Agent Month

Playbooks

Senior-engineer-grade how-to for production AI

Last verified: June 2026 · playbook index

Updated June 2026

The CTO's first 90 days with an AI mandate

If you just got an 'add AI' mandate, the move is to sequence it: cut LLM cost and add evals in the first 30 days, standardize the AI-coding workflow in days 30–60, and ship the first agent-bearing feature in days 60–90. The wins fund the rest.

For: CTO

Updated June 2026

How to build a production MCP server

A production MCP server is auth, scoping, and audit logs — wrapped around a typed tool surface. The patterns are well-known; the 3-week timeline assumes you know which system to expose and a named internal owner.

For: Head of Platform

Updated June 2026

LLM cost optimization playbook: 7 levers, 30–60% savings

Most production AI is paying 3–10x what it should. The wins are in routing, caching, batching, prompt-cache prefixes, and RAG retrieval quality — not in switching models. A 4–6 week engagement consistently finds 30–60%.

For: VP Engineering

Updated June 2026

The AI coding golden path: a 6–10 week rollout

Your engineers are already using Claude Code, Cursor, and Copilot — in a free-for-all. Adoption is real, gains aren't compounding. The fix is a golden path: shared rules, MCP access to the top 3 internal systems, and review hooks that keep quality high. A 6–10 week engagement.

For: Head of DevEx

Updated June 2026

Prompt injection prevention: a production playbook

Prompt injection is the AI-era version of SQL injection: an attacker controls part of the model's input and uses that control to act outside the intended trust boundary. The fix is not "better prompts" — it's a layered control set: input validation, tool authorization, audit logs, and a human approval gate on high-impact actions.

For: CISO / Security Leaders

Updated June 2026

AI code supply chain risk: a compliance playbook

AI code introduces supply-chain risks that traditional AppSec tooling misses — hallucinated packages, training-data-derived snippets, license violations, and the regulatory map that didn't exist in 2024. For healthcare and finance, the playbook is to map each risk to a control, ship the scanner, and document the residual risk for the regulator.

For: CISO / Security Leaders