Platform · 10 min read · Updated 2026-06-18

CI/CD, DevOps, DevSecOps, FinOps: The Convergence into Agentic Delivery Operations

Four disciplines grew up separately. When agents author most changes, they collapse onto the same control point — the merge gate — and become one thing: agentic delivery operations.

In brief

When agents author most changes, CI/CD, DevOps, DevSecOps and FinOps converge on one control point — the merge gate — and become a single discipline: each change is gated on evals/policy, golden-path conformance, provenance/security and cost/token budget together.

  • DORA 2025: AI amplifies the system it lands in; returns come from the platform, not the tools — platform quality is the decisive moderator of AI value.
  • CI/CD’s centre of gravity moves from build-test-deploy to verify-and-accept; the merge gate is the control point the other disciplines plug into.
  • DevSecOps moves supply-chain checks to runtime (OWASP agentic Top 10): provenance, signing, SBOM/AI-BOM, slopsquat scanning at the gate.
  • FinOps reframes cost around the token (“Tokenomics”): agentic workloads cost far more, unconstrained loops grow cost super-linearly, so cost becomes a pre-merge guardrail.
  • The convergence is a unified control plane, expressed as code, that gates change on all four dimensions at the pull-request/merge.

CI/CD, DevOps, DevSecOps and FinOps were built at different times for different problems, and most organisations still run them as separate practices with separate tools and separate owners. Agentic delivery is quietly forcing them together. When agents author the bulk of changes, every one of these disciplines ends up reaching for the same control point — the moment a change is proposed and merged — and the cleanest way to understand the next few years of delivery is that the four are converging into a single discipline you might call agentic delivery operations.

Start with the empirical anchor, because it disciplines the hype. The 2025 DORA research finds that AI raises throughput and product performance but still degrades delivery stability, and that its dominant effect is to amplify the system it lands in — the largest returns come not from the tools but from improving the underlying platform and workflows. Decisively, platform quality is the moderator: where the internal platform is strong, AI’s effect on performance is strong and positive; where it is weak, the effect is negligible. That single finding is why the four disciplines converge on the platform rather than each spawning its own AI stack.

Four disciplines, one control point: the merge gate becomes the unified control plane where evals, golden-paths, provenance and cost are all checked.

CI/CD becomes the acceptance gate

When agents generate change in minutes, the pipeline’s centre of gravity moves from building and deploying to verifying and accepting. The time saved on generation is reabsorbed as a verification tax — DORA’s own phrase — as a flood of agent-authored pull requests arrives needing review. The pipeline stops being a build-test-deploy conveyor and becomes the place where evals run, policy is checked, and acceptance is decided. We argue the deeper version of this in our piece on the agentic SDLC as an acceptance-gate problem; the point here is narrower and structural: that acceptance gate is the control point the other three disciplines now plug into.

DevOps, DevSecOps and FinOps all arrive at the same gate

DevOps contributes the platform: golden paths designed for agents as well as humans, so the safe way to ship is the easy way, and the cognitive load of doing it right sits in the platform rather than in every engineer’s head. DevSecOps changes character — when AI writes the code, the software supply chain becomes a runtime concern, and OWASP’s 2026 agentic Top 10 elevates exactly this: agent supply-chain vulnerabilities, slopsquatted dependencies, unsigned artefacts. Its mitigations — provenance, signing, SBOMs and AI-BOMs, dependency allowlisting — are checks that belong at the merge gate, not in a separate quarterly scan. And FinOps, the newcomer, reframes cost: the FinOps Foundation now treats the token as the atomic unit of AI cost, and agentic workloads are materially more expensive — reasoning agents consume many times more tokens per task, and unconstrained agent loops can grow cost super-linearly unless they are governed. The consequence is that cost stops being a monthly surprise and becomes a guardrail: a budget checked before a change ships, the same way a security policy is.

When agents author the change, CI/CD, DevOps, DevSecOps and FinOps stop being four practices and become four checks at one gate.

One control plane, checked at the merge

Put the four together and a single picture emerges: a unified control plane that runs at the pull-request and merge gate and asks, of every agent-authored change, four questions at once. Does it pass the evals and policy (CI/CD)? Does it travel the golden path (DevOps)? Is it provenanced and secure (DevSecOps)? Is it within budget (FinOps)? This is not speculative — FinOps agents are already being run inside pull requests to check resource cost against guardrails before infrastructure is provisioned, which is the convergence happening in miniature. The organisations that win the next phase will stop operating four tool-chains beside each other and start operating one control plane, expressed as code, that gates change on all four dimensions together. We are careful not to over-claim the savings — some widely-quoted figures for what cost-governance delivers did not survive scrutiny — but the structural direction is not in doubt.

The practical move is to stop treating CI/CD, DevOps, DevSecOps and FinOps as separate programmes with separate roadmaps and start designing the merge gate as the one control plane they all express themselves through — and to invest there, because the platform is where AI’s returns actually land. For the cost economics underneath the FinOps dimension, read the AI delivery P&L; for the assurance dimension, continuous assurance; for the acceptance argument at the centre of it, the agentic SDLC.

Frequently asked

How does CI/CD change in the agentic era?
The pipeline’s centre of gravity moves from build-test-deploy to verify-and-accept. As agents flood the pipeline with change, the saved generation time is reabsorbed as a “verification tax”, and the merge gate becomes where evals, policy and acceptance are decided — the control point the other disciplines plug into.
Why are CI/CD, DevOps, DevSecOps and FinOps converging?
Because when agents author most changes, all four reach for the same control point — the merge gate. DevOps provides golden paths for agents, DevSecOps moves supply-chain checks to runtime, and FinOps turns token cost into a pre-merge guardrail. They become four checks at one gate rather than four separate practices.
What is FinOps for AI / “Tokenomics”?
Treating the token as the atomic unit of AI cost and making it a first-class delivery line item. Agentic workloads consume many times more tokens per task, and unconstrained agent loops can grow cost super-linearly, so cost becomes a guardrail checked before a change ships rather than a monthly surprise.
What does the unified control plane check?
Of every agent-authored change, at the merge gate: does it pass evals and policy (CI/CD), travel the golden path (DevOps), carry provenance and pass security (DevSecOps), and stay within budget (FinOps) — all expressed as code, gated together.

Our perspective

The common view

CI/CD, DevOps, DevSecOps and FinOps are separate practices with separate tools and owners.

The Ivaaya view

In agentic delivery they converge on the merge gate into one control plane: every agent-authored change is gated on evals/policy, golden-path, provenance/security and cost together — and the platform, not the tools, is where the returns land.

These are mature, separate disciplines; why merge them?
Because agents make change abundant and route all four concerns to the same control point. Running four tool-chains beside each other misses that the checks now belong together, as code, at the merge.
  • Design the merge gate as the unified control plane the four disciplines express through.
  • Invest in the internal platform — it is the decisive moderator of whether AI helps.
  • Make cost a pre-merge guardrail (token budgets), not a monthly reconciliation.
The evidence & related ideas →

What we’ve observed

  • DORA 2025: AI lifts throughput/product performance but degrades stability; with high platform quality AI’s effect is strong and positive, with low platform quality it is negligible.
  • FinOps agents are already run inside pull requests to check cost against guardrails before infrastructure is provisioned — the convergence in miniature.
  • Refuted: specific cost-governance reduction figures (e.g. ~47–55% token/USD savings, a 100%-effective budget gate) did not survive verification — the direction holds, the numbers do not.

How certain are we?

  • AI degrades delivery stability without strong control systems / platformestablished: Observed repeatedly across delivery programmes.
  • Platform quality is the decisive moderator of AI’s valueobserved: Seen consistently in our own work.
  • CI/CD, DevOps, DevSecOps and FinOps converge on the merge gate into one control planeemerging: Still early, but increasingly visible.

Related ideas

Harness ArchitectureGovernance-to-Value RatioThe Acceptance GapRead first: The Agentic SDLC Is an Acceptance-Gate Problem

Part of a perspective

Related thinking