For businesses operating in highly regulated industries, zero-risk-tolerance policies often delay AI adoption. Although irresponsible AI use certainly carries risks, intentional implementation gives AI the potential to boost productivity, reduce risk, and increase profits. Furthermore, failing to implement AI is a risk of its own in the current tech landscape, because carrying legacy technical debt can create a bigger risk than moving forward with AI. In this blog, we’ll discuss how, by treating AI adoption like a graduated driver’s license, firms can reduce the risks of AI usage by building competency, trust, and safety rails before the AI ever “touches the wheel.”

Risk management has been on my mind a lot this past year since I have a 16-year-old daughter who began driving this year in the lovely (but busy) city of Washington, DC. Getting her license opens up the opportunity for her to drive herself to her sports practices, her summer job and to go run errands for me – so I selfishly want her to succeed at this so that I have more time back in my own day. And yet, getting her license also means not just knowing how to drive on quiet side roads, but also knowing how to merge onto five-lane highways at speed. The risks are real and unforgiving.

Just like teaching a child to drive can be daunting, so too can adopting AI, especially in a highly regulated environment such as the financial industry, where risk tolerance is very, very low. However, AI adoption can also be a huge opportunity to modernize legacy code bases, fix operational vulnerabilities, tighten testing practices, and free up human time to really think about where we should be headed. So the question remains: how can firms balance the real risks with growth and new opportunities? Essentially, how do we treat AI like a student driver?

Phase 1: AI in Review & Suggestion Mode

In this first phase of adoption, AI is “in the car” but only as a highly observant passenger. It has zero access to the pedals or the wheel. For organizations in risk-averse industries, the first step toward AI integration can be as simple as using AI exclusively for analysis of the past and review of the present. As an observer, AI can perform shadow code reviews of human PRs and make non-binding suggestions. Over time, developers build trust in the workflow as the AI flags potential security vulnerabilities or logic errors.

In addition to reviewing current changes, much like a passenger studying the map so the driver does not get lost, AI in this permit phase is able to track down and document business requirements and changes that were lost to time. For example, how many of your current developers understand what transformations are applied by that old COBOL code sitting on a server in the corner? And how many could figure out what would break in the user-facing web application should that COBOL code stop working? By crawling legacy code bases, AI is capable of reverse engineering requirements and data flows and drawing attention to otherwise overlooked critical functionality.

As an observer, the AI is also able to identify unexpected hazards along the way. Tasking AI to find existing security flaws and missing test coverage in legacy systems provides an opportunity for human “drivers” to benefit from an additional set of eyes as they evolve the system. 

Throughout this phase, we have the opportunity to prove the AI’s “eyes” work before we trust its “hands.” In this way, we make sure the AI understands the road signs and laws before it gets its hands on the wheel.

Phase 2: AI Graduates to Simple Tasks

As firms become more comfortable with the presence of AI and AI’s ability to understand their technology and business needs, they will be ready to let AI put its hands on the wheel. But in this phase, we are just driving in an empty parking lot and human developers will still keep a hand on the emergency brake.

In this phase firms select simple tasks for AI to attempt. Potential introductory tasks include fixing small bugs, upgrading libraries to respond to a security vulnerability, introducing new scripts to automate deployment, or even adding missing unit and integration tests. Once the AI has attempted a task, engineers run the resulting code through a battery of automated compliance and quality scanning tools like Snyk and SonarQube, as well as independent validation, before finally proceeding to a human review. This Swiss cheese model for reviews substantially reduces the risk of AI-generated code wreaking havoc on a critical system. And, perhaps most importantly, it still requires a human to review the generated code.
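The layered review described above can be enforced as a merge gate rather than left to habit. The following is an added example, not code from the original post: a small Python policy check in which every layer (required scanners, independent validation, and a human approval) must pass independently, so a clean scanner run never waives the human review and an AI account never counts as a reviewer. The layer names, the bot account name, and the sample change requests are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical layer names; map them to whatever your scanners (e.g. Snyk, SonarQube) report.
REQUIRED_SCANS = frozenset({"dependency-audit", "sast", "quality"})
# Constructed identity of the AI coding agent; approvals from it must not count as human review.
AI_ACCOUNTS = frozenset({"ai-assistant"})


@dataclass
class ScanResult:
    tool: str
    passed: bool
    findings: list[str] = field(default_factory=list)


@dataclass
class ChangeRequest:
    id: str
    author: str
    scans: list[ScanResult]
    validation_passed: bool                      # independent validation, e.g. tests in a clean environment
    approvals: list[str] = field(default_factory=list)  # accounts that approved the review


def evaluate_gate(cr: ChangeRequest) -> tuple[bool, list[str]]:
    """Return (mergeable, reasons). Every layer must pass; no layer waives another."""
    reasons: list[str] = []

    # Layer 1: every required scanner ran, and none reported a failure.
    ran = {s.tool for s in cr.scans}
    for tool in sorted(REQUIRED_SCANS - ran):
        reasons.append(f"required scan did not run: {tool}")
    for s in cr.scans:
        if not s.passed:
            reasons.append(f"{s.tool} failed: {'; '.join(s.findings) or 'no details'}")

    # Layer 2: independent validation outside the AI's own environment.
    if not cr.validation_passed:
        reasons.append("independent validation failed")

    # Layer 3: a human, other than the author and not the AI agent, approved the change.
    human_approvers = [a for a in cr.approvals if a not in AI_ACCOUNTS and a != cr.author]
    if not human_approvers:
        reasons.append("no human reviewer approved (AI or author approvals do not count)")

    return (not reasons, reasons)


def _all_pass() -> list[ScanResult]:
    return [ScanResult(tool, True) for tool in sorted(REQUIRED_SCANS)]


# Constructed sample change requests opened by the AI agent.
SAMPLES = {
    "clean": ChangeRequest("CR-1", "ai-assistant", _all_pass(), True, ["jdoe"]),
    "vuln": ChangeRequest(
        "CR-2", "ai-assistant",
        [ScanResult("dependency-audit", False, ["constructed finding: vulnerable transitive dependency"]),
         ScanResult("sast", True), ScanResult("quality", True)],
        True, ["jdoe"],
    ),
    "unreviewed": ChangeRequest("CR-3", "ai-assistant", _all_pass(), True, ["ai-assistant"]),
    "unvalidated": ChangeRequest("CR-4", "ai-assistant", _all_pass(), False, ["jdoe"]),
}


def gate_report() -> dict[str, bool]:
    """Mergeability of each sample, keyed by sample name."""
    return {name: evaluate_gate(cr)[0] for name, cr in SAMPLES.items()}


if __name__ == "__main__":
    for name, cr in SAMPLES.items():
        mergeable, reasons = evaluate_gate(cr)
        print(f"{cr.id} ({name}): {'MERGEABLE' if mergeable else 'BLOCKED'}")
        for r in reasons:
            print(f"  - {r}")
```

In a real pipeline the `ChangeRequest` fields would be filled from the scanner reports and the code-review platform's approval data; the point of keeping the layers as separate checks is that the reasons list shows exactly which slice of the Swiss cheese the change failed to get through.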

In this phase, the AI begins to add real value by doing work on its own, and at the same time demonstrates that it can execute without veering off course or breaking existing standards and compliance rules.

Phase 3: AI Operates on Complex System Features 

Let’s be honest, AI isn’t ready for a “full license”, but it is ready to do some serious highway driving so long as the human is still guiding the direction and could grab the hand-brake from the passenger seat if needed. If the AI is at the wheel, the human still plays a crucial role as the Strategic Navigator and Safety Officer.

As a strategic navigator, engineers are responsible for validating the planned approach and architecture before AI starts the engine, and are responsible for watching the road once we’re on the move. Because AI can generate code much faster than humans can naturally digest it, teams face a unique risk of creating a ‘comprehension gap’ where the software evolves faster than the team’s understanding of it. The human’s primary role is to slow things down when necessary, to ensure this gap doesn’t widen to a degree that it threatens the maintainability of the system.

Using AI in this manner requires a strict framework, which is where an approach like Spec-Driven Development (SDD) shines. Under SDD, you don’t just let the AI drive; you give it a strict digital boundary called a “Constitution”: your firm’s non-negotiable architectural and security standards. From there, engineers act as strategic navigators, feeding the AI precise feature specifications covering everything from usability concerns to system integration to non-functional requirements. The AI then builds the features iteratively, constructing a single piece, waiting for human review, and incorporating feedback before moving on to the next section. This controlled, iterative approach ensures that while the AI might be doing the heavy lifting, it is rigidly bound to the rules you’ve established.

SDD also helps streamline auditability through improved documentation, since every turn the AI takes is logged in markdown. Beyond the resulting code, each decision the AI makes can be traced back to the queries it was given and to the initial specification.
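To make the Constitution and the traceability concrete, here is an added example (not code from the original post, and not a description of any particular SDD tool): a Python check that a reviewer can run on one iteration before accepting it. The Constitution is modelled as a list of forbidden code patterns, the specification as numbered requirements, and the AI's markdown decision log as bullet lines that cite a requirement ID. The check rejects an iteration if the generated code matches a Constitution rule, if a logged decision cites a requirement that does not exist, or if a requirement in scope has no decision recorded for it. The rule format, the requirement IDs, and both sample iterations are constructed assumptions.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    id: str
    description: str
    forbidden: str  # regex that must NOT match the generated code


# Hypothetical "Constitution": non-negotiable standards expressed as forbidden patterns.
CONSTITUTION = [
    Rule("C1", "No dynamic code execution", r"\b(eval|exec)\s*\("),
    Rule("C2", "No hard-coded credentials", r"(?i)(password|secret|api_key)\s*=\s*['\"][^'\"]+['\"]"),
    Rule("C3", "TLS certificate verification must not be disabled", r"verify\s*=\s*False"),
]

# Hypothetical specification: requirement IDs the AI must address in this iteration.
SPEC = {
    "R1": "Export the monthly statement as CSV",
    "R2": "Record who requested the export in the audit log",
}

# A decision-log line looks like: "- [R2] Wrote requester id to the audit log ..."
DECISION_RE = re.compile(r"^- \[(?P<req>R\d+)\]\s+(?P<text>.+)$", re.M)


def check_constitution(code: str) -> list[str]:
    """IDs of Constitution rules the generated code violates."""
    return [r.id for r in CONSTITUTION if re.search(r.forbidden, code)]


def check_traceability(decision_log: str) -> tuple[list[str], list[str]]:
    """Return (unknown_refs, uncovered): cited IDs not in the spec, and spec IDs never cited."""
    cited = {m.group("req") for m in DECISION_RE.finditer(decision_log)}
    unknown = sorted(cited - SPEC.keys())
    uncovered = sorted(SPEC.keys() - cited)
    return unknown, uncovered


def review_iteration(code: str, decision_log: str) -> dict:
    """Combined verdict for one AI-built piece; 'ok' is True only when every check is clean."""
    violations = check_constitution(code)
    unknown, uncovered = check_traceability(decision_log)
    return {
        "ok": not (violations or unknown or uncovered),
        "violations": violations,
        "unknown_refs": unknown,
        "uncovered": uncovered,
    }


# Constructed sample iteration that respects the Constitution and covers both requirements.
GOOD_CODE = '''
import csv, io

def export_statement(rows, requester):
    audit_log.record("statement-export", requester)
    buf = io.StringIO()
    csv.writer(buf).writerows(rows)
    return buf.getvalue()
'''
GOOD_LOG = (
    "- [R1] Used the standard csv module instead of adding a third-party dependency.\n"
    "- [R2] Recorded the requester in the audit log before building the file.\n"
)

# Constructed sample iteration that breaks two rules and cites a requirement that does not exist.
BAD_CODE = '''
import requests
API_KEY = "sk-constructed-placeholder"

def export_statement(rows, requester):
    resp = requests.post("https://example.invalid/export", json=rows, verify=False)
    return resp.text
'''
BAD_LOG = (
    "- [R1] Delegated the export to an external service.\n"
    "- [R9] Disabled certificate checks to get past a proxy error.\n"
)

if __name__ == "__main__":
    print("good iteration:", review_iteration(GOOD_CODE, GOOD_LOG))
    print("bad iteration: ", review_iteration(BAD_CODE, BAD_LOG))
```

Because the decision log and the specification are plain text, the same check can run in CI against the markdown the AI produced, which is what turns "every turn is logged" into something an auditor can actually verify rather than a convention the team hopes is followed.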

By defining clear boundaries and implementing iteratively, organizations are able to maintain control and ensure that they aren’t adding new risk vectors. If used with intention, AI can even handle the testing, security, and documentation work that humans (and budgets) frequently don’t have time for.

Trust in AI is Earned in the Passenger Seat

You don’t hand the keys to a high-performance vehicle to someone who hasn’t proven they can navigate a parking lot. Why should AI be any different? For financial services firms, proper supervision and clear boundaries mean the path to AI adoption carries less risk than it might initially appear to.

As my daughter learns to drive the streets of DC, I’ve realized my own role has shifted. I’m no longer the one with my hands on the wheel, but I am the one scanning the horizon for the hazards she can’t see yet. This is the future of the engineers in highly regulated industries. We are moving away from manual-labor coders towards Strategic Navigators. We aren’t losing control; we are gaining a higher vantage point. Using AI allows our best minds to stop worrying about syntax and start focusing on systems.

By modernizing with a well-trained AI at the wheel and an expert human as the navigator, we can finally move at the speed the market demands without sacrificing the safety our industry requires. If you’re interested in discussing AI adoption at your organization, we’d love to connect.