How is GitLab Helping to Secure AI Data Centre Operations?

Julie Davila, VP of Product Security at GitLab
GitLab’s Julie Davila shares how AI can strengthen data centre security and ensure trusted, resilient software supply chains for critical industries

Software is the unseen backbone of today’s digital economy, powering not just consumer applications but also the critical systems that keep industries and governments running. 

For data centre operators, where resilience and trust are essential, the ability to build and secure software at scale has become more important than ever.

At the centre of this effort is GitLab, which provides collaborative development tools relied upon by enterprises and public organisations worldwide. 

Julie Davila, Vice President of Product Security at GitLab, leads the work to secure both the platform and the software supply chains it supports. With experience across NASA, Sophos, Ansible and Red Hat, she brings a pragmatic approach to complex security challenges while mentoring the next generation of technologists.

Julie and her team also use GitLab in their own daily operations, fuelling continuous improvement and resilience.

“As AI transforms software development, GitLab sits at a unique vantage point,” she told Technology Magazine in a recent interview.

“We understand everything it takes to deliver software, positioning us to orchestrate collaboration between human teams and the AI agents they control. We’re the software factory that enables other software factories to operate efficiently in an increasingly complex digital world.”

How can security teams best collaborate with AI systems to proactively identify and respond to evolving threats?

Security teams should treat AI as a force multiplier for existing capabilities, not a replacement for expertise. 

Start with high-volume, low-context tasks where AI excels: automated triage of vulnerability reports, initial classification of security incidents and pattern recognition across security telemetry.

We’ve seen success using AI to generate initial security release documentation and perform preliminary bug bounty triage, reducing response times while maintaining human oversight for critical decisions.

The key is establishing clear boundaries: AI handles the data processing and initial analysis, while security professionals provide context, validate findings and make strategic decisions.

Implement feedback loops where human corrections train your AI systems to better understand your specific threat landscape. 

This collaborative model scales security operations without sacrificing the nuanced judgment that only experienced practitioners can provide.

What are the most urgent steps businesses should take to ensure their AI deployments are both secure and aligned with regulatory expectations?

Most organisations consume AI models rather than build them, yet face the same regulatory scrutiny under frameworks like NIST's AI RMF, ISO/IEC 23053 and the EU AI Act. 

Start by inventorying all AI touchpoints – from third-party models to embedded AI features – and map them against compliance requirements for your industry.

Establish governance for AI integration: document which models you're using, their intended purposes and maintain audit logs of AI-assisted decisions.

This creates defensible records when regulators ask how AI influenced your product's behaviour or customer outcomes.

Critical but overlooked: run AI-specific incident tabletops. Traditional security playbooks assume deterministic systems; AI incidents require different muscles.

Practice scenarios like model drift affecting customer operations, prompt injection exposing sensitive data, or AI-generated content violating compliance. 

These exercises reveal gaps in detection, containment, and communication that only surface when teams grapple with AI’s probabilistic nature.

How can organisations upskill their workforce to recognise and counter advanced threats like AI-driven social engineering attacks?

Teaching security teams prompt engineering isn’t just about using AI, it’s about understanding attack vectors. 

When defenders know how to craft prompts, they recognise manipulation techniques attackers use against AI-enhanced systems.

Start with hands-on exercises where teams attempt prompt injection against sandboxed AI systems. Understanding these attack patterns, like remote prompt injection vulnerabilities where attackers manipulate AI assistants through external data sources, helps teams build better defences. 

Security researchers have demonstrated how these techniques can compromise AI-powered development tools, highlighting the need for proactive defence strategies.

Create ‘purple team’ exercises where defenders use AI to generate phishing campaigns, then analyse what made them convincing.

This builds intuition for AI-generated social engineering markers: subtle inconsistencies in tone, overly perfect grammar in contexts where it's unusual or responses that feel templated despite seeming personalised.

Most importantly, establish a culture where questioning AI output is encouraged.

How can security leaders balance the need for innovation with the imperative to manage supply chain risks and prevent unauthorised or insecure AI integrations?

We expect agentic AI to offer development teams significant productivity gains, but security must evolve simultaneously. 

The path forward requires pragmatic governance that enables rather than blocks innovation.

Implement SLSA-aligned controls for AI components: track provenance of models and training data, establish build integrity for AI pipelines and verify AI agent behaviours before production deployment. 

At GitLab, we treat AI agents as privileged identities, linking them to human operators through composite identities for accountability.

Create ‘paved roads’ for AI adoption with pre-approved models, secure integration patterns and the same security controls applied to AI-generated code as human-written code, just earlier in the workflow.

This approach prevented issues similar to those faced by major DevOps platforms where AI assistants inadvertently suggested insecure code patterns or exposed API keys.

The key insight: security teams who provide clear, fast paths for safe AI adoption become enablers of innovation rather than blockers.
