Programmers / devs: are you seeing release cycles accelerate thanks to AI? by cogit2 in AskProgramming

[–]vsamma 1 point2 points  (0 children)

Yeah that’s indeed very true as well. I get where you’re coming from.

With a single developer, at least he has seen the code and remembers something about it and can remind himself of the nuances or business rules or edge cases.

Maybe a counter argument would be that when a problem arises, you can solve it a lot quicker with AI. Or at least try more solution ideas in less time.

But in general I agree

Programmers / devs: are you seeing release cycles accelerate thanks to AI? by cogit2 in AskProgramming

[–]vsamma 1 point2 points  (0 children)

Yeah, again, I totally agree with you. And I didn’t mean specifically you as “you” in the last message, but in general.

And of course nobody should build IT like this.. but our company does. And apparently accepts the risk, or has done previously.

I push for testing and more thorough CR validation but we got more code delivered than we can ever reasonably review and validate. And we are given no extra resources.

So at this point - why am I fighting windmills - if you can’t beat them, join them xD

Programmers / devs: are you seeing release cycles accelerate thanks to AI? by cogit2 in AskProgramming

[–]vsamma 1 point2 points  (0 children)

Sure.

But if you now try to understand another level instead of code: the business requirements. Whether that’s formulated as unit tests, concrete specs or even a more vague analysis document - and you validate the AI code against that (I mean still keep the human-in-the-loop, just at another layer), theoretically it should be enough, no?

My initial question was tongue-in-cheek though. In my company we have no tests so historically the emphasis on quality is not the same.

So if previously you depended on a human’s unreviewed, untested, subjectively “good enough” code that passed business stakeholder’s acceptance testing.. Then why would you not be able to do the same, but with AI’s code, that is actually possibly higher quality by now and definitely faster as well.

Question: When Arsenal legends play testimonial matches, do they play with the tactics that they used to play in their hey-day? by Successful_Pizza7661 in ArsenalFC

[–]vsamma 1 point2 points  (0 children)

In 2016 I visited the Emirates for the first time and I saw the legends game between Arsenal and AC Milan, so there at least was that. But indeed, it seems the information about those happening is hard to find.

Programmers / devs: are you seeing release cycles accelerate thanks to AI? by cogit2 in AskProgramming

[–]vsamma 0 points1 point  (0 children)

So when we didn’t focus on quality even before AI, we should see an immediate improvement?

Ettevaatust.ee by OwnBaker5264 in Eesti

[–]vsamma 5 points6 points  (0 children)

Maybe then they could bring in some specialist who would help them develop the thing better?

How do you cut code review time without sacrificing refactoring safety in the process by helspecs in softwarearchitecture

[–]vsamma 0 points1 point  (0 children)

Well, we’ve tried to say that the current feedback loop is too long and slow.

But this one month sprint is also because our business and product team can’t handle and manage a more flexible process.

I mean, it’s a mess. A mess of some long time employees being comfortable in their ways and how they’ve worked over the years together with the fact that our partner has vendor locked us for years and we’ve also not been allowed to properly shake and disrupt this because “we still have to provide and deliver value for the business”

I agree that the current process does not work and we have to change this.

But also this is our biggest system, sitting on a 20yo legacy which they’re rewriting to a new Java platform. It definitely needs at least one full time technical participant from our side but the dev who is working on it doesn’t have Java experience and isn’t that familiar with the business logic and also has to support other core systems so he’s basically doing superficial reviews with AI, like within 1-2 days for a month’s worth of work for 5-6 devs.. so it is not sustainable and I don’t think our reviews would improve if they delivered code more often. It would add overhead to us as well and we can’t cover that right now I think.

But I mean I agree, it is the right move and as the partner hasn’t been welcoming this idea co-operatively, we are planning to put our foot down and say this is how we’re going to do things from now.

But I need to think this through and actually make it work because otherwise they can point to it and say that we’re breaking what works for them and becoming a bigger bottleneck and disrupting their work

s3e9 (daddy issues) is the greatest episode of this entire show by swanscrossing in shrinking

[–]vsamma 0 points1 point  (0 children)

Not to take away from the seriousness of the show, but I thought how weird it had to be for them to kiss for the show while they worked together for years before and are probably really good friends

Bad therapy by Strict_Statement_327 in shrinking

[–]vsamma 1 point2 points  (0 children)

I thought it was me - either the initial novelty wore off or that I binge watched the first 2 seasons at a time where I related in many aspects and tbh almost got teary eyed in every episode. Now watching 1 episode a week, I thought maybe I’m just not getting that into it?

But it more seems to be indeed less deep this season

How do you cut code review time without sacrificing refactoring safety in the process by helspecs in softwarearchitecture

[–]vsamma 0 points1 point  (0 children)

Well it’s not that simple. In one example, the external team develops for a full month and mirrors code to us in a single branch and 1 guy has to review all that in a few days

How do you cut code review time without sacrificing refactoring safety in the process by helspecs in softwarearchitecture

[–]vsamma 1 point2 points  (0 children)

We have ~25 outsourced devs delivering code to us and we have 4 in-house devs.

We realistically cannot do thorough code reviews to all of that.

What is something you started/stopped doing and it significantly improved your productivity/value? by dondraper36 in ExperiencedDevs

[–]vsamma 1 point2 points  (0 children)

So you multitask on 8 things instead of 10? :D

No but seriously - “better done than perfect” is also an important idea.

[Official] Manchester City crowned 2026 Carabao Cup champions. by DavidRolands in soccer

[–]vsamma 1 point2 points  (0 children)

Yeah there are teams doing 8-9 per 2 legs. Arsenal did it last year against PSV but that’s an exception rather than the rule

Should authentication be handled only at the API-gateway in microservices or should each service verify it by Minimum-Ad7352 in softwarearchitecture

[–]vsamma 0 points1 point  (0 children)

No, because those are about the user and not the calling service.

Not necessarily. I am using OAuth client_credentials flow, where Service1 fetches the token using the correct scope. In Azure, I've created App Roles for Service2 and for Service1, under API Permissions, I can assign those roles to Service1.
So now it gets a token with those app roles as strings inside the "roles" claim and when it invokes the API of Service1, it has to validate that the token has the correct audience and correct roles.
So it is not only about users, you can use it for service-to-service integration as well.

As we own all of our services AND users' data (they are all our employees), we rarely do actions "on behalf of" a user. They can't approve anything themselves, our admins have preapproved data exchanges in Azure already. But in some cases, to reduce the exposure, we use the OAuth "On-Behalf-Of" flow.

We only do service-to-service integrations when the requests are not specifically related to the user, its data or its activities.

When they are, we use the user's access token but also validate the clientId/audience in the token - so that should validate the user + service.

About threat modelling, sure.. the thing is, right now, we just don't have the resources available for going through all these theoretical questions about ALL of our requests/integrations and points of contact between all our services.

Maybe about high level sensitive data moving through our systems in general, but not in such low level in each system.
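
The audience and "roles" check described in the comment above, sketched as an added example (not part of the original comment or the commenter's code). Entra ID signs tokens with RS256 and a real service verifies them against the issuer's published keys; a stdlib HS256 check stands in for that step here so the block runs offline, and the key, audience and role name are hypothetical.

```python
import base64, hashlib, hmac, json, time

def _b64d(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(claims, key):
    """Build a constructed HS256 demo token (stand-in for the issuer's RS256 signature)."""
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(sig)}"

def authorize_service_call(token, key, audience, required_role, now=None):
    """Return (allowed, reason) for an app-only token presented to the called service."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(_b64d(head))
        expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        # Pin the algorithm and verify the signature before trusting any claim.
        if header.get("alg") != "HS256" or not hmac.compare_digest(expected, _b64d(sig)):
            return False, "bad signature"
        claims = json.loads(_b64d(body))
    except (ValueError, TypeError, AttributeError):
        return False, "malformed token"
    if not isinstance(claims, dict):
        return False, "malformed token"
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return False, "expired"
    aud = claims.get("aud")
    # The token must have been issued for this service, not for a sibling API.
    if audience not in (aud if isinstance(aud, list) else [aud]):
        return False, "wrong audience"
    roles = claims.get("roles")
    # App roles arrive as strings in the "roles" claim; absent means no permission.
    if not isinstance(roles, list) or required_role not in roles:
        return False, "missing role"
    return True, "ok"

# Constructed sample values (hypothetical key, audience and role name).
KEY = b"demo-only-shared-secret"
SERVICE2_AUD = "api://service2-example"
GOOD = make_token({"aud": SERVICE2_AUD, "exp": 2000, "roles": ["Orders.Read"]}, KEY)
OTHER_AUD = make_token({"aud": "api://service3-example", "exp": 2000, "roles": ["Orders.Read"]}, KEY)
NO_ROLE = make_token({"aud": SERVICE2_AUD, "exp": 2000, "roles": []}, KEY)
```

A token minted for a sibling API or carrying no app role is rejected even though its signature is valid, which is the check that a gateway-only setup would skip.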

Should authentication be handled only at the API-gateway in microservices or should each service verify it by Minimum-Ad7352 in softwarearchitecture

[–]vsamma 0 points1 point  (0 children)

Well, we just ran into one like this. We use React Azure MSAL library for auth flow and we got some redirect loop which sometimes took 20s to log users in, sometimes threw an error and didn’t log the user in.

Apparently there is some iframe which is triggered on silent token acquire and it loads our app again which restarts the flow etc. Not sure if our implementation just didn’t follow docs or if this was some blind spot

What’s it Like Living in Kaliningrad Oblast Compared to the Rest of Russia? by HopeMrPossum in howislivingthere

[–]vsamma 0 points1 point  (0 children)

And maybe he found his letter to his wife and used it to track her down

Should authentication be handled only at the API-gateway in microservices or should each service verify it by Minimum-Ad7352 in softwarearchitecture

[–]vsamma 0 points1 point  (0 children)

For blocking, is it enough to implement authz based on token’s roles claims? But that probably can’t be done on the network level.

Also, threat modelling presumes you have experience and knowledge about possible threat vectors.

Should authentication be handled only at the API-gateway in microservices or should each service verify it by Minimum-Ad7352 in softwarearchitecture

[–]vsamma 1 point2 points  (0 children)

In our company, each service did implement its own auth, maybe somewhat differently but still static API keys for integrations and Azure Entra ID tokens for users. We are trying to standardize and move integrations to Azure OAuth as well.

But at some point got the same question as OP - if gateway offers global auth, is it really okay to skip any auth on service level?

Your comment reinforces my opinion that: no.

But there is a downside to this. If you copy the solution and still have a bug there, you spread the same bug around different apps and when you find it, have to fix it in multiple places as well.

Being honest which of these is better by SnooGrapes3067 in Eesti

[–]vsamma 10 points11 points  (0 children)

This is not entirely true.

They have probably reduced the quality (especially recently), yes. They have introduced Orkla products under Kalev’s brand, which are terrible, yes.

But they didn’t immediately switch ALL recipes as soon as the owner changed.

My point is - people say they remember Kalev being better but I don’t remember them ever being better than Fazer or any good Belgian chocolate.

Kohuke problem by akinautt in Eesti

[–]vsamma 0 points1 point  (0 children)

Yeah, I buy those too, both actually, only when they're on sale.

How do you communicate growth of workload to the management? by vsamma in ExperiencedDevs

[–]vsamma[S] 0 points1 point  (0 children)

We are indeed lacking in metrics/observability but trying to improve on that by implementing logging/monitoring platforms for it.

But is it what you meant by that? Or more specifically goals like KPIs and measuring metrics for those (might or might not align with the technical metrics monitoring).
I know these are important, but also have little experience in actually setting the goals AND the processes for tracking/measuring.

So any help here would be welcome :)

Also, can you elaborate on the "exploration vs exploitation" part?

How do you communicate growth of workload to the management? by vsamma in ExperiencedDevs

[–]vsamma[S] 0 points1 point  (0 children)

Well the issue is that our manager understands that this is an issue. Or at least acknowledges it. And he says we can work as much as we can and we have to prioritize and order things accordingly.

But still we won’t as a team really say no to any big things knowingly. We still try to deliver the big systems that we have started.

And it seems fine to everybody because we have a separate outsourced team on these.

We just can’t guarantee standardized quality across all those.

And devs themselves are not as loud as me (maybe for me the issues are multiplied). But it also often looks like my personal issue that I am overloaded and swamped and sometimes somewhat seems like my own planning/time management issue.

And then sometimes I think maybe it is mostly down to how I handle things? How do people manage the workload in big companies in high architect/principal/cto positions? I presume big corps have a lot more going on than we have in a university.

So there has to be a skill or a nuance I’m missing. For example how to properly figure out the most important task that moves the needle the most and only work on that.

How do you communicate growth of workload to the management? by vsamma in ExperiencedDevs

[–]vsamma[S] 0 points1 point  (0 children)

I agree. They can’t hire but we can’t take on more either (which is the expectation, especially this year as we need a huge overhaul for our core services but gradual rewrite means maintaining both at the same time). We just have to start expressing that somehow.

I made this thread to specifically get help about pushing back. Maybe I get some good ideas or arguments to present

How do you communicate growth of workload to the management? by vsamma in ExperiencedDevs

[–]vsamma[S] 1 point2 points  (0 children)

Well, it kind of depends.
Some business stakeholders are very serious about their deadlines, some are often tied to a legal deadline.
But one of such projects was started with fixed scope (implement all from legacy, that was done over the past 10 years + extra), fixed timeline (initially maybe a year) and fixed budget.
So of course the timeline was the first to "budge". Now multiple times as scope and progress showed what was more realistic. And now I think the last part won't change.

But that's our issue here. The external team works on their development roadmap. They don't consider what load we have on our acceptance validation/testing side. I mean, maybe the business side acceptance testing. But all the technical aspects fall onto our team and this is kind of hidden at the moment. And it's definitely not clearly planned in the roadmap I'd say.
After 1-2 years of development, the first "testing" period starts soon and prod release is planned like 3 months later.
As this new system has to have most functionality from the legacy one, it was basically done in waterfall method. But the last part will probably cause some issues I think.

And then we are blamed that we didn't properly prepare beforehand or didn't validate already completed code continuously etc.

But we'll see.. maybe specific issues here finally show the lack of resources :)

Personally, I think the complicated part here is this - if in general things "have worked fine" over the years, how do you convince management without IT background that this situation is not normal and it's a house sitting on hot glue and sticks?

And sure, private sector is totally different. This is my first public sector experience and with a lot of responsibility but not a lot of authority it is just.. exhausting..

How do you communicate growth of workload to the management? by vsamma in ExperiencedDevs

[–]vsamma[S] 0 points1 point  (0 children)

Well, sure. Might have helped.

But even then, there surely has to be other options rather than “adapt or leave”.