AI has not accelerated software delivery uniformly. It has accelerated the two ends of the lifecycle (the shift-left work of planning and authoring, and the shift-right work of operating and supporting) at very different rates from the middle that connects them. What used to be a balanced pipeline is now a two-sided sprint, with a thin layer of human judgement in the middle straining to keep up.
Shift left used to mean prevention. Now it means generation.
Shift left was a quality discipline. The premise was simple: defects cost less to fix the earlier you catch them, so move the catching earlier. Tests before code. Reviews before merge. Threat modelling before architecture. The shape of the work did not change; only the timing.
In the agentic era, the shape of the work has changed. The earliest part of the lifecycle is no longer where a human deliberates. It is where an agent generates. The bottleneck has moved up a layer. Not "how do we catch defects earlier" but "how do we constrain what gets written in the first place."
Tests still matter. Reviews still matter. But the unit of control has shifted. It is now about what the agent is allowed to produce, not just what slips through the gate.
This is the ground the policy-as-code conversation occupies. Rules the agent reads before it writes. Architectural constraints expressed as machine-readable conventions. Approved imports, banned patterns, mandatory templates. The same shift-left intuition (catch it earlier, it costs less) applied to a workflow where "earlier" now means before code exists, not before review begins.
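As an added illustration of the rules just described (example code, not Tomosu's own and not any particular policy-as-code standard), the block below encodes approved imports, banned patterns and mandatory template markers as a machine-readable policy and checks a piece of agent-generated code against it. The policy dict, the sample snippets and the rule names are all constructed for this example; a real deployment would load the policy from a versioned file and run the same check both when the agent reads the rules and again at the merge gate.

```python
"""Policy-as-code gate for agent-generated code.

Added example, not Tomosu's code: a machine-readable policy (constructed
here as a Python dict) that an agent reads before it writes, enforced again
at the merge gate so that a generated change which ignores the rules never
reaches human review.
"""
import ast
import re

# Constructed policy. Keys and values are illustrative, not a real standard.
POLICY = {
    # Only these top-level modules may be imported in generated code.
    "approved_imports": {"json", "logging", "hashlib", "datetime", "typing"},
    # Regexes matched against the raw source, each paired with a reason.
    "banned_patterns": [
        (r"\beval\(", "dynamic evaluation is banned"),
        (r"\bsubprocess\b", "shelling out is banned in this service"),
        (r"verify\s*=\s*False", "TLS verification must not be disabled"),
    ],
    # Markers every generated module must carry (mandatory template).
    "mandatory_markers": ["# owner:", "# change-id:"],
}


def _imported_modules(tree):
    """Yield top-level module names from import and from-import statements."""
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                yield alias.name.split(".")[0]
        elif isinstance(node, ast.ImportFrom) and node.module:
            yield node.module.split(".")[0]


def check_generated_code(source, policy=POLICY):
    """Return a list of (rule, detail) violations; an empty list means the gate passes."""
    violations = []
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        # Unparseable output is itself a violation: nothing unparseable merges.
        return [("syntax", f"line {exc.lineno}: {exc.msg}")]

    for module in sorted(set(_imported_modules(tree))):
        if module not in policy["approved_imports"]:
            violations.append(("approved_imports", f"import of {module!r} not approved"))

    for pattern, reason in policy["banned_patterns"]:
        for match in re.finditer(pattern, source):
            line = source.count("\n", 0, match.start()) + 1
            violations.append(("banned_patterns", f"line {line}: {reason}"))

    for marker in policy["mandatory_markers"]:
        if marker not in source:
            violations.append(("mandatory_markers", f"missing {marker!r}"))

    return violations


# Constructed sample of agent output that breaks three rules at once.
SAMPLE_BAD = '''# owner: payments-team
import json
import subprocess

def run(cmd):
    return eval(cmd)
'''

# Constructed sample that satisfies the policy.
SAMPLE_GOOD = '''# owner: payments-team
# change-id: CHG-0001
import json

def load(payload):
    return json.loads(payload)
'''

if __name__ == "__main__":
    for name, src in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(name, check_generated_code(src))
```

The point of the structure is that the same `POLICY` object is what the agent is shown before generation and what the gate enforces after it, so "what the agent is allowed to produce" and "what slips through" are the same rule set rather than two drifting ones.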
Shift right used to mean recovery. Now it means continuous reality-checking.
Shift right was the discipline of catching what the earlier gates missed. Observability, feature flags, canary deploys, error budgets. Production is the only place where the system meets the real world, and the discipline of instrumenting that meeting is what kept incidents from becoming outages.
In the agentic era, shift right has expanded. It is no longer just about catching bugs in production code. It is about catching behaviour drift in production AI surfaces. Support copilots that begin answering off brand. Sales assistants that quote something nobody promised. Marketing automations that send the wrong segment a wrong-priced offer. The right side of the lifecycle now includes every place where an AI is touching a customer, and "monitoring" has to mean monitoring what those surfaces actually say.
The discipline is still recovery. The shape of recovery has changed.
The governance layer between them
Most organisations think of shift left and shift right as opposite ends of the same lifecycle, with CI/CD as the bridge between them. That model was clean in 2022. It is no longer sufficient.
What sits in the middle of the lifecycle today is not just CI/CD. It is the set of decisions, approvals, and accountabilities that determine whether a generated change becomes a deployed change, and whether a deployed change becomes a customer outcome the company is willing to stand behind. CI/CD captures the mechanical record of what flowed through. Governance is the layer that captures who decided what, on what basis, on both sides of the pipeline.
Without that layer, shift left collapses into "the agent did what it did" and shift right collapses into "the model did what it did." The accountability story disappears. The organisation finds itself with telemetry on both ends and judgement nowhere in the middle.
How each team in a SaaS company feels this
The shift-left and shift-right compression is not an engineering-only concern. It surfaces across every team that owns part of the customer relationship in a SaaS company. A governance layer that spans both sides compounds across all of them.
Leverage at the gate, control over behaviour
Rules constrain what gets generated. The merge gate captures what gets approved. Production behaviour can be rolled back without rolling back code, because the AI surface is governed independently of the deploy.
Intent matches what shipped
A structured record of which feature, in what shape, was actually approved into production, and which AI-surface behaviour was sanctioned. The gap between "what we said we would build" and "what shipped" stops growing silently.
Brand safety at AI scale
What was said at scale, on which channel, to which segment, and what was authorised in advance. Available before the press inquiry happens, not reconstructed after it.
A defensible source of truth
What the chatbots, demo agents, and deal-room copilots are quoting, governed against what actually shipped and what was approved to say. Sales stops carrying the risk of representations no human signed off on.
One pull, the whole story
When an incident lands, the answer to "what changed, when, who approved it, what was the customer promised" comes from a structured record, not from reconstructing across CI logs, chat history, and tribal memory.
An organisational ledger that audits itself
One artefact the CFO, the CISO, and the board can all read. Decisions, approvals, and accepted risks across both sides of the build, queryable on demand instead of assembled before each board meeting.
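To make the structured record described above concrete (the "one pull, the whole story" of an incident and the ledger that audits itself), here is an added example of a governance ledger. It is not Tomosu's product or code, and the page does not specify a mechanism: hash-chaining each event to the previous one with SHA-256 is this example's own choice for making silent edits to the history detectable. The change ids, actors, timestamps and event kinds are constructed sample data.

```python
"""Governance ledger: decisions and approvals as first-class, hash-chained events.

Added example, not Tomosu's product: an append-only record where each event
commits to the one before it (SHA-256 chaining is this example's choice; the
page does not specify a mechanism), so "what changed, when, who approved it"
is a query rather than a reconstruction, and a rewritten entry breaks the chain.
"""
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value for the first event


def _digest(prev_hash, event):
    """Hash the previous hash together with a canonical encoding of the event."""
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def append_event(ledger, change_id, kind, actor, at, detail):
    """Append one governance event; returns its hash so callers can cite it."""
    prev_hash = ledger[-1]["hash"] if ledger else GENESIS
    event = {"change_id": change_id, "kind": kind, "actor": actor, "at": at, "detail": detail}
    entry = dict(event, prev_hash=prev_hash, hash=_digest(prev_hash, event))
    ledger.append(entry)
    return entry["hash"]


def verify_chain(ledger):
    """Return the index of the first broken link, or -1 if the ledger is intact."""
    prev_hash = GENESIS
    for i, entry in enumerate(ledger):
        event = {k: entry[k] for k in ("change_id", "kind", "actor", "at", "detail")}
        if entry["prev_hash"] != prev_hash or entry["hash"] != _digest(prev_hash, event):
            return i
        prev_hash = entry["hash"]
    return -1


def story_for(ledger, change_id):
    """One pull: every event for a change, in order, as (at, kind, actor, detail)."""
    return [(e["at"], e["kind"], e["actor"], e["detail"])
            for e in ledger if e["change_id"] == change_id]


def build_sample_ledger():
    """Constructed events for one change, from generation to sanctioned AI behaviour."""
    ledger = []
    append_event(ledger, "CHG-0001", "generated", "agent:codegen", "2025-01-10T09:00Z",
                 "pricing-tier feature, policy check passed")
    append_event(ledger, "CHG-0001", "approved", "human:ana", "2025-01-10T11:30Z",
                 "merge approved; risk accepted: no canary for 24h")
    append_event(ledger, "CHG-0001", "deployed", "ci:pipeline", "2025-01-10T12:00Z",
                 "prod rollout complete")
    append_event(ledger, "CHG-0001", "sanctioned", "human:raj", "2025-01-10T12:10Z",
                 "support copilot may quote new tier price")
    append_event(ledger, "CHG-0002", "generated", "agent:codegen", "2025-01-11T08:00Z",
                 "unrelated refactor")
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    for row in story_for(ledger, "CHG-0001"):
        print(row)
    # Quietly rewrite an accepted risk: the chain reports exactly where it breaks.
    ledger[1]["detail"] = "merge approved; no risks accepted"
    print("first broken link:", verify_chain(ledger))
```

Two design points carry the weight here: approvals and accepted risks are events with an actor, not free text in a chat thread, which is what makes `story_for` answer the incident question directly; and because each entry commits to its predecessor, an entry edited after the fact (or one removed from the middle) shows up in `verify_chain` rather than going unnoticed until an audit.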
TCO, and the case for planning the governance layer now
There is a temptation to view governance as a cost layer. Another tool, another integration, another review step. In a quarterly view, that framing is defensible. In a multi-year view, it is exactly inverted.
The cost of operating a SaaS product company is dominated, over time, by three things: incidents and their fallout, regulatory and compliance overhead, and the coordination tax across teams that do not share a source of truth. Each of these compounds. An incident that lacks a clear approval record costs more to resolve than one with a clean record. A compliance audit reconstructed from logs costs more than one pulled from a governance ledger. A coordination meeting that exists because three teams disagree on what shipped costs more than the meeting that does not need to happen.
Governance is the layer that reduces the slope of all three. The upfront integration cost is real and bounded. The savings are recurring and compounding.
Planning for it
The organisations that will run efficiently over the next three years are not the ones that adopt the most AI. They are the ones that adopt AI with a governance layer planned in. This is not a slow-down argument. It is the opposite. Governance is what lets a team ship more confidently, because the record of who decided what is intact, and the next decision does not have to relitigate the last one.
For most SaaS companies, the planning question is not whether to add governance. It is when, and at which layer. Adding it during a calm period is cheap. Adding it after the first incident nobody can explain is expensive.
We think the calm period is now.
Tomosu builds the governance layer between shift left and shift right, the place where decisions, approvals, and accountabilities get captured as first-class events. If you are operating a SaaS product company and feeling the pull of AI on both sides of the build, we are opening a small design partner cohort. Book a call →