Every engineering organisation runs an SDLC whether or not anyone has written it down. The question is not whether you have one, but whether it is explicit, measured and resistant to the pressures that erode delivery at scale: regulatory audits, security incidents, AI-assisted commits of uncertain quality, and the slow accretion of third-party dependencies nobody fully owns. This is a practitioner's view of the software development life cycle for teams where "move fast" has consequences measured in fines, outages and breach disclosures.
The SDLC is a control system, not a checklist
The canonical stages - requirements, design, implementation, testing, deployment, maintenance - are real, but treating them as a linear sequence you complete once is where teams go wrong. At scale the SDLC is a continuous control loop: every change re-enters the cycle, and the value of the framework comes from the feedback and guardrails between stages, not the stages themselves. The single most durable finding in delivery research is unglamorous. Small batch sizes and robust automated testing are what keep throughput and stability high. The 2024 DORA Accelerate State of DevOps Report, drawn from roughly 39,000 professionals worldwide, reaffirms that these fundamentals matter more as systems grow more complex, not less.
Concretely, this means your SDLC should make the small, well-tested change the path of least resistance and the large, unreviewed change painful. If your branching, review and deployment process rewards big-bang merges, no amount of process documentation will save delivery stability.
AI changes the inputs to every stage
AI-assisted development is now an input to requirements, implementation and review, and the data should make any director cautious about uncritical rollout. DORA found that AI adoption reliably lifts individual productivity, flow and job satisfaction, yet for every 25% increase in AI adoption, estimated delivery throughput dropped around 1.5% and delivery stability fell roughly 7.2%. The mechanism is intuitive: AI makes it cheap to produce more code, and larger changesets carry more delivery risk. Independent analysis from InfoQ notes that 39% of respondents reported low or no trust in AI-generated code, and that AI usage correlates with exactly the larger changes the same report flags as risky.
The implication for your SDLC is not to ban AI. It is to treat AI as a way to reduce administrative burden while holding the line on the controls that catch its failure modes: human code review, comprehensive automated testing, and batch-size limits. AI productivity gains that bypass the testing stage are borrowing against future incidents.
Security belongs in every stage, not a gate at the end
The most consequential shift in modern SDLC thinking is that security is no longer a phase. NIST created its Secure Software Development Framework precisely because, in its own words, "few SDLC models explicitly address software security in detail." The SSDF (SP 800-218) is not a competing methodology; it is a set of high-level secure-development practices you integrate into whatever SDLC you already run. Version 1.2 was released for public comment in December 2025 under U.S. Executive Order 14306, and its three objectives are worth internalising: reduce vulnerabilities in released software, mitigate the impact of vulnerabilities that slip through, and address root causes so the same classes of defect stop recurring.
For regulated and high-scale teams, one detail matters disproportionately. NIST explicitly expects acquirers to use the SSDF when communicating security requirements to suppliers. If you sell software to enterprises or government, your SDLC's security practices are increasingly a procurement gate, not an internal nicety. Mapping your stages to SSDF practices is becoming a commercial requirement, not a maturity badge.
Your dependencies are part of your SDLC now
Most production code your team ships was written by someone else. The SSDF treats software supply chain security as a first-class SDLC responsibility spanning design, implementation and maintenance: securely acquiring and maintaining third-party components, tracking provenance through Software Bills of Materials (SBOMs), and continuously monitoring dependencies for newly disclosed vulnerabilities. The practical test is whether, on the day a critical CVE lands in a widely used library, you can answer "are we affected, and where?" in minutes rather than days. If your SDLC has no inventory and no continuous monitoring, that answer is a fire drill every time.
The same expansion now reaches AI systems themselves. In July 2024 NIST released SP 800-218A, an SSDF community profile adding secure-development practices for generative AI and dual-use foundation models. The signal for governance is clear: if your organisation builds or fine-tunes models, those models are software in your SDLC, with their own provenance, testing and maintenance obligations.
Platform engineering: real gains, real transition cost
Internal developer platforms are the current answer to SDLC friction at scale, and the evidence supports them - with a caveat worth quoting to anyone selling you a platform as a silver bullet. DORA found that platform engineering improves developer productivity and organisational performance, with the largest benefit accruing to large organisations. But it also cautions that platforms can temporarily reduce change stability and throughput if rolled out without care, and that smaller organisations face real implementation friction. A platform is itself a product subject to the SDLC: it has users, requires testing, and degrades delivery if shipped half-finished. Budget for the dip, measure it, and do not let the migration become an unmonitored big-bang change of the kind the same research warns against.
What this means for how you run the cycle
For a director or staff engineer, a credible modern SDLC has a few non-negotiable properties. Keep batch sizes small and automated testing comprehensive, because these are the controls every other trend stresses. Treat AI as leverage on routine work while keeping human review and testing as hard gates, since trust in generated code is not yet earned. Embed SSDF-style security practices into each stage rather than bolting on a pre-release scan. Maintain a live inventory of third-party and model dependencies with continuous vulnerability monitoring. And instrument the whole loop so you can see throughput and stability move, rather than asserting that your process works.
The SDLC's value was never in the diagram. It is in making the disciplined path the easy one - small changes, tested thoroughly, with security and provenance baked in - so that scale and regulation become constraints you operate within rather than crises you react to. At Expeditious Software we help engineering teams turn that discipline into running infrastructure, from DevOps and CI/CD pipelines to platform and security practices that hold up under audit.
Sources
- Accelerate State of DevOps Report 2024 - DORA / Google Cloud
- 2024 Accelerate State of DevOps Report Shows Pros and Cons of AI - InfoQ
- Secure Software Development Framework (SSDF) Version 1.2 is Available for Public Comment - NIST
- Secure Software Development Framework (SSDF) Project - News - NIST CSRC
