DEVOPSdigest

"Don't just launch an AI integration or deploy AI tools because it sounds cool," advises Cassius Rhue, VP, Customer Experience, SIOS Technology(link is external). "Understand the reasons, risks and rewards, and strategy behind your implementation. Be sure to understand all the costs for integration of these tools as well. These costs will go beyond just the price tag on the tool or service."

With this advice in mind, Part 12 of this series features expert recommendations on how to avoid the risks associated with using AI to support software development.

PLAN FOR RESISTANCE

Don't forget to consider the bad as well as the good. Plan for potential challenges to AI adoption, including employee resistance or concern.
Dotan Nahum
Head of Developer-First Security, Check Point Software Technologies(link is external)

PROCEED WITH CAUTION

All tools, including AI tools leveraged in support of development, need to be used with care, handled with caution, and leveraged with some constraint. Don't discount the need for your team's native and natural intelligence remaining front and center of the development process.
Cassius Rhue
VP, Customer Experience, SIOS Technology(link is external)

I recommend companies proceed with AI with extreme caution. AI, in my opinion, is just another tool in the toolbox, but its power and potential should neither be overstated nor underestimated. The desire to create efficiencies and save money will be a very strong driving force. However, I believe some early pioneers will suffer catastrophic disasters if they blindly dive in too deep. At a recent AI and cybersecurity meetup here in Toronto, one of the speakers gave some great advice: Introduce AI into your processes, but never remove human overview at any level. On top of fears that AI will make mistakes, or worse case fantasy scenario take over like HAL 9000 did in the movie 2001: A Space Odyssey, there is also the danger of your AI being hijacked by a bad actor or cybercriminal.
Geoff Burke
Community Manager, Object First(link is external)

UNDERSTAND HOW AI CAN FAIL

The development teams of the future will be building AI into their software, in addition to helping them program. So, they will need to be familiar with all the ways AI can fail. With AI, testing and debugging become even more important. Companies will need to understand that, and make sure that there is sufficient time to test, and that the programmers have the skills needed to test well. Programmers may spend less time writing code, but they'll have to spend more time thinking through all the corner cases, making sure that everything is tested. Don't underestimate the difficulty here: AIs don't make the same kinds of mistakes that we do. Techniques like fuzzing — testing with random input — may become the best way to find out where AIs have failed.
Mike Loukides
VP of Emerging Tech Content, O'Reilly Media(link is external)

ESTABLISH GUARDRAILS

While this is all to the benefit of DevOps teams, it is vital to ensure AI guardrails are implemented across the board for security purposes. By doing so, DevOps teams can rest easy knowing they can remain focused on innovation while maintaining robust protection against evolving threats.
Eoin Hinchy
CEO and Co-Founder, Tines(link is external)

Implementing a robust governance framework to oversee AI integration will help maximize benefits and mitigate any potential risks. Simply put, the easier it becomes to build apps using GenAI, the more crucial and central governance will become to IT's remit.
Jithin Bhasker
GM & VP for the App Engine Business , ServiceNow(link is external)

As companies encourage implementation, it is crucial that customers implement strong governance frameworks and tools to avoid introducing new risks in their business from AI generated code. Adopting best practices is important, but establishing and enforcing these practices ensures adherence to standards and mitigates risks effectively.
Peter White
SVP of Emerging Products, Automation Anywhere(link is external)

DEFINE AI USAGE POLICIES

The AI journey is one of perpetual learning. First and foremost, make sure your company has defined an AI usage policy and a standard set of criteria for evaluating new tools that utilize AI.
Todd McNeal
Director of Product Management, SmartBear(link is external)

A key requirement is to implement an AI policy and ensure it's read and understood by everyone in the company, not just developers. This requires researching the most appropriate LLMs (MS, AWS, Google, etc.) for your organization.
Rupert Colbourne
CTO, Orbus Software(link is external)

IMPLEMENT AN AI MANAGEMENT SYSTEM

Importantly, before AI integration progresses too far, companies should consider leveraging ISO 42001 to build a framework for an AI Management System (AIMS). This proactive approach to governing AI use can help ensure responsible and effective implementation, mitigate risks, and align AI initiatives with organizational goals and ethical standards. Establishing such a framework early can provide a solid foundation for scaling AI use in development processes.
Thomas Fou
VP of Compliance Services, BlueAlly(link is external)

USE SAME OVERSIGHT AS YOU WOULD FOR HUMAN DEVELOPERS

The risks that come to mind for most people are along the lines of "what if AI writes inefficient code? Or code that the engineers don't understand fully?". That's 100 percent a consideration, but it's worth clarifying that I don't see it as a unique risk from AI. I'd argue that sometimes software engineers can write inefficient code, or code that their successor or peers don't fully understand when they leave the company. My advice is to make sure you still maintain the same type of systems with AI in the loop that you would for humans. This includes peer reviews, code documentation, and so on. Having humans in the loop, and accepting from time to time that you may need to adjust, correct, or intervene is key.
Jeff Hollan
Head of Applications and Developer Platform, Snowflake(link is external)

FOCUS ON SECURITY

The security of organizations' IP is the most important thing. It's imperative that users don't sacrifice data security in the name of AI productivity.
Jeff Hollan
Head of Applications and Developer Platform, Snowflake(link is external)

While AI is the shiny new thing all organizations are moving towards, it is important not to rush to capitalize on the benefits of AI. Too often companies overlook application security, leading to significant security gaps, especially at the application layer where sensitive data is most at risk. While executives recognize the need for a new security governance model for AI, only a small fraction of AI projects actually incorporate a security component, reflecting a clear gap.
Chetan Conikee
Co-Founder and CTO, Qwiet AI(link is external)

EVALUATE YOUR DATA SECURITY

Understand your current data policies and where things are stored. What are the crown jewels that make your business tick? Are there proper controls around the human interaction itself as of right now? If not, then do not assume that AI will solve that for you. If your modern data controls aren't in place from a developer standpoint, then it is probably safe to assume there is now a higher risk once AI is supporting the building.
Sean Heide
Research Technical Director, Cloud Security Alliance(link is external)

Utilize AI for Patch Management

Implement smart patching solutions to address third-party vulnerabilities efficiently. AI-driven recommendations can help developers find and remediate software vulnerabilities quickly.
Javed Hasan
CEO and Co-Founder, Lineaje(link is external)

ENSURE TRAINING DATA QUALITY

Data quality can be a great indicator of the tool's performance, so we advise verifying that the AI training data is clean, well-structured, and representative of your development processes.
Dotan Nahum
Head of Developer-First Security, Check Point Software Technologies(link is external)

We should embrace this technology, but we need to do it safely. If machine models are only as good as the training data and methods used to teach them, generative AI models also need supervised training on curated datasets that protect privacy.
Chris Wysopal
Co-Founder and Chief Security Evangelist, Veracode(link is external)

Don't be afraid to use AI for development but ensure that it's coming from trusted sources. AI providers must be clear and transparent about the data and methodology that is used to train their large language models. This applies across all AI-driven tools because the adoption and management of AI becomes significantly more difficult, expensive, and risky without such transparency. When AI models and tools are transparent by default, businesses can spend more time looking for solutions to their problems, rather than worrying about the reliability of the tools they're using.
Keri Olson
VP of Product Management, AI for Code, IBM(link is external)

TREAT AI LIKE AN INTERN

For the time being I'd suggest treating AI for coding or test generation the same way you'd treat someone new on the team, new to your organization. Better yet maybe treat them like an intern or apprentice. Give them some work to do and check it thoroughly. Once you've done that, you'll start to learn what they're good and bad at and when to trust them.
Arthur Hicken
Chief Evangelist, Parasoft(link is external)

TREAT AI RESPONSES AS SUGGESTIONS, NOT THE TRUTH

We need to be cautious and take it as a suggestion and never take a response as 100% truth.
Udi Weinberg
Director of Product Management, Research and Development, OpenText(link is external)

Go to: Exploring the Power of AI in Software Development - Part 13: More Recommendations