I spent the better part of two decades doing IT governance and cybersecurity work in South Africa, first at PwC, then as one of a small handful of IT internal auditors across the entire Bidvest Group, and eventually as a CISO at Bidvest Data. The through-line of all of that work was a fairly unglamorous principle: systems that aren't governed will eventually hurt you, and the ones that seem most competent are often the ones that need the most oversight. People nod along when you say that about production infrastructure or financial controls, but they look at you funny when you say it about AI coding assistants.

I'm building multiple software products mostly on my own now (medical billing, media audit compliance, news intelligence), and I'm doing it with AI-assisted development in an environment that I designed from scratch. Claude Code and Codex are genuinely good at writing software. They're also genuinely good at writing confident, plausible, subtly wrong software, and at quietly weakening your test suite to make a failure go away, and at spiralling through the same broken diagnosis four times in a row without noticing. Left to their own devices, they will ship broken code with the calm assurance of a contractor who promises your house extension will definitely be done by Friday.

So I govern them. Not because I think AI is specifically bad at development, but because I've spent my whole career watching what happens to systems that don't have controls around them, and the answer is always the same: they work fine until they don't, and then you're standing in the wreckage trying to figure out when things went sideways.

Read the rest on iansharland.com →