AI Under Control: accelerate safely

AgileEnSeine 11 views 43 slides Oct 21, 2025

About This Presentation

Presented by Cyrille Martraire (Arolla) and Dorra Bartaguiz (Arolla) at Agile en Seine on 8 October 2025
The state of the art in AI makes it possible to speed up many tasks of the software-development trades, and is becoming unavoidable. But the generalized use of AI on subj...


Slide Content

AI UNDER CONTROL:
ACCELERATE SAFELY

Thanks to our partners

AI x CRAFT:
DELIVER, FASTER, SAFER

Since yesterday…

You’ve seen
demos…

AI will replace team
devs.

@cyriux @arollafr
U serious?

"AI will replace team devs."
— non-dev team

"AI will NOT replace team devs."
— dev teams

But AI is so impressive for coding!

And a bit dangerous too…

How to do AI?

DORRA BARTAGUIZ, CTO
CYRILLE MARTRAIRE, Co-founder
Arolla: 15 years, €18M revenue, 130 colleagues

arolla.fr @arollafr
TDD | BDD | DDD
crafting architecture
Trainings, Consulting, Projects

BUY OUR BOOKS!

AI for developers.

AI PANORAMA
- LLM & chats: ChatGPT, Claude, Gemini
- Coding Assistants: Copilot, smart autocomplete; Sweep, Continue, CodiumAI, Cogram, MutableAI, Tabnine, Cody, CodeWhisperer
- AI-IDEs: Cursor, Windsurf, Claude Code
- Agentic Assistants: Cline, Roo, Junie
- Mix of simpler tools: repomix, aider
- MCP, A2A…
where to use AI?

Don't look too far to use AI.

Focus on repetitive and laborious tasks.

Exploration
Formulation
Decomposition
Development
Refactoring
Development practices
Automation

AI everywhere, all the time!

What could go wrong?

CodeScene, "Refactoring vs Refuctoring": https://codescene.com/hubfs/whitepapers/Refactoring-vs-Refuctoring-Advancing-the-state-of-AI-automated-code-improvements.pdf
AI-based refactoring:
- may not improve the code quality, or even degrade it
- may introduce subtle bugs (e.g. reversed conditions)
- doesn't even always compile

DORA: https://cloud.google.com/resources/content/dora-impact-of-gen-ai-software-development
The "productivity paradox": lots of positives, but:
- 7.2% production instability for every 25% usage of coding assistants (production instability risk)
- Going faster doesn't mean delivering faster

GitClear: https://www.gitclear.com/ai_assistant_code_quality_2025_research
More churn, more duplication. They analyzed 153M lines of code: "the frequency of copy/pasted lines increased 6% faster than our prediction".

'Lines of code' is NOT a measure of productivity!

AI is good at generating tech debt.

AI is so powerful that we risk cognitive overload.

Copilot is lost. How do I get back on track?

git = UNDO button for AI

One more thing

Generating code, not even looking at it.

VIBE CODING: LOWERING THE BARRIER
Demonstrate behavior quickly, get feedback.
Create a POC or MVP without coding.

POC without devs: create a POC or MVP without coding
- DevGPT, Smol Developer, GPT Engineer: frameworks for building MVPs solo
- Bolt: generating a POC/MVP
- AutoGPT, AgentCoder, SWE-agent: promising for automating the development of a whole environment (code, tests, databases...)
- StackBlitz AI, WebContainers AI: useful for POCs
- Replit Ghostwriter: develop online in the Replit IDE for MVPs
- And more…

Vibe coding is VERY good at generating tech debt.

Vibe Wrangling vs. Software Engineering
— Simon Wardley

Vibe Wrangling: "I DON'T care about decisions in code for this thing."
• Emergent discovery.
• Deals with more complex spaces.
• Good for prototypes.

Software Engineering: "I DO care about decisions in code for this thing."
• Dynamic discovery, AI-assisted.
• Deals with more complicated spaces.
• Good for running systems.

VIBE CODING: EXECUTABLE SPECS FTW
Demonstrate behavior quickly, get feedback. Then rebuild using software engineering.

AI everywhere, to go faster!

How to make it safer too?

Your job is software engineering!

It takes good brakes to go fast

AI UNDER CONTROL

Craft AI
The 4 QUADRANTS
by AROLLA

AI Under Control: The 4 Quadrants
(axes: Preventive vs. Defensive, Machine vs. Human)

Machine, defensive: automation after commits
- Linters
- Packmind
- Tests, ArchUnit tests

Machine, preventive: automation before commits
- AI tools rulesets
- Living Documentation, ADRs
- Clean or hide horrors

Human, preventive: knowing what we want
- Training, upskilling
- Mob-programming
- Team standards

Human, defensive: discovering what we really wanted
- Reviews in small batches
- Refactoring decisions
- Retrospectives

Context Engineering!

where to use AI?

Don't look too far to use AI.

AI Under Control: AI to help build control
(the same four quadrants as above; AI can help build the controls themselves)
- explore literature
- help visualize
- generate custom extensions
- help configure tools
- generate tests
- retro-generate doc
- prepare rulesets
- sum up team favorites

A few examples

Prompt: "From the list of source code files of the application, recognize the common architecture patterns used in the application."
Answer (excerpt):
- Domain-Driven Design (DDD): ...
- Layered Architecture: ...
- Adapter Pattern: ...
- Data Access Object (DAO) Pattern: ...
Reverse-engineering documentation (as-is, good naming)

Prompt: "From the list of source code files of the application, and knowing it conforms to the hexagonal architecture pattern, generate a context diagram (as in Simon Brown's C4 model) of it in the dot file format to be rendered as a diagram by graphviz; put the domain in the middle, and list every external touchpoint around, putting on the left the ones using the domain, and putting on the right the ones providing value to the domain."
Output: context_diagram.dot
Reverse-engineering documentation (as-is, good naming, plus a hint)

Context diagram (rendered from context_diagram.dot):
- Domain (middle): Basket, Coordinates, DistanceUnit, FuelCardMonitoring, FuelCardTransaction, FuelCardTransactionReport, FuelEconomy, FuelCard, GeoDistance, Geocoding, LocationTracking, Merchant, Money, Vehicle, VolumeUnit
- External touchpoints (using the domain on the left, providing value to the domain on the right): FuelCardTxListener, ReportDAO, SmartGISGeoCodingAdapter, WebServiceGPSTrackingAdapter, VehicleDatastore, FuelCardResource, ReportResource, FuelCardJMXBean
Reverse-engineering documentation

Prompt: "Please generate a brief ADR file to explain and justify the hexagonal architecture here. This ADR file will be the root of the project in an ADR/ folder."
Adding the documentation to the project (less need for reverse-engineering next time)

?!

ADR (Decision Log) example:

New Claim Management as Single Source of Truth until the claim is accepted by the customer
Accepted on 01/12/2015

Context
We want to avoid confusion arising from unclear authority of data, which consumes developer time to fix failing reconciliations. This requires that only one source of truth (aka Golden Source) can exist at any point in time for a given piece of domain data.

Decision
We decide that Claim Management is the only source of truth (aka Golden Source) for Claim from claim inception until the claim is accepted by the customer, at which time it is pushed to the legacy claim mainframe. From the moment it is pushed, the only source of truth is the legacy claim mainframe (LCM).

In-situ knowledge: less to put into the prompt.

AI UNDER CONTROL (HUMAN + TOOLS)
WE'RE EXPERIMENTING!

AI UNDER CONTROL (HUMAN + TOOLS)
- reverse-engineer tests (characterization tests & oracles)
- guide mass-refactoring, done by deterministic tooling (codemods), under control from static analysis (linter & tools like Packmind)
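As an added illustration (not code from the talk or from Arolla), here is the kind of static check that keeps a mass refactoring "under control": an ArchUnit-style rule, written in Python so it runs stand-alone, asserting that domain modules of the fuel-card example never import adapters. The module names and the source snippets are constructed.

```python
"""Added example (not the talk's code): an ArchUnit-style dependency rule.

Hexagonal architecture: the domain must not depend on adapters. Run this
as a pre-commit or CI check so a codemod or an AI agent cannot invert the
dependency direction without the build going red. The module names follow
the talk's fuel-card example; the sources are constructed for the demo.
"""
import ast

# Constructed sources keyed by file path; a real run would read them from disk.
SOURCES = {
    "domain/fuel_economy.py": (
        "from domain.money import Money\n"
        "from domain.volume_unit import VolumeUnit\n"
    ),
    "domain/fuel_card_monitoring.py": "import domain.fuel_card_transaction\n",
    # Adapter depending on the domain: allowed (outside depends on inside).
    "adapters/report_dao.py": (
        "from domain.fuel_card_transaction_report import FuelCardTransactionReport\n"
    ),
    # Domain depending on an adapter: the violation the rule must catch
    # (constructed; e.g. a refactoring agent inlined a GPS call into the domain).
    "domain/location_tracking.py": (
        "from adapters.web_service_gps_tracking_adapter import WebServiceGPSTrackingAdapter\n"
    ),
}

def imported_modules(source: str) -> set[str]:
    """Fully qualified module names imported by a Python source (relative imports skipped)."""
    modules: set[str] = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            modules.update(alias.name for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            modules.add(node.module)
    return modules

def layer_of(name: str) -> str:
    """The top-level package of a file path or dotted module name is its layer."""
    return name.split("/")[0].split(".")[0]

def check_hexagonal(sources: dict[str, str], inner: str = "domain",
                    outer: str = "adapters") -> list[str]:
    """One message per import from the inner layer to the outer; empty list = conformant."""
    violations = []
    for path, source in sources.items():
        if layer_of(path) != inner:
            continue
        for module in imported_modules(source):
            if layer_of(module) == outer:
                violations.append(f"{path} imports {module}: {inner} must not depend on {outer}")
    return sorted(violations)

if __name__ == "__main__":
    problems = check_hexagonal(SOURCES)
    for problem in problems:
        print("VIOLATION:", problem)
    raise SystemExit(1 if problems else 0)
```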

AI Under Control: Good techniques matter (the same 4 Quadrants)

Software
Engineering
Since 1970

Wow.
That’s
very old,
isn’t it?

Software
Craft
Since 2009

Wow.
That’s
also old,
isn’t it?

http://www.meetup.com/paris-software-craftsmanship/
PARIS SOFTWARE CRAFTERS COMMUNITY
Since 2011.
5000+ members

That’s a
lot of
people,
isn’t it?

Craft: RAISING THE BAR
WORKING CODE IS NOT ENOUGH

Build the right thing.
Build it right.

PROGRAMMING
BY COINCIDENCE

Software Craft

BENEFITS
- TIME TO MARKET
- RELEASE FREQUENCY
- DEFECTS BY RELEASE
- TIME TO RECOVER
- EASIER EVOLUTIONS & MAINTENANCE
- REDUCED COST OVER TIME
- MORE VALUE DELIVERED
- DIGITAL FRUGALITY

It's NOT about AI!

TDD
BDD
DDD
Legacy
Continuous
Delivery
Software
Craftsmanship
FP-style
Clean
Code
DevOps

TDD
Test = Just enough Specification
Code = Just enough Code
Refactor = Just enough Design

Agentic loop
Test = Quality gate
Code = let AI do its thing
Refactor = Human supervision
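An added example (not from the talk) of the "Test = Quality gate" side of the agentic loop, combined with the "reverse-engineer tests (characterization tests & oracles)" idea above: the trusted legacy function is recorded as a golden master, and an AI-produced candidate is accepted only if it reproduces every recorded result. The fuel-economy functions and the reversed-condition defect are constructed.

```python
"""Added example (not the talk's code): a characterization-test gate for AI output.

Step 1 records what the code we already trust does on many inputs (the
oracle, or golden master). Step 2 runs a candidate the AI produced against
that record and accepts it only if every recorded answer is reproduced, so a
subtle regression such as a reversed condition is caught before a human
spends time reviewing it. Functions and data are constructed.
"""
from typing import Callable

def fuel_economy_legacy(litres: float, km: float) -> float:
    """Trusted legacy code: litres per 100 km, 0.0 for a trip with no distance."""
    if km <= 0:
        return 0.0
    return round(litres * 100 / km, 2)

def fuel_economy_candidate(litres: float, km: float) -> float:
    """AI 'refactoring' of the function above, with the guard reversed (constructed defect)."""
    if km > 0:
        return 0.0
    return round(litres * 100 / km, 2)

# Constructed (litres, km) inputs; a real harness would also draw random or production values.
INPUTS = [(0.0, 0.0), (5.0, 0.0), (5.0, 100.0), (7.5, 250.0), (12.0, -10.0)]

def observe(fn: Callable[..., float], args: tuple) -> str:
    """Normalise a call's outcome so that an exception is recorded like any other result."""
    try:
        return repr(fn(*args))
    except Exception as exc:  # a crash is behaviour too; the oracle must capture it
        return f"raises {type(exc).__name__}"

def record_golden_master(fn: Callable[..., float], inputs) -> list[tuple[tuple, str]]:
    """Step 1: characterize the trusted code as it is, with no judgement about correctness."""
    return [(args, observe(fn, args)) for args in inputs]

def gate(candidate: Callable[..., float], master) -> list[str]:
    """Step 2: every divergence from the golden master; an empty list means the gate is passed."""
    failures = []
    for args, expected in master:
        got = observe(candidate, args)
        if got != expected:
            failures.append(f"{args}: expected {expected}, got {got}")
    return failures

MASTER = record_golden_master(fuel_economy_legacy, INPUTS)

if __name__ == "__main__":
    for failure in gate(fuel_economy_candidate, MASTER):
        print("REJECTED:", failure)
```

Only a candidate with an empty failure list reaches the human for the "Refactor = Human supervision" step; everything else is rolled back with git, the UNDO button.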

Pair-Programming

Driver-Navigator

Pair-Programming with AI

Domain
Language
Conversations
Intent
3 amigos

Intent.
Personas.
Specific Language.
Concrete examples.
BEHAVIOR-DRIVEN DEVELOPMENT

Learning to prompt

Intent.
Personas.
Specific Language.
Concrete examples.
PROMPT ENGINEERING

Craft
attitudes

THE SYSTEM
=
THE SOFTWARE
+
THE PEOPLE

The "productivity paradox" (DORA: https://cloud.google.com/resources/content/dora-impact-of-gen-ai-software-development): going faster doesn't mean delivering faster.

Copilot is lost. How do I get back on track?

BABY STEPS

MICRO-SIZE

Generate stuff. Not too much at a time, so you can review.

Generate stuff. If it's hard to review, it's too big.

TASTE FOR SIMPLICITY

NAMING THINGS IS HARD
& IMPORTANT

THE MORE STANDARD THE BETTER
(fogus, @fogus)

LIVING DOCUMENTATION = PROMPT YOU DON'T HAVE TO WRITE

VIRTUOUS LOOP (diagram: BETTER ⇄ BETTER)

REJUVENATE OLD / COSTLY TECHNIQUES
- Testing techniques: property-based testing, parallel run diff analysis, test pyramid, golden master, fuzzing, approval testing, model-based testing, characterization testing, manual test plans…
- Code improvement techniques: macro & large-scale refactorings, large-scale renaming, domain language clustering, reverse-documentation, living documentation

WHAT SKILLS FOR AI

HUMAN SKILLS FOREVER
‣ Investigative skills
‣ Analytical skills
‣ Curiosity / learn to learn

FRUGAL AI - HOW TO BE GREEN WITH AI?

Avoid irrational usage.

Small models FTW! Multiple dedicated models of various sizes (intent extraction, text, coding) or (reasoning, executing).

Great news: AI is powerful! It's so powerful it can replace itself.

FRUGAL AI
1. LLM to solve the problem (a few times)
2. LLM to generate code that solves the problem (from now on, until it drifts)
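An added example (not from the talk) of how "until it drifts" can be made operational: the generated code keeps answering, a sample of requests is still sent to the LLM, and a monitor asks for a regeneration when agreement drops. The intent-extraction rules, the LLM labels and the request stream are constructed, and DriftMonitor is a made-up name.

```python
"""Added example (not the talk's code): detecting when generated code 'drifts'.

Step 1 (assumed done) had the LLM extract intents; step 2 replaced it with
generated deterministic code. A small sample of requests still goes to the
LLM, agreement is scored over a sliding window, and regeneration is
requested when it falls below a threshold. Rules, labels and the request
stream are constructed; no model is called. DriftMonitor is a made-up name.
"""
from collections import deque

# The "generated code": toy keyword rules standing in for what the LLM emitted.
RULES = {"refund": ("refund", "money back"), "cancel": ("cancel", "stop"),
         "status": ("where is", "track")}

def extract_intent(utterance: str) -> str:
    """Deterministic, cheap replacement for the LLM call."""
    text = utterance.lower()
    for intent, keywords in RULES.items():
        if any(keyword in text for keyword in keywords):
            return intent
    return "unknown"

class DriftMonitor:
    """Compare the generated code with sampled LLM answers; decide when to regenerate."""
    def __init__(self, window: int = 50, min_agreement: float = 0.8, min_samples: int = 10):
        self.results = deque(maxlen=window)  # newest observations only
        self.min_agreement = min_agreement
        self.min_samples = min_samples       # never decide on a handful of cases

    def observe(self, utterance: str, llm_intent: str) -> bool:
        agreed = extract_intent(utterance) == llm_intent
        self.results.append(agreed)
        return agreed

    def agreement(self) -> float:
        return sum(self.results) / len(self.results) if self.results else 1.0

    def should_regenerate(self) -> bool:
        return len(self.results) >= self.min_samples and self.agreement() < self.min_agreement

# Constructed (utterance, LLM label) stream: users' wording drifts away from the rules.
STREAM = [
    ("I want my money back", "refund"), ("please cancel my order", "cancel"),
    ("where is my parcel", "status"), ("stop the subscription", "cancel"),
    ("can I get a refund", "refund"), ("track order 42", "status"),
    ("reimburse me please", "refund"), ("terminate the plan", "cancel"),
    ("any update on delivery", "status"), ("give me a chargeback", "refund"),
    ("end my membership", "cancel"), ("ETA for my package?", "status"),
]

def run_stream(stream) -> tuple[float, bool]:
    """Feed a stream through a monitor; return (agreement, regenerate?)."""
    monitor = DriftMonitor(window=12, min_agreement=0.8, min_samples=10)
    for utterance, llm_intent in stream:
        monitor.observe(utterance, llm_intent)
    return round(monitor.agreement(), 2), monitor.should_regenerate()

if __name__ == "__main__":
    print(run_stream(STREAM))  # (0.5, True): time to ask the LLM for new rules
```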

CONCLUSION

History of AI: Louis-Guillaume MORAND, Eric GRENON - Microsoft (DevoxxFR 2023): https://www.youtube.com/watch?v=vQqOV83ZMpE

AI won’t disappear
overnight.
We all have to
adopt and adapt.

If you only use AI for
autocomplete, you
haven’t really started yet.

AI is a general purpose
technology.
There’s no user manual
on how to use it best.

Try things. Learn.

Co-Intelligence: Living and Working With AI, by Ethan Mollick

Try to use AI in everything you do. See for yourself when it's great, or frustrating.
(From the book Co-Intelligence: Living and Working With AI by Ethan Mollick)

AI works best with human help. Be the human that knows how best to help the AI.
(From the book Co-Intelligence: Living and Working With AI by Ethan Mollick)

AI IS OFTEN…
impressive on topics we know little about,
frustrating on topics we know very well.

YOU NEED MORE EXPERTISE, NOT LESS, WITH AI FOR CODE STUFF!

arolla.fr + newsletter
Thank you!