GitLab held its Transcend virtual event on 10 and 11 June 2026, framing the occasion as the start of what it calls the “agentic engineering era.” The headline announcements span three distinct areas: a rebuilt Git infrastructure designed for AI agent workloads, a context graph for reducing token consumption and hallucinations, and an enterprise governance layer that attempts to answer the question most organisations have been quietly avoiding – who is accountable when an AI agent changes your production code?
Next-Generation Source Code Management
The centrepiece technical announcement is a rearchitected implementation of the Git protocol based on a distributed model. In traditional CI/CD and AI-assisted workflows, agents clone entire repositories to inspect or modify code. GitLab’s Next-Gen SCM allows agents to query repositories server-side rather than pulling a full clone. The results are substantial: task completion runs 50 times faster, token consumption drops by half, and network traffic falls by a factor of 1,000 compared to full-clone operations.
For organisations running AI-assisted code review, automated refactoring, or security scanning across large monorepos, the practical implication is that operations which previously hit timeout limits or consumed excessive compute become routine. The architecture also reduces the risk of accidental data exfiltration during agent operations, since an agent that never receives a full repository clone cannot inadvertently transmit one.
GitLab Orbit: Context Without Hallucinations
GitLab Orbit, now in public beta, is a context graph that spans the entire software lifecycle. Rather than relying on agents to reconstruct code context from raw file contents, Orbit provides structured relationship data covering issues, merge requests, pipelines, deployments, and dependencies across the organisation’s project history.
GitLab’s internal benchmarks attribute significant quality improvements to Orbit: agents respond 11 times faster, use 4.5 times fewer tokens, and produce 45 times fewer hallucinations compared to context assembled without the graph. The hallucination reduction figure is the one that matters most for production use. Hallucinated code suggestions, test results, or dependency recommendations in an automated pipeline are not merely inconvenient – they represent a potential security or reliability failure waiting to propagate downstream.
Orbit will be accompanied by a community hackathon running from 10 to 24 June, inviting contributors to build agents, workflows, and integrations on top of the context graph and publish them to GitLab’s AI Catalog.
AI Governance Framework: Every Agent Action Gets an Identity
The announcement that carries the most weight for enterprise security and compliance teams is the AI Governance framework, currently in private beta.
The framework assigns an identity, a policy path, and an audit record to every agent action within GitLab. DevSecOps teams gain real-time visibility into agent inputs, the model’s reasoning trace, individual tool calls, and anomalous or high-risk activity patterns across the entire organisation. Approvals can be required before agents perform sensitive operations such as merging code, modifying pipeline configuration, or accessing protected branches.
This matters because the existing governance gap in most AI-assisted development programmes is significant. Teams that have deployed AI coding agents typically know what outputs were produced but lack visibility into what the agent did to produce them. When an incident occurs – a regression, a security finding, a compliance question – reconstructing the decision chain is difficult or impossible without structured audit logs. The GitLab framework addresses this by making the audit trail a first-class output of every agent operation, not an optional log that has to be reconstructed after the fact.
The Governance Problem European Teams Need to Solve Now
European engineering teams working under NIS2 or deploying software into regulated sectors face a concrete problem: the directive’s security and incident management requirements apply to the processes that produce software, not just the software itself. An AI agent with write access to a production codebase, operating without identity, policy controls, and audit trails, is a control gap that national competent authorities will eventually ask about.
GitLab’s governance framework is a meaningful step toward resolving that gap, but it is a platform feature, not a policy. Organisations that deploy it still need to define what policies apply to which agent operations, establish approval workflows that reflect their actual risk tolerance, and integrate agent audit logs into their existing SIEM or log management infrastructure.
They also need to address the transition risk of moving from today’s largely manual pipeline to one where agents are making or recommending a significant share of changes. That transition requires updated change management procedures, access control reviews, and, in many cases, revisions to the operational runbooks that incident response teams rely on.
If your team is evaluating GitLab’s agentic engineering capabilities, planning a pipeline modernisation that incorporates AI agents, or needs help designing governance controls that satisfy NIS2 obligations while preserving development velocity, contact Excello Digital. We work with European engineering organisations to build DevSecOps programmes that hold up under both technical and regulatory scrutiny.
