Architecture position paper ยท July 2026

From Code Scarcity to Controlled Execution

The Enterprise Software Fabric for AI-Generated Applications

A position paper on the shifting economics of software, safe in-house deployment, least privilege, governed data products, and private-banking-grade access control.
Audience: CIO, CTO, CISO, Chief Data Officer, enterprise architects, platform engineering leaders, and technology risk leaders in regulated enterprises.

Core proposition

AI-assisted coding increases the supply of software artifacts faster than many enterprises can safely review, authorize, integrate, deploy, operate, and retire them. The strategic response is not primarily an "AI infrastructure platform." It is an internal software deployment fabric that treats generated code as untrusted supply and makes safe execution, narrow connectivity, dual-principal authorization, and lifecycle ownership easy by default.

Abstract

Software generation is becoming materially easier as coding agents and AI-assisted development tools improve. The precise productivity effect remains context-dependent and difficult to measure, but the direction of change is clear: more people can produce more code, delegation to AI systems is increasing, and organizations are experiencing greater pressure on coordination, testing, security review, deployment, and operating systems. Recent DORA research frames AI as an amplifier of the surrounding organizational system; recent empirical work on open-source development finds higher code contribution alongside increased coordination time; and current productivity experiments show both the rapid adoption of agentic tools and the difficulty of measuring work when developers change task selection and run multiple agents concurrently. [1โ€“5]

This paper argues that the enterprise control point should move downstream. Rather than attempting to control every act of code generation, enterprises should make the path from source artifact to production execution explicit, automated, observable, and policy-governed. The proposed "Enterprise Software Fabric" accepts code, containers, manifests, and workflows from humans or AI tools; verifies and records provenance; evaluates requested capabilities; deploys only to controlled runtime environments; assigns workload identities; propagates user context; authorizes data access at governed product boundaries; and operates each application with telemetry, ownership, service levels, and retirement rules.

Private banking is used as the demanding reference case. A relationship manager may use an AI coding tool to create a portfolio stress-testing application, but neither the AI tool nor the resulting application should receive a broad production service account. Effective access should be the intersection of the application's approved capability, the current user's entitlement and relationship to the client, the data product's policy, the declared purpose, and the current context. This paper develops the architecture, risk model, operating model, and phased implementation roadmap for that approach.

Contents
  1. Thesis and scope
  2. What has actually changed: evidence and limits
  3. The economic shift
  4. Strategic response: an Enterprise Software Fabric
  5. Reference architecture
  6. Least privilege for humans and software
  7. Risk-based data connections
  8. Complex data products as security contracts
  9. Private banking reference scenario
  10. Operating model and governance
  11. Implementation roadmap
  12. Metrics that reveal whether the model works
  13. Design principles
  14. Conclusion
  15. Appendix A. Example capability manifest
  16. Appendix B. Example authorization decision record
  17. Appendix C. Risk-tier control matrix
  18. References

1. Thesis and scope

The central thesis is deliberately narrower than the common claim that "AI will make software development free." Software is not becoming free, and evidence does not support a universal productivity multiplier. What is changing is the relative scarcity of activities across the software lifecycle. The ability to express business logic in working code is becoming more abundant. The ability to turn a growing stream of artifacts into trusted, properly authorized, maintainable production systems remains scarce.

That distinction matters because enterprise architecture follows bottlenecks. When servers were scarce and slow to provision, organizations optimized around hardware and capacity planning. Cloud computing standardized on-demand access to shared pools of configurable resources that could be provisioned and released with comparatively low management effort. [21] The cloud did not eliminate architecture, security, reliability, or cost management; it moved differentiation away from owning hardware and toward how organizations consumed and governed infrastructure. The comparable AI-era hypothesis is that code production becomes less differentiating while governed execution becomes more differentiating.

Position

The enterprise should make creating an application easy, but make unrestricted access to sensitive data almost impossible. Narrow, policy-governed access should be easy. Broad, standing credentials should be exceptional.

The paper therefore focuses on deploying the artifacts of AI-assisted software creation into controlled in-house environments. It is not a paper about training foundation models, hosting inference clusters, selecting model providers, or building a corporate chatbot. The generating tool may be Claude Code, Codex, Cursor, a future agent framework, a human development team, or a combination. The control architecture should not depend on authorship. The source artifact is outside the production trust boundary until it passes enterprise admission controls.

The proposed model is especially relevant to regulated enterprises with complex data estates, large numbers of internal workflows, and strong segregation requirements. Private banking is an illustrative case because client confidentiality, banker-client relationships, delegated coverage teams, jurisdictional constraints, and transactional capabilities create access-control problems that simple role-based models handle poorly.

2. What has actually changed: evidence and limits

2.1 The evidence supports a bottleneck shift more strongly than a universal speedup claim

The strongest credible argument is not that every developer is now several times faster. It is that AI-assisted and agentic tools are changing the volume, shape, and organization of software work. DORA's 2025 research describes AI primarily as an amplifier of existing organizational strengths and weaknesses, arguing that returns depend on the underlying organizational system rather than the tool alone. [1] DORA's platform-engineering guidance goes further: it describes coding gains being absorbed by downstream disorder in testing, security review, and deployment, and presents a high-quality internal platform as the standardization and governance layer that converts local speed into organizational performance. [2]

The empirical productivity literature is still evolving. METR's early-2025 randomized experiment found a slowdown for experienced open-source developers using then-current tools. Its February 2026 update says the later experiment is difficult to interpret because adoption became so widespread that some developers refused to participate if they might have to work without AI; developers also changed which tasks they submitted and increasingly ran multiple agents concurrently. METR believes early-2026 tools likely provide more speedup than early-2025 tools, but explicitly characterizes its own evidence about magnitude as weak. [3] This is a useful warning against basing architecture strategy on a single percentage productivity claim.

A revised 2026 study using GitHub Copilot usage data and public open-source project data reports a 5.9% increase in project-level code contributions, driven by increased participation and individual productivity, while coordination time increased by 8% because of more code discussions. [4] The important architectural signal is the coexistence of higher output and higher coordination cost. Even when the net effect is positive, the surrounding system must absorb more contributions, review more changes, reconcile more dependencies, and preserve shared standards.

Adoption patterns also show increasing delegation. The Anthropic Economic Index report based on privacy-preserving analysis of one million Claude.ai conversations and one million API transcripts reported that directive task delegation increased from 27% to 39% over eight months, with enterprise API usage skewing toward more automated and specialized tasks. [5] This does not prove that autonomous software production is dominant, but it supports the expectation that enterprises will receive a growing volume of artifacts produced with less continuous human attention.

Table 1. Evidence versus inference: what can be claimed confidently and what remains a strategic hypothesis.
ClaimEvidence statusArchitecture implication
AI always makes developers dramatically fasterNot established. Results vary by developer, task, tool generation, and study design.Do not justify platform investment with a single speedup percentage.
AI increases the supply of code and contribution opportunitiesSupported by usage trends and multiple empirical studies, though magnitude varies.Design for more artifact intake and more diverse producers.
Downstream coordination, testing, security, and deployment can absorb local coding gainsSupported by DORA's system-level framing and empirical coordination findings.Treat platform quality and automated assurance as first-class strategy.
AI-generated code is uniformly insecureNot supported. Studies show distinct defect profiles and meaningful security risks, but results vary by language, benchmark, and detection method.Treat all artifacts as untrusted supply; verify based on risk, not author identity.
The strategic control point moves from code creation toward governed executionArchitectural inference based on the above evidence.Invest in admission, identity, policy, data products, observability, and lifecycle controls.

2.2 Generated code should be treated as a different supply pattern, not a different trust category

Recent research on code quality supports caution without supporting panic. A 2025 large-scale study comparing more than 500,000 human- and AI-generated Python and Java samples found different defect profiles and reported more high-risk security vulnerabilities in AI-generated code, while human-written code showed greater structural complexity and more maintainability issues. [6] A separate 2025 preprint studying AI-tagged code in widely used GitHub projects reports that AI output concentrates in glue code, tests, refactoring, documentation, and boilerplate; it also reports that some vulnerability classes are overrepresented and that shallow human review can allow defects to persist. [7] Another large study of explicitly AI-attributed GitHub files found that most analyzed files had no identifiable CWE-mapped vulnerability, again underscoring that "AI code is insecure" is too crude a conclusion. The practical lesson is that author identity is a poor trust signal.

Existing secure-development frameworks therefore remain relevant, but must be made cheaper and more automated. NIST's Secure Software Development Framework recommends integrating a core set of secure-development practices into each software lifecycle. [8] SLSA provides a mature vocabulary for producing artifacts, distributing provenance, and verifying artifacts and their build provenance. [9] The AI-era requirement is not to invent a parallel lifecycle for AI-authored code. It is to make secure intake and verification routine enough to handle a much larger flow of small applications and changes.

Figure 1. Conceptual shift in relative effort. Percentages are illustrative, not empirical estimates. (Interactive version: the "Where the effort goes" slider in chapter 01.)

3. The economic shift: from implementation scarcity to controlled execution

Software economics can be viewed as a flow-and-stock problem. AI coding tools increase the flow of new source code, services, scripts, connectors, dashboards, workflow tools, and experiments. Each accepted artifact adds to the stock of software that must be owned, patched, observed, authorized, cost-managed, and eventually retired. The unit cost of initial implementation can fall while the total portfolio cost rises because the organization simply owns much more software.

This creates a software version of a rebound effect. When a capability becomes cheaper, demand often expands. A business unit that previously could justify five internal applications may now request fifty. Many of those applications may be small and valuable. But each production application still creates some combination of dependencies, credentials, data pathways, operational alerts, user support, vulnerability exposure, legal retention questions, and ownership obligations. This is an informed architectural inference rather than a measured universal law, but it is consistent with the observed increase in contribution volume and coordination demands. [2,4]

3.1 The new cost centers

3.2 The cloud analogy โ€” useful, but incomplete

The cloud analogy is useful because cloud computing made infrastructure provisioning more on-demand and standardized, while forcing organizations to become better at identity, configuration, cost management, reliability, and governance. NIST's definition emphasizes shared configurable resources that can be rapidly provisioned and released with minimal management effort. [21] AI-assisted software creation can produce a similar abstraction shift at a higher layer: business logic can be created faster, but the enterprise still needs standardized execution and governance.

The analogy is incomplete because software artifacts are semantically richer than compute instances. A generated application embeds business assumptions, data transformations, user experiences, and operational actions. The enterprise fabric must therefore govern not only where code runs, but what the runtime is allowed to know and do.

4. Strategic response: an Enterprise Software Fabric

The strategic response proposed here is an Enterprise Software Fabric: a productized internal capability that converts untrusted software artifacts into controlled, observable, least-privileged applications. It is deliberately artifact-first. The generating model is not assumed to be inside the bank. The code generator can change without changing the production control plane.

Design rule

Generated code may request capabilities. It must never grant itself capabilities. A manifest is a declaration of requested access; the platform and policy system decide what is allowed.

DORA defines platform engineering around automation, self-service, repeatability, internal developer platforms, and golden paths that make secure and compliant build, test, and deployment easier. Its 2026 guidance explicitly links platform quality to whether AI adoption becomes organizational performance or downstream disorder. [2] The Enterprise Software Fabric extends that platform-engineering idea into four additional directions required for sensitive enterprises: capability-based admission, dual-principal authorization, governed data-product connections, and lifecycle accountability.

Figure 2. The artifact trust boundary and the Enterprise Software Fabric.

4.1 What the fabric is

4.2 What the fabric is not

5. Reference architecture

The reference architecture is organized into six planes. The logical planes can be implemented with different technologies; the architecture depends on the separation of responsibilities, not a particular vendor stack.

5.1 Plane A โ€” artifact intake and software supply chain

The first plane turns source material into a verifiable artifact. The minimum output is not merely a container image. It is an artifact bundle: executable package, dependency inventory, test results, vulnerability findings, build provenance, policy-relevant metadata, owner, purpose, and capability request. NIST SSDF provides secure-development practices, while SLSA 1.2 provides concepts for increasing software supply-chain guarantees and verifying provenance. [8,9]

5.2 Plane B โ€” admission and risk evaluation

The admission layer evaluates the artifact and its requested capability combination. Policy should be executable where possible. Open Policy Agent's Kubernetes admission examples show a general model in which deployment requests can be rejected for violating rules such as allowed registries, required labels, or resource limits. [18] An enterprise fabric can apply the same principle at a richer business level: client data plus internet egress, bulk export, or trading write access should trigger stronger controls than an internal read-only application using market data.

5.3 Plane C โ€” controlled runtime

The runtime target should be boring, standardized, and difficult to escape. It may be Kubernetes, virtual machines, serverless runtimes, or another internal platform, but it should expose a consistent control contract: workload identity, managed secret retrieval, default-deny network policy, approved egress destinations, resource quotas, runtime hardening, patching policy, and observable deployment state.

Workload identity should not depend on an IP address or a long-lived shared secret. SPIFFE is one example of an open workload identity framework: it defines standards for securely identifying software systems in dynamic environments and issuing short-lived cryptographic identity documents to workloads. [14] The architectural requirement is more general: every runtime workload must have a first-class identity that can be authorized independently from the human user.

5.4 Plane D โ€” identity, delegation, and authorization

The authorization plane evaluates both who is using the application and which application is acting. NIST Zero Trust shifts control away from implicit trust based on network location toward users, assets, and resources, with authentication and authorization performed before access to protected resources. [10] NIST ABAC defines authorization in terms of attributes of subjects, objects, operations, and environment conditions evaluated against policy and relationships. [11] These principles are well suited to private banking, where entitlement depends on client relationships, booking centers, legal entities, role delegation, product restrictions, and transaction context.

5.5 Plane E โ€” governed data products and operational capabilities

Applications should normally connect to governed data products and business capabilities rather than raw operational databases. Data mesh literature frames data ownership around business domains, data as a product, self-service platform infrastructure, and federated computational governance. [15] For this paper, the security implication is as important as the organizational one: the producer boundary can enforce classification, row filtering, field masking, permitted purpose, aggregation rules, and rate limits consistently for every consuming application.

5.6 Plane F โ€” operational envelope

Every application that reaches production should inherit a minimum operational envelope: structured logs, traces, metrics, correlation identifiers, dependency mapping, health checks, cost attribution, security status, incident ownership, and lifecycle state. OpenTelemetry is an open, vendor-agnostic framework for generating, collecting, and exporting telemetry including traces, metrics, and logs; it is one concrete standard that can reduce instrumentation fragmentation. [19]

For banks, operational resilience is not merely convenience. The Basel Committee's principles for operational resilience are intended to strengthen banks' ability to withstand operational disruption, including technology failures and cyber events. [20] A proliferation of small AI-assisted applications must not create a proliferation of invisible, ownerless operational dependencies.

6. Least privilege for humans and software

The most important authorization rule in the proposed architecture is that application permission and human permission are separate constraints. A user does not automatically gain every capability the application possesses, and an application does not inherit every data entitlement the user has.

Effective-access model

Effective Access = App Capability โˆฉ User Entitlement โˆฉ Data-Product Policy โˆฉ Declared Purpose โˆฉ Current Context

The intersection model prevents a generated application from becoming a privilege escalator. A relationship manager may be entitled to view certain client portfolios, while the portfolio-scenario application may only be approved for positions, valuations, and market data. The application cannot reach tax identifiers merely because the user can see them in another system. Conversely, the application may be generally capable of reading portfolio positions, but a particular relationship manager can only retrieve positions for clients within the manager's authorized relationship graph.

Figure 3. Dual-principal authorization: user identity and workload identity are evaluated together. (Interactive version: the access simulator in chapter 05.)

6.1 Relationship-based access for client coverage

Private-banking access is naturally relational. Typical facts include "RM manages client," "assistant is delegated by RM," "investment specialist supports relationship team," "client is booked in legal entity," and "portfolio belongs to client." A relationship-based authorization model can represent these links. Google's Zanzibar paper is a foundational example of a globally consistent authorization system used across major Google services. [13] The relevant lesson is not to copy Google's implementation, but to represent relationships as authorization data rather than embedding them separately in each application.

ABAC then complements the relationship graph with contextual rules: jurisdiction, device posture, employment status, client confidentiality flags, product constraints, time-sensitive delegation, and requested action. [11] In practice, a policy decision may combine ReBAC for "who is related to the client?" with ABAC for "is this operation allowed now under these conditions?"

6.2 Delegation should remain visible through service chains

When an application calls downstream services, it should not erase the originating user context or reuse a broad application credential. OAuth 2.0 Token Exchange defines a mechanism for exchanging a token for another token, including delegation and impersonation semantics. It explicitly describes a resource server exchanging a received access token for a new downstream token that can be more narrowly scoped for the target service. [12]

For sensitive workflows, delegation is generally preferable to invisible impersonation because the audit trail should retain both subject and actor. An authorization record should be able to say: the relationship manager was the subject, portfolio-scenario-app/v17 was the actor, the requested purpose was client review, and the data product released only the permitted fields for the specified client.

7. Risk-based data connections

The risk unit should be the capability combination, not merely the application label. A small application can be dangerous if it combines regulated data with broad export and unrestricted internet egress. A large internal analytics application can be lower risk if it operates on aggregated, non-client-specific data and has no write path.

7.1 Data sensitivity tiers

Table 2. Illustrative data sensitivity tiers. Enterprises should align names and controls to their own classification policy.
TierExample dataDefault posture
D0 PublicPublic rates, public research, public instrument factsSelf-service within normal software controls.
D1 InternalInternal reference data, non-sensitive operational metricsAuthenticated internal access; standard logging and ownership.
D2 ConfidentialInternal financials, employee or sensitive business dataNamed purpose, restricted audience, stronger egress and export controls.
D3 RegulatedPersonal data, regulatory records, suitability informationUser-context enforcement, field minimization, full audit, retention rules.
D4 Client-specific restrictedClient identity, holdings, mandates, tax status, special confidentiality flagsRelationship authorization, purpose/context checks, strong anti-bulk controls, tightly controlled egress.

7.2 Capability risk dimensions

A practical risk score can be derived from dimensions rather than a single application class. The dimensions need not be multiplied mathematically, but they should be evaluated systematically:

7.3 Risk ladder for application deployment

Table 3. Risk ladder: friction increases with the requested capability combination, not with application size alone.
LevelTypical useRequired controls
L0 ExperimentSynthetic or public data; isolated prototypeNo production credentials; no internal network access; self-service ephemeral deployment; automatic expiry.
L1 Governed internal appRead-only lower-sensitivity internal productsCorporate identity; workload identity; approved APIs; standard admission checks; telemetry; owner.
L2 Confidential appConfidential or limited regulated dataDual-principal authorization; narrow scopes; restricted egress; field minimization; stronger logging; periodic recertification.
L3 Client-specific regulated appClient-specific reads or bounded client workflowsRelationship authorization; purpose/context checks; anti-bulk controls; full audit chain; enhanced change control; legal-entity constraints.
L4 Transactional capabilityPayments, orders, trades, mandates, master-data changesAction-specific short-lived credentials; transaction caps; separation of duties; human approval where required; idempotency; compensating or rollback process; heightened resilience.

The productivity objective is to make L0 and L1 extremely fast, L2 largely automated, L3 governed but usable, and L4 deliberately difficult. A 300-line internal tool should not require the same governance path as a core-banking replacement. But small size must never become an argument for a shared production database password.

8. Complex data products as security contracts

AI coding tools become far more useful when they can compose stable enterprise capabilities instead of discovering undocumented schemas and reconstructing business semantics from source tables. This is why data-product maturity and AI-assisted development are complementary investments.

Data mesh principles emphasize domain-oriented ownership, data as a product, self-service infrastructure, and federated computational governance. [15] The paper's extension is to treat the data product not only as a high-quality dataset, but as a secure consumption contract. A mature product should publish schema, semantics, freshness and service levels, owner, classification, lineage, supported purposes, authorization rules, masking behavior, aggregation restrictions, retention rules, and interface contract.

Table 4. A data product should expose security and governance semantics as part of its contract.
Product contract elementWhy it matters for AI-generated applications
Schema and semanticsThe application can be generated against stable meaning rather than raw source structure.
Owner and support modelThe consuming app has a responsible provider and escalation path.
Classification and field sensitivityThe platform can evaluate risk before deployment and mask or reject fields.
Authorization ruleThe producer can enforce client, portfolio, legal-entity, or purpose constraints consistently.
Supported actionsRead, aggregate, propose, write, and transact can be separated into different capabilities.
Rate and bulk limitsA compromised or buggy app cannot silently turn interactive access into mass extraction.
Lineage and provenanceDownstream decisions can be traced to sources and transformations.
Retention and export policyGenerated apps cannot choose retention or replication behavior arbitrarily.

8.1 Avoid raw database connectivity as the default integration pattern

Direct database access externalizes governance into every consuming application. The consumer must understand table semantics, row filters, client relationships, masking rules, schema changes, and audit expectations. AI may make the connector code easy to write, but that simply accelerates coupling and duplicates policy. Governed products invert the model: the producer owns semantics and enforces policy at a stable boundary; the application receives only the capability it needs.

8.2 Where MCP fits โ€” and where it does not

The Model Context Protocol can be useful as a standard interface through which AI clients discover and invoke tools or resources, but it should not be mistaken for the enterprise authorization model. The MCP authorization specification defines transport-level authorization for HTTP transports and uses OAuth-based mechanisms. It requires resource indicators, audience validation, and separate authorization treatment for downstream APIs; it explicitly forbids token passthrough. [16] The associated security guidance explains that token passthrough creates accountability, audit-trail, trust-boundary, and exfiltration risks. [17]

In the Enterprise Software Fabric, MCP can be an adapter surface or developer-facing protocol, while the actual enterprise security boundary remains a governed gateway or data-product interface. An MCP server that calls a client-data API should acquire a separate target-specific token rather than forwarding a user token blindly. The user, workload, target resource, and purpose should remain visible to the authorization system.

9. Private banking reference scenario

Consider a relationship manager who asks an AI coding agent to build a portfolio stress application: "Show current concentration, currency exposure, and performance under three historical stress scenarios for my clients." The agent can generate a user interface, backend service, tests, container configuration, and capability manifest. The tool may run outside the production environment. It never receives production client data or production database credentials.

9.1 Build and admission path

9.2 Runtime request path

9.3 The crucial negative guarantees

9.4 Transactional capabilities require a different control envelope

A scenario-analysis application may be permitted to propose an order but not place it. A separate transactional capability can require short-lived action-specific authorization, transaction value limits, product suitability checks, pre-trade controls, segregation of duties, and explicit human confirmation or four-eyes approval according to policy. Read access and write access should never be bundled merely for developer convenience.

The architectural principle is "proposal versus authority" at two layers. AI-generated code proposes requested capabilities to the deployment fabric. Decision-support applications propose business actions to the transactional control system. In both cases, authority belongs to policy-governed systems and accountable humans, not to the code generator.

10. Operating model and governance

The Enterprise Software Fabric should be run as an internal product, not as a ticket queue. DORA's platform-engineering guidance emphasizes product management, user journeys, self-service golden paths, clear feedback, and an incremental minimum viable platform. [2] The objective is enabling constraint: make the safe path easier than bypassing it.

10.1 Responsibilities

Table 5. Governance is federated: the central platform does not own every application or every data policy.
RolePrimary responsibilities
Platform product teamGolden paths, artifact intake, runtime targets, developer experience, policy feedback, platform SLOs.
Identity and authorization teamPolicy decision infrastructure, relationship graph, attribute sources, delegation/token exchange, decision audit.
Domain / data-product teamSemantics, quality, producer-side enforcement, classification, interface lifecycle, service levels.
Application ownerBusiness purpose, user population, acceptance testing, operational ownership, cost accountability, recertification.
Security and technology riskControl objectives, policy-as-code standards, exception governance, monitoring requirements, assurance strategy.
Business risk / compliancePurpose restrictions, client and jurisdiction rules, transactional approvals, regulatory interpretation.

10.2 Golden path and exception path

The golden path should cover common application patterns: internal web app, scheduled job, event consumer, API service, analytical dashboard, and workflow tool. A software template can scaffold repository structure, pipeline configuration, manifests, telemetry, and ownership metadata; Backstage Software Templates are one example of this pattern. [22] The implementation technology is secondary. The important feature is that common controls are inherited rather than reimplemented.

Exceptions are necessary for unusual workloads, but they should be explicit, time-bounded, owned, and measurable. A rigid "golden cage" will drive shadow IT; an invisible exception culture will recreate unmanaged production. The platform should provide fast feedback on why a request was rejected and what changes would make it acceptable.

10.3 Lifecycle ownership is a security control

Every deployed application should have a named business owner, technical owner, cost center, support tier, dependency inventory, last-use signal, and review date. Low-risk applications can expire automatically unless renewed. Orphaned applications should lose sensitive connectivity before they become invisible legacy systems. This is one of the places where the economics of abundant code must be confronted directly: the enterprise needs a deletion pathway as polished as its creation pathway.

11. Implementation roadmap

The architecture should be built incrementally. The worst approach is to design a comprehensive enterprise platform for two years while users continue creating unmanaged scripts and integrations. The roadmap below starts with the trust boundary, then adds identity and data governance sophistication.

Phase 1 โ€” establish the production trust boundary (0โ€“90 days)

Phase 2 โ€” capability manifests and risk tiers (3โ€“6 months)

Phase 3 โ€” dual-principal authorization (6โ€“12 months)

Phase 4 โ€” scale application creation safely (12+ months)

12. Metrics that reveal whether the model works

A successful fabric should be measured on both delivery speed and control quality. Counting AI licenses or lines of generated code is not useful. DORA recommends balanced software-delivery and platform metrics, including lead time, deployment frequency, recovery time, change failure percentage, and rework. [2] The fabric also needs access- and lifecycle-specific measures.

Table 6. A balanced scorecard for the Enterprise Software Fabric.
MetricWhat it tests
Idea-to-safe-production lead time by risk tierWhether the platform reduces friction where risk is low without hiding high-risk work.
% production apps with no standing human-managed secretWhether workload identity and managed credentials are replacing fragile secret distribution.
% sensitive data access through governed productsWhether policy is moving from application code into consistent producer boundaries.
% authorization decisions traceable to user + workload + target + purposeWhether dual-principal accountability is real rather than conceptual.
Policy exception count, age, and expiry rateWhether exceptions are controlled or silently permanent.
Orphaned application rateWhether abundant software is creating unmanaged legacy stock.
Unused capability / over-privilege rateWhether declared and actual access are converging toward least privilege.
Change failure and recovery metrics by tierWhether stronger controls improve stability without merely slowing delivery.
Decommission lead timeWhether the organization can retire software as efficiently as it creates it.
Sensitive-data egress paths per applicationWhether connectivity risk is shrinking and becoming explicit.

13. Design principles

14. Conclusion

The most important enterprise consequence of Claude, Codex, Cursor, and similar tools may not be a particular productivity percentage. It may be a change in the location of scarcity. When many more people can produce useful software artifacts, the institution's differentiating capability becomes the ability to let more software exist safely.

That requires a shift in architecture investment. The enterprise should not concentrate only on controlling which AI coding tool employees use. It should establish a strong production trust boundary and a high-quality path across it: controlled builds, provenance, risk-based admission, controlled runtime targets, workload identity, user-context authorization, delegated credentials, governed data products, observable operations, and lifecycle ownership. DORA's system-level framing, recent empirical evidence on higher contribution and coordination demands, established zero-trust and authorization principles, software supply-chain standards, and data-product thinking all point in this direction. [1โ€“4,8โ€“15]

For private banking, the architecture is especially clear. A relationship manager should be able to create or sponsor a small, valuable application quickly. The resulting application should never need a credential that can read the bank's entire client base. Effective access should be calculated at runtime from the intersection of application capability, user entitlement and relationship, data-product policy, purpose, and context. The data provider should enforce its own policy, and every decision should remain attributable to both user and workload.

Final proposition

The AI-era enterprise advantage will not come from generating the most code. It will come from safely turning abundant software artifacts into bounded, observable, least-privileged business capabilities โ€” and retiring them when they no longer create value.

Appendix A. Example capability manifest

The following illustrative manifest shows the type of declarative input the platform can evaluate. It is intentionally technology-neutral; the syntax is only an example. (An annotated, clickable version lives in the interactive edition's Annex.)

application:
  name: portfolio-scenario-app
  owner: wealth-advisory-zurich
  purpose: client-portfolio-review
  audience: relationship-managers

runtime:
  internet_egress: false
  workload_identity: required
  support_tier: business-hours
  expiry_review_days: 180

data_connections:
  - product: market-data.prices
    action: read

  - product: wealth.portfolio-positions
    action: read
    user_context_required: true
    relationship_required: manages_or_delegated
    bulk_export: false

  - product: crm.client-profile
    action: read
    fields:
      - domicile
      - risk_profile
      - investment_horizon

operational_capabilities:
  trading.read: false
  trading.propose: false
  trading.write: false

observability:
  traces: required
  metrics: required
  audit_correlation: required

Appendix B. Example authorization decision record

timestamp: 2026-07-05T10:14:22Z
decision: allow
subject_user: employee-9382
actor_workload: spiffe://bank.internal/app/portfolio-scenario/v17
purpose: client-portfolio-review
target_resource: wealth.portfolio-positions
operation: read
client_scope: client-4711
relationship_path: employee-9382 -> primary_rm -> client-4711
policy_bundle: PB-PORTFOLIO-READ-v12
issued_scope: positions.read client:4711
token_audience: https://portfolio-data.bank.internal
expires_in: 300s
correlation_id: 19d8a6d2-...

Appendix C. Risk-tier control matrix

Table 7. Illustrative control matrix; actual controls must be aligned to enterprise policy and applicable regulation.
ControlL0L1L2L3L4
Production dataNoLower sensitivityConfidential / limited regulatedClient-specific regulatedTransactional
Workload identityRecommendedRequiredRequiredRequiredRequired
User-context authorizationNoAs neededRequired for user-scoped dataRequiredRequired
Relationship checksNoNoAs neededRequired where client-scopedRequired where client-scoped
Default-deny egressYesYesYesYesYes + stricter allowlist
Bulk exportNoBoundedRestrictedNormally prohibitedProhibited unless explicit process
Human approvalNoNoException-basedFor selected high-risk actionsPolicy-driven / four-eyes where required
Change controlAutomatedAutomatedAutomated + evidenceEnhancedHighest / transactional governance
RecertificationAuto-expiryPeriodicPeriodicFrequentFrequent + transaction control review

References

[1]DORA. "State of AI-assisted Software Development 2025." 2025.
[2]DORA. "Capabilities: Platform Engineering." Last updated 12 January 2026.
[3]Becker, J., Rush, N., Cunningham, T., Rein, D., and Mahamud, K. "We are Changing our Developer Productivity Experiment Design." METR, 24 February 2026.
[4]Song, F., Agarwal, A., and Wen, W. "The Impact of Generative AI on Collaborative Open-Source Software Development: Evidence from GitHub Copilot." arXiv:2410.02091, revised 14 May 2026.
[5]Appel, R., McCrory, P., Tamkin, A., McCain, M., Neylon, T., and Stern, M. "Anthropic Economic Index report: Uneven geographic and enterprise AI adoption." arXiv:2511.15080, 2025.
[6]Cotroneo, D., Improta, C., and Liguori, P. "Human-Written vs. AI-Generated Code: A Large-Scale Study of Defects, Vulnerabilities, and Complexity." ISSRE 2025; arXiv:2508.21634.
[7]Wang, B. et al. "AI Code in the Wild: Measuring Security Risks and Ecosystem Shifts of AI-Generated Code in Modern Software." arXiv:2512.18567, 2025. Preprint.
[8]NIST. SP 800-218, "Secure Software Development Framework (SSDF) Version 1.1." February 2022.
[9]SLSA. "SLSA Specification, Version 1.2." Approved specification.
[10]NIST. SP 800-207, "Zero Trust Architecture." August 2020.
[11]NIST. SP 800-162, "Guide to Attribute Based Access Control (ABAC) Definition and Considerations." Updated 2019.
[12]IETF. RFC 8693, "OAuth 2.0 Token Exchange." January 2020.
[13]Pang, R. et al. "Zanzibar: Google's Consistent, Global Authorization System." USENIX ATC 2019.
[14]SPIFFE. "SPIFFE Overview." Current documentation.
[15]Dehghani, Z. "Data Mesh Principles and Logical Architecture." MartinFowler.com, 3 December 2020.
[16]Model Context Protocol. "Authorization." Specification version 2025-06-18.
[17]Model Context Protocol. "Security Best Practices." Current documentation.
[18]Open Policy Agent. "OPA for Kubernetes Admission Control." Current documentation.
[19]OpenTelemetry. "What is OpenTelemetry?" Last modified 6 April 2026.
[20]Basel Committee on Banking Supervision. "Principles for Operational Resilience." Bank for International Settlements, 31 March 2021.
[21]NIST. SP 800-145, "The NIST Definition of Cloud Computing." September 2011.
[22]Backstage. "Software Templates." Current documentation.
[23]Schreiber, M. and Tippe, P. "Security Vulnerabilities in AI-Generated Code: A Large-Scale Analysis of Public GitHub Repositories." arXiv:2510.26103, 2025.
[24]Tihanyi, N. et al. "How secure is AI-generated Code: A Large-Scale Comparison of Large Language Models." Empirical Software Engineering; arXiv:2404.18353.

Research note. This paper deliberately separates empirical findings from architectural inference. Productivity estimates for AI-assisted development are still unstable and context-dependent. The architecture thesis does not require a universal speedup claim; it depends on the more modest observation that software artifact production is becoming easier and more widely delegated, increasing the value of scalable validation, governed deployment, identity, data-product boundaries, and lifecycle control.