Quality Gates
Quality gates define where human approval is required. As agents become more capable, gates prevent automation from bypassing critical checkpoints.
Types of gates
Section titled âTypes of gatesâMerge gates
Section titled âMerge gatesâRequirements before code merges to main/production branches.
Standard: Passing tests, code review approval, no conflicts, docs updated.
AI-specific: Different requirements for AI-heavy PRs? AI assist vs. replace review? Disclosure required?
Deployment gates
Section titled âDeployment gatesâRequirements before deploying to environments.
Standard: Pre-deployment tests pass, security scan clean, performance benchmarks met, production approval.
AI-specific: Extra scrutiny for first deploy of AI-generated code? Automated rollback triggers?
Design gates
Section titled âDesign gatesâApproval required before significant architecture changes.
Standard: Design doc approved, security review for sensitive areas, architecture review.
AI-specific: AI can inform but not decide architecture. Human approval required for AI-suggested design changes.
Data gates
Section titled âData gatesâControls around data access and modification.
Standard: Database migration reviewed, data deletion requires approval, PII access controlled.
AI-specific: AI-generated migrations need extra review. No direct AI access to production data.
Implementation
Section titled âImplementationâTechnical enforcement
Section titled âTechnical enforcementâCI/CD checks: Automated testing, coverage thresholds, security scanning, linting.
Branch protection: Required reviewers, status checks must pass, no direct pushes.
Process enforcement
Section titled âProcess enforcementâRequired reviewers: Minimum approvals, specific approvers for specific paths, CODEOWNERS configuration.
Checklists: PR templates with required confirmations, security checkboxes, AI disclosure prompts.
Human checkpoints
Section titled âHuman checkpointsâRequired human involvement:
- Production deployments
- Database migrations
- Security-sensitive changes
- Customer-facing feature changes
Cannot be automated:
- Final deployment approval (critical systems)
- Architecture decisions
- Security exception approvals
- Compliance sign-off
Gate configuration by risk
Section titled âGate configuration by riskâ| Risk Level | Examples | Gates |
|---|---|---|
| Low | Docs, tests, style fixes | Automated checks, single reviewer, auto-merge |
| Medium | Feature code, non-critical bugs | Full automated checks, human review, standard approval |
| High | Security, payments, data handling | Enhanced checks, senior reviewer, security review |
| Critical | Auth, encryption, compliance | All gates + security team + lead approval + staged rollout |
Agents and gates
Section titled âAgents and gatesâAgents can: Run automated checks, flag issues, suggest reviewers, generate artifacts (changelogs, migration scripts).
Agents shouldnât: Approve their own output, bypass human checkpoints, deploy to production without human trigger, grant elevated permissions.
Gate anti-patterns
Section titled âGate anti-patternsâ- Rubber-stamp gates: Approval always granted without review
- Gate proliferation: So many gates people game them
- Inconsistent enforcement: Gates apply sometimes but not others
- AI gate avoidance: Routing AI code around tighter reviews
Measuring effectiveness
Section titled âMeasuring effectivenessâ| Metric | Question |
|---|---|
| Pass rate | Are legitimate changes passing? |
| Catch rate | Are issues caught before production? |
| Latency | How much do gates slow the process? |
| Bypass rate | How often are gates skipped? |
Use these metrics to tune gatesâneither too permissive nor too restrictive.
Resources
Section titled âResourcesâ- Agent Readiness â Eno Reyes, Factory AI - Preparing organizations for agentic workflows