AI Revisited

What It Covers

David Heinemeier Hansson explains 37signals' shift toward AI adoption after years of hesitation. The breakthrough came from agentic AI models running autonomously in terminal environments rather than auto-complete tools, plus dramatic improvements in model capability during late 2025. He details internal applications for security review automation and debugging assistance.

Key Questions Answered

• •Agentic AI vs Auto-complete: AI agents running autonomously in terminal mode from scripts represent a fundamental shift from intrusive auto-complete tools in code editors. These agents execute bash commands, run programming tasks, and search the web independently for 10 seconds to multiple minutes, producing work developers can keep rather than interfering with their typing flow and thought process.
• •HackerOne Security Review Automation: 37signals deployed AI to pre-screen security vulnerability reports from external researchers, filtering low-quality submissions from legitimate threats. The system accesses historical report data and researcher credibility scores to identify high-value reports requiring human attention, functioning like spam detection applied to security research quality rather than blocking malicious content outright.
• •Console Access Log Auditing: Biweekly reviews of programmer access to production systems and customer data get automated through AI analysis. The system verifies that staff members access data only within granted customer permissions, handling the tedious work of checking 42-plus access events per review cycle that previously required manual human verification to ensure compliance.
• •80-20 Code Generation Rule: AI agents consistently deliver 80 percent complete solutions that developers can either iterate with the agent or finish manually. The remaining 20 percent requires human refinement, but even 20 percent completion provides value if the output contains no counterproductive errors requiring more cleanup time than writing from scratch would take.
• •Multi-Model Draft Strategy: Using OpenCode terminal interface to query Claude, Gemini, OpenAI, and open-weight models simultaneously on the same problem generates five different working solutions in 2.5 to 6 minutes each. This approach surfaces diverse implementation ideas and working prototypes faster than single-model iteration, even when the final solution combines elements rather than accepting any single draft.