Standard: Guardrails are built into delivery workflows

Purpose and Strategic Importance

This standard ensures guardrails are embedded in delivery workflows to guide safe, high-quality engineering decisions without slowing teams down. They provide proactive, automated checks that prevent issues before they reach production.

Aligned to our "Guardrails, Not Gates" policy, this standard enables autonomy with confidence. Without it, teams rely on manual oversight or overly restrictive gates—leading to delays, frustration, or increased risk.

Strategic Impact

  • Safer, faster delivery with fewer handoffs
  • Better governance without bureaucracy
  • Higher confidence in quality, security, and compliance
  • Greater autonomy for teams operating within defined boundaries

Risks of Not Having This Standard

  • Inconsistent or unsafe decisions during delivery
  • Delayed releases due to manual oversight
  • Risk of non-compliance or missed best practices
  • Loss of developer trust in process or governance

CMMI Maturity Model

Level 1 – Initial

Category | Description
People & Culture | Teams rely on manual checks and tribal knowledge. Risk is managed informally.
Process & Governance | No consistent rules or enforcement across delivery pipelines.
Technology & Tools | Controls are applied outside workflows or as late-stage reviews.
Measurement & Metrics | Risk-related incidents are tracked manually, if at all.

Level 2 – Managed

Category | Description
People & Culture | Teams adopt basic policy controls (e.g. branch protection).
Process & Governance | Static guardrails exist but vary across teams or platforms.
Technology & Tools | Manual steps are added to CI/CD, such as pre-merge approvals.
Measurement & Metrics | Simple tracking of policy violations or deployment exceptions.

Level 3 – Defined

Category | Description
People & Culture | Guardrails are understood as enablers, not blockers.
Process & Governance | Guardrails are defined across delivery stages and centrally maintained.
Technology & Tools | Common guardrails are embedded into templates, pipelines, or tools.
Measurement & Metrics | Guardrail coverage and adoption are measured and reported.

Level 4 – Quantitatively Managed

Category | Description
People & Culture | Teams contribute to evolving and refining guardrails.
Process & Governance | Effectiveness of controls is reviewed regularly. Failures trigger retrospective updates.
Technology & Tools | Pipelines enforce context-aware guardrails automatically.
Measurement & Metrics | Risk signals are correlated to delivery events and tracked over time.

Level 5 – Optimising

Category | Description
People & Culture | Guardrails are part of engineering identity. Teams build with safety in mind.
Process & Governance | Guardrails are updated dynamically based on incident learnings or platform feedback.
Technology & Tools | Continuous validation and feedback loops improve guardrail relevance.
Measurement & Metrics | Guardrail data informs platform, architecture, and governance improvements.

Key Measures

  • % of services with guardrails embedded in CI/CD pipelines
  • % of guardrail violations caught pre-deploy
  • Mean time to adapt guardrails after failure events
  • Number of deployments bypassing or overriding controls
  • Feedback loop time from issue to guardrail refinement

Associated Policies

  • Guardrails, Not Gates
  • Balance Sustainability with Speed

Associated Practices

  • Live Dashboards
  • Vulnerability Management
  • Visual Regression Testing
  • Software Composition Analysis (SCA)
  • Policy as Code
