
Welcome to ASSYST OnPoint xChange, exploring next-generation DevSecOps in GovTech. Eugene Goldlust, speaking with Vinay Shirke, CIO of ASSYST. They are discussing how AI, automation, and innovative platforms such as ASSYST’s Argus are shaping secure software delivery.
Eugene: Vinay, thank you for taking the time to chat. Federal agencies are under pressure to deliver software faster and more securely. To start, what do you see as the future of DevSecOps and secure software delivery in the federal landscape?
Vinay: It’s an exciting time. We’re seeing DevSecOps really take hold across federal organizations. In fact, the Department of War now has several software factories using DevSecOps to push code into production—and they’re already seeing faster deployment cycles, enhanced security, higher software quality, and better outcomes for users. That kind of success is encouraging civilian agencies to follow suit. The future of federal DevSecOps will involve scaling these “software factory” models across departments, breaking down silos, and ingraining security into every step of the software lifecycle. Security isn’t a box to check at the end anymore; it’s becoming a built-in foundation for speed and innovation. As one industry expert put it, modern missions require security that powers velocity rather than slows it down. Agencies can’t afford to trade off speed for security; they need both for mission success.
Eugene: Right, the stakes are incredibly high. A system failure in government isn’t just a business issue; it impacts mission assurance, national security, citizen safety, and public trust. So DevSecOps is about balancing that responsibility with the need to innovate quickly. How are agencies ensuring that balance holds, especially as they adopt new technologies like AI?
Vinay: They’re evolving their mindset. The agencies that succeed treat security and compliance not as roadblocks but as strategic enablers of faster delivery. We see leadership support for DevSecOps by investing in automation and cultural change. For example, some agencies now embed security experts from day one of a project, even starting the ATO (Authority to Operate) at kickoff, so security requirements run in parallel with development. This “compliance-as-code” approach means things like vulnerability scans, configuration checks, and governance policies are automated in the pipeline. It’s continuous monitoring and continuous authorization, rather than big-bang audits at the end. With DevSecOps, compliance and risk management become ongoing activities that strengthen mission assurance while development continues. And importantly, agencies are keeping a human-centered focus. Barbara Morton from the VA said it well: “You can’t automate empathy, so even as we automate processes, we ensure the end-user’s needs and experience stay front and center. That mindset is crucial for public trust.” Quote from Meritalk.com (https://www.meritalk.com/articles/va-official-ai-can-boost-efficiency-but-you-cant-automate-empathy/ )
Eugene: Let’s dive into AI. There’s a lot of buzz around AI transforming software testing and quality assurance. How do you see AI changing the game for federal software QA?
Vinay: AI is a game-changer for testing, no doubt. Traditional testing can be a bottleneck, but AI helps us test smarter and faster. For instance, generative AI can now automatically generate test cases and datasets, even simulating complex user interactions – greatly reducing the manual effort for QA teams. We’re essentially letting AI handle repetitive or highly complex test design work. That means broader test coverage in less time. AI can also detect anomalies and predict high-risk code areas to focus testing where it matters most. And when it comes to security, AI-driven tools in a DevSecOps pipeline can continuously perform real-time code analysis, dependency scanning, and compliance monitoring. The result is higher-quality software delivered more quickly, with fewer security gaps – exactly what NIST has been advocating. In fact, NIST’s DevSecOps guidance notes that using AI in development “improves work efficiency” and yields “higher quality software in a more timely manner”. So, the future of QA will heavily feature AI assistants working alongside human testers.
Eugene: It sounds like AI can supercharge continuous testing. But what about the human element? How do we ensure AI-driven testing still aligns with human-centered design and doesn’t become a black box?
Vinay: Great point. We always pair AI with human oversight and HCD principles. AI can crunch data and suggest tests, but humans still set the testing goals and validate critical scenarios. We ensure that the user experience – including accessibility and usability – is part of the test criteria. Interestingly, AI tools can even assist here: some automation platforms use AI to simulate screen readers or check color contrast, helping catch accessibility issues early. But ultimately, testers and designers review those results to ensure applications are truly user-friendly and equitable. In short, AI handles the heavy lifting and repetitive tasks, while humans focus on empathy, strategy, and creative problem solving. That combination lets us meet HCD goals and mission needs without slowing down.

Eugene: Vinay, ASSYST has been progressively building an AI-enabled test automation platform. For our audience of CIOs and tech leaders, what is the strategic value of this platform? How does Argus help agencies deliver secure software faster or better?
Vinay: Argus is all about accelerating quality at scale. Strategically, it provides an enterprise-wide test automation platform that enables agencies to standardize and expedite testing across multiple teams and projects. Under the hood, it’s cloud-based and highly extensible. That means it can integrate with your existing dev tools, continuous integration (CI/CD) pipelines, and even with enterprise test data or requirements systems. By centralizing automated test scripts in a common repository, Argus promotes reusability; you write a test once and reuse it across many applications. This not only improves efficiency and consistency in testing but also lowers the total cost of ownership for quality assurance.
Eugene: And it’s AI supported, correct? How is AI built into Argus?
Vinay: Yes, that’s a key differentiator. We’ve embedded AI capabilities to make the platform smarter and more proactive. For example, Argus can use AI to analyze user stories or requirements and automatically generate test cases aligned with them. It’s like having a co-pilot for your QA team. The platform’s AI can also prioritize tests based on risk or past defect patterns, and it learns over time. Another aspect is AI-driven visual verification: Argus can visually execute test scripts and verify UI elements, helping catch visual or layout issues that traditional scripts might miss. All this means QA teams can cover more ground in less time, with greater confidence in software quality. Strategically, an AI-enabled Argus shortens release cycles (since testing is no longer a bottleneck) and embeds security and compliance checks into tests by default. In other words, it helps deliver high-quality, federal-compliant software from day one.
Eugene: I like that it aligns with compliance needs automatically – that’s huge for federal programs. So Argus promotes team collaboration, boosts quality and speed, and ensures things like security scanning and even accessibility are baked in. It essentially acts as a quality guardian across the DevSecOps pipeline.
Vinay: Exactly. We sometimes call it a “QA Platform-as-a-Service” for the enterprise. And because it’s cloud-based and modular, it’s easy to adopt for new projects. Teams can onboard quickly, configure it to their tech stack (it’s technology-agnostic for web, API, etc.), and start getting immediate feedback on each build. In the long run, the strategic value is continuous improvement – the more you use Argus, the smarter it gets, and the more your overall software delivery gains a reputation for reliability and trust.
Eugene: Vinay, how is the rise of AI-generated code, including prompt-based development methods like “vibe coding”, impacting testing and quality assurance in federal software delivery?
Vinay: Great question, Eugene. AI-generated code, even “vibe coded” applications, is dramatically accelerating development cycles. But we’ve also heard horror stories of folks deploying vibe-coded apps only to watch them collapse under load or get compromised due to overlooked quality attributes. So, while I’m excited about the productivity gains, I remain cautious. We must apply the same – if not greater – rigor in testing and QA for AI-produced code as we do for human-written code.
Eugene: Vinay, what risks do you see, such as hallucinated logic in AI outputs, and how should we adapt our validation and continuous testing processes?
Vinay: One major risk is hallucinated logic. Generative AI can produce code that looks plausible but is subtly wrong or nonsensical. We’ve seen cases where an AI coding assistant generates functions that don’t compile, uses convoluted algorithms that contradict themselves, or even invents calls to non-existent APIs. If such issues slip through, they can introduce hidden bugs or security vulnerabilities. In a federal context, that’s especially dangerous – flawed AI-generated code might create compliance gaps or security holes that undermine our mission. Validation is key! Every AI-generated snippet needs thorough review and testing. In practice, that means we treat AI-written code like any other code in our DevSecOps pipeline. Teams should continue to submit pull requests and conduct peer code reviews, even if an AI generates the code. We leverage all our QA controls – robust linting and static analysis (SAST) tools in CI, unit, and integration test suites – as a safety net to catch AI’s mistakes. It’s tempting to trust the AI’s confident output, but we must enforce quality gates. A mature DevSecOps pipeline remains essential: every commit (whether AI- or human-driven) triggers automated tests, and code is promoted only after passing all checks. This way, hallucinations or errors are caught early, long before any release.
Eugene: How can AI enabled platforms like Argus help us maintain software quality and compliance in a DevSecOps and HCD-focused environment?
Vinay: We need continuous test adaptation to keep up with AI’s rapid, iterative development style. AI can refactor or generate new code in seconds, so our testing approach has to be just as agile. This is where AI-enabled QA platforms like Argus come into play. A platform uses AI to generate test scripts automatically from plain English requirements or user stories. It eliminates much manual test scripting by allowing even non-programmers to create tests in natural language. More importantly, Argus features self-healing tests that adapt when the application’s UI or logic changes. For example, if an AI-generated update alters an element ID or workflow, the automation can intelligently adjust the test script on the fly. This kind of continuous adaptation means our tests won’t break every time the AI introduces a change – the test suite evolves with the codebase. By ensuring automation is resilient, we drastically reduce maintenance overhead and can keep pace with the high velocity of AI-driven releases. And because Argus integrates seamlessly with our CI/CD pipelines, we’re executing a broad battery of tests on each build (across functionality, API, UI, etc.), enabling continuous testing and early bug detection even as the code rapidly evolves. The result is we catch critical issues sooner and support faster, safer releases.
Critically for software, these AI-driven testing practices help us always maintain quality and compliance standards. Modern QA isn’t just about finding bugs – it’s about ensuring the software and its components (SBOM) meet all security and regulatory requirements from the start. We can embed compliance checks into our automated test suites. For instance, a cloud-based test automation solution can include computerized checks for security controls, privacy rules, and compliance with coding standards, so any AI-generated code is immediately vetted against federal requirements. If AI inadvertently introduces insecure code, our integrated security tests (such as vulnerability scanners and policy-as-code checks) will flag it early. The same goes for accessibility and other regulations: we have tools to automatically validate against Section 508 and WCAG accessibility guidelines, ensuring new features remain inclusive and legally compliant. In fact, by incorporating usability and accessibility testing into the CI/CD workflow (as part of our HCD approach), we uphold human-centered design principles throughout development. That means every iteration of the software is not only secure and functional, but also user-friendly and accessible – all continuously verified. This blend of DevSecOps and HCD ensures that security, usability, and compliance get equal priority early on, rather than being afterthoughts. It builds user trust and makes achieving things like Authority to Operate much smoother, since we’re generating real-time evidence of compliance with each release.

Eugene: Vinay, any guidance for the workforce on the future of AI in QA?
Vinay: Looking forward, I see AI changing the role of our engineers rather than replacing them. Generative coding tools handle grunt work, but the human experts stay in the driver’s seat. Our developers and testers are becoming more like quality governors and product stewards, guiding the AI, setting the right prompts, and then rigorously verifying the outputs against mission needs. As one industry expert noted, coding is “slowly becoming a QA and product definition heavy job,” where the developer’s goal is to understand patterns, master testing methods, and clearly articulate the business objectives for the code. That mindset is exactly what federal CIOs and engineering leaders are adopting. By pairing AI-powered development with AI augmented testing and DevSecOps discipline, we get the best of both worlds: high-velocity delivery and high-assurance software. In sum, prompt-based AI coding can be a game-changer for productivity, but only when we anchor it with strong QA practices, continuous test adaptation, and platforms like Argus to automatically uphold our quality and compliance standards at every step. This approach lets us innovate faster while still “shifting left” on security, quality, and user-centric design, which is ultimately what drives successful federal IT outcomes.

Eugene: Vinay, to wrap up, paint us a vision. How do you see product engineering and testing evolving so that agencies can continuously innovate while still meeting compliance mandates, mission assurance, and human-centered design goals?
Vinay: I see a future where these goals are not in conflict but in harmony. We’re moving toward a model where compliance is continuous and largely automated. Imagine real-time dashboarding of security and compliance posture for every app release, with AI flagging issues instantly. DevSecOps will make “compliance as code” the norm, so meeting regulations is just a natural outcome of the pipeline. That frees up teams to focus on mission functionality. For mission assurance, the key will be building robust feedback loops. In the future, every deployment will include telemetry and user feedback that feed directly into planning. This means products quickly adapt to any issues, ensuring reliability and performance for mission-critical systems. AI will help here too, predicting potential failure points or performance bottlenecks before they impact the mission.
On the innovation side, I envision fusion teams of developers, security, ops, and UX designers working together from the start (a true DevSecOps/DevSecDesignOps culture). They’ll use platforms like our Argus and Green Accelerator, so they’re not bogged down by manual tasks or siloed tools. With those mundane parts automated, the teams can spend more time on creative solutions and user-centered improvements. And HCD remains front and center: we’ll continue testing with real users, incorporate accessibility, and design for the human experience. DevSecOps complements this by encouraging iterative development and frequent user feedback – as we saw in agencies that emphasize a human-centered approach in their DevSecOps practices.
Ultimately, I think the vision is of software factories that continuously innovate engines – producing updates that are secure, compliant, and user-friendly by default. When security and compliance become built-in quality attributes rather than afterthoughts, you get faster innovation with greater trust. Federal programs can then deliver on their missions with agility and earn the public’s confidence. The technology (AI, automation, platforms) is enabling this, but it’s the cultural shift, embracing DevSecOps and human-centered thinking, that will truly make continuous innovation possible.
Eugene: Well said. It’s a future where speed, security, and empathy go hand in hand. This has been a thoughtful discussion – thank you, Vinay, for sharing your insights. I’m sure our readers gained a valuable perspective on leveraging AI and DevSecOps to meet the public sector’s unique needs.