For companies becoming agent-ready

AgentDLC

AgentDLC is the operating doctrine, workshop system, and team-development model for companies that want agents inside delivery without losing ownership, safety, evidence, or release discipline.

Intent → Ready → Plan → Sandbox → Evidence → Human gate → Operate
Why this exists

Adding agents without a lifecycle increases blast radius.

The current SDLC leaks money because requirements are vague, evidence arrives late, security and SRE become serial gates, and every developer re-discovers brownfield context. AgentDLC fixes the operating model before it asks agents to move faster.

Cost leak 01

Rework loops

Defects caught in UAT or production cost 10-30x more than defects caught at planning. ADLC turns late discoveries into early constraints.

Cost leak 02

Serial specialists

Architecture, security, SRE, and release review happen after the diff. ADLC moves ADRs, threat-model deltas, canary plans, and runbooks into the work packet.

Cost leak 03

Evidence drift

Runbooks, SBOMs, API docs, release notes, screenshots, and logs are treated as afterthoughts. ADLC makes them first-class artifacts.

Read this as a production system

AgentDLC is for teams that need agent speed without losing release discipline.

This page is now organized around the questions a real buyer asks before trusting autonomous software work: who owns decisions, what evidence is produced, what blocks release, how brownfield systems are protected, and what must exist before production use.

Executive reader

What changes commercially?

Cost-of-change drops when rework, escaped defects, late review, and documentation drift are reduced. The promise is capacity and quality, not headcount replacement.

Engineering reader

What changes operationally?

Every task carries intent, context, plan, tests, scans, release notes, rollback, and support context. Agents execute inside those constraints.

Security reader

What stops bad autonomy?

Sandbox boundaries, SAST/SCA, policy-as-code, data classification, named approvals, and gate overrides that become audit findings.

The delivery stack

When agents join delivery, every discipline needs one shared operating layer.

Modern teams already have cadence, pipelines, platforms, reliability practices, security controls, and model evaluation. ADLC gives those disciplines a common protocol for delegated agent work.

01 / Agile

Cadence and customer learning

Agile made teams organize around increments, feedback, product ownership, and working software.

Agent gap: vague stories become fast wrong work.
02 / DevOps and CI/CD

Flow and release automation

DevOps shortened the path from change to deployment with pipelines, automation, and shared ownership.

Agent gap: fast commits still need proof, permissions, and rollback.
03 / SRE and platform

Reliability and paved roads

SRE and platform teams gave delivery teams guardrails, observability, incident discipline, and reusable paths.

Agent gap: agents need bounded environments and operability criteria.
04 / Security, risk, governance

Trust, policy, and accountability

Security and governance define what cannot be exposed, bypassed, merged, or released without judgment.

Agent gap: autonomy must have refusal gates and audit trails.
05 / MLOps and LLMOps

Evaluation for probabilistic systems

MLOps and LLMOps bring evals, monitoring, prompt/version control, drift checks, and model risk thinking.

Agent gap: model quality is not enough; delegated work needs lifecycle control.
06 / ADLC

The lifecycle for human-agent delivery

ADLC turns intent into packets, packets into bounded agent work, and agent work into evidence that humans can approve, reject, operate, and improve.

Workshop output: your first agent-ready operating model.
The message:

Agents create a new coordination problem. ADLC gives companies the rituals, artifacts, and gates to solve it.

Manifesto

The unit of progress is not generated code. It is verified, auditable, deployable change.

AgentDLC is not "let the model ship." It is a delivery constitution for autonomous software work: sandboxed execution, traceable actions, refusal gates, and named human accountability.

Shift-left. Security, quality, compliance, cost, scale, accessibility, and operability enter before implementation.

Evidence. Agents do not ask for trust. They attach tests, scans, diffs, traces, screenshots, logs, and signed artifacts.

Containment. Sandboxes, short-lived credentials, policy-as-code, and rollback paths make agent mistakes survivable.

Traceability. Jira, Linear, Notion, Git, CI, release records, and incidents form one chain of custody.

01 / Plan

Every ticket becomes ready for agents.

Definition of Ready means owner, customer impact, acceptance criteria, NFRs, dependencies, risk class, data sensitivity, and expected evidence are explicit.

02 / Prove

Every claim requires an artifact.

Code, tests, scan reports, logs, screenshots, traces, performance notes, review comments, and rollback paths travel with the PR.

03 / Refuse

Every gate can stop the release.

Quality, security, policy, operational readiness, and human approvals are not ceremonies. They are explicit refusal mechanisms.

Maturity model

Three levels of AgentDLC adoption.

The right answer is not instant autonomy. Most enterprises live in Level 1 and Level 2 for years: the same people, the same product, and much more verified output.

L1 / Agent-augmented teams

Existing roles get agent pods.

Planners draft crisp AC and risk registers. Architects review machine-drafted HLD, LLD, ADRs, and contracts. Developers generate bounded code, tests, docs, and impact analysis. QA designs regression matrices. Managers receive delivery telemetry.

L2 / Forward-deployed 10x engineers

One owner runs the full ADLC loop.

An AI-native FDE owns a product slice end-to-end: intent, plan, implementation, QA, security, release, support, evidence, and escalation. Agents act as a staffed delivery pod; humans own judgment.

L3 / Autonomous AgentDLC cloud

Specialists run under policy.

Planner, architect, coder, tester, security, compliance, SRE, release, and support agents operate as a supervised graph with least privilege, short-lived environments, immutable audit logs, and promotion gates.

Existing role | What changes after Phase 1 | Brownfield example
Developer | Pairs with a coding agent that drafts implementation, tests, refactors, docs, and rollback steps. The engineer reviews diffs and owns the merge. | An old auth flow moves to OAuth2 with migration plan, regression tests, and rollback notes produced before PR approval.
QA / SDET | Becomes test strategy lead. Agents generate regression matrices and test code from acceptance criteria. | A legacy reporting module gets coverage-gap mapping, property tests, integration tests, and exploratory charters.
Architect | Reviews ADRs, threat-model deltas, dependency maps, and cross-boundary options instead of writing boilerplate documents. | A monolithic billing split is mapped with call graph, boundary options, tradeoffs, and ADR rationale.
SRE / DevOps | Reviews canary plans, SLO deltas, dashboards, alert rules, and runbooks created alongside the PR. | A third-party dependency addition ships with rollout plan, dashboards, rollback notes, and operational sign-off.
PM / BA | Converts customer intent into Definition-of-Ready tickets with AC, edge cases, risk, data sensitivity, and scope tradeoffs. | A billing export request becomes classified work with audit requirements, edge cases from logs, and approved scope.

Lifecycle

From requirement to recovery, with gates and evidence at every step.

Each phase produces artifacts that feed the next phase and gates that prevent downstream cleanup. The lifecycle is designed so specialists review drafts in parallel, not after release pressure has built.

Agent rails

Markdown, work systems, skills, and Git become the operating system.

Agents perform best when the environment is explicit. AgentDLC turns scattered context into a file-based, ticket-linked, versioned surface that people can read and agents can execute.

Rail 01 / ADLC folder

Readable by people. Executable by agents. Diffable in Git.

The ADLC folder is the canonical planning surface: portable across coding agents, review agents, CI, and internal delivery tools.

Files
manifest.md, requirements.md, acceptance.md, nfr.md, plan.md, tasks.md, risk-register.md, ADRs, test matrices, runbooks, release notes.
Gate
Planning is not complete until the agent proves it understands scope, dependencies, data sensitivity, non-functional requirements, verification, and rollout constraints.
Ask for these outputs
  • Starter folder: Intent, NFRs, tasks, risks.
  • Gate checklist: Proof required before work starts.
  • Runbook stub: Support context from day one.

ADLC production stack

The doctrine becomes real through controls, orchestration, and repeatable delivery kits.

Layer 1 / Control plane

Approvals, budgets, and audit

The runtime must expose contracts for goals, plans, actions, approvals, memory, traces, skills, costs, and escalation.

Controls
Budget caps, checkpoints, retries, cancellation, pause/resume, scoped memory, tool gateways, security boundaries, and traceable approvals.
Layer 2 / Agent graph

Specialists with handoffs

Planner, architect, implementer, tester, security, release, SRE, and support agents should operate as a supervised graph, not as one opaque chat session.

Controls
Context routing, fallback, failure recovery, brownfield analysis, dependency maps, scoped memory, skill versions, and trust scoring.
Layer 3 / Delivery kit

Reusable ADLC folder

Teams need a consistent folder, command set, evidence matrix, HITL gates, ROI tracking, and principal-level review prompts from day one.

Commands
/plan, /council, /architecture-review, /threat-model, /generate, /review, /verify, /deploy, /debug, /refactor.
What AgentDLC refuses

No replacement story.

  • No layoffs, no headcount-reduction promise, no "the AI owns it."
  • No agent touches production credentials, customer data, or live infrastructure directly.
  • No gate bypass under time pressure without a named human approver and audit finding.
  • No auto-merge for customer-facing, security-sensitive, or architecture-changing work.
What AgentDLC upgrades

Sharper human accountability.

  • Humans own customer intent, business value, architecture tradeoffs, security edges, and production go/no-go.
  • Agents absorb mechanical work: drafting, generation, regression design, scan triage, docs, ticket hygiene.
  • Escalation is a feature. When risk exceeds policy, agents stop and ask.
  • Capacity is reinvested into delivery, tech-debt paydown, modernization, and customer-facing work.
Release packet

What ships is not just code. What ships is proof.

A story is not done when the code compiles. It is done when the change is traceable to intent, satisfies its evidence matrix, survives security and quality gates, deploys cleanly, and can be supported under pressure.

Intent

Owner, business outcome, customer impact, scope, risk class, data sensitivity, acceptance criteria.

Design

HLD, LLD, ADR, sequence diagram, schema/API contracts, dependency impact, threat-model delta.

Execution

Branch, commits, diff summary, commands run, files changed, generated artifacts, residual risk.

Evidence

Unit, integration, contract, e2e, a11y, perf, resiliency, migration tests, screenshots, traces, logs.

Gates

Sonar, SAST, SCA, IaC, DAST, policy-as-code, code owner review, human approvals, override records.

Operate

Signed artifact, SBOM, canary plan, rollback plan, SLOs, dashboards, alerts, runbook, RCA template.

Packet fields
  1. Task identity: Requester, owner, affected users, risk class, data sensitivity.
  2. Planning trail: Definition of Ready, plan, rejected options, risk register, rollback.
  3. Execution trail: Branch, commits, tools, prompts, commands, changed contracts.
  4. Evidence trail: Tests, scans, screenshots, logs, traces, perf notes, failures.
  5. Release trail: Approvals, canary, runbook, rollback owner, support memory.

Example packet excerpt
intent.owner: product/ba
intent.outcome: billing CSV export with audit trail
risk.class: customer-visible / financial data
adlc.files: manifest.md, acceptance.md, plan.md
human.gates: product, security, sre, release
evidence: csv fixtures, e2e export, pii scan, audit log
ops: dashboard, alert, runbook, rollback flag
release: signed artifact, SBOM, canary criteria
No direct path to damage

Autonomy becomes acceptable when the execution surface is disposable, measurable, governed, and reversible.

Gate | Blocks when | Unlocks when
Sandbox containment | The agent can reach production secrets, live data, or broad network surfaces. | Ephemeral workspace, mock services, fixture data, short-lived credentials, and no direct production access.
Pre-commit discipline | Format, lint, typecheck, unit tests, secret scan, commit policy, or forbidden-pattern checks fail. | The branch proves local hygiene before the PR exists.
Quality gates | Maintainability, duplication, coverage, complexity, or reliability thresholds are missed. | SonarQube or equivalent quality gates pass with touched-line evidence.
SAST / SCA | Source, dependency, container, license, or SBOM risk is unresolved. | Semgrep, CodeQL, Snyk, Trivy, OWASP DC, or approved scanners pass or have signed exceptions.
IaC policy | Infrastructure violates cloud policy, OPA/Kyverno/Gatekeeper, Checkov, tfsec, or data boundary rules. | Policy-as-code evidence is attached to the PR.
Test evidence | Acceptance criteria are not tied to unit, integration, contract, e2e, a11y, perf, resiliency, or migration tests. | Claims are backed by fresh, reproducible evidence from the current branch.
Release promotion | Signed artifacts, SBOM, release notes, deployment manifests, canary plan, rollback, or approval record is missing. | The packet is ready to promote with supportable release context.
Operational readiness | SLOs, dashboards, traces, logs, alerts, runbooks, support scripts, or RCA templates are missing. | The change is deployed, defended, diagnosable, and reversible.
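
An added illustration (not AgentDLC's own tooling) of the fail-closed behaviour described by the gate table and the example packet excerpt: the packet is parsed, each gate blocks on missing items, an override counts only with a named human approver and is recorded as an audit finding, and human approvals cannot be overridden. The gate-to-field mapping in REQUIRED, the shape of the approvals and overrides arguments, and the "agent:" identity prefix are assumptions made for this sketch.

```python
from dataclasses import dataclass, field

# Packet excerpt copied from the page.
PACKET_TEXT = """\
intent.owner: product/ba
intent.outcome: billing CSV export with audit trail
risk.class: customer-visible / financial data
adlc.files: manifest.md, acceptance.md, plan.md
human.gates: product, security, sre, release
evidence: csv fixtures, e2e export, pii scan, audit log
ops: dashboard, alert, runbook, rollback flag
release: signed artifact, SBOM, canary criteria
"""

# ASSUMPTION: hypothetical gate -> (field, item) requirements, phrased in the
# excerpt's vocabulary. The page names the gates but gives no schema.
REQUIRED = {
    "release_promotion": [("release", "signed artifact"), ("release", "sbom"),
                          ("release", "release notes"),
                          ("release", "canary criteria"), ("ops", "rollback flag")],
    "operational_readiness": [("ops", "dashboard"), ("ops", "alert"),
                              ("ops", "runbook")],
}

@dataclass
class Decision:
    allowed: bool
    blocked: dict = field(default_factory=dict)
    audit_findings: list = field(default_factory=list)

def parse_packet(text):
    """Parse 'key: a, b, c' lines into {key: [lowercased items]}."""
    packet = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        packet[key.strip()] = [v.strip().lower() for v in value.split(",") if v.strip()]
    return packet

def is_named_human(name):
    # ASSUMPTION: agent identities carry an "agent:" prefix in this sketch.
    name = (name or "").strip()
    return bool(name) and not name.lower().startswith("agent:")

def evaluate(packet, approvals, overrides=()):
    """Fail closed: anything missing blocks unless a named human overrides it."""
    by_gate = {o["gate"]: o for o in overrides}
    blocked, findings = {}, []
    for gate, reqs in REQUIRED.items():
        missing = [item for fld, item in reqs if item not in packet.get(fld, [])]
        if not missing:
            continue
        o = by_gate.get(gate)
        if o and is_named_human(o.get("approver")):
            # An accepted override is never silent: it becomes an audit finding.
            findings.append(f"{gate} overridden by {o['approver']}: missing {missing}")
        else:
            blocked[gate] = missing
    # Human approvals cannot be overridden, and an empty gate list does not pass.
    roles = packet.get("human.gates", [])
    unapproved = [r for r in roles if not is_named_human(approvals.get(r))]
    if not roles:
        unapproved = ["no human gates declared"]
    if unapproved:
        blocked["human_approval"] = unapproved
    return Decision(allowed=not blocked, blocked=blocked, audit_findings=findings)
```

Under this assumed mapping, the page's own excerpt is refused at release promotion because it lists no release notes, and it stays refused until every role in human.gates has a named human approver.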
Brownfield economics

Same headcount. More capacity. Fewer escaped defects.

The SPA model frames a representative 50K LOC brownfield product with ~6K LOC of yearly change and an 8-person team. The claim is not cheaper tokens. The savings come from fewer rework loops, fewer escaped defects, shorter waits, and better first-time-right work.

Throughput

2x by Year 2

FDE-style pods let the same team produce roughly twice the verified, auditable, deployable change.

Cost of change

~50% lower

Cost per ticket drops as rework, defect closure, release prep, and review queues shrink.

Defects

~65% fewer escapes

Evidence-first PRs, regression backfill, SAST/SCA, threat-model deltas, and runbooks make quality go up.

Cycle time

18 days to 4

Specialists review drafts in parallel; agents prepare evidence; sandboxes remove environment waits.

Production-ready ADLC

Before an agentic delivery program is trusted in production, these controls must exist.

Production readiness is the difference between an impressive demo and a defensible operating model. The launch standard is explicit, testable, monitored, and owned.

Governance

Named owners and escalation

Every gate has an accountable human, every override has a recorded approver, and every agent has a bounded scope, budget, and allowed tool surface.

Security

No direct path to damage

Secrets, customer data, production credentials, destructive migrations, and live infrastructure stay behind policy boundaries and human approvals.

Evidence

Proof attached to every claim

Tests, scans, traces, logs, screenshots, SBOMs, release notes, and rollback plans are captured as artifacts, not summarized from memory.

Operations

Designed to be supported

SLOs, dashboards, alerts, runbooks, incident notes, RCA templates, and ownership records are created before the work is called done.

Measurement

Outcome metrics, not vibes

Track cycle time, first-time-right, defect escape, MTTR, gate pass rate, rework, cost-per-change, and audit coverage before expanding autonomy.

Change control

Small slices, reversible releases

Agent work moves through branch-per-ticket, signed artifacts, canary criteria, rollout notes, and rollback plans before broader promotion.

Human-in-the-loop contract

The more autonomous the agent, the more explicit the responsibility model must become.

AgentDLC separates who proposes, who executes, who verifies, who approves, and who owns the outcome. That separation is the foundation of the program.

Product

Owns business intent, customer impact, prioritization, and scope tradeoffs. Agents draft AC, edge cases, and risk registers.

Architecture

Owns cross-boundary decisions, schema migrations, new third parties, and ADR approval. Agents draft options and tradeoffs.

Security

Owns data classification, secrets boundaries, regulated flows, threat-model deltas, and policy exceptions.

SRE

Owns SLOs, capacity, canaries, rollback strategy, runbook quality, incident command, and production gates.

Release

Owns go/no-go, customer-facing change approval, support readiness, and audit record. Agents never approve production alone.

Agent readiness drill

Before a company buys more AI tools, test whether the team can absorb agentic work.

The first workshop should expose the operating gaps: unclear tickets, no agent boundaries, weak evidence, late security review, no reusable playbooks, or no executive metric model.

Agency programs

Workshops and team-development programs for agent-ready delivery.

Start with shared language, then leave with operating rituals, artifacts, governance, training, and a real pilot that changes how work moves through the company.

01 / Leadership

ADLC manifesto workshop

Align executives, engineering, product, security, and operations around what agentic delivery changes and what must remain human-owned.

Output: shared doctrine, risks, first slice.
02 / Assessment

Agent readiness audit

Map current SDLC, toolchain, review queues, release gates, agent usage, policy gaps, and evidence quality.

Output: readiness score and gap map.
03 / Team development

Agent-ready team bootcamp

Train product, engineering, QA, architecture, SRE, and security on ADLC packets, gates, skills, and review rituals.

Output: role-specific working model.
04 / Pilot

Messy-ticket conversion lab

Take one ugly real ticket and convert it into an ADLC folder, gate matrix, evidence plan, agent workflow, and release packet.

Output: first usable ADLC packet.
05 / Operating model

Gate and governance design

Define where autonomy stops: secrets, data, architecture, security, production, regulated flows, and override records.

Output: policy and escalation map.
06 / Scale

Train-the-trainer program

Create internal champions who can run readiness drills, review ADLC packets, maintain skills, and coach new teams.

Output: repeatable enablement kit.
Start the engagement

Book the first ADLC workshop.

Send the request with the team size, current agent usage, and one workflow that feels messy today. The first call should decide whether to run a manifesto workshop, readiness audit, bootcamp, or pilot lab.

Prepare a clean request brief, then send it to hello@agentdlc.com.

Fastest brownfield paybacks

Start where the existing SDLC hurts.

AgentDLC is easiest to believe when a team watches the lifecycle fix familiar pain: legacy modules, defects, dependencies, test debt, and release readiness.

Example 01

Legacy module hardening

/analyze maps coverage gaps, security smells, and complexity hotspots. Agents generate tests, refactor risky patterns, and draft ADRs. Typical payback: 6-10 weeks per module.

Example 02

Defect closure pipeline

Agents ingest logs and traces, reproduce a P1/P2 failure in a sandbox, draft a fix, add regression tests, and update the runbook. Median closure moves from ~5 days toward ~1 day.

Example 03

Dependency and CVE upgrades

The orchestrator plans the upgrade graph, agents apply patches branch-per-bump, run compatibility checks, produce SBOMs, and prepare evidence for security approval.

Example 04

Release readiness backfill

Runbooks, SLOs, dashboards, alerts, rollback notes, API docs, and customer support notes are generated from the same evidence chain before the change is done.

12-month adoption arc

Augment, forward-deploy, then supervise bounded autonomy.

Weeks 0-4

Baseline

Map SDLC, change economics, review queues, defect escapes, release gates, and the first product slice.

Output: gap report
Weeks 5-12

Augment

Roll out ADLC folder, HITL gates, Sonar/SAST/SCA/IaC scans, secret scanning, coverage thresholds, and training.

Output: Level 1 teams
Weeks 8-28

Forward deploy

Stand up 2-4 FDE pods, deploy the 21-agent roster, tune skill packs, and re-baseline cycle time and defect escape.

Output: product-slice pods
Weeks 24-52

Bounded autonomy

Promote low-risk ticket classes such as docs, lint cleanup, dependency patches, test backfill, and perf tuning.

Output: supervised autonomy
Quarterly

Measure

Track cost-per-change, first-time-right, MTTR, defect escape, audit trail coverage, gate bypasses, and outcome deltas.

Output: executive metric pack
How to start

A practical first engagement does not start with autonomy. It starts with baselining.

01

Pick the slice.

Choose a brownfield area with real work: auth, billing, reporting, dependency upgrades, or defect closure.

02

Run analysis.

Map codebase surfaces, coverage gaps, security smells, complexity hotspots, release gates, and support pain.

03

Name the packet.

Define the ADLC folder, packet fields, gate owners, evidence requirements, and escalation policy.

04

Wire controls.

Connect ticket systems, Git, CI, Sonar, SAST/SCA, IaC scanning, secret scanning, and observability links.

05

Train roles.

Teach planners, developers, QA, architects, SRE, security, and managers how their work changes with agent pods.

06

Measure outcomes.

Compare cycle time, first-time-right, defect escape, MTTR, cost-per-change, and gate-pass rate against the baseline.

07

Promote pods.

Move internal seniors into FDE-style ownership after the first evidence-backed slice proves itself.

08

Bound autonomy.

Only promote low-risk ticket classes after stable gate-pass evidence and named human approval boundaries exist.

Executive questions

What customers need to understand before they believe AgentDLC.

Is AgentDLC a replacement for SDLC?

No. It is an agent-native operating layer over SDLC, DevOps, security review, and release management. It makes autonomous work fit the controls teams already need.

Where does the money actually move?

Not primarily from token cost. The savings come from lower rework, fewer escaped defects, shorter review queues, less documentation drift, and faster recovery.

What stays human-owned?

Intent, customer value, architecture inflection points, data classification, secrets boundaries, regulated flows, production go/no-go, rollback decisions, and any gate override.

What can be autonomous first?

Low-risk, well-defined classes: doc fixes, lint cleanup, generated-file regeneration, certain dependency patches, test backfill, and bounded performance tuning.

Why make the manifesto playable?

Because this is a new way of thinking about software work. The footer game lets visitors feel the loop: intent enters, specialists move, evidence appears, gates open or block.