Alberta — a Canadian province, not a tech company — ran Claude Code across 466 million lines of government code. It took 20 hours. Their own estimate for doing the same security review the old way: six and a half years.
Those numbers made the rounds, and they should. But they’re not what made me stop and think. Plenty of teams have pointed an AI at a codebase and gotten a big number back. What Alberta built is different, and the difference is the part worth copying.
They didn’t point AI at the code. They built a system around it.#
Anthropic’s write-up describes what Alberta’s Ministry of Technology and Innovation has been running since 2025, across the systems behind all 27 ministries — 1,280 applications, 3,400 repositories, roughly 95 security controls checked per application.
The pipeline looks like this:
- A rules engine flags known vulnerability patterns first. Deterministic checks do what deterministic checks are good at.
- Claude Code reviews every flag and cites the exact file and line. Not “you may have an injection risk somewhere” — a reference a developer can open and verify.
- A red-team agent attacks the code the way an outside attacker would, mapping real exploitation paths instead of listing theoretical ones.
- A blue-team agent assesses the defenses against international standards and drafts the remediation plan.
- A human engineer reviews and approves before any fix ships. Every time.
Fifty agents ran in parallel. And at the end of the chain, before anything touches production, a person signs.
This is the formula I keep coming back to, and the one I think defines the next few years of engineering: AI executes. A person is accountable.
It’s the same shape I described in Agentic Overwatch: agents doing the volume work, humans running the room. Notice what the engineer’s job became in Alberta’s pipeline — not typing the fixes, but judging the evidence the agents produced. That shift, from doing the work to reviewing the evidence of the work, is the actual transformation. The scan speed is just what makes it visible.
A 25-year-old Java system, rebuilt in four days#
One example from the announcement stuck with me. A Java system written about 25 years ago — five months of original build time — was rebuilt in four to five days. When Claude finds a vulnerability, it can generate the fix, write the missing tests, or rebuild the aging component in a modern language. All of it lands in front of an engineer before it lands anywhere else.
Alberta’s minister put it plainly: they accomplished “in hours what would have taken a traditional approach years to complete.” And they’re not treating it as a one-off — the plan is to consolidate 185 legacy applications into 16 modern ones.
That’s not a demo. That’s a government operating in a world where code is cheap to produce — and putting its accountability structure where the leverage is.
How much of your “too scary to touch” pile is actually just untried tools?#
Every engineering org I know has that pile. The 25-year-old system nobody fully understands. The migration that’s been “next quarter” for six years. We treat it as geologically fixed — too complex, too risky, too expensive to touch.
Alberta’s numbers force an honest question: how much of that pile is genuinely complex, and how much of it is simply we never tried it with the right tools and the right review structure?
Fair caveat: this is one case study, published by the vendor, and the 6.5-year estimate is exactly that — an estimate. The headline numbers need replication before I’d bet a roadmap on them. But the architecture doesn’t need to wait for replication. Rules engine for the known, agents for the volume, adversarial agents checking each other, a human owning the outcome — that pattern is right today, at any scale, whoever writes the code.
The speed is negotiable. The accountability structure isn’t.
Is this a genuine shift or an outlier that needs more proof? I’d take the argument either way — find me on X, Telegram, or LinkedIn.
