IMO: Open Source in the AI Era, Why Risk Transfer Became the Product

Florian Forster

Founder and CEO

    In early 2025, we changed Zitadel’s license from Apache 2.0 to AGPL 3.0 (see our original post: https://zitadel.com/blog/apache-to-agpl). This post is about what happened after that and what we experienced building and operating an open source infrastructure project in the age of AI.

    The Signal We Saw Early

    When we made the license change in early 2025, the discussion focused on cloud providers and unfair value extraction. That was true, but it wasn’t the full picture. The deeper signal was that we believed the traditional open source funnel was already breaking — and that AI would fundamentally change it, though not in the way we fully understood at the time. We began to suspect that in an era of abundant code, the value of open source was no longer compounding through distribution, but shifting toward something AI couldn't generate.

    Looking at the industry in 2026, this is no longer theoretical. Across the broader OSS ecosystem, many projects that relied on casual search-driven discovery saw that layer weaken dramatically. What shifted was not demand, but the shape of discovery. Basic how-to questions are now resolved inside large language models before a developer ever opens a browser tab. If your sustainability depended purely on top-of-funnel attention, you felt that shift immediately.

    We didn’t make this move reactively. We moved because we realized the old rules of open source were expiring, and we wanted to pioneer a sustainable path that would allow us to stay open, honest, and independent.

    AI Didn’t Steal Our Code — It Qualified the Lead

    For years, open source ran on an implicit exchange: we publish high-quality code and documentation; in return, we get traffic, mindshare, and eventually customers.

    AI inverted that exchange.

    Developers paste errors into a chat box and get answers instantly. AI now acts as a ruthless pre-sales engineer: it answers the commodity questions and filters noise before a human ever evaluates vendors. Our own data shows that traffic originating from ChatGPT accounts for thousands of highly engaged human sessions, with long visit durations and deep page views across documentation, pricing, and deployment guides. These are not bots scraping content; they are architects and developers clicking cited sources after an AI-assisted evaluation. The docs are still being read, but increasingly by high-intent humans who arrive later in the decision cycle.

    The code is still used, more than ever. What changed is the entry point: AI reduces casual attribution but amplifies qualified evaluation. Instead of broad, low-intent traffic, we increasingly see concentrated, high-intent sessions that reach pricing, deployment, and architecture documentation.

    This is what I call the top-of-funnel collapse. It didn’t hurt everyone equally, but it punished projects that relied on visibility rather than accountability.

    Code Is Cheap. Trust Is Not.

    One uncomfortable truth of 2026 is that code has become a commodity. AI can generate decent implementations faster than any team. What it cannot generate is trust.

    Our B2B SaaS customers are not paying Zitadel for a simple login button or another OAuth flow. They pay us because delegated access management and authentication in a B2B SaaS multi-tenant system are sensitive, mission-critical, and often regulated. When you serve enterprise tenants, you must guarantee isolation, uptime, compliance, and auditability — and that risk does not disappear just because the code is open. They want guarantees.

    What we actually sell these days is risk transfer.

    We take on the responsibility for uptime, security response, compliance artifacts, regular external penetration tests, active vulnerability disclosure programs, and long-term maintenance. SLAs, SOC 2 reports, public security advisories, audit trails, CVE disclosures, and threat intelligence are not features — they are insurance policies. The fact that our public security advisory page is active is not a sign of weak software, but of radical transparency. Transparency is not a marketing tactic for us; it is a core value. We publish advisories, disclose vulnerabilities, and document our security posture publicly because trust in infrastructure is earned through visibility, not silence. This value is fundamentally immune to AI disruption because it is about accountability, not syntax.

    Clarity Beats the Hiding Game

    The industry response to this pressure has been revealing.

    Some projects stopped shipping binaries to force sales. Others moved to non-OSI licenses with vague boundaries. A few went fully closed.

    We took a different route.

    AGPL 3.0 is not a loophole. It is a clear contract. You can use Zitadel freely, modify it, and even run it in production. If you turn it into a service without contributing back, we ask you to engage with us commercially. That’s not hostility — it’s reciprocity.

    We did not hide the code. We did not break our community promise. We simply made the value exchange explicit.

    Internally, we often describe this as Code or Contribution. If you build on Zitadel and improve it, contribute that work back. If you use it commercially at scale without contributing code, then contribution can also mean cash — through support contracts, SaaS subscriptions, or enterprise self-hosting agreements. Both are valid forms of reciprocity. In practice, our SaaS offering is largely product-led and self-service, while commercial self-hosting deals are often enterprise engagements focused on compliance, SLAs, and long-term operational guarantees. Importantly, we have also seen meaningful code contributions from organizations that chose the “Code” path — improvements, integrations, and fixes that strengthen the core for everyone. Reciprocity works best when both paths are real.

    Clear licensing is a feature. Hidden source is a bug.

    Open Source Is a Supply Chain Now

    Modern infrastructure projects are no longer small libraries maintained on weekends.

    Zitadel is a security-critical, cloud-native monorepo spanning a lightweight Go backend, an event-driven architecture, Angular and Next.js frontends, generated APIs, SDKs, documentation, and release pipelines. Every dependency update, security advisory, and CVE response matters. Keeping this entire surface area secure and coherent against modern vulnerabilities is not hobbyist work. This is supply chain engineering.

    The hobbyist model cannot sustain this level of responsibility. Revenue is not a betrayal of open source. It is what funds the hygiene that everyone depends on, including free users. This is my core conviction: infrastructure-grade open source is not sustained by ideology alone (just look at the recent maintainer burnout and deprecation of the community ingress-nginx), but by durable economic structures. If we expect production-critical systems to be secure, audited, and accountable, we must also accept that someone has to be paid to carry that responsibility.

    Projects like Kubernetes or Keycloak are sometimes cited as counterexamples, but they exist within ecosystems heavily backed by large corporations or foundations such as the CNCF. The same is true for Linux itself. The Linux kernel remains open source not because it runs on volunteer goodwill alone, but because thousands of engineers are paid by companies whose businesses depend on it. Corporate payroll and foundation funding are economic structures too — just less visible ones, and a form of commercial support that is simply structured differently. Most independent infrastructure projects do not have that luxury. For them, sustainable revenue is not an optional ideology; it is the only way to guarantee long-term security, maintenance, and accountability.

    This is effectively a dual-licensing model built around our Code or Contribution principle: AGPL 3.0 for openness and reciprocity, and commercial agreements for organizations that prefer to contribute financially rather than through code. That structure is how we pay for security engineers, audits, and the boring but essential work that never shows up in a demo.

    What This Means for Open Source Going Forward

    I believe open source is not dying. But it is stratifying.

    Some projects will remain passion-driven and small, and that is healthy. Others, especially those that sit in the critical path of production systems, must adopt models that acknowledge economic reality.

    Instead of fighting AI crawlers, we are embracing them. We actively optimize our documentation for Generative Engine Optimization (GEO), including machine-readable resources like our llms file (especially for the docs) and work on agent-facing improvements like AGENTS.md. If AI systems are becoming the first reader of technical documentation, we want them to have precise, structured ground truth about Zitadel’s cloud-native, event-sourced architecture. We feed the AI the syntax, so the human can evaluate the trust.

    For us, the honest answer in all of this is to stay open, demand reciprocity, and monetize responsibility rather than basic features. By selling risk transfer and compliance to enterprise customers, we fund the core open-source engine. That allows the efficiency-driven developer to pull our Docker image, deploy a secure identity layer in minutes, and use 2FA, passkeys, and modern protections without hitting a paywall or worrying about the project disappearing. Our mission is to give everyone a safe platform to start building — whether through open source or through a commercial agreement that transfers operational risk. Instead of restricting security, we concentrate pricing differentiation in areas like compliance, reporting, SLAs, and enterprise-grade guarantees — where the value lies in accountability, not in withholding protection.

    A year in, I am convinced this was not just the right choice for Zitadel — it was the only one that preserved both our values and our future.

    Florian
