From AI-Generated Code to Auditable Deployment: How Pillars of Creation Secures Our Agentic Workflow

By: Jamil Jadallah

The promise of AI in software development is no longer a distant future; it's a practical reality.

AI agents can now act as powerful co-pilots, bootstrapping entire applications from templates and natural language prompts. But in the world of enterprise-grade, highly regulated software, a burst of AI-driven creativity is only the first step. How do you take AI-generated code and ensure it’s secure, compliant, and trustworthy enough for mission-critical environments?

With SmoothGlue™, we’ve answered that question by pairing our use of Agentic AI with Pillars of Creation (PoC), our proprietary CI/CD framework. PoC was specifically designed to simplify and unify pipelines for highly regulated sectors, such as defense and government. It acts as the essential bedrock of trust, taking the output of our AI agents and ushering it through a gauntlet of automated checks and balances.

This is how we combine the speed of agents with the rigor of DevSecOps…

The Role of Agentic AI: A Developer's Accelerator

First, let's clarify what we mean by "Agentic AI." In our workflow, we use Large Language Models (LLMs), such as Claude Code or Gemini, as powerful project scaffolders. An engineer can start with our core templates, like the SmoothGlue Django Core, and use an agent to rapidly generate the boilerplate for a new project.

This dramatically accelerates the initial phase of development, handling tedious setup and allowing our engineers to focus on the unique business logic of the application. The agent delivers the first draft, but for that draft to become a deployed reality, it must meet the exacting standards of our clients.

The Challenge: Compliance in High-Stakes Environments

Our customers, including lighthouse clients like the Kessel Run Software Factory, operate in sectors where security, compliance, and traceability are not just best practices—they are contractual obligations. The entire development process must align with stringent standards, such as the DoD DevSecOps Reference Design.

This is why we built PoC. Standard CI/CD tools were not enough; we needed a framework that had compliance and security baked into its DNA.

Introducing PoC: Our DevSecOps Foundation

PoC is our answer to these challenges. It’s a modular, extensible CI/CD framework that provides a reliable path to production. Its core strength lies in several key features, which we think of as our "pillars":

• Reusable, Pre-Configured Templates: PoC provides pre-built CI/CD templates for GitLab that dramatically reduce setup time and ensure consistency. This improves the developer experience, allowing teams to focus on delivering business value instead of managing pipeline configurations.
• Automated Security and Quality Assurance: This is the heart of the framework. The pipeline automatically integrates a suite of best-in-class tools for linting, code scanning, secrets detection, and vulnerability assessments. We use tools like SonarQube, Semgrep, Checkov, and Trufflehog to continuously identify and mitigate security risks.
• DoD-Compliant Image Builds: For our defense sector clients, we enforce security policies during the image build process, using DoD Iron Bank container images to ensure all containers are production-ready, secure, and compliant.
• Automated Body of Evidence (BOE) Generation: To meet strict audit and regulatory requirements, PoC automatically generates human-readable documentation that proves compliance. This ensures our software is always in an audit-ready state, a critical feature for government environments.
• Broad Technology Support: The framework is designed for modern, multi-language environments, with comprehensive support for Java, JavaScript, Go, and Python.

The Synergy: Full Workflow from Agent to Argo CD

The magic happens when our Agentic AI workflow meets the PoC pipeline. Here’s how it works in practice:

1. AI-Assisted Creation: An engineer uses an Agentic LLM to generate a new project from our core templates.
2. Commit and Merge: The developer commits the initial code and creates a merge request in GitLab.
3. The Automated Gauntlet: This is where PoC takes over. The pipeline automatically performs a series of rigorous checks: linting, unit testing, code scanning, and secrets detection.
4. Secure Publication: Once all checks are passed, the developer artifacts are published to the GitLab Registry.
5. GitOps Deployment: From the registry, Argo CD securely deploys the application to the development environment, ensuring a traceable and reliable path to production.
6. Auditability: As a final step, a BoE is automatically generated, creating an immutable record that the deployed application has met all security and compliance standards.

Building the Future, Responsibly

By integrating Agentic AI with our PoC framework, we get the best of both worlds: the incredible speed and efficiency of AI-powered code generation, and the uncompromising security and compliance demanded by our customers. It proves that innovation and discipline are not opposing forces, but necessary partners.

PoC ensures that no matter how code is generated—whether by a human developer or an AI agent—it is always subject to the same high standards. This is how we build the future, not just quickly, but responsibly.

• Originally posted on braingu.com
• About the Author
• Learn about BrainGu
• Learn about SmoothGlue