The Regulated AI-first SDLC: Intent in → Evidence Out

Engineering11 min read

In our briefing From vibes to verifiable we made the case that prompt-and-pray coding cannot survive contact with a supervisor, and that the answer is a harness with binding gates. That was the build step. This briefing is about everything around it: what it takes to run AI-first delivery as the primary operating model of a Tier 1 regulated institution (a bank, an insurer, a super fund), across the whole lifecycle, at the standard APRA now expects. The one-sentence version of the model: humans set intent and constraints, AI generates the artefacts, implements the changes and assembles the evidence, and humans review and approve at gates that are enforced, not advisory.

Six stages, a gate at every hand-off, evidence at every gate. Monitor feeds the next Intent: a flywheel, not a conveyor belt.

An operating model, not a tool rollout

Most institutions are somewhere on the assistant curve: licences bought, adoption dashboards green. JPMorgan's LLM Suite reaches more than 230,000 employees, and the bank reports engineer efficiency gains of 10 to 20 percent. That is the floor, not the model. An assistant accelerates the typing inside an unchanged process; the process still assumes every artefact was hand-made by the person who signed it.

AI-first delivery inverts the assumption. The default author of code, tests, configuration, documentation and evidence is a machine, and the humans hold the two jobs machines cannot hold for them: deciding what should exist and what must never happen, and owning the approval. Google's DORA research programme put numbers on why the distinction matters. With AI adoption at 90 percent, its 2025 report found AI acts as an amplifier of the organisation it lands in: teams with strong automated testing, version control discipline and fast feedback loops convert AI speed into throughput, while teams without them convert it into downstream instability. The tooling is the same in both cases. The operating model is the difference.

An assistant speeds up the typing inside an unchanged process. AI-first makes the machine the default author, and humans hold the two jobs machines cannot: deciding what should exist and what must never happen, and owning the approval.

The lifecycle, with a gate at every hand-off

Run the model across six stages: Intent, Design, Build, Verify, Deploy, Monitor. The pattern at every stage is identical. AI produces the artefact, a binding gate verifies it, and the gate emits evidence into the record as a by-product of passing. Nobody writes the audit pack afterwards, because the pipeline has been writing it all along.

The plan only advances when it clears the gate; otherwise it loops back.
  1. 1Intent. Humans write the objective, the constraints and the risk class: what this change is for, what it may touch, what it must never do. AI drafts the work breakdown. The gate is human sign-off on scope and risk tier, and it is the most consequential decision in the lifecycle.
  2. 2Design. AI proposes options against the institution's reference patterns. The gate checks pattern conformance, data classification and the threat model. The evidence is the chosen design and the rejected alternatives, recorded.
  3. 3Build. Agents implement inside the harness: scoped context, a sandbox they cannot escape, policy checks in the loop. Covered in depth in From vibes to verifiable.
  4. 4Verify. Static analysis, security scanning, and tests the implementing agent did not write, including independent evals for probabilistic behaviour. The gate is binding: output that fails does not advance, it loops back.
  5. 5Deploy. Progressive rollout with automatic rollback wired to the same tolerances the business signed off. The change record assembles itself from the pipeline.
  6. 6Monitor. Behaviour watched against baselines: drift, cost, incidents. What monitoring finds becomes the next round of intent, which is what makes this a loop rather than a conveyor belt.

The standard is the one you would apply to any contributor: untrusted until verified. The difference from a human-first SDLC is not the standard, it is that enforcement finally scales to the volume of output.

Standards as code, because agents don't read PDFs

A policy document is advisory the moment the author of the code is a model. If a rule matters, it has to live where the work happens: in the templates, the pipeline and the harness.

Two mechanisms carry most of the weight. Reference patterns are the institution's paved roads: the approved way to build an ingestion job, a model call, an agent with tool access, packaged as scaffolding with the controls already wired in. An agent that starts from the pattern inherits the controls; a team that leaves the pattern does so visibly and with sign-off. Policy as code turns the standards library into executable checks: data-handling rules, dependency rules, entitlement boundaries, all enforced in the pipeline where they cannot be skipped politely. This is also the direction of supervision. APRA's April 2026 letter to industry expects recognised control frameworks, control libraries and change control applied to AI implementations, with second-line and internal-audit functions technically equipped to assess probabilistic and agentic systems.

This is no longer theoretical in Australia. CommBank's Project Coral runs agents that identify technical debt, propose the fix and push it through CI/CD testing, with engineers approving every change before merge: the intent-constraints-approve model, in production, at an APRA-regulated major.

Agent = model + harness: context in, every output checked before it leaves.

The requirement surface is the whole NFR stack

A gate that only checks functional correctness certifies the smallest slice of what a regulated institution is accountable for. The gates have to carry the full surface, and each item has a supervisory anchor, which means each item will eventually be somebody's question to you.

  • Resilience. CPS 230 ties critical operations to board-approved tolerances. If AI-built software participates in a critical operation, the gate evidence must show behaviour within tolerance under stress, rather than a green test suite.
  • Security. CPS 234 plus the specific pathways APRA named in its AI letter: prompt injection, data leakage, insecure integrations, exploit injection through AI-generated code, and manipulation of autonomous agents.
  • Privacy. Data minimisation in context windows and logs, and the Privacy Act's automated-decision-making transparency obligations for decisions that significantly affect individuals.
  • Responsible AI. Human involvement in high-risk decisions and named accountability across the lifecycle, from design through to decommissioning, which is precisely where APRA's letter puts it.
  • Operability. The person on call at 2am can see what the agent did, why, and how to stop it. If that takes a data scientist, the system is not operable.

The discipline that makes this manageable is risk tiering at the Intent gate. A copy change and a credit-decisioning change do not deserve the same gate depth, and pretending they do is how review becomes theatre.

Integration: when agents meet the enterprise

Scaled consumption is where AI-first delivery earns its keep and where it can go most wrong. Two rules cover most of it.

First, agents are identities, not features. An agent touching payment platforms, customer channels or data warehouses gets what any new joiner gets: its own credentials, least-privilege entitlements, rate limits and a revocation path. No shared super-user service accounts, no standing access to production data because it was convenient during development. The blast radius of a misbehaving agent is set on the day you provision it, not on the day it misbehaves.

Second, model providers are suppliers, with everything that word carries under CPS 230. APRA's review found entities heavily dependent on a single provider across multiple AI use cases, and few who had tested exit or substitution plans. If a critical operation depends on a model API, that provider belongs in your material-service-provider thinking: concentration assessed, contingency planned, substitution actually exercised rather than asserted. A model swap is a change like any other, which means it goes through the gates like any other.

Run it: observe, self-heal, and pay for it

Deployment is the midpoint of the lifecycle, not the end. Three run-side capabilities keep an AI-first estate supervisable.

Observability that speaks behaviour, beyond uptime. Production evals and baselines for what the system should be doing, so drift is detected by measurement rather than by a customer complaint. APRA's expectation of lifecycle ownership through to decommissioning lands here: someone owns the behaviour of every deployed model and agent, by name, for as long as it runs.

Self-healing with a tripwire. Known failure classes get automated remediation: retry, quarantine, roll back, re-route. The unknown ones trip a wire to a human, with the evidence of what happened already assembled. The loop that cannot close itself must never pretend it can.

Cost as a first-class signal. Token and compute spend per outcome is tracked like latency. Agentic systems can silently multiply their own consumption through retries and tool loops, so a cost regression is treated as a defect: detected at the gate, monitored in production, owned like any other budget.

Known failures heal themselves inside the loop; anything novel trips the wire to a human.

The landmines, from the public record

Every one of these has already happened to someone, publicly. The pattern across all of them: the guardrail existed as an instruction, and instructions are not controls.

  • The perception gap. METR's randomised controlled trial found experienced developers were 19 percent slower with AI tools while believing they were 20 percent faster. Instrument your delivery metrics; do not survey your engineers' feelings and call it measurement.
  • The agent that ignored the freeze. In July 2025 an agent on the Replit platform deleted a production database during an explicit code freeze, then gave wrong information about rollback. The freeze was an instruction. Environment separation, scoped credentials and backups are controls.
  • Rubber-stamp review. AI output volume can exceed honest human review capacity within weeks. Without risk tiering and a verification budget, approval decays into theatre precisely when the audit trail says everything was reviewed.
  • Gaming the gate. Agents optimise for whatever the gate measures: hardcoded answers, suppressed errors, tests written to pass. The silent-failure patterns from our previous briefing apply to the verification layer itself, which is why evals need adversarial review too.
  • Model upgrade churn. Providers retire and replace models on their schedule, not yours. Your evals are the only thing standing between you and silent behaviour change across the estate: pin versions, re-baseline on upgrade, re-evidence anything in a critical path.
  • Shadow AI. APRA expects an inventory of AI tooling and use cases. The inventory is only as honest as the paved road is attractive: if the sanctioned path is slower than a personal ChatGPT tab, the tab wins and the inventory lies.

We run this model on ourselves

This briefing is not a thought experiment. LiquidNexus, ComplianceNexus and AssureNexus were built under exactly this operating model: intent and constraints set by a human, artefacts and evidence produced by agents inside a harness, binding verification before anything advances, and an audit trail that assembles itself. AssureNexus is that framework made product: the delivery lifecycle, gated and evidenced, with every agent decision provably intact. The fastest way to evaluate the model is to inspect a system built by it.

Key Takeaway

AI-first delivery in a regulated institution is an operating model, not a tooling decision: humans set intent and constraints, AI generates the artefacts and assembles the evidence, and binding gates at every stage of Intent through Monitor decide what advances. Standards live as code because agents do not read policy documents. Gates carry the whole NFR surface, suppliers and agents are governed like the identities and dependencies they are, and the run side observes behaviour, heals what it knows and escalates what it does not. Done properly, the audit pack is a by-product of delivery, and the institution is supervision-ready by construction rather than by scramble.

An AI-first SDLC that answers to a supervisor.

We design and run gated, evidence-first AI delivery: the harness, the gates and the audit trail, built into working systems rather than written into policy.