devops-automation icon indicating copy to clipboard operation
devops-automation copied to clipboard

Published 20 hours ago verified publisher icon finos

How are FINOS members approaching adoption of AI Code Assistants?

Open ashukla13 opened this issue 1 year ago • 4 comments

AI Code Adoption Approach at Banks There is a lot of interest in adoption of AI Code Assistants like GitHub CoPilot.

How are FINOS member organizations approaching adoption of these tools.

In particular, how are they thinking about the following when it comes to AI Code assistants:

  • Risk considerations and guardrails
  • SDLC controls
  • Integrations and rollout approach (incl. use cases to prioritize)
  • Measuring benefits

ashukla13 avatar Feb 16 '24 16:02 ashukla13

@cnygardtw will you be able to provide a view on what ThoughtWorks is seeing across regulated organizations re. adoption of AI Code Assistants like GitHub CoPilot

ashukla13 avatar Mar 18 '24 00:03 ashukla13

@cnygardtw will you be able to provide a view on what ThoughtWorks is seeing across regulated organizations re. adoption of AI Code Assistants like GitHub CoPilot

Sure, I'll be able to provide some background on our experiences.

cnygardtw avatar Mar 19 '24 12:03 cnygardtw

Minutes from discussions from DevOps SIG SMEs form March SIG meeting (#182 ):

  • These tools are code assistants. They don't replace the developer. Developers are still responsible for the generated code, including reviewing suggestions from AI code assistants for accuracy and conformance with existing policies - no different than code they wouldwrite without the use of such tools.
  • All code generated by such tools should be subject to existing SDLC controls and processes; including multiple human in loop controls - for requirements, code review (4 eyes check), code scanning (including for security vulnerabilities), and testing
  • Consider from a risk perspective:
    • information security (incl. data flow)
    • legal
    • privacy
    • model governance
    • misuse/abuse of chat features beyond technical questions
  • Other things to consider in discussions with AI code assistant vendors - esp., from a legal and contractual perspective:
    • Input (prompt/context) retention or use for training models (beyond custom models that you specifically want to train)
    • Code suggestions violating license/copyright agreements; some vendors offer indemnification and/or filtering of certain types of output
  • Would help vendors shared more information on how they implement some of the risk mitigations - risk groups may want this level of detail_
    • Consider having a session with AI code assistant tool vendors so they can explain how they mitigate the risks outlined above.
  • Did not get to discussion on metrics to consider to track benefits and also the potential issues (e.g., defects); this will be discussed in a separate meeting (likely April)

ashukla13 avatar Mar 21 '24 16:03 ashukla13

Minutes from discussions from DevOps SIG SMEs form March SIG meeting (#182 ):

  • Such tools are code assistants. They don't replace the developer. Developers are responsible for the generated code, including reviewing suggestions from AI code assistants for accuracy and SDLC policy conformance - no different than code they write without the use of AI code assistants

  • All code generated by such tools will be subject to current SDLC controls and processes; including multiple human in loop controls - for requirements, code review (4 eyes check), code scanning (including for security vulnerabilities), and testing

  • Consider from a risk perspective:

    • data flow/information security requirements
    • legal
    • privacy
    • model governance
    • misuse/abuse of chat features beyond technical questions

  • Other things to consider in discussions with AI code assistant vendors - esp., from a legal and contractual perspective:

    • Input (prompt/context) retention or use for training models (beyond custom models that you specifically want to train)
    • Code suggestions violating license/copyright agreements; some vendors offer indemnification and/or filtering of certain types of output - Would help vendors shared more information on how they implement some of the risk mitigations - risk groups may want this level of detail
    • Consider having a session with AI code assistant tool vendors so they can explain how they mitigate the risks outlined above.

  • Did not get to discussion on metrics to consider to track benefits and also the potential issues (e.g., defects); this will be discussed in a separate meeting (likely April)

Code Generation Indemnity Further Reading referenced on today's call

Existing policies: https://blogs.microsoft.com/on-the-issues/2023/09/07/copilot-copyright-commitment-ai-legal-concerns/ https://cloud.google.com/blog/products/ai-machine-learning/protecting-customers-with-generative-ai-indemnification

Reporting coverage: https://www.runtime.news/ai-vendors-promised-indemnification-against-copyright-lawsuits-the-details-are-messy/ https://learn.g2.com/ai-code-generators-legal-considerations

karlmoll avatar Mar 21 '24 21:03 karlmoll