Select Page

Gopal Dommety

|
February 11, 2026
originally published on Feb 11, 2026
Share

Software teams are about to re-learn an old lesson: having data is not the same as having context.

Your repos, CI/CD tools, ticketing systems, observability stack, and security scanners already produce an ocean of data. Yet in the moments that matter—an incident, a risky release, a compliance audit, a “why did we do this?” postmortem—we still rely on tribal knowledge and archaeology across Slack threads, Jira tickets, meeting notes, and a few people’s memories.

The current wave of tool-using AI agents makes this gap painfully obvious. Agents can call APIs and summarize logs, but they struggle with long-running, cross-system work unless they can access how your organization actually operates—its workflows, exceptions, precedents, approvals, and the real meaning of states like “done” or “safe to ship.”

Recently, the phrase “context graphs” has moved from niche to mainstream. One catalyst was Ashu Garg’s (with Jaya Gupta) blog, which sparked a wave of discussion around the realization  that the next enterprise advantage won’t come from adding AI to existing systems of record—it comes from capturing the decision traces that make actions explainable and repeatable. In a follow-up, Ashu emphasizes how central decision traces are to making agentic systems accountable.

That framing lands hard in software delivery because the “why” behind fixes and approvals almost never lives in one place. It’s scattered across Slack, Jira, PR comments, incident notes, and postmortems—exactly where AI agents struggle unless we make context durable.

That’s where Code-to-Cloud Context Graphs come in.

What is a Code-to-Cloud Context Graph?

A code-to-cloud context graph is a living, permission-aware model that connects:

  • Enterprise + delivery entities (people, services, repos, documents, tickets, systems)
  • with temporal traces of actions and events between them
  • and decision traces that explain why outcomes happened (exceptions, overrides, approvals, precedents)

This is the key distinction:

  • Traditional systems record what happened (final states, outcomes).
  • Code-to-cloud context graphs capture why it happened (reasoning, policy evaluation, exceptions, precedent).

As a product framing: a code-to-cloud context graph is institutional memory made queryable—not the “process doc” version, but the messy reality of how work gets done across code, delivery, and runtime.

Why code-to-cloud context graphs are needed now

1) Agents changed the interface to work

Agents are cross-system and action-oriented. As they become the “front door” to engineering and operations, the UX of work starts to detach from the underlying tools. Something canonical has to exist underneath the agent—otherwise the agent is guessing.

2) Governance alone doesn’t solve ambiguity

Even when agents can access systems of record, they hit judgment calls: exceptions, overrides, side-channel approvals, and precedent. These are decision traces, and you can’t reliably reconstruct them later. If you want safe automation, decision traces must be captured in the execution path.

3) The real work is not in the system of record

Systems capture outcomes, but the real work happens in the glue: Slack, email, docs, tickets, meetings, and PR comments. Without a structured view of how work actually happens, AI can’t automate reliably.

Code-to-cloud context graphs for software delivery: what changes vs a generic enterprise graph

A generic enterprise graph might connect people, documents, and teams. A code-to-cloud context graph must model delivery reality end-to-end.

Core entities

  • SDLC: repo, branch, PR, commit, build, test, artifact, image, SBOM, attestation
  • Runtime: environment, cluster, namespace, deployment, config change, feature flag
  • Risk: policy, control, finding/vulnerability, exception, compensating control
  • Ops: alert, incident, runbook, on-call, change window, postmortem

Core traces

  • “merged → built → signed → deployed → rolled back”
  • “policy evaluated → exception granted → compensating control applied”
  • “incident opened → mitigated → postmortem published → guardrail updated”

This is what turns a graph from “documentation of objects” into a model of operations.

Code-to-cloud context graphs for AI: what’s different?

If you’re building AI-enabled software or agentic workflows, the graph must also capture what agents did and why actions were allowed.

Agent + AI traces

  • Prompt + tool traces: what the agent saw, what tools it called, what it proposed
  • Policy constraints at decision time: what was allowed vs blocked, and why
  • Human verification: who approved the plan, what evidence was considered
  • Outcome feedback: did the change reduce incidents? did it pass audit? did risk decrease?

Enterprise AI isn’t just “answer questions.” It’s make changes safely. The moment an agent can trigger actions (deploy, disable, patch, remediate), you need a durable, queryable explanation trail.

The new thing with AI: capturing tribal knowledge as decision traces

Many organizations already know that something was fixed: a rollback happened, a hotfix PR was merged, a policy exception was granted.

But the most valuable part is usually missing:

  • Why was that fix chosen?
  • What evidence and constraints were considered at the time?
  • What alternatives were rejected?
  • Under what conditions does the same fix apply again?

That “why” lives in Slack threads, Jira tickets, postmortems, PR comments, and incident notes.

AI changes the game by extracting the decision context from that unstructured glue and converting it into structured Decision Trace objects attached to the code-to-cloud chain.

A short note like:

“Rolled back because latency spike came from DB connection pool exhaustion after traffic doubled; quick fix was to increase pool + revert feature flag until indexing completed.”

becomes queryable and reusable. Next time you see the symptom, a human or agent can ask:

  • “Is this the same failure mode as last time?”
  • “Does the same fix apply, or is there new complexity (different dependency, different load pattern, different policy constraints)?”

This is how the code-to-cloud context graph becomes a living memory—not just an inventory.

Practical problems this graph solves for software and AI

A code-to-cloud context graph isn’t a nice-to-have. It directly reduces recurring operational pain.

1) Incident triage becomes war-room-proof

Instead of jumping across tools and memories, you can query:

  • What changed in the last 60 minutes for this service/environment?
  • Was there a deploy/config/flag change right before the incident?
  • What’s the blast radius across dependencies?

2) Runtime failure triage becomes faster and more accurate

Not every incident is a change. Sometimes it’s load, infra, or a dependency failure. A code-to-cloud context graph helps answer:

  • Did traffic spike or saturation increase (CPU/mem/GC/queue depth)?
  • Did a DB, cache, or load balancer degrade?
  • Are node pressures, cert expiries, or network errors involved?
  • By linking runtime logs/metrics with service topology and ownership, you get to the failure domain faster.

3) Risk prioritization becomes reality-based

Most security tools produce findings, not risk in context. The graph answers:

  • Is this vulnerability in a running prod workload or a stale image?
  • Is it internet-reachable or internal?
  • Does it touch regulated data or a crown-jewel service?
  • Are compensating controls or exceptions in place?

4) Compliance evidence becomes continuous

Audits require lineage:

  • Which controls applied to this release?
  • What evidence exists from code → build attestation → deploy record → runtime config?
  • Which exceptions were approved, by whom, and when do they expire?

5) Safe remediation and automation becomes possible

Automation requires contextual trust:

  • auto-remediate only in dev/low-criticality systems
  • require approvals for regulated environments
  • block during freeze windows
  • prefer rollback actions when error rates spike

The graph supplies facts + decision traces to enforce guardrails and keep an audit trail.

6) Long-running workflows become automatable

Many enterprise workflows span weeks or months: incident follow-ups, exception tracking, remediation programs. The graph provides durable memory so agents can execute multi-step processes without losing the thread.

7) AI coding agents become more reliable and less risky

AI coding agents often fail in enterprises because they lack context about the real system: ownership, policies, deployment constraints, and what “safe” means in production. A code-to-cloud context graph gives agents the missing guardrails and grounding:

  • Correct scope: which repo/service/environment is actually affected
  • Correct constraints: required tests, approvals, dependency policies, change windows
  • Correct fix pattern: PR-based patch vs config change vs compensating control
  • Lower risk: fewer hallucinated changes, fewer “technically correct but unsafe” fixes, plus an auditable “why”

What a code-to-cloud context graph enables (the “so what”)

1) “What changed?” becomes instant and accurate

  • What changed recently for this service/env?
  • Was there a deploy/config/flag change before the incident?
  • What is the dependency blast radius?

2) “Why did we do this?” becomes auditable

  • Which exception allowed this policy violation?
  • Who approved it, based on what precedent?
  • What compensating controls exist, and when do they expire?

3) Agents can complete long-running workflows reliably

The graph provides process memory plus decision traces—so agents can safely execute workflows spanning multiple tools and weeks of activity.

Summary

Code-to-cloud context graphs are emerging because AI agents are becoming the interface to work, and agents need more than raw data—they need operational truth plus decision history.

A code-to-cloud context graph connects:

  • entities (code, pipelines, runtime, policies, incidents),
  • relationships (lineage and dependencies),
  • and traces (actions, approvals, exceptions, outcomes),

so teams can:

  • diagnose incidents faster,
  • prioritize risk based on real impact,
  • maintain continuous compliance evidence,
  • and safely automate remediation with contextual guardrails.

In short: a code-to-cloud context graph turns scattered SDLC signals into a trustworthy, queryable memory for both humans and AI.

FAQ

What’s the difference between a knowledge graph and a code-to-cloud context graph?

A knowledge graph models entities and relationships. A code-to-cloud context graph adds time-indexed action traces and decision history across SDLC and runtime, which is essential for audits, governance, and safe automation.

Do you need to integrate every tool to build a code-to-cloud context graph?

No. Start with Git + CI/CD + runtime. Add incidents and one risk/policy source next. Expand into SBOM/attestations, feature flags, IAM, and deeper dependency modeling over time.

Why do AI agents need a code-to-cloud context graph?

Because agents must operate across tools and take actions safely. The graph provides reliable context, constraints, and auditability so agents don’t guess or overreach.

Tags : security

Gopal Dommety

Gopal Dommety, Ph.D. is the Chief Executive Officer of OpsMx, a company advancing the automation and security of software delivery for the modern enterprise. Under his leadership, OpsMx is redefining how organizations build, secure, and release software, enabling developers to deliver innovation with speed, safety, and confidence. A technologist and inventor, Dr. Dommety holds over 70 patents and is the principal author of several Internet Protocols (RFCs) that power today’s global networking infrastructure. His work has shaped critical areas of large-scale distributed systems, algorithmic design, and secure automation. He has also authored more than 20 peer-reviewed papers, book chapters, and journal publications, and previously led the Mind-Map Project, an AI research initiative focused on modeling behavioral and personality traits from user-generated data. Before founding OpsMx, he was a General Partner at Neem Capital, a technology-focused investment firm, and held senior leadership roles in product management, research, and engineering at major technology companies and startups. Rooted in humble beginnings from a remote village in India, Gopal’’s career is guided by the principles of simplicity, first-principles thinking, and purpose-driven innovation—values that continue to shape his vision for building secure, intelligent, and resilient technology systems that move the world forward.

Questions? Email Gopal Email Icon

0 Comments

Submit a Comment

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

You May Like

How OpsMx Builds a Context Graph

February 13, 2026
Share

EU Cyber Resilience Act (CRA) readiness: how OpsMx helps every stakeholder prepare for Cyber Resilience Act compliance

February 9, 2026
Share

Keeping the Vibe Alive: Why Traditional Security is the Unsung Hero of AI Coding

January 22, 2026
Share

On-Demand Webinar

Managing Open Source Security Risk

Managing Open Source Security Risk – Developers and AppSec Working Together

Watch Now

Relevant Posts

On-Demand Webinar

Building Comprehensive, Cost Effective AppSec with Open Source Security Tools

Watch Now

Ship Secure Faster

Talk to an Expert