GitLab packages Duo Agent Flows so multi-step runs share the platform's controls
Maya Okonkwo
In a blog post this week, GitLab put a name on the abstraction it wants delivery teams to build around: Duo Agent Flows, packaged multi-step runs meant to carry the same access controls, triggers and review gates as any other pipeline object. If your team already runs on GitLab, the practical question is smaller than the announcement: what does an agent get to do on your repo when nobody is watching, and can you audit it the same way you audit CI?
What GitLab is naming
Per the post, an agent flow is a named, multi-step run that GitLab manages the same way it manages other platform work. The three example flows GitLab calls out are ordinary delivery chores dressed for an agent: implement an issue, fix a pipeline, and review a merge request. Each chains several steps into one unit with a defined entry, a defined exit, and a place in the platform's permission model.
The framing GitLab gives is worth quoting in the vendor's own terms. Chat that only answers still leaves every handoff to the user. Homegrown scripts don't inherit changes in access controls, new triggers or updated review gates when the platform ships them. A flow is meant to sit between the two: a repeatable unit the platform wraps in the same controls it applies to everything else on the review path.
Where inheritance actually earns its keep
Multi-step agents are not the news. Every major platform is shipping those. The load-bearing claim in the post is inheritance: when GitLab tightens a review gate, adds a trigger or narrows a token scope, existing flows pick up the change without a maintainer editing YAML in every repo.
That property is real. A homegrown script hitting the API with a personal access token uses whatever policy was in effect on the day someone wrote it, and it stays there until a human comes back to update it. Drift is where most audit findings on internal automation come from, and inheritance is the only clean way to close it at scale.
The catch is the other side of the same fact. An agent that inherits the platform's access controls also inherits every mistake in them. A misconfigured group role, an over-broad approval rule, a code owner who rubber-stamps everything: the flow uses exactly the permissions you have, not the ones you meant to have.
What the announcement does not answer
The post positions the shape of the abstraction. It does not, in what has been published so far, spell out a per-flow cost cap, an execution-isolation contract, or a rollback story for a flow that has already opened a merge request against a protected branch. Those are the questions a reliability review would ask before turning a flow loose on a busy monorepo.
The other missing beat is the failure mode. Chat fails by staying silent. Homegrown scripts fail loudly and in isolation. A packaged flow that fires on a merge-request event and opens twenty commits before anyone reads the first one fails at platform scale. What GitLab does with a flow that misbehaves, whether it is paused, quarantined or rate-limited, is the on-call knob you want documented in advance, not after the first incident.
Where other platforms are drawing the same line
Every major CI/CD platform is trying to name this shape right now, and each is picking a different trade-off.
- GitHub has been building the same idea in pieces: a Copilot coding agent that opens pull requests, agentic workflows that recently swapped a personal access token for the built-in
GITHUB_TOKEN, and Actions-native event triggers. The result is closer to a set of agent-flavored jobs than a single flow object, but the trust boundary is the workflow token, which platform teams already understand. - Atlassian has been layering agents into Jira and Bitbucket around a shared identity model. If the delivery loop you care about starts on a ticket and ends on a merge, that end-to-end scope is a genuine advantage over a Git-only platform.
- Harness has been shipping autonomous worker agents that plug into an existing pipeline as steps, rather than as a separate flow abstraction. For teams already running Harness for delivery, the migration cost is lower because there is nothing new to model.
- CircleCI and other pipeline-first vendors are keeping the agent as an orb or a step called from a normal job. That is the least invasive design and the one with the least new attack surface. It also does the least to solve the drift problem GitLab is naming.
- Buddy takes a different tack: a declarative pipeline with pre-built actions and a sandbox per job, where you call an agent from a step or a webhook rather than as a first-class flow object with a lifecycle. For a small platform team that wants agent work bounded inside a normal pipeline and does not want to adopt a new abstraction, that is a reasonable place to land. For a team that specifically wants a policy-inheriting flow object with its own trigger and review surface, GitLab's model or GitHub's Copilot coding agent is the closer fit. The Buddy action catalog is the place to eyeball the primitives before deciding.
None of these are wrong. They are different bets about where the trust boundary of an agent belongs, and the right answer depends on what your existing pipeline already looks like.
What to wait for
The two pieces of documentation worth waiting for, before any of this changes how a Friday deploy feels, are the flow lifecycle contract (who can stop a running flow, and how fast) and the audit surface (does a flow's actions appear in the same audit stream as a human's, keyed to the same actor model). Until both are answered on the record, the safe read is that GitLab has named the shape well and is still finishing the parts that make it a load-bearing on-call primitive.
Source: GitLab (about.gitlab.com)