Felix Ortiz

Security Is a Delivery Accelerator, Not a Gate

The 2025 DORA report found that most developers now use AI tools and individual productivity is up, yet organizational delivery metrics remain flat. AI acts as an amplifier: it magnifies the strengths of high-performing organizations and the dysfunctions of struggling ones. The tools aren't the bottleneck. The underlying practices are.

Security is one of those practices.

DORA's core capability model includes pervasive security: integrating security into daily development work rather than treating it as a final gate. Their research shows high-performing teams spend significantly less time remediating security issues. That's time returned to shipping features. The report is blunt: AI productivity gains are "swallowed by bottlenecks in testing, security reviews, and complex deployment processes." Automate the security, and you remove a bottleneck.

What this looks like in practice

This past week I needed to deploy and integrate a new API across two cloud providers. Nobody asked for fully automated IaC, a CI/CD pipeline, or security hardening. That's just how the work got delivered.

Everything is defined in code. Infrastructure lives in Terraform: IAM policies, VPC rules, security groups, TLS configuration. New environments inherit the security posture automatically. No checklist, no drift, no ClickOps replication between staging and production.

The application layer follows the same principle. Authentication is passwordless by default: IAM-based database auth and JWT service auth for cross-cloud API calls, no shared secrets anywhere in the stack. Network egress is locked to private ranges, with outbound traffic routed through known IPs so both sides can audit and whitelist every connection. TLS everywhere. CI/CD workflows are version-controlled and hardened the same way.

The security review happens in the code review. On a small team, the engineer designing the infrastructure might also be the one making the security decisions. On a larger team, that's your InfoSec team in the room during design, shaping the posture before a line of code is written. Either way, it's shifting left. The security decisions are human. The enforcement is automated.
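The "enforcement is automated" half of that split is a policy check that runs on every Terraform change in CI and fails the job when a change drifts from the posture the humans decided on. The block below is an added example of such a check, not code from the author's pipeline. It assumes the plan was exported with `terraform show -json tfplan`, that the stack uses AWS resource types (`aws_security_group_rule`, `aws_lb_listener`, `aws_db_instance`), and it checks three of the decisions named above: egress limited to private ranges, TLS on every listener, and IAM-based database authentication. The sample plan is constructed for the example.

```python
"""Policy check over a Terraform plan JSON (assumed: produced by
`terraform show -json tfplan`). Added example, not the post author's code.
Exit code 1 on any finding so the CI job fails and the change cannot merge."""
import ipaddress
import json
import sys
from typing import List

# Egress may only target private address space (RFC 1918 plus IPv6 ULA).
PRIVATE_RANGES = [
    ipaddress.ip_network(c)
    for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")
]


def cidr_is_private(cidr: str) -> bool:
    """True when the whole CIDR sits inside one of the allowed private ranges."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == r.version and net.subnet_of(r) for r in PRIVATE_RANGES)


def check_plan(plan: dict) -> List[str]:
    """Return one human-readable finding per resource that violates the posture."""
    findings = []
    for change in plan.get("resource_changes", []):
        actions = change.get("change", {}).get("actions", [])
        # Deleting or leaving a resource untouched cannot weaken the posture.
        if actions == ["delete"] or "no-op" in actions:
            continue
        after = change.get("change", {}).get("after") or {}
        addr, rtype = change["address"], change["type"]

        if rtype == "aws_security_group_rule" and after.get("type") == "egress":
            cidrs = (after.get("cidr_blocks") or []) + (after.get("ipv6_cidr_blocks") or [])
            for cidr in cidrs:
                if not cidr_is_private(cidr):
                    findings.append(f"{addr}: egress to non-private range {cidr}")

        if rtype == "aws_lb_listener" and after.get("protocol") not in ("HTTPS", "TLS"):
            findings.append(f"{addr}: listener protocol {after.get('protocol')} is not TLS")

        if rtype == "aws_db_instance" and not after.get("iam_database_authentication_enabled"):
            findings.append(f"{addr}: IAM database authentication is disabled")
    return findings


# Constructed sample plan: one compliant egress rule, one open egress rule,
# a plaintext HTTP listener, a database without IAM auth, and a deletion.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_security_group_rule.api_egress_private", "type": "aws_security_group_rule",
         "change": {"actions": ["create"], "after": {"type": "egress", "cidr_blocks": ["10.20.0.0/16"]}}},
        {"address": "aws_security_group_rule.api_egress_any", "type": "aws_security_group_rule",
         "change": {"actions": ["create"], "after": {"type": "egress", "cidr_blocks": ["0.0.0.0/0"]}}},
        {"address": "aws_lb_listener.api_http", "type": "aws_lb_listener",
         "change": {"actions": ["update"], "after": {"protocol": "HTTP", "port": 80}}},
        {"address": "aws_db_instance.api", "type": "aws_db_instance",
         "change": {"actions": ["create"], "after": {"iam_database_authentication_enabled": False}}},
        {"address": "aws_db_instance.legacy", "type": "aws_db_instance",
         "change": {"actions": ["delete"], "after": None}},
    ],
}


if __name__ == "__main__":
    # Usage in CI: terraform show -json tfplan > plan.json && python check_plan.py plan.json
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    problems = check_plan(plan)
    for line in problems:
        print("POLICY:", line)
    sys.exit(1 if problems else 0)
```

Running it against the constructed plan reports three findings (the open egress rule, the HTTP listener and the database without IAM auth) and exits non-zero; the compliant rule and the deletion produce nothing. Because the check reads the plan rather than the HCL, it catches values that only resolve at plan time, such as a CIDR pulled from a variable.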

Why this matters for compliance

Every infrastructure change is versioned, peer-reviewed, and auditable. In regulated industries like healthcare, that traceability supports your HIPAA compliance posture and gives SOC 2 auditors exactly what they ask for: evidence that controls are in place and changes are tracked. The pipeline generates that evidence end-to-end: who proposed the change, who implemented it, who approved it, and who triggered the deploy. No separate compliance workflow. No after-the-fact documentation. The delivery pipeline is the audit trail.

Why this matters for resilience

There's no such thing as perfect security. Something will eventually get through, and when it does, it becomes unplanned work that competes with everything else on the roadmap. The faster you can respond, the less it costs. A recent supply chain incident proved the point. The automation is what made the response fast: the entire pipeline was hardened across all projects in hours, including agent skills that now enforce security practices on every future build.

Your response time is part of your security posture. In DORA terms, your MTTR is a security metric, not just an operations one. Pervasive security and continuous delivery aren't separate capabilities. They reinforce each other.

Humans decide the security posture. Automation enforces it. That's the accelerator.