We Put AI Agents on Our Software Team. Here's What It Actually Took.

Waterloo Data's engineering leadership built a live fleet of AI agents that plan, write, review, and ship software under real governance — alongside human engineers. The hard part wasn't the autonomy.
There's a lot of noise right now about "agentic AI" — autonomous agents that will supposedly replace software teams overnight. Most of it is demos. An agent writes some code in a sandbox, everyone applauds, and nothing ships to production.
At Waterloo Data, we took a different approach. We built Signet: an agent framework where AI agents work as real members of a software delivery team — in Slack, on real repositories, under real governance — alongside our human engineers. Not a prototype. A live fleet, delivering.
We want to share what we learned, because the hard parts aren't what most people think.
The team is live — and it looks like a team
Today, eight agents run in our environment: a PM, a senior developer, a code reviewer, a QA engineer, an SRE, a release producer, and two triage agents. Each one has a name, a chat presence, and a defined role. You @-mention them in Slack the same way you'd ping a colleague. They coordinate with each other — and with humans — in the same threads.
That last part is the design principle that matters most: every role is human-swappable. An agent can fill a seat on the team, or a person can. The workflow doesn't change. When a human takes over a task, the agent stands down cleanly. This isn't AI replacing a team — it's a delivery model where the work is structured well enough that either can hold the role.
- 8 — agents on the live fleet
- 2 — human sign-offs on a full project run
- 0 — external orchestration in the dev–review cycle
Autonomy is easy. Governance is the hard part.
Anyone can wire an LLM to a GitHub token and let it loose. That's exactly what you should never do. What makes Signet production-grade is the control layer around every agent:
Least-privilege charters.
Every agent operates under a signed charter declaring exactly what it may touch — which repos, which channels, which phases of the delivery lifecycle. The enforcement is structural: the model's output can never expand its own permissions, no matter what it generates.
Evidence-gated delivery.
An agent can't simply declare its work done. Closing a development goal requires verifiable evidence — a real pull request from the right branch, validated green, confirmed by the control plane through trusted reads of the version control system. In plain terms: an agent can never talk its way to "done." It has to prove it.
Human approval where it counts.
High-impact actions — approving a PR, producing a release artifact — require a single-use, human-approved grant, bound to the exact action being taken. Autonomy for the routine, human sign-off for the consequential.
A tamper-evident audit trail.
Every action by every agent is hash-chained into an audit log. When an agent reviews a pull request or commits a fix, there's a complete, verifiable record of what happened and under whose authority.
Validation before anything ships.
Writer agents build and test their own branches in a locked-down, network-denied sandbox before a PR ever opens. A failed lint doesn't stall the pipeline — the system repairs mechanical failures and re-validates from cold. A fix never fakes a green build.
What it's already done
This isn't theoretical. On our live fleet:
- A fully autonomous developer→reviewer cycle ran end to end. Our senior dev agent implemented a real fix, our reviewer agent reviewed it and requested changes, the dev iterated, the reviewer approved, and it merged — with no human orchestration in between.
- A complete delivery project drove itself from Discovery through Post-Launch. The project kicked off from a written brief, each phase advanced automatically off verified exit gates — requirements, acceptance criteria, design artifacts, QA — and the humans involved signed off at exactly two points: Design and Launch. When QA fails, the system routes work back to Build and tries again, with a cap that escalates to a human rather than looping forever.
- Agents review real pull requests on GitHub and Azure DevOps — grounded reviews, where the agent is required to actually read the code before it's allowed to submit a verdict.
Why we built it
AI without governed, reliable foundations is a prototype, not a product.
That's the same conviction we bring to every client engagement. We've spent 16+ years building data platforms on that principle. Signet applies it to AI agents — identity, least privilege, auditability, and human oversight designed in from the start, not bolted on after something goes wrong.
It's also making us faster. The delivery model we bring to clients — senior U.S.-based leadership, deeply integrated nearshore engineering — now has a third layer: governed agents handling well-defined work under the same accountability structures as everyone else on the team. A force multiplier on the force multiplier.
What this means if you're thinking about agentic AI
If your organization is exploring AI agents — for software delivery, operations, or anything that touches production systems — the questions to ask aren't "which model?" or "which framework?" They're:
- What, exactly, is this agent allowed to do — and what enforces that?
- How do we know its work is actually done, versus claimed done?
- Where do humans approve, and where do they get out of the way?
- Can we audit every action after the fact?
We've been living those questions on our own team. If you're working through them on yours, we'd genuinely enjoy the conversation.
Schedule a 30 Minute Assessment
We'll follow up within 1 business day to understand your goals and see where
we can help -- no sales pressure.



