Product Owners - Considerations for your next project with suppliers

Scott Jones - Front-end Developer & Designer

25 March 2024

Here at Goldmund, we've been openly publishing more and more articles on the use of AI. We've tried to find a balanced truth in this topic, which is commonly over-hyped or under-played depending on biases and interests.

In this article, we want to start addressing Project Managers, Product and Business Owners about some considerations and things to think about when it comes to finding a reliable partner for your software and technical needs.

Disclaimer

Using AI tools can potentially expose sensitive information about your organization—not just code, but also structural and personal details. Your API keys and other confidential information could theoretically be stored or trained on, along with potentially sensitive data about users, team members, and other exploitable information.

When using any AI tool, assume that anything you share can be stored, reviewed or used for training, and only share information that is neither sensitive nor confidential.

Legal & Commercial advice

In this article we mention considerations, but do not provide specific legal or commercial advice. Please review internally with your company resources to find a path and solution that works best for you.

Applicability

The advice in this article draws on considerations we've made with our clients, which can be read as a form of advertisement, but the advice and considerations themselves apply regardless of vendor.

This article may not cover everything, but we will update it or make more publications in the future with more insight and experience.

Getting what you paid for

The most important thing I personally believe in is making sure our customers get what they paid for. There's a reason they are outsourcing this project, and typically that outsourcing isn't cheap. If we then provide them a cheaper solution by heavily relying on AI, we're not only risking our own reputation but also exposing the client to problems and additional costs.

The risks of software development

There are always risks in building software, and there are plenty of practices and tools to minimize them. To be honest, the introduction of AI doesn't change many of those risks. Choosing an unreliable partner will be costly, but because of AI it may now be harder to judge reliability from the outset.

  • Software can always contain bugs or be constrained to resources and spikes in demand
  • Software can always regress over time, be rushed, under-developed or lack tooling and insights
  • Software can always be affected by external sources, such as Apple or Android (Native development)
  • Etc.

In truth, not much has actually changed, so many of your current legal agreements and considerations remain valid and will still largely cover you.

What this article strives to achieve is refreshing those considerations and also giving more insight into the AI aspects.

So what does AI change

The first and major risk is sensitive information being leaked: API keys, values from .env files and similar secrets. This most commonly happens by handing the whole codebase to a tool as prompt context, or by drafting specification and legal documents with AI using real-world data.
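As an added example (not Goldmund's tooling and not part of the original article), the following Python pre-flight check scans files that are about to be pasted into a prompt and either redacts the secret-like parts or withholds the file altogether. The rule set, file names and file contents are constructed for illustration and would need tuning for a real stack; AKIAIOSFODNN7EXAMPLE is the placeholder access key AWS uses in its own documentation.

```python
import re
from typing import Dict, List, Tuple

# (rule name, compiled pattern). Well-known formats only; a real deployment
# would extend and tune this list for its own stack (constructed example).
SECRET_PATTERNS: List[Tuple[str, "re.Pattern[str]"]] = [
    # AWS access key IDs: 20 chars starting with AKIA (long-term) or ASIA (temporary).
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    # A whole PEM private key block, header to footer.
    ("private_key", re.compile(
        r"-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----")),
    # .env-style KEY=value where the key name looks sensitive and the value is
    # at least 8 non-blank characters.
    ("env_assignment", re.compile(
        r"^(?P<prefix>[A-Z0-9_]*(?:SECRET|TOKEN|PASSWORD|API_KEY|PRIVATE)[A-Z0-9_]*=)"
        r"(?P<value>[^\s#]{8,})$", re.MULTILINE)),
    # Credentials embedded in a URL: scheme://user:password@host
    ("url_credentials", re.compile(r"(?P<prefix>://[^/\s:@]+:)(?P<value>[^@\s]+)(?=@)")),
]

# Values that are obviously placeholders and should not be flagged.
PLACEHOLDERS = {"changeme", "your_key_here", "xxxxxxxx", "<redacted>"}

# Files containing a hit on these rules are never sent as context, redacted or not.
NEVER_SHARE = {"private_key"}


def _is_placeholder(value: str) -> bool:
    return value.strip("\"'").lower() in PLACEHOLDERS


def find_secrets(text: str) -> List[Dict[str, object]]:
    """Return one finding per match: rule name, 1-based line number, matched text."""
    findings: List[Dict[str, object]] = []
    for name, pattern in SECRET_PATTERNS:
        for m in pattern.finditer(text):
            value = m.groupdict().get("value") or m.group(0)
            if _is_placeholder(value):
                continue
            line_no = text.count("\n", 0, m.start()) + 1
            findings.append({"rule": name, "line": line_no, "match": m.group(0)})
    findings.sort(key=lambda f: (f["line"], f["rule"]))
    return findings


def redact(text: str) -> str:
    """Replace each matched secret with a marker, keeping the key name or URL prefix."""
    for name, pattern in SECRET_PATTERNS:
        def _sub(m: "re.Match[str]", _name: str = name) -> str:
            groups = m.groupdict()
            value = groups.get("value") or m.group(0)
            if _is_placeholder(value):
                return m.group(0)
            return (groups.get("prefix") or "") + f"<REDACTED:{_name}>"
        text = pattern.sub(_sub, text)
    return text


def prepare_context(files: Dict[str, str]) -> Tuple[Dict[str, str], Dict[str, List[Dict[str, object]]]]:
    """Split files into what may be shared (redacted where needed) and a report of hits.

    Files with a NEVER_SHARE hit are excluded entirely; other hits are redacted in place.
    """
    safe: Dict[str, str] = {}
    report: Dict[str, List[Dict[str, object]]] = {}
    for path, content in files.items():
        hits = find_secrets(content)
        if not hits:
            safe[path] = content
            continue
        report[path] = hits
        if any(h["rule"] in NEVER_SHARE for h in hits):
            continue
        safe[path] = redact(content)
    return safe, report


# Constructed sample files standing in for a codebase about to be pasted into a prompt.
SAMPLE_FILES: Dict[str, str] = {
    ".env": (
        "DATABASE_URL=postgres://app:s3cr3t-pw@db.internal/app\n"
        "STRIPE_SECRET_KEY=sk_test_51EXAMPLEKEYx7aB9Qz\n"
        "APP_ENV=production\n"
    ),
    # AKIAIOSFODNN7EXAMPLE is the placeholder key AWS uses in its own documentation.
    "deploy.py": 'import boto3\nclient = boto3.client("s3", aws_access_key_id="AKIAIOSFODNN7EXAMPLE")\n',
    "config.example": "API_KEY=your_key_here\n",
    "id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmU=\n-----END OPENSSH PRIVATE KEY-----\n",
    "README.md": "Run `make dev` and open http://localhost:3000.\n",
}

if __name__ == "__main__":
    safe_files, findings_report = prepare_context(SAMPLE_FILES)
    for path, hits in findings_report.items():
        for h in hits:
            print(f"{path}:{h['line']}: {h['rule']}")
    print("files safe to share:", sorted(safe_files))
```

The point of the example is the split between "redact and share" and "never share": a key embedded in a deploy script can be masked and the file still gives the assistant useful context, whereas a private key file has no value as context and is dropped outright. Pattern-based detection will produce false positives (a `*_PRIVATE_KEY_PATH` variable, for instance), which is the right trade-off for a check that runs before data leaves your machine.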

1) Is AI being used? Where and how much? Is this provider also using AI to draft specification documents, architecture, legal documents etc? Could there be mistakes, sensitive information or other considerations?

Make sure you've protected yourself in regards to sensitive information and liability. If information is sent to the cloud for AI processing, make sure the liability and restrictions are clear and enforceable from the start.

So the next question to ask yourself is, if you're paying x amount an hour, but an AI is doing a lot of the work and also sharing potentially sensitive information to the cloud, is that worth it?

2) How much reliance does your provider have on AI? My advice here is to ask this critically in your calls and meetings, figure out how they're using AI, to what extent, and what exactly it is you're paying for.

Having some AI processing is actually a good thing: it can speed things up and potentially reduce the number of hours needed, but over-reliance means you could be paying a premium for a black box of potential risks and problems.

Some considerations to think about:

  • AI cannot be used for critical parts of the infrastructure
  • Remaining areas must be limited, scoped or protected
  • Provider must have deep insight and knowledge of the project and must be able to share it
  • Documents must be template drafted, then filled in manually with specifics and critical/sensitive information

This is similar to a problem people have already faced: developers being too reliant on external packages and software for too much of the project scope. Too many projects I have adopted relied on dozens of external packages to solve small, basic parts of the project, which caused issues with upgrades and maintenance.

But the added aspect is the reliance on AI to draft documents that may also contain sensitive information.

Ownership

Typically, when you pay for a service, you're paying either for a license to use the software made for you, or for ownership of the source code and related material.

If we look at image and design generation through tools like Midjourney, the copyright and ownership there is anything but straightforward.

  • Images generated are in the public domain
  • Images generated are trained on pre-existing copyright material

There are currently open lawsuits and international discussions on the legal status of such tools. If your provider relies heavily on Midjourney for the design, without transformative changes that make it unique and specific, you open the door for others to use your design and you'll have no legal right to contest it (to my understanding).

  • Ensure you include clauses on the correct and rightful transferring of ownership of the design and code

Bear in mind that a design will use fonts and iconography in the public domain, perhaps stock photos or assets under commercial licenses, and open-source packages for core parts of the technical foundation, all of which is perfectly normal.

However, if the design comes 1:1 or largely from services like Midjourney, and the code is largely written by AI, it opens up a ton of questions on ownership.

What can you do in finding a technical partner?

Goldmund prides itself on having gained its experience with AI in non-commercial projects. We've taken the time to build things in-house to test the scope and complications of such tools, well before even beginning to adopt them in commercial projects.

We've offered full transparency in the projects we've used AI to assist us with, scoping it to specific areas and putting things into place to protect our customers.

Finding a good technical partner

I wish I could provide a tool or guide that would make this a straightforward process so you can find the right partner for your needs. In truth, just like with finding any supplier, there's sometimes very little you can do other than check into their credentials and reputation.

Unlike with house maintenance here in the Netherlands, there's no registry or certification for reliable software developers.

So, what can you do? Find transparent partners

The first thing is to find a supplier that is transparent about its processes, tools, team, services and so on. Any company that offers full transparency into its process and the considerations it makes is a great place to start.

If you hear them say "Oh yeah, we use Copilot, it's great and allows us to develop fast and effective code" without mentioning what they do to protect code and information that may be sensitive, that might be a red flag.

Ask meaningful questions

As a commercial person, knowing technical specifics shouldn't be required, but there's a line of questioning you can pursue to get some indicators:

  • What about these technologies or libraries make you think they're best for our project?
  • What do you expect to be the most challenging aspect of the project?
  • What are your error margins or concerns with the project?

At Goldmund we'll always be open on all these details. Sometimes what our customer thinks is complex ("reporting") may not be what we find most complex ("data models"), and by being transparent on those aspects we give our customers insight into our thinking and reasoning in the project.

Get a clean specification document

When it comes to the technical scope document they provide, things you want to check for:

  • Use of AI and AI services
  • Error handling and monitoring
  • Breakdown of hours/complexity on aspects of the project
  • Considerations made to not go with other solutions or software
  • Considerations for protecting data and information

The goal should be to see their thinking and reasoning behind the project. Is this just another template project? A project they'll solve as they go? A project they plan to use a lot of external services and AI for? etc.

Take-aways

Question where the solution comes from

The risk has always been there that you might hire someone who isn't experienced enough for the project you hire them for; the only additional consideration is that AI might mask that or make it harder to spot.

Real-time conversations, questioning and dialogue on specifics have always been the way to figure out whether a supplier is right for you.

If in doubt, reach out. We're always looking for new and exciting projects and connections, so feel free to get in touch if you have a new project or concerns about an existing one.
