Skip to main content
Back to all posts
9 minFORGE MethodologyApril 4, 2026

What Is the FORGE Methodology? From Tools to Arsenal

Everyone has AI tools. Almost no one has a methodology for using them. FORGE is a six-pillar framework for redesigning knowledge work around autonomous AI agents — and building an arsenal that compounds.

RM

Ryan Macomber

Founder, VibeSec Advisory

Why most AI adoption is failing quietly

Teams are buying AI tools. Usage numbers look great. Then, three months in, leadership asks what actually changed, and the answer is usually: not much.

People are using Claude to summarize emails. They are using Copilot to autocomplete code. They are prompting their way through tasks they could do without it. The tools are getting used. The processes have not changed at all.

This is the Solow paradox for knowledge workers: you can see the AI tools everywhere except in the productivity statistics.

The gap is not the tools. The gap is methodology. Teams are AI-Assisted — they have the tools — but they have not become AI-Augmented, where processes are actually redesigned, or AI-Native, where every repeatable workflow is built for humans and agents working together.

That is what FORGE is for.

What is FORGE?

FORGE is a methodology for mapping and redesigning business processes for the age of autonomous AI agents. It is not a software platform. It is not a prompt library. It is a structured way of looking at how work actually flows through a team and deciding where AI agents can take over discrete steps, where humans need to stay in the loop, and what needs to be in place before any of that goes live.

The methodology has six pillars organized across three phases: Understand, Redesign, and Compound.

The compounding part is what most methodologies miss. Every workflow you redesign using FORGE produces working Skills files — artifacts your team owns and installs. Skill number five builds on skills one through four. After six months, you have a library. After a year, that library is your operating playbook. When someone leaves, their expertise stays as Skills files.

That is not another strategy deck. That is building an arsenal.

Phase 1 — Understand: Baseline

The first pillar is Baseline, and it is the one most teams want to skip.

Without Baseline, everything that follows is built on assumptions. Before touching a single process, FORGE maps how work actually flows today — not the org chart version, but the real one, with every step, every handoff, every tool. It captures what tools are in use (sanctioned and shadow), what the process actually looks like end to end, and the numbers that will prove this worked before anything changes.

Three questions define Baseline: What AI tools is your team currently using? Walk me through one complete cycle of this workflow. What number would prove this workflow change worked?

That last question matters more than it sounds. If you do not agree on the measurement before you change anything, you will spend the back half of the rollout arguing about whether it worked instead of proving it did.

Artifact to produce: FORGE Baseline Report, including tool inventory, process map, baseline metrics (cycle time, touches, error rate, cost), and a standardization recommendation.

Phase 2 — Redesign: Skills, Agents, Guardrails, Schedule

Skills: What can your team actually do with AI?

Skills are captured expertise in repeatable prompts — working .md files that define exactly how an agent performs a task: what inputs it needs, what quality looks like, what guardrails apply. Your team installs them. They work. They compound.

Most organizations skip this step entirely. They buy a tool, run a one-hour demo, and assume people will figure it out. Some do. Most use the tool in ways that are much less valuable than what it is capable of, or in ways that create risk they do not see.

Keep reading with free field-guide resources.

VibeSec Advisory publishes practical research, Skills, workflow examples, MCP notes, prompt injection tests, and AI red-team lessons for builders working with agentic AI.

Skills work is not training in the traditional sense. It is capturing what your best people know how to do and encoding it into files that anyone on the team — or any agent — can execute consistently. When you design agent workflows, Skills are what those agents actually follow.

Artifact to produce: 5 to 10 Skills files for the workflow set, installed in the team's environment. Each Skill includes: purpose, trigger, inputs, steps, output format, quality checks, and linked Guardrails.

Agents: Where does AI actually take over?

An Agent in the FORGE sense is a specialized autonomous worker assigned to specific process steps, with clear scope and a defined handoff structure. Not "an AI assistant you can ask anything." A focused worker with a clear job, specific permissions, and a specific place in the workflow.

The key design decision is the first-pass/second-pass structure: which steps does the agent handle first, and where does the human review? An agent researches prospects and drafts personalized outreach. A human approves before it routes. That is a different workflow, not just a faster one.

Artifact to produce: Agent Architecture Map, showing which agents handle which Skills, scope boundaries, first-pass/second-pass handoff points, escalation paths, and ownership assignments.

Guardrails: What keeps agents in bounds?

Guardrails are everything that keeps agents in bounds and humans in control — verifiable, not aspirational.

They include human approval steps, where a person reviews before the work proceeds. Automated checks that validate output without human intervention. Data boundaries that define what an agent can access and what it cannot. Action limits that specify what an agent is authorized to do in connected systems. And escalation rules that determine what happens when an agent encounters something outside its expected range.

Security lives in the Guardrails pillar because it belongs there. An agent with access to your CRM that can send emails on behalf of your sales team is not just a productivity tool. It is a system with meaningful permissions. The Guardrails around that agent are what make it safe to deploy.

Most AI programs treat security as an afterthought. FORGE treats it as a first-class pillar. Guardrails should be verifiable, not aspirational.

Artifact to produce: Guardrails Specification per workflow, including data access policies, action limits, human approval gates, escalation triggers, alert configurations, and AI policy notes covering approved tools, approved uses, and incident response.

Schedule: When does the process run?

Schedule is what turns a designed workflow into an operational one.

Schedule defines when a process runs, how often, what triggers it, and how the team monitors it. Without explicit scheduling, agentic workflows either run continuously with no oversight or depend on someone remembering to trigger them manually. Most knowledge worker workflows are triggered by "someone remembers on Tuesday." That is the first thing to fix.

Artifact to produce: Schedule Design, including trigger definitions, cadence, monitoring hooks, phased rollout plan (manual trigger → scheduled with human review → fully autonomous), and criteria for when each step removes the human from the loop.

Phase 3 — Compound: Capture

Capture is the pillar that was missing from every previous version of this methodology — and it is the one that changes the math.

Without Capture, FORGE is a one-off exercise. With it, FORGE is a system.

Every workflow redesigned produces Skills files, Guardrails specs, agent configs, and lessons learned. Those artifacts make the next workflow faster to redesign. The team's AI capability compounds. After six months of disciplined FORGE practice, a team has a Skills library of 30 to 50 files, a Guardrails baseline, and a playbook for redesigning new workflows in hours instead of weeks. New hires onboard to AI-native processes. When someone leaves, their expertise stays as Skills files.

Trail of Bits built the same system internally and reached 201 Skills, 84 agents, and 414 reference files. That arsenal did not appear on day one. It compounded.

Artifact to produce: Capture System, including Skills library structure, naming conventions, process for adding new Skills, quarterly review cadence, and a Maturity Scorecard tracking the team's progression from AI-Assisted to AI-Augmented to AI-Native.

The maturity ladder

FORGE uses a three-level maturity ladder to measure progress:

AI-Assisted — The team has tools. People use them individually and inconsistently. No standard, no policy, no measurement. Leadership cannot tell who is using AI or whether it is helping. This is where most teams are.

AI-Augmented — Workflows are redesigned, not just sped up. Agents handle first passes. Humans review and approve. Skills files exist for three to five workflows. The team has a Guardrails baseline. At least one workflow runs on a schedule without manual triggers.

AI-Native — Every repeatable process is decomposed, assigned, bounded, and scheduled. The Skills library is the primary knowledge base — not Google Drive, not "ask Sarah." New processes are designed AI-first. The team measures AI capability as a KPI alongside revenue and pipeline.

How VibeSec Advisory uses FORGE now

The public front door is now the free field guide: research notes, workflow examples, Skill Libraries, prompt-injection lessons, MCP notes, and tool reviews for builders securing agentic AI.

FORGE remains useful as an educational model for mapping a workflow before an agent gets more authority. Use it to name the baseline, capture Skills, assign agents, define guardrails, set a schedule, and preserve lessons.

VibeSec Advisory is no longer using this page as a commercial front door. The next step is to compare the model against the public Skill Library and workflow examples.

Browse the free Skill Library or review the workflow examples.

If your team is using agentic AI tools and your process design has not kept up, that is the gap FORGE closes.

AI Workflows Weekly

Read the archive

Practical notes on governed AI workflows, guardrails, and safer automation. No spam, unsubscribe anytime.

First-party signup with double opt-in. No embedded newsletter iframe, no analytics cookies, and unsubscribe anytime.

Keep testing agentic AI risk.

VibeSec Advisory is a free field guide. Use the research archive, Skill Library, and workflow examples to keep improving what you are building.