AWS re:Invent 2025 -Developers Soar at Southwest Airlines®: A Journey to AI-Powered DevSecOps-AIM102

Summary of AWS re:Invent 2025 - Developers Soar at Southwest Airlines®: A Journey to AI-Powered DevSecOps

The AI Paradox and GitLab's Agentic Platform

• There is an "AI paradox" where some organizations are all-in on AI for software development, while others are just getting started
• GitLab has developed a "Duo Agentic Platform" (DAP) to enable custom AI agents across the software development lifecycle
• DAP allows defining AI agents for tasks like merge request review, issue/epic conversations, and CI/CD troubleshooting
• GitLab's unified data model powers these AI agents by providing data across projects, groups, CI jobs, and releases

Southwest Airlines' IT Journey

• Southwest has evolved from client-server, PowerBuilder apps, and Sybase databases to cloud migrations and DevOps maturity
• The journey involved separating concerns like security, compliance, and external dependencies from autonomous product teams
• Shifting security "left" was a major challenge, moving from calendar-based scans to integrated application and runtime scanning

Building the Right Team

• Southwest looks for employees with natural curiosity, high ownership, and a good sense of humor to thrive in the changing IT landscape
• The cultural transformation involved empowering autonomous product teams while still addressing enterprise concerns
• Gradually adopting cloud-native architectures and tooling, rather than a "big bang" approach, helped teams get comfortable with the changes

Transforming with GitLab and AWS

• Southwest started small with 4 critical applications for cloud migration, learning through a "lift and shift" approach before moving to cloud-native
• Integrating GitLab and AWS tooling enabled Southwest to shift security and compliance concerns left, providing "security as a service"
• Automating governance and integrating metadata across tools allowed flexibility for engineers while maintaining enterprise-grade hardening

The Future of AI-Powered DevSecOps

• Southwest is excited about persona-based AI agents and agentic workflows to iterate quickly across different roles (PO, developer, security)
• AI agents can help aggregate issues, find security vulnerabilities, and generate merge requests across the codebase
• Authorization and access control for these AI agents is a key challenge being addressed through scoped permissions and proxy policies

Measuring the Impact of AI

• Anecdotal evidence and user stories are important, but Southwest also wants to track metrics and observability to demonstrate the ongoing benefits of AI
• Integrating AI usage data into their observability platform, like CloudWatch, will help quantify efficiency gains across the software development lifecycle
• Patience and experimentation are key, as teams learn to effectively leverage AI without over-promising or rushing to refactor large codebases

Key Takeaways

• GitLab's Duo Agentic Platform enables custom AI agents across the SDLC, powered by a unified data model
• Southwest's gradual, iterative approach to cloud and DevOps transformation enabled cultural change and effective use of new tools
• Persona-based AI agents and agentic workflows are the future, but authorization and access control are critical challenges
• Measuring the business impact of AI, through metrics and observability, is essential to sustain adoption and demonstrate value