AI Native DevCon London maps the emerging AI coding stack

Patrick Debois uses the AI Native DevCon London 2026 program itself as a diagnostic tool, arguing that what a conference chooses to debate — and what it no longer bothers arguing about — reveals where the industry actually stands. The two-day event featured 41 talks across three tracks, and its central signal was that "skills are the new code" had moved from contested claim to accepted premise. Guy Podjarny's opening keynote introduced the Context Development Lifecycle (CDLC), which layers tools, context and skills, harnesses (deterministic frameworks that constrain probabilistic models), pipelines, and governance. His closing argument was that humans should now live in the CDLC and leave the SDLC to agents.

John Groetzinger at Cisco showed knowledge pipelined so engineers and agents consume it from the same source without divergence.

The sessions that followed filled in each layer. On the context and skills layer, James Moss at Tessl addressed skill sprawl — the supply chain problem that emerges when an organisation accumulates more context files than anyone can track, with no versioning or approval flows. John Groetzinger at Cisco showed knowledge pipelined so engineers and agents consume it from the same source without divergence. Shaun Smith from HuggingFace examined MCP, the protocol that moves context between systems, and the choices still being made about its design. On novel surfaces, Steve Ruiz at tldraw demonstrated a canvas as a live build environment where multiple agent instances run concurrently on the same shared document, while Lars Trieloff at Adobe described a browser-native agent project where the agentic loop runs inside the browser tab itself — controlling the browser from within — rather than sitting in a sidebar.

Security emerged as a cross-cutting concern. Liran Tal at Snyk reported that scanning publicly circulating skills on ClowHub found roughly one in seven had security issues, including malware distribution, credential harvesting, and known vulnerabilities embedded in `SKILL.md` files that agents were reading and trusting without verification. He named the attack pattern "toxic flows" and drew a parallel to the early npm ecosystem. The article is truncated before covering the productivity data presented by Simon Obstbaum from Stanford's Software Engineering Productivity Research Group and Rob Willoughby at Tessl, which included measurements across 150,000 engineers and systematic runs of 500 skills against 1,000 tasks.

Key facts

1. 01AI Native DevCon London ran June 2nd, spanning two days, three tracks, and 41 talks.
2. 02Guy Podjarny's keynote introduced the Context Development Lifecycle (CDLC), layering tools, skills, harnesses, pipelines, and governance.
3. 03Unlike the prior year, no sessions argued for context engineering — that debate was treated as settled.
4. 04A skill in the CDLC is defined as context with a named, versioned, testable, and installable boundary.
5. 05Liran Tal at Snyk found roughly one in seven publicly circulating skills on ClowHub had security issues, including malware distribution and credential harvesting.
6. 06Tal named the attack pattern 'toxic flows' and drew a parallel to the early npm supply chain ecosystem.
7. 07Lars Trieloff at Adobe described a browser-native agent that runs the agentic loop inside the browser tab itself, making the app the sidebar rather than the agent.

Topics