← Back to Blog
AI Governance

The Gates Haven't Moved

I picked up Chip Huyen's AI Engineering over the Easter break. A few chapters in, and it crystallised something I've been chewing on for months.

There's no shortage of content on building features with AI — and rightly so. Agentic AI in 2026 has come a long way; multi-agent workflows can scaffold, test, and refine code faster than most teams imagined possible two years ago.

But I'm not going to add to that pile.

What I want to talk about is the other side of the gap: what happens after the code exists.

Build times have compressed from weeks to hours, driven by multiple agents working in parallel. But the gates haven't moved.

And I don't just mean organisations still stuck with manual change requests and weekly CAB meetings.

Even teams with mature CI/CD hit the same wall differently. Their pipelines are fast. Tests run, scans pass, deployments ship. But the review model wasn't designed for AI-era code volume. Line-by-line human review at the old pace. Blanket approval paths that don't differentiate risk. No production feedback loop validating what actually shipped.

The gates are different. The gap is the same.

The result? Shadow AI. Stalled pilots. "Demo in 45 minutes, production in 4 months."

Deloitte found that 74% of enterprises plan agentic AI within 2 years — but only 21% say their governance is ready for it. Okta reported that 91% of enterprises know agents are deployed in production, but only 10% are confident those agents are secured.

The Answer: Intelligent Gates

The answer isn't removing gates. It's replacing inherited gates with intelligent ones:

Layer 1 — Deterministic. Linting, tests, policy-as-code, DLP. Pass/fail. No opinions. Runs in seconds.

Layer 2 — Agentic pre-review. AI checks standards, conventions, security hints. Flags, doesn't approve.

Layer 3 — Human judgment. Scoped to blast radius, architecture, interfaces. Not line-by-line rubber-stamping.

Layer 4 — Production feedback. Observability, feature flags, rollback, audit trails. Because agreement is not truth — only production is reality.

Huyen makes a point that resonates: evaluation in production is where you learn whether your system actually works — not in the review chain before deployment.

What's Next

I'm putting together a one-page "Intelligent Gates" playbook for delivery and platform leaders in regulated orgs — a checklist you can score your pipeline against this week.

If that's useful to you, grab it here.

Sources & Further Reading

  • Deloitte — 2025 State of Generative AI in the Enterprise
  • Okta — Businesses at Work / Agent Security Report 2025
  • Chip Huyen — AI Engineering: Building Applications with Foundation Models (O'Reilly, 2025)