Venkatadri Marella, Lead DevOps Engineer at BenchPrep.
As DevSecOps matures, artificial intelligence (AI) is transforming the way security, compliance and automation are carried out across the software development life cycle. Intelligent agents founded upon large language models (LLMs) and multi-agent systems have given rise to a paradigm shift in practices like infrastructure-as-code (IaC).
Here in this article, we elaborate on how some of the newer agent-based techniques—namely multichain processing (MCP), agentic control plane (ACP) and agent-to-agent (A2A) orchestration—apply to DevSecOps in current times with special focus on control and automation of infrastructure.
Constructing Building Blocks
Let’s first go over how such AI-driven methodologies find application in DevSecOps:
• MCP: Refers to processing several independent flows or tools (chains), once applied in AI reasoning but now also for orchestrating CI/CD pipelines.
• ACP: Master control plane where AI agents operate together with governance, policy and roles, dynamically managing infrastructure or workflows.
• A2A: Agent-to-agent collaboration where agents work together or pass on work, crucial for scaling and modularizing DevSecOps capabilities.
DevSecOps Redefined: The Agentic Future
MCP: IaC Workflow Orchestration Across Environments
DevSecOps pipelines fairly frequently cross environments—cloud, on-prem, Kubernetes, etc. MCP enables:
• Chainable IaC verification (e.g., linear execution of linters, cost estimators and security scanners).
• Multicloud IaC deployment orchestration, where an agent governs logic across Terraform, Helm and Pulumi stacks.
Example: An MCP-driven agent uses a lint → validate → scan → deploy pipeline, adjusting steps as a function of environment-specific requirements (e.g., AWS vs. GCP policy).
ACP: Policy-Based, Agentic Governance Of Infrastructure
With ACP, DevSecOps activities can move away from pipeline-configuration-stagnation toward role-based agent decision making and away from hard-coded automation decisions. These include:
• Role-based agent delegation: Dev, Sec and Ops agents manage approval, analysis and enforcement.
• Auditability and observability are integrated into every IaC process through control plane logs and agent decision trails.
• Dynamic compliance-as-code: Agents dynamically change IaC deployments in real time to maintain compliance SLAs.
Example: Policy change causes the ACP to reconfigure agent permissions; security agent approval is necessary prior to re-deploying a Kubernetes cluster.
A2A: Collaborative Agents Automating the SDLC
Agent-to-agent coordination enhances the scalability and resiliency of DevSecOps:
• Remediation agents fix problems as security agents diagnose them or they grow more severe.
• Deployment agents dynamically provision resources while testing agents inject attacks (chaos/security tests).
• Feedback loops emerge in which QA, compliance and optimization agents teach one another.
Example: A QA agent finds a network exposure; it notifies a compliance agent, which sends a remediation agent to auto-patch the IaC.
The Infrastructure-As-Code Angle: Why It Matters
IaC is the foundation for automated DevSecOps. Insertion of AI agents at this point brings in:
• Pre-deployment proactive threat detection
• Self-healing infrastructure by dynamic reconfiguration
• Audit-ready pipelines with clear agent reasoning
• Human-in-the-loop interventions as necessary, informed by AI insights
With Terraform, Ansible, Pulumi, Helm or Crossplane, agent-based models can bring IaC to life from static definitions to living intelligent infrastructure.
Challenges And Considerations
• Auditing And Trust: AI agents must be auditable. Traces of reasoning, logs and provenance are needed.
• Isolation And Access Control For The Agents Themselves: Agents need isolation and access control to prevent drift or abuse.
• Training And Tuning: Companies need to get agent behavior aligned with internal policies and compliance regimes.
Considering Thoughts
As DevSecOps comes into this new age of AI amplification, the MCP, ACP and A2A model of unification brings unprecedented flexibility, intelligence and responsiveness to infrastructure automation. The secret lies in imagining IaC as a more-than-code thing; it’s an insightful surface, ready to be broken down, reasoned about and optimized by self-guided agents with security, compliance, and efficiency in mind.
Here, in this future to come, DevSecOps is not just automated—it is agentic.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
