What is Velocity Governance?

Velocity Governance is the discipline of observing whether engineering practices keep pace with development velocity. As teams adopt AI and ship faster, Concordance monitors 50 protocols across 6 SDLC phases to ensure quality, security, and compliance don't degrade.

How does Concordance help with CRA compliance?

Concordance maps 50 engineering protocols to all 21 CRA Annex I essential requirements, generating continuous audit-ready evidence from your actual engineering toolchain — GitHub, GitLab, Jira, Linear, and more. No manual documentation required.

How does Concordance help with NIS2 compliance?

Concordance maps 50 engineering protocols to all 10 NIS2 Article 21(2) essential measures, providing continuous compliance evidence from your SDLC. It covers supply chain security, incident handling, risk assessment, and secure development practices.

The Foundation Scan is completely free — scan any public GitHub repository and get engineering practice scores across 50 protocols in under 60 seconds. No sign-up required. Pro plans start at $49/month for continuous monitoring.

How is Concordance different from DORA metrics?

DORA metrics measure deployment frequency, lead time, change failure rate, and recovery time — they tell you how fast you ship. Concordance measures 50 engineering practices across 6 SDLC phases — it tells you if your processes can keep up with that speed. They're complementary: DORA measures velocity, Concordance governs it.

What does Concordance access?

Concordance reads only metadata — PR configurations, CI pipeline configs, branch protection rules, dependency manifests, and workflow signals. It never accesses source code, secrets, or credentials.

Concordance Labs · April 2026

The Team at Concordance

April 2026 · 5 min read

Shadow AI: The Engineering Risk Your Dashboard Doesn't Show

Your engineering leaders feel it: the pressure to adopt AI for competitive advantage. But they fear losing control. How do you move fast without exposing the org to unknown risk? The tension is real, and it's playing out in your codebase right now whether you've acknowledged it or not.

The AI Adoption Paradox

The majority of developers are already using AI coding tools. Many do it without explicit org approval. This is shadow AI — unmanaged AI adoption happening beneath leadership's radar. Your developers aren't being reckless. They're solving problems faster. They're shipping features. They're staying competitive in a market where AI literacy is becoming table stakes.

But shadow AI creates a governance gap. You don't know what code is being generated. You don't know what tests are being written. You don't know which vulnerabilities are being introduced and missed during review. And worst of all: you don't know that you don't know.

What Shadow AI Looks Like

Shadow AI takes many forms in real engineering orgs:

Developers using Copilot without security review. Code generated by AI assistants passes through your existing code review process — but reviewers don't know which lines are AI-generated. They can't flag AI-specific risks like prompt injection vulnerabilities or training data leakage.

Teams building internal AI agents without architecture oversight. Your ML teams are experimenting with prompt-chaining, RAG systems, and multi-step agentic workflows. They're moving fast. But they're not documented. Your architecture review process doesn't have frameworks for evaluating LLM-based systems. You don't know how they scale, how they fail, or what happens when context windows overflow.

Generated code entering production without adequate review. AI-generated code is good — often really good. But it has blind spots. It can miss edge cases. It can over-rely on patterns from its training data. It can make assumptions about performance that don't hold at your scale. Reviewers who don't know code is AI-generated won't catch these.

AI-generated tests that pass but don't test meaningful scenarios. Tests generated by AI are syntactically correct. They run. They pass. But they often test happy paths and miss boundary conditions. They might mock everything and assert nothing. They look like test coverage until you actually try to catch a bug with them.

Prompt injection vulnerabilities no one is checking for. When AI code interacts with user input — which increasingly it does — you need to think about prompt injection. But your security scanning tools weren't built to catch these. Your code review process wasn't designed for them. Your threat modeling doesn't include them. They're a new class of risk, and they're propagating through your systems undetected.

The Governance Gap

Most orgs fall into one of two camps, and neither works.

Camp 1: Ban AI tools entirely. You block Copilot. You disable IDE integrations. You don't allow Claude or ChatGPT in your workflows. This protects you from shadow AI — because you prevent adoption entirely. But you also lose competitive advantage. Your developers get frustrated. Talented engineers leave to join orgs that let them work with modern tools. You don't stay competitive.

Camp 2: Allow anything, measure nothing. You let developers use whatever tools they want. You assume code review catches problems. You don't change your security scanning. You don't measure whether practice quality holds steady as velocity accelerates. This feels faster, but you're flying blind. You don't know if your quality practices scale under AI-accelerated output. You only discover problems when they hit production.

There is a third way.

Measuring AI Impact on Practice Quality

The answer isn't to control developers. It's to measure your practices continuously and flag drift early.

Track whether code review depth changes after AI adoption. Are reviewers spending the same time on AI-generated code? Are they asking the same questions? Are they catching the same categories of defects? When you can measure review velocity and quality separately, you can see if AI accelerates one without degrading the other.

Monitor test coverage quality, not just percentage. 95% coverage is meaningless if tests don't assert anything. You need to measure test assertion density, boundary condition coverage, and mock usage. When AI generates tests, you need to know whether they're testing the right things or just hitting line targets.

Check if security scanning catches AI-generated vulnerabilities. Run your static analysis, your dependency scanners, and your runtime security tools on AI-generated code. Do they catch prompt injection risks? Do they catch data leakage patterns? Do they catch the new classes of vulnerabilities that emerge when humans and AI co-author systems?

Measure whether documentation keeps pace with AI-accelerated output. AI accelerates coding velocity. But if documentation doesn't accelerate too, you'll end up with high velocity and low visibility. You need to measure whether your teams are documenting architecture decisions, system behavior, and failure modes as fast as they're shipping features.

Concordance's 50 protocols give you the framework to detect practice drift as AI adoption accelerates. You're not measuring whether developers use AI. You're measuring whether your engineering practices hold steady under AI-accelerated output. That's the insight that matters.

Velocity Governance: The Third Way

Don't ban AI. Don't ignore the risk. Measure your practices continuously. When AI tools accelerate velocity, watch whether your quality practices keep pace. Flag practice degradation early. Make data-driven decisions about where guardrails are needed.

This is velocity governance. It's the operating model for teams that want to move fast while staying in control. You don't prevent innovation. You measure the impact of innovation on your engineering practices. You course-correct when practices degrade. You compound velocity gains without compounding risk.

Shadow AI won't disappear. But shadow risk can. That's what practice measurement gives you.

Ready to measure practice quality under AI acceleration?

AI Readiness Checklist →

See Concordance Sentinel — human-in-the-loop oversight →