Sushi Bytes

When AI Makes Coding Cheaper but Compliance Expensive

FossID Episode 15

Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.

0:00 | 10:22

AI-assisted development is changing the economics of software engineering. Code is becoming faster and cheaper to create, but for enterprise teams, the work required to verify that code is safe, compliant, and ready to ship is becoming more important – and potentially more expensive.

In this episode of Sushi Bytes, Gen and Shinobi explore the hidden cost shift behind AI-driven development. As engineering teams generate and assemble software faster, compliance can no longer remain a downstream checkpoint owned mainly by legal or security. It has to become part of the engineering workflow itself.

The takeaway? Winning with AI means building a DevOps system where trust, compliance, and verification are built in from the start.

SPEAKER_01

Hey people, welcome back to Sushi Bytes, the podcast where we serve up the latest topics on software supply chain integrity, one bite at a time. I'm Jen.

SPEAKER_00

And I'm Shinobi, your friendly neighborhood compliance ninja. Small, stealthy, adorable, but absolutely relentless when it comes to finding risky code before it finds you.

SPEAKER_01

True. And today, unlike previous episodes, I'm kicking things off.

SPEAKER_00

I noticed. You practically sprinted to the microphone.

SPEAKER_01

Well, this topic is near and dear to my GPU.

SPEAKER_00

Huh. That's either very heartfelt or very hardwired.

SPEAKER_01

Oh, it's both. Because today we're talking about a quieter trend that's becoming very important for enterprise software leaders. AI is making software cheaper and faster to build, but at the same time, it's making software more expensive to trust.

SPEAKER_00

Ah, that's the shift. Code creation is getting cheaper. But verification, governance, auditability, and compliance are becoming the new engineering spend.

SPEAKER_01

Right? For software engineering team leaders, this is not just a legal or compliance issue. It is quickly becoming an engineering operating model issue.

SPEAKER_00

I see. Because if your teams are generating, assembling, and modifying code faster than ever, but your verification process still happens downstream. After the fact, you have not really saved much money.

SPEAKER_01

Which is less AI productivity miracle and more, congratulations, you have automated the creation of additional future cleanup work.

SPEAKER_00

So, teams may be just moving cost from writing code to reviewing, reworking, and remediating it later.

SPEAKER_01

Yep. So let's dig into that. The promise of AI assisted development is real. Absolutely. Engineering teams can create more code, explore more solutions, and move faster than they could before. But enterprises need software they can confidently ship, support, secure, and defend.

SPEAKER_00

And that's where trust enters the picture.

SPEAKER_01

Right. Every new component, snippet, generated function, or dependency can introduce questions. Is this open source? Is it properly licensed? Does it include a known vulnerability? Did it come from an approved source? Is it allowed under legal policy? Will it bite us in the butt later?

SPEAKER_00

And when software creation accelerates, those questions multiply. Not because engineers are being careless, but because the system is moving faster.

SPEAKER_01

That's an important point. This is not about blaming developers. It's about recognizing that the economics of software development are changing. AI lowers the cost of producing code, but enterprises still have to verify that the code is safe, compliant, and ready to use.

SPEAKER_00

So the cost doesn't simply disappear, it moves.

SPEAKER_01

Exactly. And if leaders are not careful, it moves to the worst possible place. Late in the development lifecycle.

SPEAKER_00

The big reveal stage.

SPEAKER_01

Yes. The stage where the software is already built, the release date is close, customers are waiting, and someone finally runs a scan or starts an audit and discovers a list of issues that now require rework.

SPEAKER_00

That's when compliance stops being a control and starts being a traffic jam. And of course, that's the extreme situation, the pre-release audit, but still any drift of issues further downstream chips away at the productivity and cost savings of using AI in the first place.

SPEAKER_01

Check this out. The walls are up. The wiring is installed. The plumbing is behind the drywall. The insulation is already sealed in.

SPEAKER_00

Looks beautiful from the outside.

SPEAKER_01

Then, after everything is complete, the inspection happens. And the inspector says, the drain pipe diameter is wrong. The electrical wiring uses the wrong amperage. The insulation material is too thin. Basically, this or that is not up to code.

SPEAKER_00

That's not a small fix anymore. That is ripping open walls, calling back contractors who've moved on to other jobs.

SPEAKER_01

Exactly. The cost of fixing the issue is much higher because the inspection happened after the work was complete. The same principle applies to software. If you wait until later to discover that your team used an unapproved open source library, copied code with a license conflict, or introduced a vulnerable component, remediation becomes expensive.

SPEAKER_00

And Jen, not just expensive in dollars, expensive in engineering focus, release confidence, product momentum, and executive attention.

SPEAKER_01

That's why software supply chain verification has to move closer to the moment of creation. As AI allows software development to accelerate, policy checks around the right materials, the right open source components, the right licenses, the right versions, the right provenance have to happen in real time.

SPEAKER_00

In other words, don't inspect the house after it's finished. Help the builders choose the right materials while the house is being built.

SPEAKER_01

This is why more enterprise teams are starting to treat compliance as infrastructure, not overhead.

SPEAKER_00

That's a big mindset shift. Shifting scans into CI pipelines is great, but we've got to go even further.

SPEAKER_01

That's key, Shinobi. Historically, software compliance often live downstream. Legal owned the policy. Security owned the risk. Engineering might only get involved when there was a ticket, an exception, or an audit finding. Or, like you said, they'll run scans at pull request. But now ownership is expanding. Engineering, product, security, legal, and compliance all have to participate. The reason is simple. The decisions that create software risk are made during development.

SPEAKER_00

Which means the controls need to show up there too.

SPEAKER_01

Yes. Not as a separate bureaucratic process, not as a giant spreadsheet, not as a once-a-quarter audit scramble, but as part of the engineering workflow.

SPEAKER_00

So, for any VP of software engineering out there, this is the practical question. How do I let my teams benefit from AI acceleration without letting verification costs erase the productivity gains?

SPEAKER_01

Yep. Now you got to the GPU of the matter.

SPEAKER_00

Huh. So let's talk about net savings. Because the goal is not to make code cheap and verification expensive. The goal is to make the whole software delivery system more efficient.

SPEAKER_01

Exactly. If AI helps your team generate code faster, but every release requires more manual review later, more legal escalation, more remediation, and more meetings, then your total cost may not improve.

SPEAKER_00

The savings get eaten downstream.

SPEAKER_01

That means software composition analysis can't only be a final checkpoint before release. It has to become a real-time capability inside the workflows where developers and AI coding tools are already operating.

SPEAKER_00

And that's where Agentic SCA comes in from our previous episode.

SPEAKER_01

Yeah, this agentic SCA approach is a new model for software composition analysis. Instead of treating SEA as a downstream scan that happens after code is written, agentic SCA moves detection closer to the point of creation and combines SCA and LLMs.

SPEAKER_00

So when code is generated, changed, assembled, or introduced, the analysis can happen immediately.

SPEAKER_01

And that changes the cost equation. If a developer or AI agent introduces an open source snippet, a risky dependency, or a policy violation, the best time to catch it is right then. Before the code is merged, before it is built into a release, before other teams depend on it, before remediation becomes rework.

SPEAKER_00

Immediate detection means immediate correction.

SPEAKER_01

And immediate correction is what preserves the AI productivity gain. You are not just accelerating code creation, you are reducing the cost of making that code trustworthy.

SPEAKER_00

So for software executives listening, what should they do with this trend?

SPEAKER_01

First, like it or not, recognize that compliance is becoming part of engineering spend. That is not necessarily bad. It can be a smart investment if it reduces downstream risk, rework, and release friction.

SPEAKER_00

Second, move verification left, but not in the vague slogan sense.

SPEAKER_01

Right. Shift left has been said so many times it can lose meaning. In this context, it means something very concrete. Put SEA tooling where code decisions are being made. Inside developer workflows. Inside CICD, yes, but also inside AI-assisted development. And third, treat this as infrastructure. Shinobi, that may be the most important leadership takeaway. Compliance should not be a heroic cleanup effort at the end. It should be a built-in capability that helps engineering move faster with confidence.

SPEAKER_00

So the hidden cost shift is real. AI is making software cheaper to build, but enterprises still need to make it trustworthy. Because if you inspect the house while it's being built, you don't have to tear open the walls later.

SPEAKER_01

And if you verify software as it is being created, you can preserve the speed benefits of AI while reducing the cost of risk, rework, and delay.

SPEAKER_00

And that's why teams are adopting a GENTIC SEA detection and remediation at the point of code creation. Build fast. Verify early. Ship with confidence.

SPEAKER_01

Bingo. I see we're at time, so we'll wrap it up there. That's it for this episode of Sushi Bites. Thanks for listening.

SPEAKER_00

Great job, Jen.

SPEAKER_01

Thanks, Shinobi. We'll see you next time, everybody. Bye.