Velocity vs Capacity; Agentic AI & Cybersecurity; AI Mandates Drive Devs Crazy; Good Management
Issue #47 Bytes
đ± Dive into Learning-Rich Sundays with groCTO —ïž
Agile Velocity vs. Capacity
Ever feel like your Agile team is promising the moon but only delivers a pebble? You're probably mixing up velocity (what you actually get done) with capacity (all the hours you have). This blog is your friendly guide to untangling these two. Learn the difference, dodge planning disasters, and finally get a grip on realistic sprints. Plus, a sneak peek at how AI can be your Agile superhero! Intrigued?
Let's get human about Agile.
Article of the Week â
âThe âSâ in MCP Stands for Securityâ âElena Cross
Agentic AI Threats and Mitigations
Thereâs a funny meme running wild on social media with regards to AI Augmented Coding: âThe S in MCP stands for Security.â Chris Hughes is breaking down the Feb 2025 OWASP report on AI Threats originating from Agentic usage, prominently with coding augmentation and MCP-fueled conversations that involve direct access to key infrastructure.
What Is Agentic AI?
Agentic AI refers to systems that can act on your behalf.
Examples:
AutoGPT-like systems that take action
Agents that interact with your APIs, databases, or browsers
AI tools with access to CI/CD pipelines, ticketing systems, or cloud infra
We covered MCPâs in a previous issue.
Agentic AI is powerful but risky. If you treat it like a passive tool, youâre setting yourself up for failure. Think of it as an autonomous coworker and give it the same scrutiny, oversight, and accountability.
Main Threats
Prompt Injection
Agents can be tricked into unsafe behavior through manipulated input.
Example: malicious instructions hidden in user docs or webpages.
Over-permissioned Agents
Many agents inherit full user permissions. This means they can access sensitive systems and data without proper controls.
Lack of Visibility
Agent behavior is often poorly logged and monitored. You canât secure what you canât see.
Shadow Agents
Agents can be created and run without organizational approval or oversight. Think: Shadow IT, but autonomous and fast-moving.
What You Should Do
Constrain Agent Permissions
Limit what agents can do and access. Give them scoped identities and not full user accounts.
Harden Inputs
Sanitize all incoming content and prompt data. Avoid dynamic or user-generated sources unless vetted.
Log Everything
Track every action an agent takes. Log its API calls, tools used, and system access.
Set Boundaries
Apply rate limits, sandboxing, and kill switches. You need a way to pause or stop rogue behavior immediately.
Design for Explainability
If an agent does something unexpected, you should be able to trace why it happened and what triggered it.
đą Surviving AI?- Stephan's Got Your Back!
AI Disruption Got You Reeling?
Stephan Schmidt, the legendary CTO coach, has launched "Survive AI"! This amazing newsletter is your essential guide to navigating the torrents of the great AI disruption, offering sharp insights and practical, actionable strategies. Known for his brilliant CTO coaching & engineering leadership thoughts, Stephan will equip you to not just survive, but truly thrive in this rapidly evolving landscape.
Stop feeling overwhelmed and start confidently navigating the AI future â Subscribe to "Survive AIâ on substack now! đ
Other highlights đ
AI Coding Mandates are Driving Developers to the Brink
Sage Lazzaro writes on LeadDev regarding the C-suite-fueled push to get AI into everything and having engineers ramp up their skills in AI by sheer osmosis and exposure.
Almost half of C-suite executives said in a recent survey that AI adoption is âtearing their company apartâ as a rift emerges between leadership and the employees adopting such tools.
Weâre not just seeing a tooling shift. Weâre watching a culture clash unfold between optimistic execs and overloaded ICs which is beginning to fray the edges of engineering teams.
Mandates are top-down and vague.
Leaders are saying âeveryone should use AI for codingâ without defining success, setting clear expectations, or recognizing variance in team workflows.
Developers are overwhelmed, not lazy.
Many engineers feel like theyâre already at capacity. Now theyâre being asked to adopt, learn, and show results from a tool that may not even fit their current tasks or environment.
Fear and confusion are spreading.
ICs worry: âWill I fall behind if I donât embrace AI fast enough?â Managers worry: âAm I supposed to enforce something I donât fully understand?â
Itâs creating a psychological toll alongside the technical burden.
Advice for Leaders
đ Ground initiatives in real problems
Start by asking: What workflows feel heavy right now? Where are we wasting time? Then explore whether AI can actually help with those specific issues.đŻ Define success clearly
Donât just measure usage. Measure reduced cycle time, improved onboarding, or fewer bugs. Make sure success metrics feel relevant and achievable to the people doing the work.đ Support teams like itâs a product rollout
Give people space, time, and resources to explore. That means dedicated time in sprints, pairing sessions, Slack channels for sharing learnings, etc.đŁ Center trust and psychological safety
Culture eats tooling for breakfast. Developers wonât experiment if theyâre afraid of being judged for doing it wrong or falling behind. Safety must come first.
The Precise Language of Good Management
In high-functioning teams, misalignment doesnât usually stem from malice, it comes from muddled communication. When managers use vague phrases or hedge too much, they leave room for confusion, misinterpretation, or unnecessary stress. One of the most underrated skills in management is the ability to speak clearly, concisely, and with intention.
The Stay Saasy team provide us a good framework for precise and impactful delivery on feedback, especially when it is difficult to convey to someone we cherish and trust.
Precise communication builds psychological safety. It eliminates ambiguity, removes emotional guesswork, and empowers teams to focus on outcomes instead of second-guessing subtext. In a world where async work, distributed teams, and high output are the norm, fuzzy talk is friction.
What Happens When You Don't Get This Right
Teams freeze or spin because the ask isnât clear
People overthink basic interactions
Managers lose credibility as decision-makers
Feedback feels passive-aggressive instead of constructive
Progress slows under the weight of interpretation
Practical Examples
âHow Am I Doing?â
The most common example of imprecise language is when someone asks you in a 1:1 âhow am I doing?â Very few managers are ready to answer this question well on the spot.
âOh youâre doing well, communication could improve a bit but overall youâre doing well.â
What often happens is that the performance round happens and the person gets below expectations.
Itâs best to take these questions seriously and ideally state that you need more time to prepare feedback that is actionable, not merely present. Be precise: tell them where they can improve. What doesnât work, when that happens and what they should do instead in no uncertain terms. If youâre not ready for this conversation, share an intention to make that the focus of your next 1:1 meeting.
Performance Assessments
Itâs easy to give generic praise or wanting to elicit a positive emotional response should the person you are assessing read your assessment immediately. But looking for approval in this manner will only undermine the managerâs influence and respect.
When giving positive feedback, precisely relate what about something that happen was better than expected, or if it happens often and consistently, call it out as being systematic and reliable. Likewise, for negative feedback highlight key action points and suggested change.
âCan you do this?â
Boolean-conversations have a special circle in hell in most organizations. Estimations, ideas, trade ofs. Be precise and answer the underlying question, not the words in the question literally. Can you do this is a question phrased to figure out what can be done and what the implications would be if the team committed the decision now.
Promotions
I think a promotion soon is looking good. â We have two promotion cycles in the next 12 months. I think the one in 3 months is less likely and the one in 9 months is about 80% there. Letâs discuss why Iâm thinking about those probabilities and we can make sure you feel thatâs fair.
PIPs
Hey these last two weeks have been great. â These last two weeks have been at the level of output we determined was necessary for you to succeed in this PIP. Youâll have to keep this up for the remainder to pass.
Hiring
Yeah you can basically choose your team once youâre in. â We have three teams that have open roles right now. One of them you arenât a fit for based on your background, so realistically that leaves two and of those two the X team seems like a better fit, so if you wouldnât want to join that team, letâs talk
Find Yourself đ»
Thatâs it for Today!
Whether youâre innovating on new projects, staying ahead of tech trends, or taking a strategic pause to recharge, may your day be as impactful and inspiring as your leadership.
See you next week(end), Ciao đ
Credits đ
Curators - Diligently curated by our community members Denis & Kovid
Featured Authors - Chris Hughes, Stay Saasy Team, Sage Lazzaro (for LeadDev)
Sponsors - This newsletter is sponsored by Typo AI - Ship reliable software faster.
1) Subscribe â If you arenât already, consider becoming a groCTO subscriber.
2) Share â Spread the word amongst fellow Engineering Leaders and CTOs! Your referral empowers & builds our groCTO community.