Skip to main content

How we really feel about AI

· 6 min read
Tana Berry
Tana Berry
Sr. Technial Content Editor at Authentik Security Inc

authentik is an open source Identity Provider that unifies your identity needs into a single platform, replacing Okta, Keycloak, and Ping. Authentik Security is a public benefit company building on top of the open source authentik project.

To share some insight into how security teams talk, when in the comfort of our own team meetings, here's a little snapshot from last week:

The incident at Okta, with the full-circle failure of AI and the poor Okta engineer who AI-ed himself into a hot mess, generated a whole lot of conversation and took over our Friday meeting.

As Joshua Rogers aptly called it, the “AI slop security engineering” incident started with a report of two security issues to Okta's auth0/nextjs-auth0 project, along with a PR to fix it.

The incredible response from Okta was a downward-spiral of AI doing everything in the worst possible way: stripping the name of the contributor from the PR and committing it, then using AI to apologize for itself, and finally refusing to remove the AI-generated details of the commit and restore the contributor's attribution.

Even more interesting than the lurid details of the Okta's AI chasing its own tail, and painfully catching it, was our look inwards to how we each feel about AI, how we use it (sure, of course, we each use it to some varying degree), and what the professional and personal/moral implications are. This started a discussion amongst our team on how we collectively use, and don't use, AI in our daily professional lives.

We also discussed how we want to talk about our limited use of AI with you, our community.

What does “limited use” mean?

What the team's conversation evolved into was a frank discussion (admission?) of how we each use AI. We even set up a thread on our team channel to capture both our usage of and our thoughts about using AI at work to code one of the most popular IdPs out there, authentik.

Here's a very non-exact breakdown of how we each use AI, with names withheld to protect the lazy/adventuresome/pragmatic amongst us:

  • Team member #1: Sure, of course, I use Claude to bounce ideas off of, to ask for improvements in a chunk of code, or even to come up with the first ideas for how to tackle a complex problem. Then I go off and write it myself. Kinda like we used to use Encyclopedias.
  • Team member #2: I use Copilot to do the behind-the-scenes, busy brainless work; create boilerplate code, or generate and insert comments. I review it, I integrate that code into my manualy crafted code, it gets tested, and off we go.
  • Team member #3: Absolutely never, what are you implying, you heathen?? I'm a purist, please, just stop.
  • Team member #4: Never!! Oh, ummm, actually I am completely in love with the AI summaries at the top of the search results. But I only use that content to learn more about the topic, or to concretize my understanding of deeply technical issues. And maybe a little to confirm how phrases are turned around this subject matter.
  • Team member #5: I think it's fine for code that you don't want to write because it's tedious and very self contained and or has tests; and to get over a blank page and get something to start with, regardless it should always be code you understand and have it reviewed and can confirm it does what you want it to.
  • Team member #6: Mostly for blank page stuff, but never for infra or core components work. I always end up rewriting the whole thing anyway, but it's great to get out of a writer's block.
  • Team member #7: I use it for a mixture of research, for getting started when I'm not sure where to go, or stuff that needs a extra fancy find and replace function, etc.
  • Team member #8: Lately I've been using LLMs as a search engine for source code, it's pretty accurate with stuff like "link me the source file for [thing I can't seem to find] in [library] on GitHub".

And the list goes on, with variations on the above. The recurring theme is that we don't use it for the main features and functionality, and we all make sure we understand what the generated results are (and usually rewrite it anyway).

The talk

It's a serious topic, and a challenge, to define how we want (and need) to be transparent about our use of AI. And your use of AI, if you are a contributor to authentik.

The internal discussions are ongoing about rules and regulations for the use of AI. Do we declare it openly, if and when we use AI to do meaningful work on the product, and explain how and where we used it? Do we create a rule for contributors, that if a PR is created with the help of AI, you have to declare it your PR description?

We are open to suggestions and ideas and input, but mostly for the purposes of this blog, we want to update you on our current AI stance.

Our collective stance

As we stated in a post from last year, we're not rushing to embed AI 'features' everywhere in our product. While many of us on the team are trying out new AI tools to help with our work, we're also not overly eager to hand over the reins entirely to AI when it comes to creating and maintaining authentik.

We write the code, work the craft, and rely on hard-earned experience to figure out the hard stuff - sometimes with AI tools to assist us, but always with a human to make the final decisions. And we for sure do not cut the easy corners (that don't even need to be cut!) by relying on AI to interact with the most important part of our product: our community.

We won't reply to your PRs with AI slop, promise. You deserve our full human attention.

Future? We shall see ...

Of course we continually discuss AI, assess where the industry is now, if and when we might actually start carefully adopting more.

We aren't just stubborn fools, entirely refusing to use AI, but rather we aim to be informed and judicious coders, with security and respect for our users always at the forefront of every decision.

What are your thoughts about this topic, and our team's view? What are your thoughts about AI in general, and specifically within the Security field and for Identity Providers? Share your thoughts on GitHubDiscord, or with an email to [email protected].