Vibe, then structured, then agentic. Detailed prompts become tests, tests become evals with rubrics, evals become specs and CI gates. Each rung moves "is this right?" out of your head and into something that checks itself.
In 2026 the disciplined end of that dial has a name: spec-driven development. You have earned a genuinely better output.
More agentic is not more better — and more governed is not more better either. Match both axes to the stakes: a weekend prototype stays vibe-coded and ungoverned; state-changing or money-moving work earns the full climb. Governance has a real cost, so spend it where the blast radius is.
The build days hand you the config where governance lives — but filling it in is not the same as being governed. That climb, L1→L3, is the other axis.
Each of the next five days sits on both axes. Read every one through all three lenses.
# AGENTS.md — deploy-bot owner: adnan@team.dev # a named human is accountable (Identity) model: claude-opus-4 permissions: # least privilege as a hard ceiling (Validation) allow: [ repo:read, ci:trigger ] deny: [ prod:write, secrets:read ] hooks: pre_tool_use: ./hooks/validate.sh # check every call before it runs (Validation) post_tool_use: ./hooks/log.sh # stream action + reasoning (Evidence) runtime: require_approval: [ deploy, refund, delete ] # human gate (Runtime control) observable: true # every step to the audit log
IBM Cost of a Data Breach 2025: 63% of breached organisations had no AI governance policy, and 97% of breached-AI orgs lacked proper access controls. Shadow-AI breaches cost roughly $670K more.