When Naoharu Sasaki stepped into a boardroom at a conservative Japanese financial firm last spring and declared, “We’re going to treat AI like a team member, not a toy,” some executives gasped. In many traditional companies, the very mention of “AI in code” triggers alarm bells: What if it leaks secrets? What if it introduces bugs? What happens to the engineers?
Today, that same message is becoming Microsoft-Copilot–level reality—thanks to GitLab’s push to weave AI into every step of software development. The company’s new “Duo” suite, now deeply integrated into its DevSecOps platform, is positioning AI not as a bolt-on tool, but a full partner in code. The risk is high. If it works, hundreds of organizations will shift how they build software forever. If it fails, it could erode trust in AI across the industry.
Why GitLab’s move matters
Software is the invisible backbone of our lives—governments, banks, healthcare, cars, even homes. But with complexity rising, teams are drowning in toil: merging code, writing tests, tracking security holes, ensuring compliance. Many surveys now say the DevSecOps market is accelerating quickly; it’s projected to grow from billions today to tens of billions in the next few years.
What GitLab is trying to do is ambitious: embed AI everywhere (“planning, code, testing, deployment, security”) so teams can do more with less.In April 2025, GitLab went a big step further by launching GitLab Duo with Amazon Q, combining AI agents from Amazon directly into its DevSecOps platform. The pitch? Let AI take the heavy lifting—planning features, refactoring legacy code, detecting and fixing security problems—so humans can focus on core creativity and architecture.
GitLab also just announced the public beta of its Duo Agent Platform, meant to let AI agents and human developers collaborate asynchronously, handing off tasks with context and continuity. It signals that GitLab sees AI not just as a helper, but as a new kind of dev-team member.
For developers, this could mean days of manual testing and code reviews collapse into minutes of AI-assisted work. For companies, the appeal is clear: faster shipping, more predictable quality, fewer human errors. But it could also unsettle established roles, power structures, and trust in how code is made.
Real people, real tension
Take a mid-sized fintech firm in Tokyo (let’s call it “Sanctum Finance”). They had strict rules: no AI touches production; every line must be human-written and reviewed. The risk of exposing IP or introducing hidden vulnerabilities was too high. “We were terrified,” says their CTO (speaking on condition of anonymity). But as deadlines mounted and talent stretched thin, they allowed a pilot: GitLab Duo in testing mode, only for internal modules.
Within weeks, junior engineers were getting AI-suggested tests and bug fixes. The leads could skip boilerplate changes and focus on architecture. The results saved a week of engineering toil. But it also raised politics: which leads now own quality? If AI messes up, who’s accountable? The trust barrier loomed large.
In another real case, Volkswagen Digital Solutions participated in an early access program. Their DevOps engineers praised how GitLab Duo with Amazon Q smoothed tasks from “issue to merge.” But behind the scenes their security team audited every AI-generated patch. They still found edge cases that required human intervention.
“Participating in the early access program for GitLab Duo with Amazon Q has given us a glimpse into its transformative potential for our development workflows,” said Osmar Alonso, DevOps engineer at Volkswagen Digital Solutions. “Even in its early stages, we saw how the deeper integration with autonomous agents could streamline our process, from code commit to production. We’re excited to see how this technology empowers our team to focus on innovation and accelerate our digital transformation.”
These stories reflect a deeper tension: engineers can feel replaced or devalued. One GitLab investor recently pushed back at rumors critics called “AI taking jobs.” GitLab’s CEO responded plainly: as code generation gets easier, the number of engineers will increase—not shrink—because more people can contribute. Yet that promise is still unproven at scale.
The stakes: trust, security, and a vulnerability spotlight
For GitLab, failure is not just product risk, it’s reputational risk. If AI code is buggy or insecure, trust in AI-assisted coding could take a serious hit across the industry. That danger surfaced publicly in May 2025, when security researchers discovered a prompt-injection vulnerability in GitLab Duo. Attackers could embed hidden instructions in comments or code, tricking Duo into leaking private source or injecting malicious content. GitLab responded quickly, patched the issue, and emphasized that this kind of risk only underscores why human guards must remain in place.
Meanwhile, many organizations still say security is their biggest barrier to adopting AI. According to one 2024 report, 79 percent of firms believe security concerns are slowing their AI rollout. That makes GitLab’s pitch—“you can embed AI securely inside your DevSecOps stack, with governance and local deployment”—a core part of its differentiation.
If GitLab succeeds, it could reset expectations: AI isn’t a third-party “assistant you call in” but a native partner built into your software infrastructure.
Where this fits—and where others stand
GitLab is not alone in racing toward “agentic AI for dev.” Microsoft’s GitHub Copilot, Amazon’s CodeWhisperer, and OpenAI tools are aggressively expanding. But many of them sit at the edges—integrated in editors, but not baked into a full DevSecOps lifecycle with governance and security built in.
GitLab’s competitive move is to own the entire pipeline: code, CI/CD, security, deployment, issue tracking—all wrapped with AI. That gives it a strategic lever: if organizations adopt Duo deeply, they may consolidate tools, reduce tool sprawl, and lock in GitLab more tightly.
In the broader industry, AI in DevOps and DevSecOps is becoming a top trend for 2025. Analysts expect shifts like “AI-driven security automation,” “autonomous remediation,” and “security-as-code” to gain steam. If GitLab’s gamble pays off, it may accelerate the trend.
Final thought: breakthrough or bet?
GitLab’s initiative feels like a turning point: it moves AI from optional add-on to infrastructure. For companies, the upside is massive—faster delivery, fewer bugs, more time for creative work. For engineers, it brings both relief and anxiety: relief from drudgery, anxiety about error, transparency, and accountability.
If GitLab can stay ahead of vulnerabilities, maintain trust, and scale adoption without breaking, this could be one of those quiet tectonic shifts in how software is written. But if AI failures lead to data breaches, blown projects, or broken trust, the backlash could ripple beyond one product and slow AI adoption across the tech world.
