How GitLab Powers the Worldâs Critical Software
Software doesnât just power products, but runs the critical systems that keep industries and governments moving.
With this being said, ensuring that this software is built securely, at speed and at scale has never been more critical
GitLab sits at the centre of this challenge, serving as the backbone for organisations that depend on trusted, collaborative development.
Julie Davila, VP of Product Security at GitLab, leads efforts to secure the platform, its environments and the software supply chains customers rely on.
With experience across NASA, Sophos, Ansible and Red Hat, she brings a collaborative, pragmatic approach to tackling complex security challenges while mentoring the next generation of technologists.
At GitLab, her team not only safeguards the product but also uses it daily, fuelling continuous improvement.
As organisations – from airlines to banks and government agencies – depend on GitLab to build trusted software, Julie’s work ensures they can innovate securely at scale in a rapidly evolving, AIâdriven industry.
“As AI transforms software development, GitLab sits at a unique vantage point,” Julie explains. “We understand everything it takes to deliver software, positioning us to orchestrate collaboration between human teams and the AI agents they control.
“We’re the software factory that enables other software factories to operate efficiently in an increasingly complex digital world.”
Here, Julie shares her insights with Technology Magazine.
How can security teams best collaborate with AI systems to proactively identify and respond to evolving threats?
Security teams should treat AI as a force multiplier for existing capabilities, not a replacement for expertise.
Start with high-volume, low-context tasks where AI excels: automated triage of vulnerability reports, initial classification of security incidents and pattern recognition across security telemetry.
We’ve seen success using AI to generate initial security release documentation and perform preliminary bug bounty triage, reducing response times while maintaining human oversight for critical decisions.
The key is establishing clear boundaries: AI handles the data processing and initial analysis, while security professionals provide context, validate findings and make strategic decisions.
Implement feedback loops where human corrections train your AI systems to better understand your specific threat landscape.
This collaborative model scales security operations without sacrificing the nuanced judgment that only experienced practitioners can provide.
What are the most urgent steps businesses should take to ensure their AI deployments are both secure and aligned with regulatory expectations?
Most organisations consume AI models rather than build them, yet face the same regulatory scrutiny under frameworks like NIST's AI RMF, ISO/IEC 23053 and the EU AI Act.
Start by inventorying all AI touchpoints – from third-party models to embedded AI features – and map them against compliance requirements for your industry.
Establish governance for AI integration: document which models you're using, their intended purposes and maintain audit logs of AI-assisted decisions.
This creates defensible records when regulators ask how AI influenced your product's behaviour or customer outcomes.
Critical but overlooked: run AI-specific incident tabletops. Traditional security playbooks assume deterministic systems, AI incidents require different muscles.
Practice scenarios like model drift affecting customer operations, prompt injection exposing sensitive data, or AI-generated content violating compliance.
These exercises reveal gaps in detection, containment, and communication that only surface when teams grapple with AI’s probabilistic nature.
How can organisations upskill their workforce to recognise and counter advanced threats like AI-driven social engineering attacks?
Teaching security teams prompt engineering isn’t just about using AI, it’s about understanding attack vectors.
When defenders know how to craft prompts, they recognise manipulation techniques attackers use against AI-enhanced systems.
Start with hands-on exercises where teams attempt prompt injection against sandboxed AI systems. Understanding these attack patterns, like remote prompt injection vulnerabilities where attackers manipulate AI assistants through external data sources, helps teams build better defences.
Security researchers have demonstrated how these techniques can compromise AI-powered development tools, highlighting the need for proactive defence strategies.
Create âpurple teamâ exercises where defenders use AI to generate phishing campaigns, then analyse what made them convincing.
This builds intuition for AI-generated social engineering markers: subtle inconsistencies in tone, overly perfect grammar in contexts where it's unusual or responses that feel templated despite seeming personalised.
Most importantly, establish a culture where questioning AI output is encouraged.
How can security leaders balance the need for innovation with the imperative to manage supply chain risks and prevent unauthorised or insecure AI integrations?
We expect agentic AI to offer development teams significant productivity gains, but security must evolve simultaneously.
The path forward requires pragmatic governance that enables rather than blocks innovation.
Implement SLSA-aligned controls for AI components: track provenance of models and training data, establish build integrity for AI pipelines and verify AI agent behaviours before production deployment.
At GitLab, we treat AI agents as privileged identities, linking them to human operators through composite identities for accountability.
Create ‘paved roads’ for AI adoption with pre-approved models, secure integration patterns and the same security controls applied to AI-generated code as human-written code, just earlier in the workflow.
This approach prevented issues similar to those faced by major DevOps platforms where AI assistants inadvertently suggested insecure code patterns or exposed API keys.
The key insight: security teams who provide clear, fast paths for safe AI adoption become enablers of innovation rather than blockers.
