Company
Date Published
Author
Nigel Douglas
Word count
1001
Language
English
Hacker News points
None

Summary

With the recent shake-up around CVE funding and broader questions about long-term support for cybersecurity infrastructure, controlling what you can is more important than ever. Modern software development practices rely heavily on CI/CD systems, which serve as the primary conduit from a developer's local environment to production. The adoption of DevOps practices and microservices has diversified the CI/CD landscape, introducing a broader and more complex attack surface that threat actors are increasingly targeting. One key risk is Inadequate Flow Control, where an attacker exploits weak or missing safeguards within the CI/CD pipeline to push unauthorised or malicious code without triggering any manual checks or secondary validation. This can be achieved through various means such as committing code to a monitored branch that automatically triggers deployment, using manual triggers to deploy unauthorised code, or publishing malicious updates to shared libraries used in production. To mitigate this risk, businesses should establish controls that require multiple layers of validation, including enforcing strict branch protection rules, limiting and auditing auto-merge rules, requiring multi-person approval for deployments, and monitoring and detecting production drift. Integrating security-focused tools such as Sigstore, Scorecard, SLSA, and Allstar can also help strengthen the CI/CD security posture.
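One way to check the branch protection and multi-person approval controls named above, as an added example that is not code from the original article. It assumes the repository is hosted on GitHub, that the input uses the field names of GitHub's branch protection REST response, and that two approvers is the chosen policy; the sample settings are constructed.

```python
# Added example: audits branch protection settings for flow-control gaps.
# Assumption: input dicts use the field names of GitHub's branch protection
# REST response; MIN_APPROVERS is a policy choice, not a value from the article.
MIN_APPROVERS = 2

def _enabled(protection, key):
    """GitHub wraps boolean settings as {"enabled": bool}; absent means off."""
    return bool((protection.get(key) or {}).get("enabled", False))

def audit_flow_control(protection):
    """Return a list of findings; an empty list means no gaps were found."""
    if not protection:  # None or {}: branch has no protection rule at all
        return ["branch is unprotected: any push reaches the pipeline"]
    findings = []
    reviews = protection.get("required_pull_request_reviews")
    if not reviews:
        findings.append("no pull request review required before merge")
    else:
        count = reviews.get("required_approving_review_count", 0)
        if count < MIN_APPROVERS:
            findings.append(f"only {count} approval(s) required, want {MIN_APPROVERS}")
        if not reviews.get("dismiss_stale_reviews", False):
            findings.append("approvals survive new commits (stale reviews kept)")
    if not protection.get("required_status_checks"):
        findings.append("no status checks required before merge")
    if not _enabled(protection, "enforce_admins"):
        findings.append("administrators can bypass the rule")
    if _enabled(protection, "allow_force_pushes"):
        findings.append("force pushes allowed: history can be rewritten")
    return findings

# Constructed sample inputs (not taken from any real repository).
WEAK = {
    "required_pull_request_reviews": {"required_approving_review_count": 1,
                                      "dismiss_stale_reviews": False},
    "enforce_admins": {"enabled": False},
    "allow_force_pushes": {"enabled": True},
}
STRICT = {
    "required_pull_request_reviews": {"required_approving_review_count": 2,
                                      "dismiss_stale_reviews": True},
    "required_status_checks": {"strict": True, "contexts": ["ci/build"]},
    "enforce_admins": {"enabled": True},
    "allow_force_pushes": {"enabled": False},
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("strict", STRICT), ("none", None)):
        print(name, audit_flow_control(cfg))
```

Run against every branch that triggers a deployment; a non-empty result marks a path where a single change can reach production without secondary validation.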