Designing AI-powered features means constantly negotiating the line between automation and human agency. Good AI UX is about letting users build trust and confidence in the AI as their organizations move up in AI maturity, and enabling HITL (human-in-the-loop) where needed. As AI handles more decisions, designers become responsible for the guardrails. Across these projects, I've focused on governance, auditability, and giving users meaningful control over what AI does on their behalf. Most AI design conversations focus on what AI can do. I'm more interested in what it should do, and who gets to decide. The projects here explore that question through security workflows, where the stakes of getting that balance wrong are unusually high.
1. AI controls workshop (2026)
Designing for and with AI is like putting our design process on steroids, and then on fast-forward. True, we can all spin up ideas and clickable prototypes a LOT faster than before. But our job as designers, designing with intentionality, still matters.
That’s one of the reasons I took time to conduct an exercise with my team on AI controls across the Secure section. It carved out time and space to ask questions like:
Where are we most comfortable giving AI full autonomy? Where should decisions be made strictly by humans? And where is human-AI partnership the best option?
Then, considering our features - current and upcoming - from a CRUD perspective (create, read, update, delete):
Where are we comfortable defaulting to read only? To write or execute?
There is a natural review process built into CI/CD in GitLab at the Merge Request level. Most of our customers seem to be at a place with their AI maturity that they’re comfortable with AI proposing vulnerability remediations in merge requests, but want a security human to review and make the final decision. In some circumstances, they want to prioritize quality over speed, and in others, speed over quality (if other security mitigations are in place).
This exercise, which involved collaboration from Product, Application Security (“customer zero”), and Engineering, challenged assumptions and brought about engaging conversations about our AI roadmap goals. The result was team engagement, a place to have everyone’s voice heard, and internal alignment.
2. Project Aura (2025 & 2026)
Project Aura is GitLab’s design exploration for the Autonomous Software Factory: a future where agents handle execution and humans set intent, make consequential decisions, and govern what gets built. In the near term, Aura work is about vision-setting and pressure-testing interaction patterns across the SDLC, rather than about implementation.
For the Secure UX team, the initial exploration wasn’t to jump into polished screens. The team’s early focus was to orient around where Aura intersects with security workflows, then build a strong point of view around personas, workflows, and user needs before going deep on UI, with emphasis on validating needs with Customer 0 and understanding how AI changes Sec and broader SDLC workflows across different maturity levels.
The main Sec exploration areas were:
Security posture / remediation orchestration — making AI-surfaced findings actionable, improving prioritization, and exploring an AI-native remediation review queue.
AI governance — defining what agents are allowed to do, how chain of custody and auditability work, and how governance feels like deliberate configuration rather than compliance overhead.
Authentication / authorization — clarifying agent identity, permission scoping, attribution, and least-privilege controls across chat, flows, triggers, and artifacts.
A key framing for Sec was to err on the conservative side: don’t automate humans out of the loop too early. Early Aura exploration assumed HITL (human in the loop) matters for trust, safety, auditability, and regulated customers, especially in remediation and governance flows.
On AI maturity, the broader Aura direction is to design primarily for Level 4, while still making the experience work for Levels 0–4 because customers will adopt at different speeds; Level 5 is intentionally out of scope.
AI maturity levels reference: The Five Levels: from Spicy Autocomplete to the Software Factory
After writing user stories for each persona (Builder, AppSec Engineer, and AI agent) and creating user flows, I jumped into a design prototype using Visual Studio Code with the Claude Code integration in order to get early feedback from engineering on an idea I had: a centralized place for the Builder (formerly Software Developer) to review the remediation proposals generated by AI.
3. AI user flow - Beta (2026)
The Security Insights PM had detailed requirements and a defined scope for each version release of our new SDLC agent, but engineering, product, and Customer Success Managers all seemed to be on different pages. I created this visual and shared it during a team sync, which allowed everyone to ask questions and get aligned on the Beta scope. I find these kinds of visuals clarify expectations for internal teams and properly set customer expectations for each release and its corresponding milestone.
4. AI feature development: “Explain this Vulnerability” (2024)
OVERVIEW
In late 2024, the team at GitLab introduced GitLab Duo, a complete suite of AI capabilities to power DevSecOps workflows. GitLab Duo's AI features enable our users to write secure code faster, and to enhance productivity by providing helpful explanations and insights into the code. One example of this manifests in harnessing the power of AI to prevent security breaches. The first release of my team’s Explain this Vulnerability feature leveraged an LLM powered by Google AI to assist in securing applications by:
Summarizing detected vulnerabilities
Helping developers and security analysts understand the vulnerability and its implications
Showing how a vulnerability can be exploited with detailed example code
Providing in-depth solutions to the vulnerability
Providing suggested mitigation along with sample code tuned toward your project's programming language
ABOUT THE PROJECT
Quite literally overnight, an executive decision was made that our product needed to start incorporating AI functionality; not in a few months, but ASAP. The existing UX roadmap I created with my PM would have to be balanced with iterative releases of this AI feature at increasing levels of maturity, starting with Experiment, then Beta, and finally GA.
While I learned what capabilities this AI provided and how we could translate that into a UI, I was simultaneously syncing with eight other designers who were rushing to release AI features for their own categories. Our existing design system didn’t have any AI-specific patterns or components, so the designers and I met every week and, in GitLab fashion, collaborated asynchronously every day in between, to make sure we were introducing these features quickly but without sacrificing product consistency or quality.
PROJECT HIGHLIGHTS
The Senior Product Manager I work very closely with awarded me a discretionary bonus, based on the values of collaboration, results, efficiency, and transparency, for the quick turnaround of the AI feature “Explain this vulnerability”.
We were able to deliver an MVC (Explain this vulnerability - Experiment) within one milestone, and Explain this vulnerability - Beta within another two. Our GA will be released after I complete another round of solution validation, this time with external customers (required for GA).
Of course, the evolution of LLMs brings many opportunities for us to expand upon our AI features, but only if we can also ensure that the quality of the responses and solutions stays above our success criteria (>85% accuracy and <5% incorrect or misleading responses).
WHO
Senior Product Manager, the Threat Insights engineering team (backend/frontend/fullstack), internal vulnerability research team (for prompt testing/QA), Senior Technical Writer, other designers working simultaneously on other AI features for GitLab (for feedback and collaboration), and myself (Senior Product Designer for Threat Insights, responsible for research and designs for the “Explain this vulnerability” feature).
WHEN
March 2023 - ongoing
THE PROCESS
ASSETS
I. Design: Explain this vulnerability (Experiment)
After a group-level admin manually switches on the AI and ML toggles under “Settings”, the blue info-alert announces the AI feature on any SAST vulnerability. I included a link to a feedback issue in the alert so we could collect early feedback (positive or negative) about the feature, and used a drawer component to populate the AI results. A drawer, as opposed to a modal, allows the users to still view information about the vulnerability on the left of the page for cross-referencing. I’m currently in the process of doing research to see if it would be valuable to collapse or resize the drawer, in case it’s hiding any critical vulnerability info behind it. Note: This is a test project and a test vulnerability, in order to keep GitLab data secure.
II. Heuristic Evaluation (required for Beta)
Using our own GitLab heuristics (largely inspired by Nielsen/Norman), I evaluated the “Explain this vulnerability - Beta” designs before they were implemented in Production. A passing grade of “C” was required in order to mature to Beta, and the original score came out to be a “C”. After reviewing with my team and urging my PM and Technical Writer to, at the least, make some improvements to our documentation, we were able to improve the scores to an average of “B” before its Beta release.
III. Explain this vulnerability (Beta) - designs
A few differences to note from the “Experiment” to the “Beta” design here:
1) A pre-flight check (security scan) looks for hard-coded passwords and warns the user before this sensitive information is sent to the AI. It can be overly cautious and report false positives, so we wanted to allow the user to review the code and proceed if it is clear of passwords.
2) The user can also now preview the prompt we’re sending to the AI, and decide whether or not to include the source code the vulnerability was detected in. If they are not comfortable sending the code, they can remove it, and a more general explanation of that vulnerability type will be generated instead.
3) The AI designers and I decided to associate our AI features with purple, which is used in our marketing design library but not our product design library, to establish a cognitive shortcut and a visible relationship between all AI features across the product. Hence, the “Explain vulnerability” button is now purple and features our new GitLab AI icon (courtesy of a designer on the Foundations team).
4) A feedback collection mechanism now appears at the bottom of the AI results in the drawer, to collect feedback and ensure a minimum standard of quality.
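As an added example (not GitLab’s code), the pre-flight gate and prompt composition described in points 1 and 2 can be modelled like this: the scan flags lines that look like hard-coded credentials, the user can review and proceed anyway, and dropping the source code falls back to a general explanation of the vulnerability type. The regex patterns, function names and sample snippet are constructed assumptions for illustration.

```python
import re
from typing import Dict, List, Optional

# Constructed, illustrative patterns; a real scanner would use a maintained ruleset.
SECRET_PATTERNS = {
    "password assignment": re.compile(r"(?i)(password|passwd|pwd)\s*[:=]\s*['\"][^'\"]{4,}['\"]"),
    "api key assignment": re.compile(r"(?i)(api[_-]?key|secret|token)\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}

# Constructed sample snippet: one hard-coded password and the vulnerable query line.
SAMPLE_SOURCE = """import os
db_password = "hunter2hunter2"
query = "SELECT * FROM users WHERE name = '" + name + "'"
"""


def preflight_check(source: str) -> List[Dict]:
    """Return one finding per line that looks like a hard-coded credential."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for label, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append({"line": lineno, "kind": label, "text": line.strip()})
    return findings


def build_prompt(vuln_type: str, language: str, source: Optional[str],
                 user_reviewed: bool = False) -> Dict:
    """Compose what would be sent to the LLM, or block the request.

    - source present, findings, and no user review -> blocked, nothing is sent
    - source removed by the user -> general explanation of the vulnerability type only
    - otherwise the snippet is included in the prompt
    """
    if source is None:
        prompt = (f"Explain the {vuln_type} vulnerability class in {language} "
                  f"and suggest general mitigations. No project code is provided.")
        return {"status": "general", "findings": [], "prompt": prompt}
    findings = preflight_check(source)
    if findings and not user_reviewed:
        return {"status": "blocked", "findings": findings, "prompt": None}
    prompt = (f"Explain this {vuln_type} vulnerability in the {language} code below, "
              f"its impact, and how to fix it.\n\n```{language}\n{source}\n```")
    return {"status": "ok", "findings": findings, "prompt": prompt}


if __name__ == "__main__":
    print(build_prompt("SQL injection", "python", SAMPLE_SOURCE)["status"])            # blocked
    print(build_prompt("SQL injection", "python", SAMPLE_SOURCE, True)["status"])      # ok
    print(build_prompt("SQL injection", "python", None)["status"])                     # general
```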
IV. USER RESEARCH INSIGHTS (PROBLEM & SOLUTION VALIDATION)
I recorded a walkthrough video of my research insights and included a couple of highlight reels of customers talking, because there’s something compelling about hearing it directly from the user’s mouth, and it helps to create empathy for our end users. However, because participant information must stay confidential and internal to GitLab team members, I’ve created a written report that can be shared publicly (and hides the identities of participants and their companies).
V. Explain this vulnerability (GA) - WIREFRAMES
What I’ve learned so far
I’ve been working off UX Roadmaps for the past 2 years and have, for the most part, been aware of which projects are in the pipeline, their scope, and what milestone they need to be completed by. This project, however, came out of virtually nowhere, and I’m proud of how the team and I have pivoted and come together to accomplish a lot in a short amount of time, and how quickly we keep learning about the many opportunities that AI presents. This project proved that I can be resourceful while working under tight deadlines.
AI will constantly be evolving, so it’s important to stay on top of the latest developments, and never really call this feature “complete”. Similarly, we have to continuously monitor the quality of the AI results we’re getting and how we can continue to improve the results by evaluating different models, testing prompts, and keeping the standard of UX extremely high through consistent qual and quant testing.