[0:08] Shinobi: Welcome back to Sushi Bytes, the podcast where we break down software, security, open source, and supply chains one byte at a time. I’m Shinobi, and today we’re talking about software composition analysis in the AI era – because AI is changing how software gets written. But here’s the real question: if AI is writing more of the code, who’s making sure it’s secure, compliant, and legally safe? That’s where software composition analysis comes in. And as usual, to unpack this, I’m joined by Jen.
[0:39] Jen: Hi everyone. And yes, today we’re answering the question that inevitably shows up once AI starts generating code – Cool, but what did the robot just copy from the internet.
The Three Major Shifts in AI-Assisted Development
[0:08] Shinobi: Exactly. So let’s start with the bigger picture, because the way developers use AI is already changing fast. Right now, we’re seeing three major shifts in how AI fits into development workflows, and each one changes how we think about compliance and supply chain integrity.
Shift 1: From Conversations to Agents
[1:09] Shinobi: At the beginning of the AI boom, the interaction model was simple. You open ChatGPT, you wrote a prompt, it gave you code, then you refine the prompt, then it gave you better code.
[1:20] Jen: Prompt, response. Prompt, response. Basically autocomplete with a personality.
[1:27] Shinobi: Exactly. But that’s not where things are heading. Instead of guiding AI step by step, developers are increasingly giving agents a goal – something like “refactor the authentication module, update the tests, and make sure CI passes” – and then the AI agent figures out how to do it.
[1:42] Jen: Which means developers stop micromanaging prompts and start reviewing outcomes.
[1:48] Shinobi: Right? The unit of work shifts from a prompt to a task, and the developer becomes more of a reviewer and verifier – which makes guardrails like tests and policies incredibly important.
Shift 2: From Prompt Engineering to Tools
[2:00] Shinobi: This shift is about capabilities. Early on, people talked endlessly about prompt engineering – how to structure prompts, how to phrase instructions, how to carefully guide the model into giving better answers.
[2:16] Jen: Which was basically duct-taping context into a paragraph and hoping for the best.
[2:20] Shinobi: Kinda. But modern agents don’t rely on prompts alone. They use tools – things like APIs, code repositories, databases, browsers, execution environments.
[2:30] Jen: So that means the prompt stops being the whole system. It becomes just one input.
[2:33] Shinobi: Right, again. The real question becomes: what tools does the agent have access to? Because those tools define what the agent can actually do.
Shift 3: From Prompts to Specifications
[2:48] Shinobi: This third shift is about development methodology. Instead of trial-and-error prompting, teams are moving toward something called Spec-Driven Development.
[2:58] Jen: Translation: stop guessing and start writing down what you actually want.
[3:01] Shinobi: Yeah. Instead of a prompt, the primary artifact becomes a specification that can include requirements, architectural constraints, acceptance criteria, and testing expectations. The AI reads the spec and generates the implementation.
[3:15] Jen: Which is honestly how software development should have worked all along.
[3:19] Shinobi: And because specs are structured, they can be version controlled, reviewed, and reused – just like code.
Where Does SCA Fit?
[3:26] Shinobi: So now we have AI agents writing code. They have tools. They’re working from specs. Where does SCA fit? Turns out – everywhere. Because if AI agents are generating code, then compliance tools need to work with those agents, not just with humans. This is where things get interesting for us AppSec nerds. Traditional SCA workflows assume a human developer: developer writes code, developer runs a scan in CI, developer reviews the results. But in an agentic environment, the AI needs to participate in that loop
[3:56] Jen: Meaning the agent should be able to scan its own code before a human even sees it.
[4:01] Shinobi: Exactly. This is the fun part. The agent writes code, then it calls a tool. The tool analyzes the code for open source components, vulnerabilities, and licenses – and the agent adjusts if something’s wrong. Another important point: large language models are great at generating code, but they’re not great at provenance analysis. They can’t reliably tell you where a snippet originated, what license applies, or whether a component has known vulnerabilities.
[4:29] Jen: Because LLMs are guessing patterns – they rely on probability and reasoning. Compliance tools are analyzing actual code fingerprints. That’s a deterministic task, a totally different job.
[4:41] Shinobi: Exactly. So the solution isn’t better prompting – it’s giving AI agents access to specialized SCA tools that do that analysis properly. Even with the right tools, the agent still needs guidance, because interpreting compliance results requires domain knowledge.
[4:57] Jen: Like the difference between “small MIT snippet, probably fine” and “oops, you just copied GPL code into proprietary software.”
[5:06] Shinobi: You’re so right yet again. It’s like you’re an AI agent yourself, Jen. Humans understand those nuances, but AI systems need that logic encoded as policies and workflows. Put all of this together and you get a new development model. An AI agent writes code automatically. It scans for open source components, checks for vulnerabilities, evaluates license obligations, applies policy rules, and adjusts the implementation if needed – all before the pull request.
[5:32] Jen: Which means SCA stops being a late-stage gate. It becomes part of how code gets written in the first place.
[5:39] Shinobi: Very cool, right? AI accelerates development, which means verification becomes even more important – not less.
Wrap-Up
[5:45] Shinobi: OK, we could nerd out much longer on this topic, but we have to wrap it up. I have a feeling we’ll tackle this further in another episode really soon. AI isn’t just changing how software gets written – it’s changing who writes it. And if AI agents are part of the development team, then security and compliance tools need to evolve too. SCA needs to become agent-accessible, tool-driven, and built directly into development workflows –
[6:10] Jen: Because in the AI era, governance cannot slow development down. It needs to make safe, automated development possible.
[6:17] Shinobi: True. Until next time – keep shipping, keep scanning, and stay curious. Thanks for listening to Sushi Bytes.