Process-First AI-SDLC: Why Prompts Won't Save Your Team

Effective AI code development is 20% prompts and 80% process. A practical framework for AI-SDLC adoption that survives contact with real engineering teams.

Most "AI in SDLC" rollouts I see start with a tool — Copilot, Cursor, Claude Code — handed to engineers with the instruction "use this, ship faster." Six months later velocity hasn't moved, code review queues have grown, and the security team is fielding incidents about hardcoded secrets and hallucinated dependencies.

The tool wasn't the problem. The process around the tool was missing.

The five process layers AI-SDLC actually needs

  1. Context layer — repository conventions, ADRs, and prompt libraries checked into the repo. The AI must read them on every task.
  2. Guardrail layer — pre-commit hooks for secret scanning, SBOM diffs, and licence checks. The AI generates; the hooks block.
  3. Review layer — a PR template that asks "what did the AI write vs. you?" plus a reviewer checklist tuned for AI-typical failure modes (plausible-but-wrong, missing edge cases, dependency hallucinations).
  4. Telemetry layer — track AI-generated PRs separately. Are they merged faster? Do they revert more? You can't improve what you don't measure.
  5. Training layer — short, scenario-based sessions. Not "here's the tool," but "here's how to break down a feature into AI-shaped tasks."

Process-first means the process exists first

If your team is shipping AI-assisted code into main before you've defined the guardrail and review layers, you're not doing AI-SDLC — you're doing AI roulette.

The order matters:

1. ADRs + conventions in repo
2. Guardrails in CI + pre-commit
3. PR template + reviewer training
4. THEN turn on Copilot/Cursor/etc.
5. Telemetry from day one
6. Iterate the prompts in the repo as you learn

What "effective AI code development" actually looks like

  • Tasks are scoped to ~200 lines of diff.
  • The prompt references the ADR for the relevant subsystem.
  • The AI produces a PR with tests and a self-review comment.
  • The human reviewer spends time on intent, not syntax.
  • Telemetry shows AI-generated PRs revert at the same rate as human PRs, or lower.

When you get there, AI is genuinely a force-multiplier. Without the process, it's an incident generator.
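
A minimal diff gate for the guardrail layer and the ~200-line task scope described above, as an added example that is not from the original post. The credential regex, the `approved_deps` allowlist and the package names in the sample diff are assumptions constructed for illustration.

```python
import re

# One assumed credential pattern for illustration; a real hook calls a dedicated scanner.
SECRET = re.compile(r"(?i)\b(password|secret|api_key|token)\b\s*[:=]\s*['\"][^'\"]{8,}['\"]")
HUNK = re.compile(r"^@@ -\d+(?:,(\d+))? \+\d+(?:,(\d+))? @@")
DEP_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")

def check_diff(diff_text, approved_deps, max_lines=200):
    """Return (kind, path, detail) findings for a unified diff; [] means pass."""
    findings, changed, path = [], 0, None
    old_left = new_left = 0  # lines still expected in the current hunk
    for line in diff_text.splitlines():
        if old_left <= 0 and new_left <= 0:  # between hunks: only headers matter
            if m := HUNK.match(line):
                old_left, new_left = int(m.group(1) or 1), int(m.group(2) or 1)
            elif line.startswith("+++ "):
                path = line[4:].split("\t")[0].removeprefix("b/")
            continue
        if line.startswith("-"):
            old_left, changed = old_left - 1, changed + 1
        elif line.startswith("+"):
            new_left, changed = new_left - 1, changed + 1
            if SECRET.search(line[1:]):
                findings.append(("secret", path, "credential-like literal"))
            dep = DEP_NAME.match(line[1:])
            if dep and path and path.endswith("requirements.txt"):
                name = re.sub(r"[-_.]+", "-", dep.group(1)).lower()  # PEP 503 normalisation
                if name not in approved_deps:
                    findings.append(("unapproved-dependency", path, name))
        elif not line.startswith("\\"):  # context line; "\ No newline" is skipped
            old_left, new_left = old_left - 1, new_left - 1
    if changed > max_lines:  # task-scope budget (~200 changed lines by default)
        findings.append(("diff-too-large", None, f"{changed} changed lines > {max_lines}"))
    return findings

APPROVED = {"requests", "flask"}  # constructed allowlist; the sample diff is constructed too
SAMPLE_DIFF = """\
--- a/app/config.py
+++ b/app/config.py
@@ -1 +1,2 @@
 import os
+API_KEY = "constructed-example-value"
--- a/requirements.txt
+++ b/requirements.txt
@@ -1 +1,3 @@
 requests==2.31.0
+flask==3.0.0
+acme-constructed-helper==1.2.0
"""
```

In a hook, feed it the output of `git diff --cached` and exit non-zero when the returned list is non-empty.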