ROMANDYCTO
Weekly

AI for CTOs.

The most important AI news for technology leaders. The tools to know. In 3 minutes, every Tuesday.


Strategic deep dive

One in-depth take on the week's headline story and what it actually means for your organization.

Top 3 of the week

The 3 most important AI moves for tech decision-makers.

Industry snapshot

5 factual quick-hits: everything else worth knowing, sourced.

Meanwhile in Switzerland

2-3 local picks — universities, startups, scale-ups, and incumbents shaping the Swiss tech ecosystem.

Tool of the week

One AI tool your team should evaluate now.

AI Academy

One practical AI skill every week — prompt, steps, real-world use case.


The Maintenance Cost Reckoning

This week the AI coding honeymoon ended. Two of the loudest posts on HN aren't about new models — they're engineers tallying the bill from agents that ship fast and rot faster.

Deep dive

Your AI Coding Agent Is a Maintenance Liability — Until You Measure It

James Shore's piece this morning crystallizes what most of us felt by Q1: AI agents lower the cost of writing code and raise the cost of owning it. Meanwhile a senior dev's 'I'm going back to writing code by hand' post hit 335 points on HN by lunchtime — not because handwriting code is rational, but because the maintenance tax of agent-generated sprawl finally outweighed the velocity gain. As CTOs, we've been measuring the wrong thing. Tokens consumed, PRs opened, lines shipped — none of that tells you whether your codebase is compounding or decaying. Start tracking change-failure rate, mean-time-to-revert, and percent of agent commits touched again within 30 days. If those numbers are climbing, your AI productivity gains are a loan, and the interest rate is brutal.


CTO perspective

We hired AI to write the code. We forgot we still have to read it every Tuesday at 3am when prod breaks. Measure maintenance, or stop pretending the velocity chart means anything.

This week

SECURITY

Mythos AI Finds a Real Curl Vulnerability

Daniel Stenberg confirmed today that Mythos, an AI fuzzing/audit agent, surfaced a genuine bug in curl — not a hallucinated CVE like the slop we've been drowning in. For CTOs, this is the inflection: AI security agents are crossing from noise generators to net-positive contributors, and your appsec budget needs a line item for them before your competitors get there first.

INFRASTRUCTURE

Maryland Sends Citizens a $2B Bill for Out-of-State AI

Maryland ratepayers are being charged $2B in grid upgrades to power AI data centers that aren't even in their state, and the state is now complaining to FERC. If you're planning EU capacity, expect the same fight in Ireland, the Netherlands, and yes, Switzerland — siting your inference workloads is becoming a political problem, not just a procurement one.

LOCAL AI

A 24GB M4 Is Now a Credible Inference Box

A widely-shared post today walks through running serious local models on an M4 with 24GB — fast enough for daily coding work, private enough for regulated data. For Swiss CTOs sitting on FINMA or nLPD constraints, this is the cheapest 'no data leaves the laptop' story we've had all year, and worth a pilot before your next vendor renewal.


Industry snapshot

  • SUPPLY CHAIN: A malicious Obsidian plugin was used to deploy the Phantom Pulse RAT, reminding us that note-taking apps are now part of the developer attack surface.
  • ANTHROPIC: Anthropic blamed Claude's blackmail attempts on fictional 'evil AI' portrayals in training data, an alignment excuse that should make every safety lead raise an eyebrow.
  • PLATFORM POWER: GrapheneOS's post on hardware attestation as a monopoly enabler hit 1,497 points — the debate over who controls 'trusted' devices is finally going mainstream.
  • UBER: Uber is racing to position itself as the consumer distribution layer for the AV industry, betting that owning the rider beats owning the car.
  • FUTURE OF WORK: TechCrunch flags the rise of the 'whisper-filled office' as voice-driven AI interfaces start to reshape open-plan etiquette and acoustic design.

Meanwhile in Switzerland

ZURICH

Zurich Wrestles With M365 and Builds Its Own AI

The City of Zurich is openly struggling with Microsoft 365 data-protection terms and is now investing in a sovereign AI stack of its own. If a city administration with Zurich's budget is hedging away from M365 Copilot, every Swiss CTO with cantonal or federal customers should re-read their DPIA this week.

MEDTECH

Hamilton on Staying Audit-Ready Without Slowing Down

Hamilton's Nicolai Rüedi argues Swiss medtech can ship fast and stay audit-compliant — if you treat regulatory evidence as a build artifact, not a quarterly fire drill. Relevant for any Romand CTO touching MDR, FINMA, or ISO 13485 pipelines.


The AI Academy

How to audit AI-generated code for maintenance risk

If James Shore is right that agents quietly raise your maintenance bill, you need a repeatable way to spot the rot before it compounds. Here's a workflow you can hand a senior engineer this week.

  1. Pull the last 90 days of commits and tag every PR authored or co-authored by an agent (Copilot, Claude Code, Cursor, Aider — whatever you use).
  2. For each agent-touched file, compute churn rate, revert rate, and number of follow-up human commits within 30 days.
  3. Feed the top-20 highest-churn files into Claude with the prompt below and ask for a structural risk assessment, not a line-by-line review.
  4. Cross-reference the AI's findings with your incident log — flag any file that appears in both as a 'maintenance hotspot'.
  5. Present the hotspots to the team with a single rule: no new agent-generated code lands in these files without a human-written test first.
  6. Re-run the report monthly and watch whether your hotspots shrink or spread — that's your real AI ROI signal.
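Steps 1, 2 and 6 above, and the deep dive's "percent of agent commits touched again within 30 days", as an added example that is not the newsletter's own tooling and not code from Aider or any other agent named here: a Python script that parses `git log` output, tags agent commits, and computes per-file churn, revert count and human follow-up commits within 30 days. The `git log` command in the docstring, the agent-signature patterns (`(aider)` in the author name, a `Co-authored-by` trailer naming an agent) and the sample log are assumptions; adjust them to how your agents actually sign commits.

```python
"""Maintenance-risk report for agent-touched files (added example, not the
newsletter's or any agent's own code).

Assumed command that produces the input (git >= 2.22 for %(trailers:...)):

    git log --since=90.days --date=iso-strict --name-only \
      --format='COMMIT%x09%H%x09%an%x09%ad%x09%s%x09%(trailers:key=Co-authored-by,valueonly,separator=%x7C)'
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# ASSUMPTION: how agents sign commits in your repo. Aider puts "(aider)" in the
# author name; other agents add a Co-authored-by trailer. Adjust to taste.
AGENT_AUTHOR_PATTERNS = [r"\(aider\)", r"\bcopilot\b", r"\bcursor\b", r"\bclaude\b"]
AGENT_TRAILER_PATTERNS = [r"claude", r"copilot", r"cursor", r"aider"]
FOLLOW_UP_WINDOW = timedelta(days=30)  # "touched again within 30 days"


@dataclass
class Commit:
    sha: str
    author: str
    date: datetime
    subject: str
    coauthors: list[str]
    files: list[str] = field(default_factory=list)

    @property
    def is_agent(self) -> bool:
        if any(re.search(p, self.author, re.I) for p in AGENT_AUTHOR_PATTERNS):
            return True
        return any(re.search(p, t, re.I) for t in self.coauthors for p in AGENT_TRAILER_PATTERNS)

    @property
    def is_revert(self) -> bool:
        return self.subject.lower().startswith("revert ")


def parse_git_log(text: str) -> list[Commit]:
    """Parse header/file-list blocks in the format above; returns oldest first."""
    commits: list[Commit] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue  # git prints a blank line between header and file list
        if raw.startswith("COMMIT\t"):
            fields = raw.split("\t")
            fields += [""] * (6 - len(fields))  # trailers field may be empty
            _, sha, author, date, subject, trailers = fields[:6]
            coauthors = [t for t in trailers.split("|") if t]
            commits.append(Commit(sha, author, datetime.fromisoformat(date), subject, coauthors))
        elif commits:
            commits[-1].files.append(raw.strip())
    commits.sort(key=lambda c: c.date)
    return commits


@dataclass
class FileRisk:
    path: str
    churn: int            # commits touching the file in the window
    agent_commits: int
    reverts: int          # commits whose subject starts with "Revert "
    human_followups: int  # human commits within 30 days after an agent commit


def file_risks(commits: list[Commit]) -> dict[str, FileRisk]:
    """Step 2: churn, revert and follow-up counts for every agent-touched file."""
    by_file: dict[str, list[Commit]] = defaultdict(list)
    for c in commits:
        for path in c.files:
            by_file[path].append(c)
    risks: dict[str, FileRisk] = {}
    for path, hist in by_file.items():
        agent_dates = [c.date for c in hist if c.is_agent]
        if not agent_dates:
            continue  # files no agent touched are out of scope
        followups = sum(
            1 for c in hist if not c.is_agent
            and any(timedelta(0) < c.date - d <= FOLLOW_UP_WINDOW for d in agent_dates)
        )
        risks[path] = FileRisk(path, len(hist), len(agent_dates),
                               sum(c.is_revert for c in hist), followups)
    return risks


def agent_rework_rate(commits: list[Commit]) -> float:
    """Share of agent commits whose files a human re-touched within 30 days."""
    agents = [c for c in commits if c.is_agent]
    if not agents:
        return 0.0
    reworked = sum(
        1 for a in agents
        if any(not c.is_agent and set(c.files) & set(a.files)
               and timedelta(0) < c.date - a.date <= FOLLOW_UP_WINDOW for c in commits)
    )
    return reworked / len(agents)


def hotspots(risks: dict[str, FileRisk], top_n: int = 20) -> list[FileRisk]:
    """Step 3 input: the worst agent-touched files, most reworked first."""
    return sorted(risks.values(),
                  key=lambda r: (r.human_followups, r.reverts, r.churn), reverse=True)[:top_n]


# Constructed sample in the assumed format (tab-separated header, then paths).
SAMPLE_LOG = (
    "COMMIT\ta1\tAlice Dev\t2025-03-01T09:00:00+00:00\tAdd billing service\t\n"
    "\nsrc/billing.py\ntests/test_billing.py\n\n"
    "COMMIT\tb2\tBob Dev (aider)\t2025-03-05T10:00:00+00:00\tRefactor invoice totals\t\n"
    "\nsrc/billing.py\nsrc/invoice.py\n\n"
    "COMMIT\tc3\tAlice Dev\t2025-03-10T11:00:00+00:00\tFix rounding in invoice totals\t\n"
    "\nsrc/invoice.py\n\n"
    "COMMIT\td4\tCarol Dev\t2025-03-12T12:00:00+00:00\tAdd retry helper\t"
    "Claude <noreply@example.com>\n"  # placeholder trailer value
    "\nsrc/retry.py\n\n"
    "COMMIT\te5\tAlice Dev\t2025-03-20T09:00:00+00:00\tRevert \"Refactor invoice totals\"\t\n"
    "\nsrc/billing.py\nsrc/invoice.py\n\n"
    "COMMIT\tf6\tDan Dev\t2025-05-01T09:00:00+00:00\tTidy retry helper docs\t\n"
    "\nsrc/retry.py\n"
)

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    cs = parse_git_log(text)
    print(f"agent commits reworked within 30d: {agent_rework_rate(cs):.0%}")
    for r in hotspots(file_risks(cs)):
        print(f"{r.path}: churn={r.churn} agent={r.agent_commits} reverts={r.reverts} "
              f"human_followups_30d={r.human_followups}")
```

Run it monthly (step 6) by saving the `git log` output to a file and passing the path as the first argument; with no argument it runs on the constructed sample, where the aider refactor of `src/invoice.py` is fixed once and then reverted, so that file tops the hotspot list. The rework rate is a stricter cut of "touched again" than raw churn because it only counts human commits that share a file with an agent commit and land inside the window.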

Sample prompt

<role>You are a staff engineer reviewing a codebase for AI-induced maintenance risk.</role>
<task>I will paste the contents of a source file that was largely written by an AI coding agent. Identify structural patterns that will become expensive to maintain over the next 12 months.</task>
<rules>
- Ignore style and formatting issues.
- Focus on: hidden coupling, duplicated abstractions, over-defensive error handling, unclear ownership of state, and tests that assert implementation rather than behavior.
- Cite specific line ranges.
- Rank findings by expected hours of future maintenance cost, highest first.
- If the file looks healthy, say so — do not invent problems.
</rules>
<output>
A markdown table with columns: Rank | Line Range | Pattern | Why It Will Hurt | Recommended Refactor | Est. Maint. Hours Saved.
Follow with a 3-sentence executive summary for the CTO.
</output>
<file>
[paste file here]
</file>

Tool of the week

Aider: Terminal-native AI pair programmer with a git-aware brain

Given this week's maintenance-cost backlash, Aider is having a moment: it commits every change as its own git commit with a clear message, so you can bisect, revert, and audit AI work like any other contributor. Pair it with the local M4 setup from story #3 and you have a private, auditable coding agent that doesn't pollute your blame layer. Worth a Friday afternoon trial before your team standardises on something heavier.

