Security Experience Decision Framework
An alignment tool for routing capabilities and feature decisions into the right experience layer. Use this in working sessions to answer: where does this belong, and why?
How to use this document
How the categories relate
Policies and Orchestration are both platform-enforced but differ on whether the outcome is predetermined (rule-based) or context-dependent. One-off Duo sits alone as the only user-initiated, non-repeatable category.
AI Configuration and One-off Duo Interactions are cross-cutting — they appear within phases rather than as phases themselves.
Configure Scanners
Set up the scanners you need, where you need them. The core goal of scan configuration is coverage — defining which scanners run, on which projects and branches, and under what conditions. AI-based approaches to coverage (like AI SAST) belong here when they help users achieve coverage and require transparency into inputs and outputs. Agentic data collectors that don't serve coverage belong in a broader AI Configuration experience, outside of scan profiles.
Answer these questions to find the right layer for your feature:
Is this feature about what gets scanned — or what happens to findings?
Is this feature about scanner coverage — or agentic data collection?
Triage
Cut through the noise and act on what matters. Define how findings are evaluated and prioritized — through consistent enforcement rules, agent-enriched signals, or a combination of both.
Answer these questions to find the right layer for your feature:
Are AI-enriched signals informing this triage decision?
Does this feature need to enforce a consistent rule across all findings of this type?
Does the triage decision require context from multiple sources or agents?
Remediate
Drive consistent, auditable outcomes via enforcement rules or orchestration flows. When a pattern repeats, consider promoting it from flow to policy.
Answer these questions to find the right layer for your feature:
Does this outcome need to be consistent, traceable, and rule-based?
Is the outcome complex, multi-step, or context-dependent?
Govern
Define enforcement, accountability, and change control. Governance outcomes require consistency, traceability, and determinism — making Policy the right layer for most features in this phase. Exceptions: features that require multi-agent reasoning before an outcome is determined, or human-in-the-loop approval flows that produce recommendations rather than direct enforcement.
Answer these questions to find the right layer for your feature:
Is this outcome focused on enforcement or approval gates?
Does this capability require full audit history or change tracking?
Does this agentic outcome require human review before it takes effect?
Orchestration flows are designed for contextual, multi-step decisions. But over time, some flows stabilize — they run on the same inputs and produce the same outputs every time. At that point they've become de facto policies implemented in the wrong layer.
Some features aren't purely one thing. A common pattern: Orchestration surfaces a recommendation, and Policy enforces the outcome. These aren't competing — orchestration can inform what policy gets written, and policy can trigger orchestration.
Some decisions require complex multi-signal reasoning to arrive at a conclusion — but once arrived at, the conclusion is enforced the same way every time. This is the Policy/Orchestration seam, and it's the most common point of confusion.
Both involve agents. The distinction is about inputs vs. actions: AI Configuration defines what data is available to agents (context, enrichment sources, signal inputs). Agentic Orchestration defines what agents do with that data (actions, workflows, multi-step decisions).
There's a meaningful difference between defining what a profile contains and requiring that a profile be applied. These are separate concerns and should be designed separately.
- Scan profiles are about coverage, not Triage or Remediation outcomes — A scan profile defines what to scan, how broadly, and with what context. It shouldn't define what happens to the output. Outputs flow to Policy (enforcement) or Orchestration (contextual).
- Data collection agents that don't serve coverage belong in AI Configuration — FP analysis and SDLC context agents enrich policy signals but don't help users get coverage. Their configuration belongs in a platform-wide AI Configuration experience, not in scan profiles alongside scanners.
- Enforcing the use of profiles is a Policy concern, not a scan config concern — Requiring that a profile be applied to a project or pipeline is an enforcement rule — it belongs in Policy. Scan config defines what the profile contains; Policy defines whether and where its use is required.
- Security agents are managed in AI Configuration and Agentic Orchestration — not in scan setup — Data collection agents (like FP Agent) live in AI Configuration. Agents that take action or drive workflows (like the SDLC Agent) live in Agentic Orchestration. Neither is configured as part of scan profiles.
- Policies are enforcement rules, not just consistent functions — A policy is a Trigger + Rule + Action: same input → same output, every time. But what makes something a policy isn't just consistency — it's that it defines what must or must not happen. This applies beyond Security: branch protection, merge requirements, and approval gates are all policy-layer constructs.
- Agentic orchestration is for complex, multi-signal outcomes — When you need to combine context from multiple agents, chain actions across steps, or solve a cross-cutting problem, use agentic orchestration. Security is one use case — this layer extends platform-wide.
- Auditability favors policy — Policy-based actions produce consistent, traceable logs. Agentic orchestration reduces auditability. If a flow pattern repeats and auditability is becoming a concern, consider promoting it to policy.
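As an added illustration that is not part of the original framework or any GitLab code, the following Python sketch models the two ideas above: a Policy as Trigger + Rule + Action that maps the same input to the same output and records every decision, and a check over recorded orchestration runs that flags a flow whose outputs have stabilized into a de facto policy. The event fields, policy name and flow run records are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Policy:
    """Trigger + Rule + Action. Assumed field names; not a GitLab schema."""
    name: str
    trigger: str                         # event type that initiates evaluation
    rule: Callable[[Dict[str, Any]], bool]  # pure condition over the event payload
    action: str                          # what must happen when the rule holds

    def evaluate(self, event: Dict[str, Any], audit: List[Dict[str, Any]]) -> Optional[str]:
        """Deterministic: same event -> same decision, and each evaluation is logged."""
        if event["type"] != self.trigger:
            return None                  # trigger did not fire; nothing to audit
        fired = self.rule(event)
        audit.append({"policy": self.name, "event": event["id"], "fired": fired,
                      "action": self.action if fired else None})
        return self.action if fired else None

def is_de_facto_policy(runs: List[Dict[str, Any]]) -> bool:
    """True when every recorded run mapped identical inputs to identical outputs.
    Such a flow no longer depends on context and is a candidate for promotion
    from Orchestration to Policy."""
    seen: Dict[Tuple, Any] = {}
    for run in runs:
        key = tuple(sorted(run["inputs"].items()))
        if seen.setdefault(key, run["output"]) != run["output"]:
            return False                 # same inputs, different outcome: still contextual
    return True

# Constructed sample policy and flow history (not real platform data).
BLOCK_CRITICAL = Policy(
    name="require-approval-critical-default-branch",
    trigger="scan_completed",
    rule=lambda e: e["severity"] == "critical" and e["branch"] == "main",
    action="require_approval",
)

FLOW_RUNS = [
    {"inputs": {"severity": "high", "fp_likelihood": "low", "deployed": True}, "output": "create_issue"},
    {"inputs": {"severity": "high", "fp_likelihood": "low", "deployed": True}, "output": "create_issue"},
    {"inputs": {"severity": "low", "fp_likelihood": "high", "deployed": False}, "output": "dismiss"},
]
```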
- Agentic data collector: An AI agent whose primary role is gathering and enriching signals (e.g. FP likelihood, SDLC context) rather than taking action. These are configured in AI Configuration, not scan profiles.
- AI Configuration: The platform-wide experience for configuring which data and context agentic systems can access. Covers enrichment sources, signal inputs, and agent data permissions. Not Security-specific.
- Agentic Orchestration: A named, repeatable multi-step workflow executed by agents, combining context from multiple sources to drive decisions or actions that a single policy rule can't express.
- FP analysis / FP Agent: False positive analysis. The FP Agent enriches findings with likelihood signals that inform whether a finding is a true positive. It is a data collection agent, configured in AI Configuration.
- One-off Duo Interaction: A single, user-initiated Duo prompt or interaction. Not designed to scale or repeat. Useful for exploration, ad hoc analysis, or generating suggestions that a human then acts on.
- Policy: A normative enforcement rule with the structure Trigger + Rule + Action. Policies define what must or must not happen, consistently, across every project and team. Full audit trail by design.
- Scan Profiles: Configuration that defines which scanners run, on which projects and branches, and under what conditions. Governs coverage inputs only, not what happens to findings after a scan completes.
- SDLC context / SDLC Agent: Software Development Lifecycle context: signals about pipeline state, deployment risk, code quality, team ownership, and branch activity. The SDLC Agent collects and surfaces this context for use in triage and remediation decisions.
- SPP (Scan Policy Project): The GitLab project used to store and manage security policies. Enforcing that a group or project must use an SPP is a Policy concern; the contents of the policies within the SPP are Scan Profile or Policy concerns depending on their scope.
- Trigger + Rule + Action: The canonical structure for a policy. Trigger: what event initiates the policy. Rule: the condition evaluated. Action: what happens when the condition is met. If a feature can't be expressed in this form, it likely belongs in Orchestration.