AI Speed Creates Its Own Risk
In 2024, New York City launched an AI-powered chatbot designed to help business owners navigate city regulations. The goal was straightforward. Entrepreneurs and small business owners could ask questions and receive immediate guidance on permits, hiring requirements, labor regulations, and other compliance issues. The system sounded knowledgeable, responded quickly, and projected confidence. There was just one problem …
Journalists and researchers soon discovered that the chatbot was providing inaccurate information on a variety of legal and regulatory topics. In some cases, it advised employers they could take actions that appeared to violate labor laws. In others, it offered guidance that conflicted with existing regulations. The chatbot wasn’t intentionally deceptive. It was doing exactly what large language models are designed to do: generate plausible answers based on patterns in data. Plausible and correct are not the same thing.
A Dangerous Assumption
What struck me about this story wasn’t the chatbot’s mistakes. Software systems have always contained bugs and inaccuracies. What caught my attention was how many people assumed the AI’s confidence was evidence of its accuracy.
As organizations rush to integrate AI into software development, we’re creating systems that can generate code, write documentation, produce test cases, recommend architectural decisions, and even suggest security controls. The productivity gains are extraordinary. Tasks that once required hours can now be completed in minutes.
Yet the New York City chatbot illustrates an important lesson: AI can generate an answer long before it can guarantee the answer is correct. That reality sits at the heart of AI risk management.
Speed Creates Its Own Risk
A lot of today’s tech leaders approach AI primarily as a productivity tool. They focus on accelerating development cycles, reducing costs, and increasing engineering output. Those benefits are real, and companies that ignore AI risk falling behind competitors who embrace it.
The challenge is that speed can create its own form of risk.
A developer who writes code manually has time to think through design decisions, edge cases, and potential consequences. When AI generates hundreds of lines of code instantly, that natural pause disappears. The development process becomes faster, but the opportunity for flawed assumptions to enter the system also increases.
At Sonatafy, we’ve reviewed AI-generated code that looked polished and professional while containing security vulnerabilities, inefficient database queries, and subtle logic errors. Nothing appeared obviously wrong. In fact, the code often looked better than what an average developer might write from scratch.
That is precisely what makes the risk so difficult to manage. The issue isn’t poor quality. The issue is misplaced trust.
AI-generated code should be treated as a first draft, not a finished product. Every recommendation should be reviewed. Every architectural suggestion should be challenged. Every security control should be validated independently. AI can accelerate the work, but it cannot replace engineering judgment.
Security is a Significant Concern
Many developers interact with AI systems by sharing code snippets, logs, architecture diagrams, and production issues. In the rush to gain efficiency, organizations sometimes overlook the possibility that sensitive information is being exposed to external systems.
A developer troubleshooting a customer issue may paste confidential data into a chatbot. An engineer may upload proprietary source code to generate recommendations. A product manager may share strategic plans while creating requirements documents.
Each individual action appears harmless. Yet collectively, they can create serious exposure.
That’s why effective AI governance begins with clear rules. Teams need to understand which AI tools are approved, what information can be shared, and how sensitive data should be protected. Organizations that skip this step frequently discover their governance gaps after a problem occurs rather than before.
The Erosion of Expertise
There’s another risk that receives far less attention than it deserves. The gradual erosion of expertise. One reason experienced engineers are valuable is that they understand context. They know why previous decisions were made. They recognize patterns from past failures. They understand tradeoffs that aren’t obvious from documentation alone.
AI doesn’t possess that organizational memory.
As development teams become increasingly dependent on AI-generated solutions, there is a danger that engineers begin accepting recommendations without fully understanding them. Junior developers may receive answers without developing the skills required to evaluate those answers critically. Over time, this can create an organization that becomes highly efficient while becoming less capable.
That may sound contradictory, but it isn’t. Efficiency and capability are not always the same thing.
The organizations that will succeed with AI are not the ones that automate the most tasks. They’re the ones that preserve human judgment while using AI to eliminate repetitive work. They understand that technology should amplify expertise, not replace it.
Managing AI risk ultimately comes down to discipline. It requires strong code reviews, rigorous testing, security validation, clear accountability, and continuous monitoring. These practices were important before AI arrived. They are even more important now.
I also believe leaders need to evaluate both sides of the equation. Most organizations measure the value AI creates. Fewer measure how effectively they are using AI to create that value. Even fewer assess the unintended consequences.
AI can accelerate development, but is it increasing technical debt? AI can reduce costs, but is it weakening institutional knowledge? AI can improve efficiency, but are teams becoming too dependent on automated recommendations?
Those are the questions that matter. Are you ready to answer them?




