What happened
Sonar announced the acquisition of Gitar, an AI-native code review company, to expand SonarQube into a broader verification platform for agentic software development. The company says the combined platform will review and verify code from the moment AI agents generate it through to production deployment.
The deal is less about another coding assistant and more about the control layer around coding agents. Sonar says SonarQube is used by more than 7 million developers and AI agents, and that over 75 percent of the Fortune 100 rely on it to validate quality, security and architectural integrity. Gitar adds AI-powered code review built for teams where agents, not only humans, produce changes.
Sonar also made the cost and reliability argument explicit. It claims teams using Sonar are 44 percent less likely to experience outages related to AI-generated code, while codebases cleaned by SonarQube can reduce AI token usage by up to 8 percent. Those numbers come from Sonar, so they should be treated as vendor claims, but the direction is important: the market is moving from generation speed to verification, governance and operating cost.
Why it matters
Enterprise AI is leaving the demo phase. That does not only mean better models. It means more AI output entering systems where mistakes have a cost: production codebases, customer workflows, back-office decisions, compliance checks, documents and operational records. When output starts changing real work, the question shifts from "can the agent generate something useful?" to "can the organisation trust, inspect and govern what it generated?"
That is why verification is becoming its own category. A coding agent that produces a pull request needs tests, architectural checks, security analysis, dependency awareness and a record of what changed. A document or workflow agent needs the equivalent: source citations, permissions, confidence thresholds, business rules, human approval where needed and an audit trail of every action.
There is also a cost lesson here. Token spend does not only come from user prompts. It comes from messy context, repeated retries, unclear standards and agents trying to reason over noisy systems. If an organisation wants predictable AI cost, it needs cleaner inputs, reusable context and automated checks that stop expensive mistakes early.
Laava perspective
For Laava, this is exactly why an AI agent should not be treated as a standalone chatbot or a loose tool account. The useful part is the managed system around it: context, reasoning, action, monitoring and clear boundaries. In software teams that may look like code verification. In document-heavy and workflow-heavy operations, it looks like permission-aware retrieval, workflow validation, source-backed answers, escalation logic and safe integration with ERP, CRM, SharePoint, email or ticketing systems.
This also fits the managed runtime view. A sovereign runtime or Laava Box setup is not valuable because there is a box in the room. It is valuable when it gives the organisation one governed AI environment for agents, logging, model selection, data access and operational controls. Verification becomes easier when agents run in a known environment instead of being scattered across personal AI accounts and disconnected SaaS tools.
The same pattern applies to model choice. A model-agnostic runtime lets a company use the right model for the right task, but model choice only matters if the surrounding process is disciplined. The agent still needs the right context, the right integration points, a way to prove its work and a clear line between preparing an action and executing it.
What you can do
If you are already experimenting with AI agents, audit the verification layer before adding more use cases. Ask what evidence the agent uses, which systems it can touch, how outputs are checked, where human approval is required and how failures are logged. If those answers are vague, scaling the agent will multiply risk rather than value.
A practical next step is to pick one operational bottleneck and design the agent with controls from day one. For example: a document agent that cites sources, respects permissions, routes uncertain cases to a person and writes every decision to an audit trail. That is less glamorous than a live demo, but it is the difference between AI that impresses once and AI that can safely run inside the operation.