The AI Race Is Becoming a Remediation Race

If AI is going to change how we find vulnerabilities, then policy has to address the full cycle of repair ...
Open is Not Costless: Reclaiming Sustainable Infrastructure

For years, the software industry treated public package registries like a law of nature. They were simply there. Immutable, invisible, and somehow outside the normal rules of cost, capacity, and responsibility ...
AgentOps Is Here: What DevSecOps Leaders Need to Do Now

We've seen this pattern before. The industry gets a new kind of leverage, treats it like a tool upgrade, and then acts surprised when the operating model snaps under the strain. Waterfall didn't "become" Agile because of Jira. DevOps didn't "become" DevSecOps because someone added a scanner to CI. Those shifts ...
Trust At Scale: The Commons, Threats, and AI in the Loop | Sonatype

Dependency management used to be a private embarrassment: an Ant script, a /lib folder, and classpath roulette. You could ship anyway, and the consequences mostly stayed inside your org ...
The First Mile of Trusted AI Development

We've Been Building Toward This Moment

For months, I've been writing about a growing tension at the center of AI-powered development: AI can now generate code at extraordinary speed, yet our ability to govern that code hasn't evolved to match it. In a series of articles, I explored the emerging ...
The Last Mile Problem: AI Can Write Code, But Only Policy Can Ship It

Artificial intelligence (AI) can already write code that compiles, runs, and sometimes even surprises us by passing tests. In many ways, it's crossed the threshold that once separated "assisted coding" from "autonomous creation." ...

From Generic Code to Specialist AI: How MCP Will Reshape the Developer Experience

One of the challenges with using AI and LLMs to generate code today is that they mostly produce generic code. That shouldn't surprise us ...

The LLM Dependency Trap

Large language models are reshaping how we write software. With a few prompts, developers can generate boilerplate, integrate dependencies, write tests, and scaffold entire systems in a fraction of the time it used to take ...

From Abuse to Alignment: Why We Need Sustainable Open Source Infrastructure

Open source doesn't run on any individual project, foundation, or company — it runs on shared infrastructure. That's why we've come together with other stewards to issue a Joint Statement on Sustainable Stewardship ...

The End of Tribal Knowledge: Why Contextual Policy Is the Foundation for Agentic AI Development

For years, the challenge in software security and governance hasn't been knowing what to do, but instead scaling that knowledge across fast-moving teams. At Sonatype, we invested heavily in solving that through contextual policy. Not just rules, but rules that understood intent. Rules that prioritized based on usage, risk, and ...