Why Governance Matters
QCon London 2026
Slides available on SpeakerDeck.
References
Books and Research Reports
Accelerate: The Science of Lean Software and DevOps (Forsgren, Humble, Kim, 2018)
https://www.oreilly.com/library/view/accelerate/9781457191435/
Research showing CABs don’t improve stability.
Regulatory and Industry Reports
FCA: Implementing Technology Change — multi-firm review of CABs in financial services
https://www.fca.org.uk/publications/multi-firm-reviews/implementing-technology-change
Statistics on CAB effectiveness.
Cortex 2026 Engineering in the Age of AI report
https://www.cortex.io/report/engineering-in-the-age-of-ai-2026-benchmark-report
AI tool adoption and governance statistics.
Jellyfish 2025 State of Engineering Management report
https://jellyfish.co/resources/2025-state-of-engineering-management-report/
Earlier data on AI tool adoption (61% to 90%).
Sonar 2026 State of Code Developer Survey
https://www.sonarsource.com/the-state-of-code/developer-survey-report/
42% of committed code is AI-generated; 96% don’t trust AI code.
Pragmatic Engineer 2026 AI Tooling deep dive
https://newsletter.pragmaticengineer.com/p/ai-tooling-2026
95% using AI tools weekly; 70% using 2–4 tools.
Veracode GenAI Code Security Report (October 2025 update)
https://www.veracode.com/resources/analyst-reports/2025-genai-code-security-report/
45% of LLM tasks introduced security flaws.
2025 Harness State of Software Engineering Excellence Report
https://www.harness.io/the-state-of-software-engineering-excellence
Only 11% of orgs generate SBOMs for all artefacts.
DORA State of DevOps research (Google Cloud)
DORA capabilities.
EU Cyber Resilience Act (Regulation 2024/2847)
https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act
SBOM mandate for products sold in EU markets. Reporting from Sept 2026; full enforcement Dec 2027.
Linux Foundation / OpenSSF data on open source in modern applications (70–90%)
Referenced for the claim that most modern software is code you didn’t write.
Supply Chain Attack Coverage
Socket.dev: Ongoing supply chain attack targets CrowdStrike npm packages
https://socket.dev/blog/ongoing-supply-chain-attack-targets-crowdstrike-npm-packages
CISA alert: Widespread supply chain compromise impacting npm ecosystem
Aikido: npm debug and chalk packages compromised
https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised
AI and Cybersecurity Statistics
CRN Asia: AI cuts cyberattack breakout time (CrowdStrike report)
27-second fastest breakout time.
Coretelligent: Anthropic disrupts GTG-1002 cyber espionage
AI-driven cyberattack campaign.
The Network Installers: AI cyber threat statistics
https://thenetworkinstallers.com/blog/ai-cyber-threat-statistics/
87% of orgs targeted by AI-powered attacks.
Software Supply Chain Security Tools
Sigstore / Cosign — signing and verifying container images
https://docs.sigstore.dev/about/overview/
CycloneDX — SBOM standard and tooling
SLSA (Supply Chain Levels for Software Artefacts)
OpenSSF Scorecard — automated security checks for GitHub repos
https://github.com/ossf/scorecard
Semver ranges explained (npm)
AI Code Security
Aikido: Slopsquatting — AI package hallucination attacks
https://www.aikido.dev/blog/slopsquatting-ai-package-hallucination-attacks
AI hallucinating package names that attackers register.
Engineering Culture and Practices
Dan McKinley: Choose Boring Technology
https://mcfunley.com/choose-boring-technology
Henrik Kniberg: Agile intro slides (alignment vs autonomy)
https://blog.crisp.se/2023/09/20/henrikkniberg/agile-intro-slides-from-my-kth-talk
Henrik Kniberg: Alignment at Scale (keynote PDF)
https://blog.crisp.se/wp-content/uploads/2016/08/Agile-Africa-keynote-Alignment-at-Scale.pdf
Zalando open source technology radar
https://opensource.zalando.com/tech-radar
Andrea Laforgia: Shifting trust from human inspection to systemic verification (LinkedIn)
Financial Times-Specific References
The Advent of Change API (FT Product & Technology blog)
https://medium.com/ft-product-technology/the-advent-of-change-api-8dae0f95245e
Sarah Wells: Productivity at the FT (InfoQ presentation)