How Atlassian thinks about AI-native SDLC

Hi Atlassian Community!

I'm @Kevin Wang, Senior Trust Analyst at Atlassian. Part of my role is helping customers understand how Atlassian approaches security, privacy, and compliance across our apps, services and platforms.

Software development is entering a new era, driven by rapid adoption of agentic AI capable of orchestrating traditionally human-operated engineering workflows. While this evolution enables organisations to ship code at unprecedented speed, it also introduces new security risks that need deliberate attention.

Today I want to share some insights on how Atlassian thinks about security in AI-enabled software development: focusing on thematic risks, our AI-native SDLC approach, and some practical starting points for your own teams.


AI-native software development: What are the risks? 

While AI clearly boosts software development productivity, its security risks often remain hidden until it’s too late. AI-enabled attacks have surged dramatically in recent years, a trend that shows no signs of slowing as more capable LLMs become widely available.

We attribute these attacks to four primary drivers which, if left unmanaged, will lead to significant consequences:

  1. A lower bar for sophisticated attacks. Advanced LLMs can identify and exploit vulnerabilities without deep expertise, enabling novice attackers to deliver sophisticated attacks and penetrate robust control systems.
  2. Increased vulnerability density. Like humans, agents are prone to generating insecure code containing logic flaws, insecure patterns, and vulnerable dependencies. The difference lies in speed: when code is shipped faster, security exposure scales with it unless review and testing keep pace.
  3. Shadow engineering and traceability gaps. Unregulated agents create invisible parallel pipelines, and may perform unintended actions without human oversight. Insufficient logging exacerbates this risk, making it difficult to establish accountability and complicating incident management and regulatory compliance.
  4. The echo chamber effect. Relying on the same set of AI agents and underlying models to both write and validate code creates an echo chamber, where blind spots are reinforced rather than caught. As a consequence, subtle edge cases and logical flaws go undetected, giving teams false confidence that code is ready for production.

Atlassian’s response: Our AI-native SDLC

At Atlassian, AI-native SDLC is central to how our engineers work and how we build better products. Maintaining customer trust as this evolves means security has to be built in from the start, and not treated as an afterthought. We see four connected areas as critical to getting this right, and while our thinking continues to evolve, these are the domains where we believe deliberate investment matters most:

  1. Security embedded in the workflow. We believe agent-generated code should meet the same standards as human-authored code. This requires security acceptance criteria for agent-generated changes, approved architectural patterns, and machine-readable policies that enforce secure defaults. The outcome is a secure path that remains the easiest path, even at machine speed.
  2. Agent-to-agent supervision. Because autonomous coding agents operate and iterate at a velocity that defies human review, static boundaries and passive logging are no longer enough. Organisations must therefore deploy a dedicated compliance and monitoring agent, fully independent from the coding agents it supervises, to catch code flaws and security risks before they reach production.
  3. Continuous measurement and improvement. As agent capabilities grow, so must the feedback loops around them. Tracking vulnerability trends, setting test expectations for generated changes, and feeding signals back into agent guidance are all areas we see as essential. Autonomy can expand incrementally over time, but only in lockstep with improved confidence in agent output, with human review reserved for where it matters most.

Four things your team can do today:

You don't need to solve AI security all at once. The steps below are practical regardless of where your team sits on the AI adoption curve, with each delivering tangible security value today, while building the foundation for a more mature AI security posture over time:

  1. Get the basics right. Most breaches still exploit fundamentals: phishing, poor access control, unpatched systems. AI raises the stakes for getting these right.

  2. Map your AI exposure. Know which tools and agents your teams use, what data they can access, and where your trust boundaries sit. You can't govern what you can't see.

  3. Define what needs human sign-off. Be deliberate about which agent actions can run automatically and which require human approval. For organisations operating in highly regulated environments, such as FedRAMP-governed cloud service providers, a minimum level of human oversight may be mandated. In all cases, thresholds should be reviewed regularly, with flexibility to shift as AI maturity grows, but the decision should always be a conscious one.


Call to action:

As always, we’d love to hear your input which you can provide by leaving a comment below:

  1. What's working: What guardrails or practices has your team put in place for AI security in your engineering processes, and where are you still figuring it out?

  2. What you want to learn: AI security topics you'd like further insight on, whether thought leadership, strategic advice, or practical guidance.

  3. What would help: Security features or improvements that would support your team’s adoption of AI-native SDLC when using Atlassian Cloud.

Your input is valued, and directly shapes what we prioritise and publish next!
