Skip to content
CZ
Back to notes
June 10, 2026·5 min read

The 5 most common mistakes when bringing AI into a developer workflow

A practical look at the mistakes teams make most often when adopting AI into development — shadow IT, speeding up without a test net, vanity metrics, governance as an afterthought, and buying a tool instead of building a process.

AIdeveloper experiencecontext engineeringgovernanceDORA

Over the past year I've worked with a string of teams that wanted to "roll AI out into development." The failure patterns repeat so consistently that I'm writing them down here. The problem isn't a shortage of tools — there's a glut of coding agents and IDE plugins today. The problem is that adoption gets treated as an installation, not as a change to how the team works. Here are the five things I see most often.

1. Shadow IT: personal AI accounts on company code

Symptom: Developers move faster than procurement. Before the company approves anything, half the team is already pasting company code into a personal ChatGPT or Claude through an unapproved extension.

Why it hurts: You have no visibility into where the code goes, whether it's being trained on, or any audit trail. For regulated clients that's a leaky security posture — proprietary logic, keys left in comments, the shape of your internal APIs all walk out the door into a service with no data processing agreement.

What I do instead: Ship an approved option faster than a ban can go stale. A zero-retention endpoint, SSO, a clear list of sanctioned tools. A ban with no alternative doesn't work — people route around anything that stops them being productive.

2. Speeding up without a test net = instability

Symptom: Throughput shoots up. More PRs, more merges, more features per sprint. Leadership is thrilled.

Why it hurts: DORA metrics come in pairs. If you only lift the speed metrics (deployment frequency, lead time) and never touch the stability ones (change failure rate, time to restore), you haven't sped up delivery — you've just manufactured instability faster. AI is an accelerator. An accelerator with no safety net means more unreviewed code reaches production, sooner.

What I do instead: The accelerator and the safety net go in together, not one after the other. Concretely:

  • automated tests and CI gates before I raise the volume of generated code,
  • review stays mandatory — AI writes, a human approves,
  • I track all four DORA metrics, not just the "pretty" ones.

3. Measuring vanity metrics instead of real ROI

Symptom: "We've got an 80% suggestion acceptance rate!" "AI generated 40% of our lines!" Hero numbers for the management deck.

Why it hurts: Acceptance rate doesn't measure value — it measures how often someone hit Tab. Percentage of generated lines correlates more with verbosity than with productivity. These numbers are trivial to inflate and tell you nothing about whether the license pays for itself.

What I do instead: I measure outcomes, not activity. Cycle time from opening a ticket to merge. Change failure rate before and after. How many review iterations a PR needs. And I ask developers directly — perceived load and flow are a valid signal when you collect them systematically. ROI is the difference in delivered value, not a token count.

4. Governance and regulation as an afterthought

Symptom: The tool has been running for six months. Then legal or security asks: "And how does this line up with GDPR? With the EU AI Act?" Silence.

Why it hurts: DORA (the Digital Operational Resilience Act), the EU AI Act, and GDPR aren't optional. When you bolt governance on after the fact, you discover the agent has access to things it never should have — production databases, secrets, authentication logic. At that point it's an incident, not a risk.

What I do instead: I set the boundaries up front, not after the audit. A hard rule I give every team:

# Where the AI agent MUST NOT reach — a guardrail, not a suggestion
deny:
  - auth/**          # authentication, authorization
  - payments/**      # payment flows
  - "**/secrets.*"   # keys, tokens, credentials
  - infra/prod/**    # production infrastructure

The agent generates features and tests. Auth, payments, and keys stay in human hands. This isn't distrust of the model — it's a division of responsibility you need to be able to show an auditor.

5. Deploying a tool instead of a process

Symptom: "We bought Copilot licenses for the whole team. Done — we have AI now."

Why it hurts: A tool with no process is just another icon in the IDE. A year from now a better tool shows up, you migrate, and the whole "adoption" starts from zero, because it never lived in people's heads or in the workflow — it lived in one vendor. This is the heart of the shift I describe as the move from software engineering to context engineering: the value isn't in the model, it's in how you feed it context and how you embed it into the team's work.

What I do instead: I build processes that don't depend on the tool. Concretely:

  • conventions for context (where the agent's instructions live, how they're maintained) survive a model swap,
  • a definition of "done" with AI in the loop — who reviews, what gets tested, what the agent may not touch,
  • onboarding that teaches how to think with AI, not which button to press.

When you swap the tool, the process stays. That's the difference between adoption and a purchase.

In closing

None of these mistakes are about AI not working. They're about it being introduced as a product rather than as a change in how people work. When you treat adoption as an engineering problem — measurable goals, guardrails up front, process over tool — it pays off. When you treat it as an installation, you pay for it later, and more dearly. Start small, measure outcomes, and draw your boundaries before an incident draws them for you.

Let's talkBack to notes