Research Note

Specification-Driven Development Market Analysis

Enterprise Platform vs. Standalone IDE: AWS Kiro vs. GitHub + Microsoft Ecosystem

Paula Silva — Software GBB Americas | Microsoft Latam GBB
March 2026
Page 2 / 7

2. The Platform Thesis: Why SDD Tooling Alone Is Not Enough

Enterprise software development requires far more than a specification workflow. It requires security scanning, governance, compliance, multi-cloud deployment, agent orchestration, observability, model diversity, and integration with business data and processes. This section maps the full platform architecture that surrounds and amplifies SDD in the GitHub + Microsoft ecosystem — capabilities that have no equivalent in a standalone IDE.

2.1 GitHub + Microsoft: End-to-End Enterprise Platform

Layer 5: Enterprise Data
Work IQ M365 Copilot Copilot Studio
Layer 4: Developer Experience
Spec Kit Copilot SDK APM Claude Code
AWS
Kiro
IDE
Layer 3: Agent Orchestration
Foundry GitHub Models Agentic Workflows
Layer 2: Governance
Purview DSPM Content Safety
Layer 1: Security
GHAS Defender AW Firewall MCP Gateway

Layer Details

Layer 1: Security & DevSecOps

GitHub Advanced Security (GHAS)
  • CodeQL semantic code analysis
  • Secret scanning (pre-commit + push protection)
  • Dependabot + EPSS risk scoring
  • Copilot Autofix for AI-generated remediation
  • Code review with AI-assisted quality checks
Microsoft Defender for Cloud
  • Multi-cloud security (Azure + AWS + GCP)
  • Runtime-to-code vulnerability mapping
  • Bidirectional GHAS integration (Ignite 2025)
  • Opens GitHub issues from runtime findings
  • Copilot Autofix triggered from Defender alerts
Agentic Workflow Security
  • Agent Workflow Firewall (domain allowlists, Squid proxy)
  • MCP Gateway (fine-grained data access, DIFC guards)
  • Zero-secret agent architecture
  • Three-container sandbox design
  • Defense-in-depth: substrate → config → planning
  • Forensic logging at all trust boundaries

Layer 2: Governance, Compliance & Content Safety

Microsoft Purview
  • Data Security Posture Management for AI (GA April 2026)
  • Automated weekly risk assessments (top 100 SharePoint sites)
  • DLP policies protecting agent data flows
  • AI Observability across agent behavior
  • Outcome-based remediation workflows
  • Regulatory templates for AI governance
Azure AI Content Safety
  • Content filtering on agent inputs/outputs
  • Prompt shield (injection protection)
  • Groundedness detection for agent responses
  • Integrated into Foundry evaluation pipeline
  • Custom category creation per industry
  • Multi-language support for LATAM

Layer 3: Agent Orchestration & Model Freedom

Azure AI Foundry
  • 11,000+ models (Claude Opus/Sonnet, GPT-5, Gemini, Llama, DeepSeek)
  • Three agent types: prompt, workflow, hosted
  • Managed identity (Entra) for agents
  • Evaluation framework (safety, quality, grounding)
  • MCP native tool integration
  • Versioning and rollback for production agents
GitHub Models + Copilot
  • BYOK: AWS Bedrock, Google AI Studio, OpenAI, Anthropic, xAI
  • Organization-level model governance
  • Copilot coding agent (autonomous PRs)
  • Copilot CLI (terminal-native agents, model selection)
  • Agentic memory system (7% PR merge improvement)
  • 4.7M paid subscribers; 50K+ organizations
GitHub Agentic Workflows
  • Natural language → GitHub Actions compilation
  • 50+ reusable workflow templates
  • Continuous AI: 8 use cases (docs, triage, a11y, quality)
  • GenAIScript for programmable prompts
  • AI Inference Action (native model access in CI/CD)
  • Human approval gates at critical points

Layer 4: SDD Workflow & Developer Tooling

GitHub Spec Kit (SDD)
  • MIT license, agent-agnostic
  • spec.md → plan.md → tasks/ → implement
  • Constitution.md for architectural guardrails
  • 25+ agent platform support
  • Gated phases with human checkpoints
  • 78.5K GitHub stars
Copilot SDK + APM
  • Multi-language agent SDK (TS, Python, Go, .NET, Java)
  • Agent Package Manager (apm.yml)
  • Compiles to AGENTS.md, CLAUDE.md, .cursor/
  • Security audit (apm audit — detects hidden Unicode)
  • Portable agent configuration across teams
  • CI/CD-native via GitHub Actions
Claude Code + Anthropic
  • Claude models in GitHub Copilot (Opus 4.6, Sonnet 4.5)
  • Claude Code plan mode for safe analysis
  • Context engineering: calibrated abstraction, token budgets
  • Tool design for agents: minimal, non-overlapping
  • Agent architecture: workflows vs agents patterns
  • Just-in-time retrieval, sub-agent delegation

Layer 5: Enterprise Data & Productivity Integration

Microsoft Work IQ
  • M365 data: emails, calendars, docs, Teams
  • Natural language querying via MCP server
  • Microsoft Entra authentication
  • Cross-platform (Windows, Linux, macOS)
  • GitHub Copilot CLI + VS Code integration
M365 Copilot + Copilot Studio
  • Workflow agents for cross-Office automation
  • Copilot Tuning for domain-specific models
  • Agents Client SDK (Android, iOS, Windows)
  • VS Code extension for agent development
  • 90%+ Fortune 500 adoption

Platform Integration Summary

The GitHub + Microsoft stack delivers SDD as one layer within a five-tier enterprise platform: Security (GHAS + Defender + AW Firewall + MCP Gateway) → Governance (Purview DSPM + Content Safety) → Agent Orchestration (Foundry + GitHub Models BYOK + Agentic Workflows + Copilot coding agent) → Developer Experience (Spec Kit + Copilot SDK + APM + Claude Code) → Enterprise Data (Work IQ + M365). No standalone IDE can replicate this integration depth.

2.2 AWS Kiro: Standalone IDE

Kiro is a VS Code fork (Code OSS) with built-in SDD workflows (requirements → design → tasks), agent hooks, steering rules, and MCP support. It uses Claude Sonnet 4.5 and Haiku 4.5 via Amazon Bedrock. Key capabilities include EARS-notation structured requirements, property-based testing (PBT) auto-generated from specs, checkpointing for agent rollback, CLI agent, multi-root workspace support, and background automation (docs, unit tests, code optimization).

As a standalone IDE, Kiro's enterprise integration is limited to IAM Identity Center (SSO via Okta, Entra), S3 conversation logging, GovCloud (US) availability, and IP indemnity for paid tiers. It does not include dedicated security scanning, governance, compliance automation, multi-cloud agent orchestration, enterprise data integration, or model diversity. Teams adopting Kiro must separately procure and integrate these capabilities — but those integrations are not native to Kiro.

Adoption: 250,000+ developers in first 3 months. Notable enterprise customer: TNL Mediagene. Startup program offers 1 year Pro+ for eligible startups.

AWS Kiro Enterprise Integration (Limited)

  • IAM Identity Center (SSO via Okta, Entra)
  • S3 conversation logging
  • GovCloud (US) availability
  • IP indemnity for paid tiers
  • Missing: Security scanning, governance, multi-cloud orchestration, enterprise data integration, model diversity
← Previous: Executive Summary
Back to Report Index
Next: SDD Comparison →
Paula Silva — Software GBB Americas | Microsoft Latam GBB | March 2026