Andy Ellis
And my vote is you have to put a point where, to your point, they prove something out and then it gets prioritized and traditionally scaled, developed, etc.
Right.
And somebody else takes it over.
Exactly.
I don't think it's going to replace the developers right away.
I've seen some cases where companies try to do that, but it's definitely an accelerator, right, of the, you know, I did 10 plus years of development back in the day and I use it right now and it definitely accelerates the basic work I do.
I think the interesting thing is like people hear AI and they automatically think it's special, but when you ask how are security leaders supposed to think about AI generated code, there's a lot of basic controls that should be applied, whether it's AI or human generated, right?
So like AI generated code could have the same weaknesses as human code.
So the middle ground may be the same CI/CD pipeline as human generated code.
It should have code scanning, secret detection, software composition analysis, like all this stuff that we should have anyhow.
But we do, and I love your point, Andy, need to consider where it's different.
So if you're considering fully agentic development, we should consider human in the loop, if it makes sense, when those risks necessitate it.
AI generated meta tagging may be a thing.
So if someone's going back and looking at code later, they know who has the accountability for it, or AI had the accountability for it, or tie it back to the product.
If a product owner is gonna be using AI, make them be accountable for that code regardless of whether it's AI or not.
The thing that I find interesting, though, in the AppSec or the ProductSec world is SBOM analysis and SCA and all that stuff becomes very important because we don't know where this code is being taken from or where it's being motivated and inspired from.
So, like, that can be very important.
But at the end of the day, the company's got to decide...