top of page

Tutorial 9: When Not to Use AI

  • Contributor
  • 4 days ago
  • 2 min read

AI accelerates many things. Some it should not touch. Knowing the line.

Step 1: Security-Critical Code (15 min)

Don't trust AI for:

  • Auth flows

  • Cryptography

  • Permission checks

  • Input validation for security

  • Anything generating credentials / tokens

AI happily writes:

hash = md5(password)  # broken crypto

Read security guidance from humans. Write security-critical code yourself; pair-review.

Step 2: Novel Architecture (10 min)

AI is great at "match a pattern." Less great at:

  • Designing entirely new systems

  • Trade-off decisions specific to your business

  • Choosing between two unfamiliar approaches

Talk to humans. Use AI for parts; not the whole design.

Step 3: Business Logic With Unwritten Rules (10 min)

"Calculate the discount for premium members."

AI generates a plausible-looking calculation. Is it right? Depends on rules that exist only in product manager's head.

Don't AI-generate code where:

  • Acceptance criteria aren't fully written

  • The "spec" is a vague PM message

  • Edge cases require business judgment

Clarify first; then implement.

Step 4: Code You Don't Understand (10 min)

If AI generates:

# Some clever optimization

And you can't explain why it works:

  • Don't ship it

  • Study it

  • Or pick a simpler version

You'll maintain this. Future-you needs to understand.

Step 5: Legal / Compliance Sensitive (10 min)

GDPR, HIPAA, PCI-DSS code:

  • Get specific requirements from legal

  • Implement deliberately

  • Audit by humans

  • Don't shortcut with AI patterns

The cost of getting compliance wrong: massive fines + reputation.

Worth slower.

Step 6: Production Hot Paths (10 min)

Code that runs millions of times:

  • Performance matters

  • Bugs amplify

  • Side effects spread

Read carefully. AI doesn't profile. AI doesn't know your latency budget.

Pair-review hot path changes specifically.

Step 7: Concurrency-Heavy Code (10 min)

Races, deadlocks, atomicity:

  • AI suggests "looks right" code that subtly races

  • Human review with concurrency expertise needed

  • Use deterministic concurrency tools (Go race detector, ThreadSanitizer)

For multithreaded / async code: think carefully; AI is one input.

Step 8: When You're Learning (10 min)

Junior engineers especially:

  • Resist using AI for everything

  • Write from scratch sometimes

  • Learn the fundamentals

If AI does it all: you don't grow.

Use AI like a senior pair — they explain; you understand; you write.

Step 9: When AI Confidence Is Suspicious (10 min)

AI says: "Definitely use X."

If X is:

  • Old advice (out of date)

  • A confident-sounding but rare library

  • An approach that doesn't fit your codebase

Push back. Ask "are you sure?" — sometimes AI revises.

Confidence != correctness.

Step 10: When Your Org Forbids It (10 min)

Some orgs:

  • Don't allow AI assistants on the codebase (IP)

  • Restrict to specific tools (compliance)

  • Require human authorship for certain code (legal)

Respect those rules. Even if individually you'd benefit, the org's posture matters.

What You Just Did

When not to AI: security, novel arch, vague business logic, code you don't understand, compliance, hot paths, concurrency, learning, suspect confidence, org rules. Knowing the line.

Common Failure Modes

AI generates security code; you ship. Vulnerability.

AI generates concurrency code; you ship. Race in production.

AI handles entire feature; you don't understand it. Can't maintain.

Use AI for novel architecture. Pattern-match doesn't apply.

Org said no; you used anyway. IP risk.

bottom of page