Skip to content
← Back to Insights
AI in Practice
AI vendorSDLCAI securityenterprise AI

Why Your AI Vendor Promises Too Much

IT companies claim they can deploy AI themselves. Then it turns out they don't follow development processes, skip code review, and expose company data externally. "We can do it ourselves" is the most expensive sentence in IT.

I'm showing the technical director's team at an infrastructure company how Claude Code works. Agentic workflow β€” the model reads code, analyzes context, proposes changes, runs tests. The director nods and says: "Nice. We can do this ourselves."

Three months later, someone from that same company calls me. Not the director β€” someone from the team. They want to talk because "there's a security issue." It turns out their internal team started "deploying AI" β€” sending production client data to external models via API, without sandboxing, without data classification, without any governance. Code generated with AI was going to production without code review. Without tests. Without staging.

"We can do it ourselves" turned into a data leak and code nobody understands.

The Problem Isn't Ambition β€” It's Process

I have nothing against ambition. I actually respect it. The problem is that many IT companies β€” especially those in infrastructure rather than software β€” lack the fundamental development processes that are a prerequisite for safe AI usage.

I'm talking about SDLC β€” Software Development Life Cycle. About code review. About automated tests. About test environments separated from production. About data classification and governance. About the principle that before anything reaches production, it passes through multiple pairs of eyes and automated controls.

These processes aren't formalities. They are security infrastructure. And an AI model is only as good as the process it operates within.

What Companies That "Can Do It Themselves" Don't Know

From my observations, infrastructure companies that declare readiness to deploy AI on their own most often don't know a few things:

How AI models are trained and which SDLC steps their operation depends on. Tools like Copilot, Claude Code, or Cursor don't generate code in a vacuum. Their effectiveness depends on context β€” the repository structure, code quality, whether technical documentation and tests exist. Without these, they generate garbage, and the company has no tools to verify it.

Where company data ends up when it's sent to a model. Without data governance, nobody knows which data is confidential, which can leave the organization, and which shouldn't even reach an internal model. I've seen situations where client data β€” sensitive, covered by NDAs β€” was sent to public APIs without any controls.

That "it works" is not the same as "it's secure." AI-generated code may work. It may pass basic manual tests. But without code review, without static analysis, without regression tests β€” it's a ticking time bomb. It works today. It explodes in production next month.

"We'll Do It Ourselves" β€” The Most Expensive Sentence in IT

I'm not saying an external consultant is always needed. I'm saying that if a company doesn't have a mature development process, deploying AI without oversight is a business risk, not innovation.

Companies that never had SDLC process discipline are suddenly handed tools that generate code at a speed no programmer can match. That sounds like acceleration. In practice, it's acceleration toward a wall β€” because nobody is controlling the quality of what's being produced.

The market says "AI democratization β€” everyone can!" And that's true β€” everyone can start. But not everyone can do it safely and sensibly. Especially companies that can't tell staging from production.

What Should Come First

Before a company starts deploying AI in its products and services, it should answer a few questions:

  • Do we have a defined development process (SDLC) and are we following it?
  • Do we have data classification and know what can leave the organization?
  • Does every piece of code β€” regardless of whether a human wrote it or a machine generated it β€” go through code review and testing?
  • Do we have separate development, test, and production environments?
  • Does someone in the company understand how AI models work and what their limitations are?

If the answer to any of these is "no" or "I don't know" β€” it's not the time for "we'll do it ourselves." It's the time for a readiness audit and an honest reckoning with what's missing.

Collaboration, Not Ego

The best AI deployments I've seen combined the company's ambition with external oversight of the process. Not because the company was incompetent. Because someone from outside sees blind spots that the internal team doesn't notice β€” because they're too close.

AI is not a space where it pays to prove you "can do it yourself." It's a space where it pays to prove you can collaborate β€” safely, with process discipline, with responsibility for data and quality.

Dear Reader, if you recognize these patterns in your company or your vendors β€” let's talk. I invite you to get in touch β€” Leszek Giza.

Interested in AI consulting?

30-minute free consultation β€” book now.

Book a call β†’+48 516 210 516

Related articles