Velocity vs Capacity; Agentic AI & Cybersecurity; AI Mandates Drive Devs Crazy; Good Management
Issue #47 Bytes
š± Dive into Learning-Rich Sundays with groCTO ā¤µļø
Agile Velocity vs. Capacity
Ever feel like your Agile team is promising the moon but only delivers a pebble? You're probably mixing up velocity (what you actually get done) with capacity (all the hours you have). This blog is your friendly guide to untangling these two. Learn the difference, dodge planning disasters, and finally get a grip on realistic sprints. Plus, a sneak peek at how AI can be your Agile superhero! Intrigued?
Let's get human about Agile.
Article of the Week ā
āThe āSā in MCP Stands for Securityā āElena Cross
Agentic AI Threats and Mitigations
Thereās a funny meme running wild on social media with regards to AI Augmented Coding: āThe S in MCP stands for Security.ā Chris Hughes is breaking down the Feb 2025 OWASP report on AI Threats originating from Agentic usage, prominently with coding augmentation and MCP-fueled conversations that involve direct access to key infrastructure.
What Is Agentic AI?
Agentic AI refers to systems that can act on your behalf.
Examples:
AutoGPT-like systems that take action
Agents that interact with your APIs, databases, or browsers
AI tools with access to CI/CD pipelines, ticketing systems, or cloud infra
We covered MCPās in a previous issue.
Agentic AI is powerful but risky. If you treat it like a passive tool, youāre setting yourself up for failure. Think of it as an autonomous coworker and give it the same scrutiny, oversight, and accountability.
Main Threats
Prompt Injection
Agents can be tricked into unsafe behavior through manipulated input.
Example: malicious instructions hidden in user docs or webpages.
Over-permissioned Agents
Many agents inherit full user permissions. This means they can access sensitive systems and data without proper controls.
Lack of Visibility
Agent behavior is often poorly logged and monitored. You canāt secure what you canāt see.
Shadow Agents
Agents can be created and run without organizational approval or oversight. Think: Shadow IT, but autonomous and fast-moving.
What You Should Do
Constrain Agent Permissions
Limit what agents can do and access. Give them scoped identities and not full user accounts.
Harden Inputs
Sanitize all incoming content and prompt data. Avoid dynamic or user-generated sources unless vetted.
Log Everything
Track every action an agent takes. Log its API calls, tools used, and system access.
Set Boundaries
Apply rate limits, sandboxing, and kill switches. You need a way to pause or stop rogue behavior immediately.
Design for Explainability
If an agent does something unexpected, you should be able to trace why it happened and what triggered it.
š¢ Surviving AI?- Stephan's Got Your Back!
AI Disruption Got You Reeling?
Stephan Schmidt, the legendary CTO coach, has launched "Survive AI"! This amazing newsletter is your essential guide to navigating the torrents of the great AI disruption, offering sharp insights and practical, actionable strategies. Known for his brilliant CTO coaching & engineering leadership thoughts, Stephan will equip you to not just survive, but truly thrive in this rapidly evolving landscape.
Stop feeling overwhelmed and start confidently navigating the AI future ā Subscribe to "Survive AIā on substack now! š
Other highlights š
AI Coding Mandates are Driving Developers to the Brink
Sage Lazzaro writes on LeadDev regarding the C-suite-fueled push to get AI into everything and having engineers ramp up their skills in AI by sheer osmosis and exposure.
Almost half of C-suite executives said in a recent survey that AI adoption is ātearing their company apartā as a rift emerges between leadership and the employees adopting such tools.
Weāre not just seeing a tooling shift. Weāre watching a culture clash unfold between optimistic execs and overloaded ICs which is beginning to fray the edges of engineering teams.
Mandates are top-down and vague.
Leaders are saying āeveryone should use AI for codingā without defining success, setting clear expectations, or recognizing variance in team workflows.
Developers are overwhelmed, not lazy.
Many engineers feel like theyāre already at capacity. Now theyāre being asked to adopt, learn, and show results from a tool that may not even fit their current tasks or environment.
Fear and confusion are spreading.
ICs worry: āWill I fall behind if I donāt embrace AI fast enough?ā Managers worry: āAm I supposed to enforce something I donāt fully understand?ā
Itās creating a psychological toll alongside the technical burden.
Advice for Leaders
š Ground initiatives in real problems
Start by asking: What workflows feel heavy right now? Where are we wasting time? Then explore whether AI can actually help with those specific issues.šÆ Define success clearly
Donāt just measure usage. Measure reduced cycle time, improved onboarding, or fewer bugs. Make sure success metrics feel relevant and achievable to the people doing the work.š Support teams like itās a product rollout
Give people space, time, and resources to explore. That means dedicated time in sprints, pairing sessions, Slack channels for sharing learnings, etc.š£ Center trust and psychological safety
Culture eats tooling for breakfast. Developers wonāt experiment if theyāre afraid of being judged for doing it wrong or falling behind. Safety must come first.
The Precise Language of Good Management
In high-functioning teams, misalignment doesnāt usually stem from malice, it comes from muddled communication. When managers use vague phrases or hedge too much, they leave room for confusion, misinterpretation, or unnecessary stress. One of the most underrated skills in management is the ability to speak clearly, concisely, and with intention.
The Stay Saasy team provide us a good framework for precise and impactful delivery on feedback, especially when it is difficult to convey to someone we cherish and trust.
Precise communication builds psychological safety. It eliminates ambiguity, removes emotional guesswork, and empowers teams to focus on outcomes instead of second-guessing subtext. In a world where async work, distributed teams, and high output are the norm, fuzzy talk is friction.
What Happens When You Don't Get This Right
Teams freeze or spin because the ask isnāt clear
People overthink basic interactions
Managers lose credibility as decision-makers
Feedback feels passive-aggressive instead of constructive
Progress slows under the weight of interpretation
Practical Examples
āHow Am I Doing?ā
The most common example of imprecise language is when someone asks you in a 1:1 āhow am I doing?ā Very few managers are ready to answer this question well on the spot.
āOh youāre doing well, communication could improve a bit but overall youāre doing well.ā
What often happens is that the performance round happens and the person gets below expectations.
Itās best to take these questions seriously and ideally state that you need more time to prepare feedback that is actionable, not merely present. Be precise: tell them where they can improve. What doesnāt work, when that happens and what they should do instead in no uncertain terms. If youāre not ready for this conversation, share an intention to make that the focus of your next 1:1 meeting.
Performance Assessments
Itās easy to give generic praise or wanting to elicit a positive emotional response should the person you are assessing read your assessment immediately. But looking for approval in this manner will only undermine the managerās influence and respect.
When giving positive feedback, precisely relate what about something that happen was better than expected, or if it happens often and consistently, call it out as being systematic and reliable. Likewise, for negative feedback highlight key action points and suggested change.
āCan you do this?ā
Boolean-conversations have a special circle in hell in most organizations. Estimations, ideas, trade ofs. Be precise and answer the underlying question, not the words in the question literally. Can you do this is a question phrased to figure out what can be done and what the implications would be if the team committed the decision now.
Promotions
I think a promotion soon is looking good. ā We have two promotion cycles in the next 12 months. I think the one in 3 months is less likely and the one in 9 months is about 80% there. Letās discuss why Iām thinking about those probabilities and we can make sure you feel thatās fair.
PIPs
Hey these last two weeks have been great. ā These last two weeks have been at the level of output we determined was necessary for you to succeed in this PIP. Youāll have to keep this up for the remainder to pass.
Hiring
Yeah you can basically choose your team once youāre in. ā We have three teams that have open roles right now. One of them you arenāt a fit for based on your background, so realistically that leaves two and of those two the X team seems like a better fit, so if you wouldnāt want to join that team, letās talk
Find Yourself š»
Thatās it for Today!
Whether youāre innovating on new projects, staying ahead of tech trends, or taking a strategic pause to recharge, may your day be as impactful and inspiring as your leadership.
See you next week(end), Ciao š
Credits š
Curators - Diligently curated by our community members Denis & Kovid
Featured Authors - Chris Hughes, Stay Saasy Team, Sage Lazzaro (for LeadDev)
Sponsors - This newsletter is sponsored by Typo AI - Ship reliable software faster.
1) SubscribeĀ ā If you arenāt already, consider becoming a groCTO subscriber.
2) Share ā Spread the word amongst fellow Engineering Leaders and CTOs! Your referral empowers & builds our groCTO community.