# ❌ no health checks&lt;/span&gt;
        &lt;span class="c1"&gt;# ❌ no namespace&lt;/span&gt;
&lt;span class="s"&gt;EOF&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Nothing is wrong with any individual script. The problem is there are ten of them, and none of them talk to each other.&lt;/p&gt;




&lt;h3&gt;
  
  
  Phase 1: Standardize
&lt;/h3&gt;

&lt;p&gt;This is the most important phase — and also the easiest one to ship.&lt;/p&gt;

&lt;p&gt;You pick one script. One template. Every team uses it. That's it.&lt;/p&gt;

&lt;p&gt;The template enforces the basics by default: resource limits, health checks, proper labels, a namespace. Nobody has to remember to add them. They're just there.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight yaml"&gt;&lt;code&gt;&lt;span class="na"&gt;template&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="na"&gt;metadata&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="na"&gt;labels&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
      &lt;span class="na"&gt;app&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;${APP_NAME}&lt;/span&gt;
      &lt;span class="na"&gt;managed-by&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;platform-team&lt;/span&gt;
  &lt;span class="na"&gt;spec&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="na"&gt;containers&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;name&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;${APP_NAME}&lt;/span&gt;
      &lt;span class="na"&gt;image&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;${IMAGE}&lt;/span&gt;
      &lt;span class="na"&gt;ports&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
      &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;containerPort&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="m"&gt;80&lt;/span&gt;
      &lt;span class="na"&gt;resources&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
        &lt;span class="na"&gt;requests&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
          &lt;span class="na"&gt;memory&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="s"&gt;64Mi"&lt;/span&gt;
          &lt;span class="na"&gt;cpu&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="s"&gt;50m"&lt;/span&gt;
        &lt;span class="na"&gt;limits&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
          &lt;span class="na"&gt;memory&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="s"&gt;128Mi"&lt;/span&gt;
          &lt;span class="na"&gt;cpu&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="s"&gt;100m"&lt;/span&gt;
      &lt;span class="na"&gt;livenessProbe&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
        &lt;span class="na"&gt;httpGet&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
          &lt;span class="na"&gt;path&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;/&lt;/span&gt;
          &lt;span class="na"&gt;port&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="m"&gt;80&lt;/span&gt;
        &lt;span class="na"&gt;initialDelaySeconds&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="m"&gt;10&lt;/span&gt;
      &lt;span class="na"&gt;readinessProbe&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
        &lt;span class="na"&gt;httpGet&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
          &lt;span class="na"&gt;path&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;/&lt;/span&gt;
          &lt;span class="na"&gt;port&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="m"&gt;80&lt;/span&gt;
        &lt;span class="na"&gt;initialDelaySeconds&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="m"&gt;5&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Developers just pass the necessary values; everything else is governed by the template.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What changes from Phase 0:&lt;/strong&gt; instead of ten different scripts with ten different outcomes, you have one script with one consistent output.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What you gain:&lt;/strong&gt; predictability. Every deployment looks the same. Debugging becomes faster. Onboarding becomes easier. And you've done this without any new tooling or platform investment.&lt;/p&gt;

&lt;p&gt;This is also your first win to show leadership. You haven't built a platform. You've standardised how your teams deploy. That's already valuable.&lt;/p&gt;




&lt;h3&gt;
  
  
  Phase 2: Validate
&lt;/h3&gt;

&lt;p&gt;Standardization tells teams what to do. Validation makes sure they actually do it.&lt;/p&gt;

&lt;p&gt;In this phase, you move from a shell script to a config-driven approach. Teams fill in a YAML file with their app details. A validation layer checks the inputs before anything touches the cluster. Bad configs are rejected early, with a clear error message — not a cryptic Kubernetes failure three minutes later.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight python"&gt;&lt;code&gt;&lt;span class="k"&gt;def&lt;/span&gt; &lt;span class="nf"&gt;validate&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;config&lt;/span&gt;&lt;span class="p"&gt;):&lt;/span&gt;
    &lt;span class="n"&gt;errors&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="p"&gt;[]&lt;/span&gt;

    &lt;span class="k"&gt;for&lt;/span&gt; &lt;span class="n"&gt;field&lt;/span&gt; &lt;span class="ow"&gt;in&lt;/span&gt; &lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;name&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;image&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;team&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;]:&lt;/span&gt;
        &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="ow"&gt;not&lt;/span&gt; &lt;span class="n"&gt;config&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;get&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;field&lt;/span&gt;&lt;span class="p"&gt;):&lt;/span&gt;
            &lt;span class="n"&gt;errors&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;append&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sa"&gt;f&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;❌ &lt;/span&gt;&lt;span class="sh"&gt;'&lt;/span&gt;&lt;span class="si"&gt;{&lt;/span&gt;&lt;span class="n"&gt;field&lt;/span&gt;&lt;span class="si"&gt;}&lt;/span&gt;&lt;span class="sh"&gt;'&lt;/span&gt;&lt;span class="s"&gt; is required&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;

    &lt;span class="n"&gt;name&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;config&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;get&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;name&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="sh"&gt;""&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
    &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="n"&gt;name&lt;/span&gt; &lt;span class="ow"&gt;and&lt;/span&gt; &lt;span class="ow"&gt;not&lt;/span&gt; &lt;span class="n"&gt;re&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;match&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sa"&gt;r&lt;/span&gt;&lt;span class="sh"&gt;'&lt;/span&gt;&lt;span class="s"&gt;^[a-z][a-z0-9-]*$&lt;/span&gt;&lt;span class="sh"&gt;'&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;name&lt;/span&gt;&lt;span class="p"&gt;):&lt;/span&gt;
        &lt;span class="n"&gt;errors&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;append&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sa"&gt;f&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;❌ &lt;/span&gt;&lt;span class="sh"&gt;'&lt;/span&gt;&lt;span class="s"&gt;name&lt;/span&gt;&lt;span class="sh"&gt;'&lt;/span&gt;&lt;span class="s"&gt; must be lowercase and DNS-compatible (got: &lt;/span&gt;&lt;span class="sh"&gt;'&lt;/span&gt;&lt;span class="si"&gt;{&lt;/span&gt;&lt;span class="n"&gt;name&lt;/span&gt;&lt;span class="si"&gt;}&lt;/span&gt;&lt;span class="sh"&gt;'&lt;/span&gt;&lt;span class="s"&gt;)&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;

    &lt;span class="n"&gt;image&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;config&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;get&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;image&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="sh"&gt;""&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
    &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="n"&gt;image&lt;/span&gt; &lt;span class="ow"&gt;and&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;:latest&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt; &lt;span class="ow"&gt;in&lt;/span&gt; &lt;span class="n"&gt;image&lt;/span&gt; &lt;span class="ow"&gt;or&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;:&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt; &lt;span class="ow"&gt;not&lt;/span&gt; &lt;span class="ow"&gt;in&lt;/span&gt; &lt;span class="n"&gt;image&lt;/span&gt;&lt;span class="p"&gt;):&lt;/span&gt;
        &lt;span class="n"&gt;errors&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;append&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sa"&gt;f&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;❌ &lt;/span&gt;&lt;span class="sh"&gt;'&lt;/span&gt;&lt;span class="s"&gt;image&lt;/span&gt;&lt;span class="sh"&gt;'&lt;/span&gt;&lt;span class="s"&gt; must use a specific version tag, not &lt;/span&gt;&lt;span class="sh"&gt;'&lt;/span&gt;&lt;span class="s"&gt;:latest&lt;/span&gt;&lt;span class="sh"&gt;'&lt;/span&gt;&lt;span class="s"&gt; (got: &lt;/span&gt;&lt;span class="sh"&gt;'&lt;/span&gt;&lt;span class="si"&gt;{&lt;/span&gt;&lt;span class="n"&gt;image&lt;/span&gt;&lt;span class="si"&gt;}&lt;/span&gt;&lt;span class="sh"&gt;'&lt;/span&gt;&lt;span class="s"&gt;)&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;

    &lt;span class="n"&gt;env&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;config&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;get&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;environment&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;dev&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
    &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="n"&gt;env&lt;/span&gt; &lt;span class="ow"&gt;not&lt;/span&gt; &lt;span class="ow"&gt;in&lt;/span&gt; &lt;span class="n"&gt;ENV_DEFAULTS&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;
        &lt;span class="n"&gt;errors&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;append&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sa"&gt;f&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;❌ &lt;/span&gt;&lt;span class="sh"&gt;'&lt;/span&gt;&lt;span class="s"&gt;environment&lt;/span&gt;&lt;span class="sh"&gt;'&lt;/span&gt;&lt;span class="s"&gt; must be one of &lt;/span&gt;&lt;span class="si"&gt;{&lt;/span&gt;&lt;span class="nf"&gt;list&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;ENV_DEFAULTS&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;keys&lt;/span&gt;&lt;span class="p"&gt;())&lt;/span&gt;&lt;span class="si"&gt;}&lt;/span&gt;&lt;span class="s"&gt; (got: &lt;/span&gt;&lt;span class="sh"&gt;'&lt;/span&gt;&lt;span class="si"&gt;{&lt;/span&gt;&lt;span class="n"&gt;env&lt;/span&gt;&lt;span class="si"&gt;}&lt;/span&gt;&lt;span class="sh"&gt;'&lt;/span&gt;&lt;span class="s"&gt;)&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;

    &lt;span class="k"&gt;return&lt;/span&gt; &lt;span class="n"&gt;errors&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;What changes from Phase 1:&lt;/strong&gt; the interface is now declarative, not imperative. Teams describe what they want, not how to do it.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What you gain:&lt;/strong&gt; fewer misconfigurations, faster feedback loops, and a foundation that's ready to scale.&lt;/p&gt;




&lt;h3&gt;
  
  
  Phase 3: GitOps
&lt;/h3&gt;

&lt;p&gt;This phase is a single change with a big impact.&lt;/p&gt;

&lt;p&gt;Everything from Phase 2 stays exactly the same — the validation, the manifest generation, the standards. The only thing that changes is the last step. Instead of &lt;code&gt;kubectl apply&lt;/code&gt;, you do a &lt;code&gt;git push&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;A CD tool like ArgoCD watches the repository and deploys automatically when it sees a change. Every deployment is now a commit. You get a full audit trail for free. Rollback is just a &lt;code&gt;git revert&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What changes from Phase 2:&lt;/strong&gt; humans are no longer directly touching the cluster.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What you gain:&lt;/strong&gt; traceability, consistency across environments, and the groundwork for everything that comes next. Git becomes your single source of truth.&lt;/p&gt;




&lt;h3&gt;
  
  
  Phase 4: IDP and Self-Service
&lt;/h3&gt;

&lt;p&gt;This is where the golden path becomes fully self-service.&lt;/p&gt;

&lt;p&gt;Everything underneath is the same as Phase 3. The validation still runs. The manifest is still generated. ArgoCD still deploys. The developer just doesn't see any of it.&lt;/p&gt;

&lt;p&gt;Instead, they open a portal, fill in a form with their app name, image tag, team, and environment, and hit deploy. No YAML. No terminal. No kubectl.&lt;/p&gt;

&lt;p&gt;The platform carries all the knowledge so the developer doesn't have to.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What changes from Phase 3:&lt;/strong&gt; the interface. That's it.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What you gain:&lt;/strong&gt; any developer in your organisation can now deploy safely and correctly, regardless of their Kubernetes experience. The platform enforces everything. The developer just ships.&lt;/p&gt;

&lt;p&gt;This is the line from the talk that captures the whole framework best:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;The interface changes. The logic doesn't.&lt;/strong&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;From Phase 1 to Phase 4, the core logic is the same. You're just wrapping it in a better interface at each step. That's what makes this approach so practical — you're not rebuilding from scratch at every phase. You're building on what you already have.&lt;/p&gt;




&lt;h2&gt;
  
  
  Why This Approach Works
&lt;/h2&gt;

&lt;p&gt;Most platform initiatives fail because they try to boil the ocean. They treat a golden path like a destination you reach after eighteen months of development. By the time the platform is "ready," the requirements have changed, the budget is gone, and developers have already moved on to their own shadow IT solutions.&lt;/p&gt;

&lt;p&gt;This maturity-first approach flips the script.&lt;/p&gt;

&lt;h3&gt;
  
  
  You get ROI on Day One
&lt;/h3&gt;

&lt;p&gt;When you start at Phase 1 by just standardizing a single template, you aren't waiting for a portal to be built. You are solving the "copy-paste YAML" problem immediately.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;Every hour a developer doesn't spend debugging a bad deployment script is an hour they spend shipping features.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;You don't need a UI to prove that value to leadership.&lt;/p&gt;

&lt;h3&gt;
  
  
  It reduces cognitive load, not just tickets
&lt;/h3&gt;

&lt;p&gt;A common mistake is thinking a golden path is just about automation. It's actually about psychology. When a developer knows there is a "safe" way to deploy, they stop worrying about breaking the cluster. That confidence leads to faster iterations. By building progressively, you lower the barrier to entry for new hires without overwhelming your existing team with a massive new toolset to learn.&lt;/p&gt;

&lt;h3&gt;
  
  
  It earns developer trust
&lt;/h3&gt;

&lt;p&gt;Developers are naturally skeptical of "mandated" platforms. They've seen too many internal tools that make their lives harder. By evolving your existing scripts into a golden path, you are meeting them where they already live — fixing their current pain points instead of forcing them to adopt a whole new workflow overnight. Trust is built in increments, not in a grand reveal.&lt;/p&gt;

&lt;h3&gt;
  
  
  Leadership loves predictable growth
&lt;/h3&gt;

&lt;p&gt;For a CTO or VP of Engineering, "we are building a platform" sounds like a high-risk, high-cost gamble. "We are maturing our deployment lifecycle from Phase 1 to Phase 2" sounds like a predictable, measurable improvement. This model gives you a language to speak to leadership that justifies the investment without making impossible promises.&lt;/p&gt;




&lt;h2&gt;
  
  
  Get Started
&lt;/h2&gt;

&lt;p&gt;Building a golden path isn't about hitting a finish line. It's about building a culture where the right way to work is also the easiest way.&lt;/p&gt;

&lt;p&gt;By following a maturity-based approach, you stop treating "The Platform" as a project and start treating it as a product that evolves with your team. You don't need to wait for a massive budget or a greenfield project. You just need to look at your current Phase 0 and decide which piece of logic is worth standardizing today.&lt;/p&gt;

&lt;p&gt;The rewards are worth the effort: faster onboarding, fewer outages, and developers who actually enjoy their deployment process.&lt;/p&gt;

&lt;p&gt;If you're currently staring at a mess of scripts and wondering how to map out your own Phase 1, I'd love to hear about it — reach out to me on &lt;a href="https://www.linkedin.com/in/atulpriyasharma/" rel="noopener noreferrer"&gt;LinkedIn&lt;/a&gt; to discuss your platform journey or share what's working for your team.&lt;/p&gt;

</description>
    </item>
  </channel>
</rss>
