<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Governance &#183; PiniShv</title><link>https://pinishv.com/tags/governance/</link><description>Pini Shvartsman leads AI transformation inside a 100+ engineer SaaS org. Field notes on autonomous engineering: AI-powered execution, human accountability.</description><generator>Hugo -- gohugo.io</generator><language>en</language><copyright>© 2026 Pini Shvartsman</copyright><lastBuildDate>Fri, 24 Apr 2026 16:00:00 +0300</lastBuildDate><atom:link href="https://pinishv.com/tags/governance/index.xml" rel="self" type="application/rss+xml"/><item><title>100 Days to the EU AI Act Deadline. Your Engineering Team Hasn't Started.</title><link>https://pinishv.com/articles/eu-ai-act-100-days-engineering-not-started/</link><pubDate>Fri, 24 Apr 2026 16:00:00 +0300</pubDate><guid>https://pinishv.com/articles/eu-ai-act-100-days-engineering-not-started/</guid><description>August 2, 2026 is the enforcement deadline for EU AI Act high-risk obligations. From today, that&amp;rsquo;s exactly 100 days. In most orgs, the legal team is tracking this and the engineering team hasn&amp;rsquo;t been formally told what they need to ship. By July that gap will not be recoverable. Here&amp;rsquo;s what Articles 5, 12, 14, and 50 actually require when you translate them into code, and a 100-day plan to ship on time.</description><content:encoded>&lt;p>Today is April 24, 2026. The EU AI Act&amp;rsquo;s enforcement deadline for high-risk AI systems is August 2, 2026. That&amp;rsquo;s exactly 100 days.&lt;/p>
&lt;p>In most engineering organizations, the legal team is tracking this. The compliance team is tracking this. The engineering team has not been formally told what they need to ship by August.&lt;/p>
&lt;p>By July, that gap will not be recoverable. Not because the work is impossible. Because the work requires sprint capacity that wasn&amp;rsquo;t planned for.&lt;/p>
&lt;h2 class="relative group">Who this actually applies to
&lt;div id="who-this-actually-applies-to" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#who-this-actually-applies-to" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h2>
&lt;p>Before anything else, kill the myth that this is &amp;ldquo;a European company problem.&amp;rdquo;&lt;/p>
&lt;p>The EU AI Act applies extraterritorially. If your AI system is used by EU citizens, you are in scope regardless of where your company is headquartered. US-based SaaS with EU customers? In scope. Israeli startup selling to a German bank? In scope. AI feature in a product that&amp;rsquo;s accessible from Europe at all? In scope. Your B2B API is called by someone else&amp;rsquo;s product that serves EU users? Still in scope. Downstream distribution doesn&amp;rsquo;t insulate upstream providers.&lt;/p>
&lt;p>There&amp;rsquo;s no &amp;ldquo;I didn&amp;rsquo;t know&amp;rdquo; exemption. Fines go up to €35 million or 7% of global annual revenue, whichever is higher.&lt;/p>
&lt;p>If you have any customer traffic from the EU, even indirect traffic through a partner, this is your problem.&lt;/p>
&lt;h2 class="relative group">What the law actually requires (in engineering language)
&lt;div id="what-the-law-actually-requires-in-engineering-language" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#what-the-law-actually-requires-in-engineering-language" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h2>
&lt;p>Each critical article, translated into changes in your repo.&lt;/p>
&lt;h3 class="relative group">Article 50: Transparency
&lt;div id="article-50-transparency" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#article-50-transparency" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h3>
&lt;p>&lt;strong>Law:&lt;/strong> Users must be told when they&amp;rsquo;re interacting with an AI. AI-generated content needs machine-readable markers and metadata.&lt;/p>
&lt;p>&lt;strong>Engineering translation:&lt;/strong>&lt;/p>
&lt;ul>
&lt;li>Add a visible UI disclosure anywhere users interact with an AI-driven feature. Not buried in the terms of service. In the flow.&lt;/li>
&lt;li>Attach machine-readable metadata (HTTP headers, EXIF-equivalent content tags) to any AI-generated content your system produces or distributes.&lt;/li>
&lt;li>For chat interfaces, a persistent &amp;ldquo;AI assistant&amp;rdquo; label near the input field is the minimum.&lt;/li>
&lt;/ul>
&lt;p>&lt;strong>What this means for your sprint:&lt;/strong> audit every product surface where a model output reaches a user. Every single one. Add disclosure if missing. Add metadata tagging if content leaves your system.&lt;/p>
&lt;h3 class="relative group">Article 12: Record-keeping
&lt;div id="article-12-record-keeping" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#article-12-record-keeping" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h3>
&lt;p>&lt;strong>Law:&lt;/strong> Every interaction with a high-risk AI system must be logged in a structured, auditable format that a regulator can query.&lt;/p>
&lt;p>&lt;strong>Engineering translation:&lt;/strong>&lt;/p>
&lt;ul>
&lt;li>Structured event logging on every model inference. Inputs, outputs, model version, timestamp, user or tenant identifier, confidence scores if available.&lt;/li>
&lt;li>The log must be queryable. A 12-month pile of unstructured stdout does not count.&lt;/li>
&lt;li>Retention needs to match the regulatory requirement (typically 6 years for high-risk systems).&lt;/li>
&lt;/ul>
&lt;p>&lt;strong>What this means:&lt;/strong> if your current AI feature logs to stdout or to a generic app log, that&amp;rsquo;s not compliant. You need a dedicated audit trail with a proper schema, proper indexing, and retention guarantees.&lt;/p>
&lt;p>&lt;strong>What this costs:&lt;/strong> this is the one that eats the most sprint time. Log schema design, storage tier pricing, indexing for query performance, access controls on the audit store. If you&amp;rsquo;re starting in April for an August deadline, you&amp;rsquo;re already tight.&lt;/p>
&lt;h3 class="relative group">Article 14: Human oversight
&lt;div id="article-14-human-oversight" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#article-14-human-oversight" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h3>
&lt;p>&lt;strong>Law:&lt;/strong> Sensitive AI decisions need a defined path for human review before taking effect.&lt;/p>
&lt;p>&lt;strong>Engineering translation:&lt;/strong>&lt;/p>
&lt;ul>
&lt;li>Identify the decision points where AI output influences high-risk outcomes (hiring, credit, healthcare, legal, education, critical infrastructure).&lt;/li>
&lt;li>At each of those points, there must be a deterministic path that routes the decision to a human before the outcome is final.&lt;/li>
&lt;li>The human must have the actual ability to override the AI&amp;rsquo;s suggestion, not just acknowledge it. &amp;ldquo;Click to confirm&amp;rdquo; with no real friction doesn&amp;rsquo;t count.&lt;/li>
&lt;/ul>
&lt;p>&lt;strong>What this means:&lt;/strong> your AI features that auto-approve, auto-reject, or auto-route need a human gate if the outcome is classified high-risk. The gate has to be real, with a real UI, real authority, and real training for the humans using it.&lt;/p>
&lt;h3 class="relative group">Article 5: Prohibited practices
&lt;div id="article-5-prohibited-practices" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#article-5-prohibited-practices" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h3>
&lt;p>&lt;strong>Law:&lt;/strong> Some AI uses are outright banned. Social scoring of individuals by public authorities, exploitative manipulation of vulnerabilities, certain biometric categorization, real-time remote biometric ID in public spaces.&lt;/p>
&lt;p>&lt;strong>Engineering translation:&lt;/strong>&lt;/p>
&lt;ul>
&lt;li>Content policy filters on inputs before they reach your models.&lt;/li>
&lt;li>A classification layer that recognizes and blocks prohibited use patterns.&lt;/li>
&lt;li>Documentation showing how you prevent your system from being used for prohibited purposes.&lt;/li>
&lt;/ul>
&lt;p>&lt;strong>What this means:&lt;/strong> for most engineering teams, this is the smallest implementation lift, unless you&amp;rsquo;re in a directly affected industry (HR tech, surveillance, credit scoring, biometrics). The documentation burden is still real. Auditors will ask for your prohibited-use risk assessment even when your answer is &amp;ldquo;we don&amp;rsquo;t do any of this.&amp;rdquo; &amp;ldquo;We don&amp;rsquo;t do that&amp;rdquo; is an answer that requires evidence, not a shrug.&lt;/p>
&lt;h2 class="relative group">Why the legal team isn&amp;rsquo;t the bottleneck
&lt;div id="why-the-legal-team-isnt-the-bottleneck" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#why-the-legal-team-isnt-the-bottleneck" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h2>
&lt;p>The legal teams have been on this for a year. The compliance frameworks exist. The consultants are getting 20 to 30% of the budget pie for certification-related work. Vendors are already passing costs through with visible markups.&lt;/p>
&lt;p>None of that ships code.&lt;/p>
&lt;p>The bottleneck is engineering sprint capacity that was never allocated. Specifically:&lt;/p>
&lt;ul>
&lt;li>Audit log infrastructure (Article 12) is an engineering-heavy build&lt;/li>
&lt;li>Human oversight UIs (Article 14) need product and front-end work&lt;/li>
&lt;li>AI feature disclosure (Article 50) needs coordinated UX across every surface&lt;/li>
&lt;li>API inventory and risk classification (prerequisite for all of it) requires engineering time to map&lt;/li>
&lt;/ul>
&lt;p>In organizations doing this well, someone senior on the engineering side already took the brief from legal and translated it into specific issues in the backlog before the end of Q1 2026. If that hasn&amp;rsquo;t happened in your org yet, somebody needs to do it this week.&lt;/p>
&lt;h2 class="relative group">The 100-day plan
&lt;div id="the-100-day-plan" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#the-100-day-plan" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h2>
&lt;p>Here&amp;rsquo;s the realistic minimum. Compress if you have less time. Don&amp;rsquo;t expand if you have more, because you don&amp;rsquo;t.&lt;/p>
&lt;h3 class="relative group">Days 1 to 15 (now through May 9): Inventory and triage
&lt;div id="days-1-to-15-now-through-may-9-inventory-and-triage" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#days-1-to-15-now-through-may-9-inventory-and-triage" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h3>
&lt;ul>
&lt;li>Complete API inventory of every AI-involved endpoint your systems call, produce, or expose.&lt;/li>
&lt;li>Classify each endpoint by risk level under the Act (minimal, limited, high-risk, prohibited).&lt;/li>
&lt;li>Name an engineering owner for each high-risk surface. Not the CTO. An actual engineer who&amp;rsquo;s going to do the work.&lt;/li>
&lt;/ul>
&lt;p>If you do nothing else in the next two weeks, do this. Everything else depends on it.&lt;/p>
&lt;h3 class="relative group">Days 16 to 50 (May 10 through June 13): Build the audit layer
&lt;div id="days-16-to-50-may-10-through-june-13-build-the-audit-layer" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#days-16-to-50-may-10-through-june-13-build-the-audit-layer" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h3>
&lt;ul>
&lt;li>Design and ship a structured event logging system for high-risk AI interactions.&lt;/li>
&lt;li>Retention policy, schema, indexing, access controls. All of it.&lt;/li>
&lt;li>Backfill where you have data. Don&amp;rsquo;t backfill where you don&amp;rsquo;t, but document the gap.&lt;/li>
&lt;/ul>
&lt;p>This is where your engineering budget goes. If you&amp;rsquo;re outsourcing one thing, outsource the rest so engineering can focus here.&lt;/p>
&lt;h3 class="relative group">Days 51 to 80 (June 14 through July 13): Disclosure and oversight
&lt;div id="days-51-to-80-june-14-through-july-13-disclosure-and-oversight" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#days-51-to-80-june-14-through-july-13-disclosure-and-oversight" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h3>
&lt;ul>
&lt;li>Add AI disclosures across every relevant product surface.&lt;/li>
&lt;li>Add machine-readable metadata to AI-generated content.&lt;/li>
&lt;li>Ship the human oversight UIs for high-risk decision points.&lt;/li>
&lt;/ul>
&lt;p>This is where product and design need to stop saying &amp;ldquo;it doesn&amp;rsquo;t affect this quarter&amp;rsquo;s roadmap.&amp;rdquo; It does now.&lt;/p>
&lt;h3 class="relative group">Days 81 to 100 (July 14 through August 2): Documentation and dry-runs
&lt;div id="days-81-to-100-july-14-through-august-2-documentation-and-dry-runs" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#days-81-to-100-july-14-through-august-2-documentation-and-dry-runs" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h3>
&lt;ul>
&lt;li>Complete the technical documentation required for your risk classification.&lt;/li>
&lt;li>Run internal dry-runs of a regulator query. Can you actually produce the audit trail for a specific user&amp;rsquo;s specific interaction from four months ago? If not, fix it now.&lt;/li>
&lt;li>Train the humans doing the oversight role. They need to understand what they&amp;rsquo;re reviewing.&lt;/li>
&lt;/ul>
&lt;h3 class="relative group">The one thing that blows up the plan
&lt;div id="the-one-thing-that-blows-up-the-plan" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#the-one-thing-that-blows-up-the-plan" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h3>
&lt;p>If you&amp;rsquo;re an engineering leader reading this in April, you have time. If you&amp;rsquo;re reading this in July, you don&amp;rsquo;t. The honest answer at that point is to either pull high-risk AI features off your EU-facing product or accept that your first enforcement cycle will go badly. Better said out loud now.&lt;/p>
&lt;h2 class="relative group">What to do this week
&lt;div id="what-to-do-this-week" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#what-to-do-this-week" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h2>
&lt;p>Three things, in order.&lt;/p>
&lt;p>&lt;strong>Monday morning: one-hour sync between your most senior engineer and your most senior compliance person.&lt;/strong> Leave with a shared doc listing every AI-involved product surface. Share with the CTO or VP Eng by end of day.&lt;/p>
&lt;p>&lt;strong>By Thursday: classify every surface&lt;/strong> (minimal, limited, high-risk, prohibited). For high-risk ones, name an engineering owner.&lt;/p>
&lt;p>&lt;strong>By Friday: the audit-log infrastructure team exists and knows what they&amp;rsquo;re building.&lt;/strong> Even if it&amp;rsquo;s two people. Even if one of them is borrowed from a platform team. The work starts now or it doesn&amp;rsquo;t finish.&lt;/p>
&lt;p>The EU AI Act isn&amp;rsquo;t a future problem anymore. It&amp;rsquo;s a planning problem you have this week. It&amp;rsquo;s also where the &lt;a
href="https://pinishv.com/articles/ai-code-cheap-to-produce-not-to-own/">longstanding gap between how fast organizations produce AI code and how slowly they govern it&lt;/a> finally gets priced. In fines. In front of regulators. Most orgs will not realize that until too late. The ones that do now get to ship on time.&lt;/p>
&lt;p>If you&amp;rsquo;re already working on this, I&amp;rsquo;d love to hear what&amp;rsquo;s surprised you. If you haven&amp;rsquo;t started, forward this to whoever decides sprint priorities. Find me on &lt;a
href="https://x.com/PiniShv"
target="_blank"
>X&lt;/a>, &lt;a
href="https://t.me/by_pini"
target="_blank"
>Telegram&lt;/a>, or &lt;a
href="https://www.linkedin.com/in/pinishv"
target="_blank"
>LinkedIn&lt;/a>.&lt;/p>
&lt;hr>
&lt;p>&lt;strong>Disclaimer:&lt;/strong> This article references the EU AI Act and related compliance materials for illustrative and educational purposes. It is not legal advice. You should consult a qualified legal team for compliance specifics in your jurisdiction and industry. Articles, deadlines, and classifications referenced are based on publicly available sources at the time of writing and may change. The opinions expressed are my own. I have no financial interest, business relationship, or affiliation with any specific compliance vendor mentioned. This is commentary, not legal, investment, or business advice.&lt;/p></content:encoded><media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://pinishv.com/articles/eu-ai-act-100-days-engineering-not-started/feature.png"/></item><item><title>AI Makes Code Cheap to Produce. Not Cheap to Own.</title><link>https://pinishv.com/articles/ai-code-cheap-to-produce-not-to-own/</link><pubDate>Thu, 02 Apr 2026 12:00:00 +0200</pubDate><guid>https://pinishv.com/articles/ai-code-cheap-to-produce-not-to-own/</guid><description>AI accounts for 42% of committed code. 96% of developers don&amp;rsquo;t fully trust the output. Only 48% always verify before committing. The gap between how fast we generate code and how well we govern it is the real risk of AI-assisted development.</description><content:encoded>&lt;p>Here&amp;rsquo;s the gap that should worry engineering leaders more than any single AI incident.&lt;/p>
&lt;p>AI made code dramatically cheaper to produce. Boilerplate, scaffolding, internal tools, glue code, first-pass implementations. All faster. I&amp;rsquo;ve &lt;a
href="https://pinishv.com/articles/ai-didnt-replace-software-engineering/">written about this before&lt;/a> and I believe the speed is real.&lt;/p>
&lt;p>But the cost of owning code didn&amp;rsquo;t drop at the same rate. Some of those things got faster too. CI pipelines, SAST, dependency scanning, automated testing. The tooling exists. But having the tools and actually making them the focus are different things. Most teams automate the easy checks and skip the hard ones. And when code volume doubles, even the automated parts need more attention than they&amp;rsquo;re getting.&lt;/p>
&lt;p>The gap between production speed and ownership capacity is where organizations get hurt.&lt;/p>
&lt;h2 class="relative group">What the data says
&lt;div id="what-the-data-says" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#what-the-data-says" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h2>
&lt;p>&lt;a
href="https://www.sonarsource.com/resources/developer-survey-report/"
target="_blank"
>Sonar&amp;rsquo;s developer survey&lt;/a> puts numbers on it: 72% of developers who have tried AI use it daily. AI accounts for 42% of committed code. But 96% don&amp;rsquo;t fully trust the output, and only 48% say they always verify AI-assisted code before committing.&lt;/p>
&lt;p>Half the code isn&amp;rsquo;t being verified by the people who committed it. That&amp;rsquo;s not a tooling problem. That&amp;rsquo;s a discipline gap.&lt;/p>
&lt;p>On the security side, Veracode found risky security flaws in 45% of tests across more than 100 models. Georgetown CSET found that almost half of AI-generated snippets contained bugs that were often impactful. &lt;a
href="https://www.gitguardian.com/state-of-secrets-sprawl-report-2026"
target="_blank"
>GitGuardian&amp;rsquo;s 2026 report&lt;/a> detected 28.6 million new secrets in public GitHub commits in 2025, a 34% increase year over year, with AI-assisted commits leaking secrets at roughly twice the baseline.&lt;/p>
&lt;p>On code quality, &lt;a
href="https://www.gitclear.com/ai_assistant_code_quality_2025_research"
target="_blank"
>GitClear&amp;rsquo;s analysis&lt;/a> found more cloned code, less refactoring, and more short-term churn. A &lt;a
href="https://arxiv.org/html/2601.13597v2"
target="_blank"
>January 2026 study&lt;/a> on autonomous coding agents found static-analysis warnings rising 18% and cognitive complexity up 39%.&lt;/p>
&lt;p>None of this says AI is useless. All of it says code production is accelerating faster than code governance.&lt;/p>
&lt;h2 class="relative group">Where it breaks
&lt;div id="where-it-breaks" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#where-it-breaks" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h2>
&lt;p>The pattern I keep seeing looks the same across organizations.&lt;/p>
&lt;p>AI generates code quickly. The PR looks good. The tests pass (if there are tests). The review is fast because the diff is large and the reviewer is busy. It ships. It works. For now.&lt;/p>
&lt;p>Three months later, someone needs to modify that code and can&amp;rsquo;t understand it because nobody on the team wrote it in a way they&amp;rsquo;d naturally reason about. Or a dependency it pulled in has a vulnerability. Or a license obligation nobody noticed is now a legal question. Or the secrets it embedded are in a log somewhere.&lt;/p>
&lt;p>The cost doesn&amp;rsquo;t show up at generation time. It shows up at ownership time. And by then, the team that generated it has moved on to the next sprint.&lt;/p>
&lt;p>&lt;a
href="https://dora.dev/ai/gen-ai-report/dora-impact-of-generative-ai-in-software-development.pdf"
target="_blank"
>DORA&amp;rsquo;s 2025 AI report&lt;/a> found a negative relationship between higher AI adoption and delivery stability. Their recommendation is one of the oldest engineering lessons: small batch sizes. AI can generate massive blocks of code that are hard to review and test. Small batches plus strong automated testing are the counterweight.&lt;/p>
&lt;h2 class="relative group">What to change
&lt;div id="what-to-change" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#what-to-change" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h2>
&lt;p>&lt;strong>Same gates for all code.&lt;/strong> AI-generated code goes through tests, review, linting, SAST, dependency scanning, secret scanning, and license checks. No exceptions. The standard is &amp;ldquo;would we be comfortable owning this in production?&amp;rdquo;&lt;/p>
&lt;p>&lt;strong>Small batches, always.&lt;/strong> Resist the temptation to let AI generate a 500-line PR. Break it up. Review it in pieces. The speed gain from generation is worthless if it creates a review and maintenance bottleneck downstream.&lt;/p>
&lt;p>&lt;strong>Track provenance.&lt;/strong> If you can&amp;rsquo;t answer what third-party components entered through AI, what licenses apply, and who owns the output, you don&amp;rsquo;t understand what you shipped.&lt;/p>
&lt;p>&lt;strong>Measure ownership, not output.&lt;/strong> Escaped defects. Rework rate. Time-to-understand for someone new. Rollback frequency. These tell you whether code is owned, not just produced.&lt;/p>
&lt;p>&lt;strong>Budget for the ownership layer.&lt;/strong> If your team is spending 80% of its capacity generating code and 20% on everything else, flip that conversation. The generation is the cheap part now. The ownership is where the investment needs to go.&lt;/p>
&lt;h2 class="relative group">The one-line version
&lt;div id="the-one-line-version" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#the-one-line-version" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h2>
&lt;p>AI made the first draft cheap. It didn&amp;rsquo;t make the second year cheap. Plan accordingly.&lt;/p>
&lt;hr>
&lt;p>&lt;em>How is your team handling the gap between code production speed and governance capacity? I&amp;rsquo;d love to hear what&amp;rsquo;s working. Find me on &lt;a
href="https://x.com/PiniShv"
target="_blank"
>X&lt;/a> or &lt;a
href="https://t.me/by_Pini"
target="_blank"
>Telegram&lt;/a>.&lt;/em>&lt;/p></content:encoded><media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://pinishv.com/articles/ai-code-cheap-to-produce-not-to-own/feature.png"/></item><item><title>'I Only Built a Small Script for Myself.' That Might Be the Most Dangerous Sentence in Your Company.</title><link>https://pinishv.com/articles/shadow-ai-most-dangerous-sentence/</link><pubDate>Thu, 02 Apr 2026 10:00:00 +0200</pubDate><guid>https://pinishv.com/articles/shadow-ai-most-dangerous-sentence/</guid><description>35% of developers access AI coding tools through personal accounts. AI lets one person bypass every paved road the organization built, very fast and very quietly. Shadow AI isn&amp;rsquo;t about rogue employees. It&amp;rsquo;s about productive people touching systems the company is responsible for.</description><content:encoded>&lt;p>&amp;ldquo;I only built a small local script for myself.&amp;rdquo;&lt;/p>
&lt;p>That sentence, from a well-intentioned engineer who just wanted to automate something tedious, might be the most dangerous thing happening inside your organization right now.&lt;/p>
&lt;p>Not because the engineer is malicious. Because AI changed what one person can do in an afternoon. And the organization&amp;rsquo;s controls weren&amp;rsquo;t built for that.&lt;/p>
&lt;h2 class="relative group">The old version of this problem
&lt;div id="the-old-version-of-this-problem" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#the-old-version-of-this-problem" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h2>
&lt;p>Shadow IT has been around forever. Someone signs up for a SaaS tool with their personal email. A team spins up an AWS instance outside the approved account. A developer installs an unsanctioned browser extension. IT security has been playing whack-a-mole with this for decades.&lt;/p>
&lt;p>But the old version had natural friction. Building useful software took time. One person couldn&amp;rsquo;t do that much damage alone because one person couldn&amp;rsquo;t build that much alone.&lt;/p>
&lt;p>AI removed that friction.&lt;/p>
&lt;h2 class="relative group">What shadow AI actually looks like
&lt;div id="what-shadow-ai-actually-looks-like" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#what-shadow-ai-actually-looks-like" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h2>
&lt;p>An engineer uses their personal Claude or ChatGPT account to build an internal tool. They don&amp;rsquo;t think of it as shadow AI. They think of it as being productive. The tool works. It saves the team time. Everyone&amp;rsquo;s happy.&lt;/p>
&lt;p>But that tool may touch production credentials. It may pull in five packages nobody approved. It may embed an API key. It may process customer data. It may send data to an AI provider through a personal account with consumer-grade privacy terms. It never goes through SAST, SCA, secret scanning, license review, or architecture review.&lt;/p>
&lt;p>&lt;a
href="https://www.sonarsource.com/resources/developer-survey-report/"
target="_blank"
>Sonar&amp;rsquo;s developer survey&lt;/a> says 35% of developers access AI coding tools through personal accounts rather than work-sanctioned ones. &lt;a
href="https://docs.github.com/en/code-security/concepts/code-scanning/about-code-scanning"
target="_blank"
>GitHub&amp;rsquo;s code scanning&lt;/a> analyzes code in a repository. If the code never makes it to a repository, those controls are blind.&lt;/p>
&lt;p>One person. One afternoon. Zero oversight. And because AI made them productive enough to actually ship something useful, nobody questions it until something breaks.&lt;/p>
&lt;h2 class="relative group">Why this is different from old shadow IT
&lt;div id="why-this-is-different-from-old-shadow-it" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#why-this-is-different-from-old-shadow-it" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h2>
&lt;p>The old shadow IT problem was someone using Dropbox instead of SharePoint. Annoying, but contained.&lt;/p>
&lt;p>Shadow AI is someone building a tool that connects to production databases, processes customer records, calls external APIs, and runs on a schedule. In a day. Without anyone knowing.&lt;/p>
&lt;p>The blast radius is completely different. And the speed means it happens before governance can react.&lt;/p>
&lt;p>I wrote about &lt;a
href="https://pinishv.com/articles/claude-code-leak-why-it-matters/">the Claude Code leak&lt;/a> this week. That was a packaging mistake at Anthropic. But the shadow AI version of that story plays out in organizations every day. Not as a public incident. As a quiet accumulation of unmanaged code touching systems the company is responsible for.&lt;/p>
&lt;h2 class="relative group">What to actually do about it
&lt;div id="what-to-actually-do-about-it" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#what-to-actually-do-about-it" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h2>
&lt;p>&lt;strong>Sanction the tools, not just the behavior.&lt;/strong> Give teams approved AI accounts with enterprise privacy terms. If they&amp;rsquo;re going to use AI regardless (and they will), make the sanctioned path easier than the personal one.&lt;/p>
&lt;p>&lt;strong>Make the paved road the fastest road.&lt;/strong> If using the official repo, the official CI pipeline, and the official review process is slower than doing it solo with a personal AI account, people will keep going solo. Fix the incentive.&lt;/p>
&lt;p>&lt;strong>Scan for what you don&amp;rsquo;t know about.&lt;/strong> Look for patterns: API keys in places they shouldn&amp;rsquo;t be, services calling external endpoints you didn&amp;rsquo;t approve, code repos that appeared outside your org&amp;rsquo;s GitHub or GitLab. The stuff you don&amp;rsquo;t know about is the stuff that hurts.&lt;/p>
&lt;p>&lt;strong>Talk about it openly.&lt;/strong> The problem isn&amp;rsquo;t that employees want to be productive. The problem is unmanaged productivity touching systems the organization is responsible for. Frame it that way. Not as a crackdown. As a boundary.&lt;/p>
&lt;h2 class="relative group">The real issue
&lt;div id="the-real-issue" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#the-real-issue" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h2>
&lt;p>Nobody is building shadow AI to cause problems. They&amp;rsquo;re building it because AI made them capable of solving problems nobody else was solving for them. That&amp;rsquo;s a sign of a motivated team. It&amp;rsquo;s also a sign that your official tooling and processes aren&amp;rsquo;t keeping up.&lt;/p>
&lt;p>The fix isn&amp;rsquo;t to ban AI. It&amp;rsquo;s to make the managed path so good that nobody needs to go around it.&lt;/p>
&lt;hr>
&lt;p>&lt;em>Dealing with shadow AI in your organization? I&amp;rsquo;d love to hear how you&amp;rsquo;re handling it. Find me on &lt;a
href="https://x.com/PiniShv"
target="_blank"
>X&lt;/a> or &lt;a
href="https://t.me/by_Pini"
target="_blank"
>Telegram&lt;/a>.&lt;/em>&lt;/p></content:encoded><media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://pinishv.com/articles/shadow-ai-most-dangerous-sentence/feature.png"/></item></channel></rss>