Below is a step-by-step process for migrating your software delivery lifecycle (SDLC) from human-led to AI-assisted, and eventually AI-driven with human governance, using Claude and Codex across planning, architecture, HLD/LLD, development, testing, and security scanning.
Target model
Do not move directly from “humans do everything” to “AI does everything.” Use this maturity path:
| Stage | Ownership model |
|---|---|
| Stage 1 | Human does work, AI assists |
| Stage 2 | AI drafts, human reviews |
| Stage 3 | AI implements low-risk work, human approves |
| Stage 4 | AI handles repeatable workflows, human audits |
| Stage 5 | AI operates within strict SDLC guardrails |
A good target is: AI prepares and executes; humans approve, monitor, and own accountability.
Step-by-step migration process
Step 1: Inventory your existing system
Start by creating a complete map of your current application.
For each microservice, document:
| Area | What to capture |
|---|---|
| Service name | Purpose and business capability |
| Tech stack | Language, framework, database, queue, cache |
| APIs | REST, GraphQL, gRPC, events |
| Dependencies | Upstream and downstream services |
| Data ownership | Tables, schemas, topics, buckets |
| Deployment | CI/CD, Docker, Kubernetes, cloud setup |
| Testing | Unit, integration, contract, regression |
| Security | Auth, roles, secrets, vulnerabilities |
| Operations | Logs, alerts, dashboards, runbooks |
This becomes your AI context base.
Without this step, Claude and Codex will produce guesses instead of reliable engineering output.
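To keep the inventory usable by both humans and AI tools, it helps to capture each entry in a machine-readable form alongside the prose docs. A minimal sketch (all service names, fields, and values below are illustrative, not a prescribed schema):

```python
from dataclasses import dataclass, field, asdict
import json

@dataclass
class ServiceInventory:
    """One inventory entry per microservice; field names are illustrative."""
    name: str
    purpose: str
    tech_stack: list[str] = field(default_factory=list)
    apis: list[str] = field(default_factory=list)
    upstream: list[str] = field(default_factory=list)
    downstream: list[str] = field(default_factory=list)
    data_owned: list[str] = field(default_factory=list)
    deployment: str = ""
    test_types: list[str] = field(default_factory=list)

orders = ServiceInventory(
    name="orders-service",
    purpose="Order lifecycle management",
    tech_stack=["Java 21", "Spring Boot", "PostgreSQL"],
    apis=["REST", "Kafka events"],
    upstream=["api-gateway"],
    downstream=["payments-service", "inventory-service"],
    data_owned=["orders", "order_items"],
    deployment="Kubernetes via CI/CD",
    test_types=["unit", "integration", "contract"],
)

# Serialize so the entry can be checked into /ai-context as structured data.
print(json.dumps(asdict(orders), indent=2))
```

Checking a JSON or YAML version of each entry into the repository means the AI context stays diffable and reviewable like any other artifact.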
Step 2: Create an “AI Context Pack”
Create a standard folder in each repository, for example:
```
/ai-context
  product-overview.md
  architecture.md
  service-boundaries.md
  coding-standards.md
  database-design.md
  api-contracts.md
  testing-strategy.md
  security-rules.md
  deployment-process.md
  known-issues.md
```
Also add root-level instruction files such as:
- CLAUDE.md
- AGENTS.md
- CODEX.md
- CONTRIBUTING.md
These should explain:
- What this service does
- How to run it locally
- How to run tests
- Coding standards
- Security rules
- Branching strategy
- PR expectations
- What AI must never change without approval
This is the foundation for moving work from humans to AI.
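As a concrete illustration, a minimal CLAUDE.md might look like the sketch below (the commands, limits, and paths are placeholders to adapt to your own service):

```markdown
# CLAUDE.md

## What this service does
Manages the order lifecycle (create, update, cancel).

## Run locally
`make run` (requires Docker for the local database).

## Run tests
`make test` — all tests must pass before any commit.

## Rules
- Follow /ai-context/coding-standards.md.
- Never modify database migrations, auth code, or CI config
  without explicit human approval.
- Keep pull requests small and single-purpose.
```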
Step 3: Define roles for Claude and Codex
Use both tools with different responsibilities.
| Area | Claude | Codex |
|---|---|---|
| Planning | Strong | Medium |
| Requirement analysis | Strong | Medium |
| Architecture | Strong | Medium |
| HLD / LLD | Strong | Medium |
| Code generation | Medium | Strong |
| Refactoring | Medium | Strong |
| Test generation | Strong | Strong |
| Security review | Strong | Medium |
| Documentation | Strong | Medium |
| PR implementation | Medium | Strong |
| Code review | Strong | Strong |
Recommended split:
Claude: planning, architecture, design, analysis, documentation, review, risk assessment.
Codex: code changes, test creation, refactoring, bug fixing, implementation tasks.
Step 4: Convert your SDLC into AI-ready workflows
Your current flow may be:
Plan → Architecture → HLD → LLD → Development → Testing → Security Scan → Release
Convert it into this AI-assisted flow:
```
Human request
  ↓
Claude analyzes requirement
  ↓
Claude creates plan + HLD + LLD
  ↓
Human approves design
  ↓
Codex implements code
  ↓
Codex/Claude generates tests
  ↓
CI/CD runs tests and scans
  ↓
Claude reviews PR and risk
  ↓
Human approves merge
  ↓
Deployment automation releases
```
Phase-by-phase migration
Phase 1: AI-assisted planning
Start with planning only.
Give Claude business requirements and ask it to produce:
- Functional summary
- Non-functional requirements
- Assumptions
- Open questions
- Risks
- Affected microservices
- Dependencies
- Estimated implementation steps
- Testing scope
- Security impact
Human responsibility:
- Validate assumptions
- Confirm scope
- Approve plan
At this stage, AI should not modify code.
Phase 2: AI-generated architecture and HLD
Next, allow Claude to generate architecture documents.
For every feature, Claude should produce:
1. Current system understanding
2. Proposed architecture
3. Affected services
4. API changes
5. Database changes
6. Event/message changes
7. Security implications
8. Scalability considerations
9. Failure scenarios
10. Rollback strategy
Human responsibility:
- Architecture review
- Security review
- Approval before implementation
Recommended output:
- HLD.md
- architecture-decision-record.md
- sequence-diagram.md
- data-flow.md
- risk-analysis.md
Phase 3: AI-generated LLD
After HLD approval, move to LLD.
Claude or Codex should generate:
- Class/module changes
- API request/response models
- Database migration design
- Validation rules
- Error handling
- Logging changes
- Config changes
- Unit test plan
- Integration test plan
- Rollback steps
Human responsibility:
- Confirm detailed design
- Confirm edge cases
- Confirm backward compatibility
At this point, the AI should have enough detail to produce an unambiguous implementation plan.
Phase 4: AI-assisted development
Now introduce Codex for implementation.
Start with low-risk tasks:
- Unit tests
- Small bug fixes
- DTO/model changes
- API validation changes
- Logging improvements
- Documentation updates
- Refactoring without behavior change
Do not start with:
- Payment logic
- Authentication/authorization
- Database migration-heavy changes
- Security-sensitive code
- Production incident fixes
- Large cross-service redesigns
Recommended Codex workflow:
1. Read requirement
2. Read HLD/LLD
3. Inspect relevant service
4. Create implementation plan
5. Make code changes
6. Add tests
7. Run local checks
8. Prepare PR summary
Human responsibility:
- Review diff
- Review tests
- Approve PR
Phase 5: AI-generated tests
Use AI heavily for testing.
For each feature, generate:
- Unit tests
- Integration tests
- Contract tests
- API tests
- Negative test cases
- Boundary tests
- Regression test cases
- Security-focused tests
For microservices, prioritize:
- Contract testing between services
- Database migration tests
- Message queue/event tests
- Backward compatibility tests
- Idempotency tests
- Retry/failure tests
AI should also generate test matrices like:
| Scenario | Input | Expected result | Test type |
|---|---|---|---|
| Valid request | Correct payload | Success | API |
| Missing field | Invalid payload | 400 error | Negative |
| Unauthorized user | No token | 401 error | Security |
| Duplicate request | Same request twice | Idempotent response | Integration |
Phase 6: Security scanning and AI security review
Security should not be left only to Claude or Codex. Use AI plus automated tools.
Your pipeline should include:
- Static code analysis
- Dependency vulnerability scanning
- Secret scanning
- Container image scanning
- Infrastructure-as-code scanning
- License scanning
- API security testing
- OWASP checks
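To make the secret-scanning step concrete, here is a deliberately naive sketch of what such a check does; a real pipeline should use a dedicated scanner (for example gitleaks or trufflehog), and the patterns below are illustrative only:

```python
import re

# Naive illustration only; use a dedicated scanner in a real pipeline.
SECRET_PATTERNS = [
    re.compile(r"AKIA[0-9A-Z]{16}"),   # shape of an AWS access key ID
    re.compile(r"(?i)(api[_-]?key|password)\s*=\s*['\"][^'\"]+['\"]"),
]

def find_secrets(text: str) -> list[str]:
    """Return substrings that look like hard-coded secrets."""
    hits = []
    for pattern in SECRET_PATTERNS:
        hits.extend(m.group(0) for m in pattern.finditer(text))
    return hits

sample = 'db_url = "postgres://localhost"\npassword = "hunter2"\n'
print(find_secrets(sample))
```

The same rule applies to prompts: anything these patterns would catch in code must never be pasted into an AI conversation either.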
Claude can review:
- Authentication risks
- Authorization gaps
- Input validation
- Injection risks
- Data exposure
- Logging of sensitive data
- Secrets handling
- Multi-tenant data leakage
- Broken access control
Codex can fix:
- Vulnerable dependency versions
- Missing validation
- Unsafe error messages
- Weak test coverage
- Simple security defects
Human responsibility:
- Approve all security-sensitive changes
- Review high/critical vulnerabilities
- Own final release decision
Phase 7: AI-assisted code review
Before human review, let Claude review the PR.
Ask Claude to check:
- Does the code match the requirement?
- Does it follow the HLD/LLD?
- Are there missing tests?
- Are there security risks?
- Are there performance issues?
- Are there breaking API changes?
- Are logs and errors appropriate?
- Is rollback possible?
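This checklist works best when templated, so every PR gets the same first-pass review. A sketch of a prompt builder (the prompt wording is illustrative, not a required format):

```python
REVIEW_CHECKLIST = [
    "Does the code match the requirement?",
    "Does it follow the approved HLD/LLD?",
    "Are there missing tests?",
    "Are there security risks?",
    "Are there performance issues?",
    "Are there breaking API changes?",
    "Are logs and error messages appropriate?",
    "Is rollback possible?",
]

def build_review_prompt(pr_title: str, diff: str) -> str:
    """Assemble a first-pass review prompt from the fixed checklist."""
    questions = "\n".join(f"- {q}" for q in REVIEW_CHECKLIST)
    return (
        f"Review the pull request '{pr_title}'. Answer each question, "
        f"citing specific lines from the diff.\n{questions}\n\nDIFF:\n{diff}"
    )

prompt = build_review_prompt("FEATURE-123: add order cancellation", "<diff omitted>")
print(prompt.splitlines()[0])
```

A fixed checklist also gives humans something auditable: reviewers can see exactly which questions the AI was asked, not just its conclusions.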
Then the human reviewer checks:
- Business correctness
- Architecture alignment
- Security-sensitive areas
- Production risk
This reduces human review effort but does not remove accountability.
Phase 8: CI/CD integration
Your pipeline should become the enforcement layer.
Minimum pipeline:
1. Build
2. Unit tests
3. Integration tests
4. Contract tests
5. Linting
6. Code quality scan
7. Dependency scan
8. Secret scan
9. Container scan
10. SAST
11. DAST for deployed test environment
12. Test coverage threshold
13. Manual approval for production
AI can generate code, but CI/CD should decide whether it is acceptable.
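As one possible shape for this enforcement layer, here is a sketch in GitHub Actions syntax; the `make` targets and job names are placeholders for whatever your build system provides, and the manual production approval relies on a protected `environment` configured in the repository settings:

```yaml
# Sketch only: job names and make targets are illustrative.
name: ci
on: [pull_request]
jobs:
  checks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make build
      - run: make unit-test integration-test contract-test
      - run: make lint
      - run: make coverage-check        # fail below the agreed threshold
      - run: make dependency-scan secret-scan sast
  deploy-prod:
    needs: checks
    environment: production             # requires manual approval via reviewers
    runs-on: ubuntu-latest
    steps:
      - run: make deploy
```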
Phase 9: Start with one pilot microservice
Do not migrate all microservices at once.
Choose one service that is:
- Medium complexity
- Well-tested
- Not security-critical
- Not payment-critical
- Has clear ownership
- Has stable APIs
Run a 4-week pilot.
Measure:
- Time to produce HLD/LLD
- Development cycle time
- Number of AI-generated defects
- Test coverage improvement
- PR review time
- Security scan results
- Production incidents
- Human effort saved
Expand to more services only after the pilot succeeds against these measures.
Phase 10: Define approval gates
Use this approval matrix:
| Activity | AI can draft | AI can execute | Human approval required |
|---|---|---|---|
| Requirement analysis | Yes | Yes | Yes |
| HLD | Yes | No | Yes |
| LLD | Yes | No | Yes |
| Code changes | Yes | Yes | Yes |
| Unit tests | Yes | Yes | Optional |
| Security fixes | Yes | Limited | Yes |
| Database migrations | Yes | Limited | Always |
| Production deploy | No | No/limited | Always |
| Incident resolution | Assist only | Limited | Always |
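Approval gates are easiest to enforce when they live in code rather than in a wiki. A sketch of the matrix as a policy lookup (activity keys and rule values mirror the table; this is illustrative, not a real policy framework):

```python
# Illustrative policy table mirroring the approval-gate matrix.
GATES = {
    "requirement_analysis": {"ai_draft": True,  "ai_execute": True,      "human_approval": "required"},
    "hld":                  {"ai_draft": True,  "ai_execute": False,     "human_approval": "required"},
    "lld":                  {"ai_draft": True,  "ai_execute": False,     "human_approval": "required"},
    "code_change":          {"ai_draft": True,  "ai_execute": True,      "human_approval": "required"},
    "unit_tests":           {"ai_draft": True,  "ai_execute": True,      "human_approval": "optional"},
    "security_fix":         {"ai_draft": True,  "ai_execute": "limited", "human_approval": "required"},
    "db_migration":         {"ai_draft": True,  "ai_execute": "limited", "human_approval": "always"},
    "production_deploy":    {"ai_draft": False, "ai_execute": False,     "human_approval": "always"},
}

def requires_human(activity: str) -> bool:
    """True unless the gate explicitly marks human approval as optional."""
    return GATES[activity]["human_approval"] != "optional"

assert requires_human("db_migration")
assert not requires_human("unit_tests")
```

A table like this can back a CI check or a bot that blocks merges for activities whose gate demands a human sign-off.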
Recommended operating model
Human responsibilities
Humans should continue to own:
- Product decisions
- Architecture approval
- Security approval
- Production release approval
- Incident accountability
- Compliance decisions
- Final code ownership
AI responsibilities
AI can increasingly handle:
- Drafting plans
- Writing HLD/LLD
- Generating code
- Generating tests
- Updating documentation
- Performing first-pass review
- Explaining code
- Refactoring
- Finding gaps
- Preparing release notes
Standard AI workflow for every new feature
Use this repeatable process:
1. Product requirement is created.
2. Claude analyzes requirement.
3. Claude identifies affected microservices.
4. Claude creates implementation plan.
5. Claude creates HLD.
6. Human approves HLD.
7. Claude creates LLD.
8. Human approves LLD.
9. Codex creates code changes.
10. Codex creates tests.
11. CI/CD runs checks.
12. Claude reviews PR.
13. Human reviews PR.
14. Security scans must pass.
15. Human approves release.
16. Deployment happens through existing pipeline.
17. Claude creates release notes and documentation.
Example folder structure for AI-driven SDLC
```
/docs
  /architecture
    system-overview.md
    microservice-map.md
    data-flow.md
  /adr
    ADR-001-service-communication.md
  /features
    /FEATURE-123
      requirement.md
      plan.md
      hld.md
      lld.md
      test-plan.md
      security-review.md
      release-notes.md
/ai-context
  service-summary.md
  coding-rules.md
  test-rules.md
  security-rules.md
  deployment-rules.md
```
This makes every feature traceable from requirement to release.
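A structure like this can be scaffolded with a short script so every repository starts identical. A sketch using `pathlib` (it writes into a temporary directory here to stay side-effect-free; point it at a real repo root in practice):

```python
from pathlib import Path
import tempfile

# File names mirror the layout above; the feature folder is created per feature.
LAYOUT = {
    "docs/architecture": ["system-overview.md", "microservice-map.md", "data-flow.md"],
    "docs/adr": ["ADR-001-service-communication.md"],
    "ai-context": ["service-summary.md", "coding-rules.md", "test-rules.md",
                   "security-rules.md", "deployment-rules.md"],
}

def scaffold(root: Path) -> list[Path]:
    """Create the folder layout and empty files; return created file paths."""
    created = []
    for folder, files in LAYOUT.items():
        d = root / folder
        d.mkdir(parents=True, exist_ok=True)
        for name in files:
            f = d / name
            f.touch(exist_ok=True)
            created.append(f)
    return created

root = Path(tempfile.mkdtemp())
files = scaffold(root)
print(f"created {len(files)} files under {root}")
```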
Migration roadmap
First 30 days
- Document existing architecture
- Create AI context packs
- Select one pilot microservice
- Use Claude for planning and HLD
- Use Codex only for tests and small fixes
- Keep humans fully in control
Days 31–60
- Use AI for LLD generation
- Use Codex for feature implementation
- Add AI-generated test coverage
- Add Claude PR review
- Strengthen CI/CD quality gates
Days 61–90
- Expand to 3–5 microservices
- Standardize prompts and templates
- Introduce AI-generated release notes
- Use AI for security review support
- Measure productivity and defect trends
After 90 days
- AI handles repeatable engineering tasks
- Humans focus on architecture, review, security, and product direction
- Mature services can move to AI-first implementation with human approval
Key risks and controls
| Risk | Control |
|---|---|
| AI misunderstands system | Maintain strong AI context docs |
| AI creates insecure code | Security scans + human security review |
| AI breaks contracts | Contract tests required |
| AI changes too much | Small PR size limit |
| AI exposes secrets | Secret scanning + no secrets in prompts |
| AI produces untested code | Test coverage gate |
| Humans overtrust AI | Mandatory review checklist |
| Architecture drift | HLD/LLD approval gate |
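Several of these controls can be enforced mechanically. For example, the small-PR-size limit reduces to counting changed lines in a unified diff; a sketch (the 400-line threshold is an example value, not a standard):

```python
def changed_lines(unified_diff: str) -> int:
    """Count added/removed lines, ignoring the +++/--- file headers."""
    count = 0
    for line in unified_diff.splitlines():
        if line.startswith(("+++", "---")):
            continue
        if line.startswith(("+", "-")):
            count += 1
    return count

MAX_PR_LINES = 400  # example threshold; tune per team

diff = "--- a/x.py\n+++ b/x.py\n@@ -1 +1,2 @@\n-old\n+new\n+added\n"
size = changed_lines(diff)
print(f"PR size {size} lines: {'OK' if size <= MAX_PR_LINES else 'too large'}")
```

Wired into CI, a check like this fails the build before a reviewer ever sees an oversized AI-generated diff.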
Practical starting point
Start with this sequence:
1. Pick one non-critical microservice.
2. Create an AI context folder for it.
3. Ask Claude to generate the service overview.
4. Ask Claude to generate missing HLD/LLD from existing code.
5. Human architect reviews and corrects it.
6. Ask Codex to add missing unit tests.
7. Run CI/CD and security scans.
8. Ask Codex to implement one small enhancement.
9. Ask Claude to review the PR.
10. Human approves and merges.
Once this works reliably, repeat across other services.
Final recommendation
Treat Claude and Codex as AI engineering team members, not as full replacements for your human team.
A strong model is:
- Claude = Analyst + Architect + Reviewer
- Codex = Developer + Test Engineer + Refactoring Assistant
- Human = Owner + Approver + Security/Governance Authority
- CI/CD = Final quality enforcement layer
The safest migration path is:
Documentation → Planning → HLD/LLD → Tests → Small Code Changes → Larger Features → AI-first Delivery with Human Approval