>Every executive/leader I've shown Claude Cowork to has gone from 'what is AI' to 'vibecoding whole apps' in weeks.
Do you, and those executives, own the risks associated with that practice? Are those risks actually indemnified?
Its neat that 'anyone can do anything' but if they don't actually know what the risk to business or 3rd parties, why is this a good thing, especially in the enterprise where there are actors who are explicitly looking for this type of environment to exploit?
These are largely friends and peers, so they ultimately own their own risks. But I'm not saying it is good or bad. I'm just telling you what is happening in the real world. Every senior person I know, whether a high tech exec or a solo coffee bean importer, is vibing to some degree. Some will be more successful than others.
I've been working in tech since the late 90s. This is the biggest and most sudden change in company behavior I've ever seen. The only thing that comes close was the web 1.0 world in the 90s where everything suddenly became websites.
That creates tons of risks and opportunities. Good and bad. Maybe a great time to start a security company. But maybe a terrible time to be a small time web app developer when your clients can get 'good enough' in minutes for dollars on their own.
saying "every X i know" in all your comments is a bit ridiculous.
You comments read like reddit clickbait. How many of these executives/senior/coffee bean/whatever ppl do you even know and why you the one enlightening them with claude cowork ? . "Every X i know" sounds like a large sample size. Make ridiculous claims by prefixing " every X i know" .
I feel so angry at this linkedin speak. so infuriating. Hate that we've accepted these ppl without any pushback.
Hate it all you want but it’s a reality in this case. There’s a reason big consulting firms are making huge pivot to AI consulting. Everyone in the business world is doing this and trying to find value with AI. I’m a CFO and network regularly with other executives, board members who also are board members at other companies, investors, people who see a combined large population of companies and I’ve not spoken to a single person in the last year that isn’t adopting AI themselves for their own uses but also has AI strategy as company goal for current and into next year at least. When a trend catches fire like this the “everyone I know” speak is absolutely framing that context.
How many of those people, including yourself, actually understand what the technology is, what the risk factors are relative to your existing contracts/obligations, and how what you are doing with the technology interacts with the aforementioned questions.
I say this as someone who deals with sales/CRO/CFO functions quite regulary, I have to tell everyone that uploading contracts to Claude and/or ChatGPT does not hold confidentiality because files are not covered under enterprise ZDRs. [0] [1]
It comes down to 'everyone else is doing it' without an understanding of why, then past that, the what of how that applies to the specific business to find the unique value of AI to an organization that does not touch external networks.
Please give your GC the links below, let them look over your contracts and obligations to ensure you aren't exposing risk for no real reason other than saving a couple seconds for something that a SDR/BDR level employee could do.
[0] https://code.claude.com/docs/en/zero-data-retention#what-zdr...
[1] https://developers.openai.com/api/docs/guides/your-data#zero...
Most people don’t understand the tech but they understand it involves moving data into a cloud service like Anthropic and may have risk or breach associated. I think people are generally deciding to take that risk. Executives decide to take these kinds of risks all the time. Our GC would inform us of the risk and we would say “thank you for flagging the concern but let’s proceed anyway.” This is going to vary in all companies and industries of course. Healthcare needs to be careful of hippa and there’s pii concerns as well. But generally, everyone feels brazen enough to go forward. I do hear what you’re saying though, have had several talks with our GC and they simply can’t keep up with the pace and the business isn’t so risk adverse we’d put the breaks on AI due to said risk. That said, we do have many things that eventually get treated as a POC to eventually build out an internal AI tool for to reduce the risks.
It’s an interesting time.
i am not hating ai or whatever. I am hating how every interaction now is some ridiculous clickbait format like "every X i know" type shit.
If its so obvious that everyone is doing it then you dont need "every executive i know takes a shit" .
every interaction is now laced with ulterior motives like op trying to pitch himself as ai expert to sell his courses or whatever. He is apparently going around blowing executives minds with claude cowork. so ridiculous.
>But I'm not saying it is good or bad.
Wait, you exposed people to a technology, taught them how to use it, then you are not going to own the implications of that action without teaching them about the risks or telling them how they need to ensure they don't shoot themselves in the face or violate their duty of care?
Do you understand what you are saying and the implications of that in the real world relative to the insurance contracts that they have?
Your company is associated with HIPAA, you should have a much higher standard than this.
Play the ball, not the man, dude. Hectoring people on the Internet because you're stressed out about something isn't going to magically fix how you feel. Digging into their profile to make it personal is three steps too far.
We are talking about one person's introduction of a technology to persons and the implications of that action within the framework of enterprise governance and risk, it is one in the same. If anything, who a person is, their knowledge of the domain and the associated implications that action has on the domain has relevancy where someone who is ignorant of implications may have more grace than someone who has the experience to know better. The passive lack of accountability or responsibility relative to that does matter given the context.
I think the one thing you are not taking into account is that the investors on average fundamentally don’t care. Scale arbitrage means that small companies are fundamentally about velocity - and if they get sued due to regulations that do not pierce the corporate veil, they just fold. And the ones that did not get sued make money for the vc. And figure out later how to be hipaa etc compliant. Basically, I’ve been seeing over the last 10 years VCs are not caring about insurance or corporate liability - sink rate is so high it is irrelevant.
For big corps - this is different. But modulo hipaa - this is why they are gung ho hi about binding arbitration - they are trying to match velocity to some degree - and mostly failing…
VCs and investors are a massive issue, which is ironic saying that here, but once you get into contracts with other businesses, it changes things for the business and the leadership within who do carry liability when things go wrong, especially when they have made attestations.
What we are talking about is the conclusion you leapt to from 20 seconds of looking for evidence to suit a conclusion. Nothing in their comment "These are largely friends and peers, so they ultimately own their own risks" insists these are all people working in or on healthcare. Friends could be ... friends? Like the kind outside of work. And if someone is a peer (again, we have to assume the "at work" part), there isn't much you can do to prevent them from doing what they will. Educating them about trigger safety may be the best thing you can do.
>Every executive/leader I've shown Claude Cowork to has gone from 'what is AI' to 'vibecoding whole apps' in weeks. [0]
I think this is where we have the issue in my tone and approach to my comments. My response was based off of the OP stating that the people who they were introduction were 'executives/leaders' and not 'friends', which has a very different connotation when it comes to information security, liability, responsibility, accountability, and ownership. It was only in their response to my question about risk ownership that they described the persons as friends.
If they had said 'friends' from the very beginning, instead of 'executive/leader' I would not have had the reaction than I did. The reason why I brought up HIPAA was because of 'executive/leader', since the idea of duty of care extends to leadership within any organization, especially those who are involved with healthcare, which they know based off of their company.
[0] https://news.ycombinator.com/item?id=48131968
But even your pullquote insists on begging the question. No one said "Every executive/ leader at my place of business who does nothing except work with PII data all day", you presumed it.
>"I’m a CFO and network regularly with other executives, board members who also are board members at other companies, investors, people who see a combined large population of companies"
I have already addressed this elsewhere. [0]
The call to HIPAA wasn't about PII, it was about knowledge around standards and regulations such as HIPAA when it comes to application/information/network security is just baked in. Which is why the passivity around the statement made no sense given the risks/obligations/liability associated with vibe coding applications at the executive level, which someone who's company deals with HIPAA should understand and appreciate.
Never have I said that, and please quote me word-for-word otherwise, what I said applied to "very executive/ leader at my place of business who does nothing except work with PII data all day", that is a windmill you created yourself.
You can keep tilting at the windmill.
[0] https://news.ycombinator.com/threads?id=Ucalegon#48133230
Stop digging.
I am not digging, I am being consistent.
But I appreciate you trying to police the expression of my deeply held beliefs, but, like, nope!
You have to understand that people like you, that you that keep talking about enterprise governance and risk, should facilitate business users to do these things securely. This should have always been the case but somehow it has ended up more with restricting rather than facilitating. Hopefully tools like claude code will prove the value add more easily, changing everything I hate about corp IT.
I appreciate the feeling but this isn't so much driven by principle but by business risk through contract liability or other liability that exists within whatever place you happen to be doing business.
'Adding value' is a very interesting statement and way to judge the worth of something. Adding value to who? And if that value add also causes massive harms, how do we reconcile that? So you build a brand new app with does all of the things that all of your total addressable market wants, but it also exposes all of the IP your existing clients, does that mean you will be able to achieve that TAM?
Corp IT does not exist in a vacuum. Understanding the why of that isn't a 'you should just accept this' but more 'how can we make this better and avoid mistakes already made by others'. I will always point to aviation and 'bold text is written in blood' as a great model to understand all of this not as a blocker but, instead, as a building block.
There is no way to facilitate untrained users in the healthcare space to vibe code real applications touching patient data. There is no magic policy, firewall, or "facilitation technique" which can make vibe coded software reliably meet contractual and regulatory obligations with a high degree of security in the healthcare space.
If you care about data privacy, especially your own protected health information, that sentence should give you a lot of comfort.
In a HIPAA environment, people who are sufficiently trained on how to develop regulated software securely are called "software engineers".
In my opinion, agents will replace the majority of the rest of businesses before they are good enough at agentic engineering to be able to autonomously develop software that safely and reliably can manage PHI without a single mistake.
It goes without saying: never trust your PHI to any company who is vibe coding in production.
You guys have jumped to so many conclusions it’s amazing.
You are assuming like 12 things that aren't true in this response.
Explicitly name them then.
What kind of risk do you see?
Depends on what types of apps are being built, what data they touch, and what those apps are exposed to from a network perspective. Ie; all of the fundamentals of information/network security. Generally speaking, most executives do not have an information/network security background but do have privileged access to extremely valuable information, even if an attacker just has access to their email.
> most executives do not have an information/network security background but do have privileged access to extremely valuable information, even if an attacker just has access to their email.
In a properly structured organization, of which there are many and who are required by regulations and/or best practices, senior executives tend to have need/role-based access to information, just like everyone else in the organization. So they may have access to strategic business information, but not patient records or payroll. They may have access to planning data, but not the financial records of individual or clients. Etc. etc.
Smaller or newer orgs may not have this compartmentalization, but in general I think the principle holds true for orgs over a certain number of folks in size.
I do not disagree with anything you said.
Generally, when it comes to 'privileged' information within an executives inbox it is business information or trust releastionships and not specific PII/PHI of an user. It was me being terrible at trying to impart that even the most begin seeming access may have major consequences even if it is not a total compromise of everything given the massive scope of 'what could happen' with executives vibe coding applications, like something managing their inbox past their EA, or something trivial seeming.
Right but your Head of HR may have access to the drive with employee PII in it, or your CTO may be able to view your IT team's password manager.
These are 'proper' (sometimes) access controls, but can still be abused. Not from email...but you get the idea.
What risks? You don't even known what they are building and you start the FUD train.
I found the Microsoft guy!
What does this even mean?
Just going on and on about compliance when you have no idea about the details. It’s a classic example of how IT fails most large orgs.
Compliance isn't required due to a vendor.
Compliance is due to the legal obligations thanks to local regulations and obligations that are defined through contracts with 3rd parties.
Saying 'found the Microsoft person' expresses a lack of understanding of the domain.
You kind of just proved my point. Sorry I should not have been joking but i don’t think you have a grasp what’s going on around you.
This is how IT acts in my enterprise orgs. There is absolutely a need for compliance and governance but unfortunately the people in these roles are typically not technically minded and have low incentives to innovate so you get these folks only really arguing for their jobs.
Cool story bro.
Do you think the MSFT sales person, or anyone who has the financial incentive to innovate, doesn't want you to innovate? They want you on Azure and O365 regardless, they don't care.
Hell, Microsoft will give you will give you 150k [0] of credits to do so.
But keep talking as if you have some magical, unique, special insight that escapes contracts and the law, compared to the people who, sadly, have to deal with reality.
[0] https://www.microsoft.com/en-us/startups
What is your deal about contract law? It’s not some mystical thing. You can get red lines with Anthropic, you can get a DPA with Anthropic. You keep going on and on about governance and contract law on a thread about how Claude Code is pretty useful for nontechnical people.
Risk is always nonzero but you can already today get pretty comfortable with most of these orgs with some customization in the contracts.
Does Anthropic's DPA provide indemnity to code thats produced from the product and any damages associated with security vulnerabilities within that code?
We are talking about vibe coded applications by executives and the risks that are associated with that, nothing within a DPA covers that. Please, be my guest, link an Anthropic DPA which includes indemnity for damages associated with the code produced.
Again, you keep showing your lacking of understanding of the domain in some really fundamental ways which shows that you haven't negotiated B2B contracts nor have you held a position of responsibility where you hold liability.
But keep responding because this feels more like therapy for you, and your feelings about people like me, rather than the realities of the exposure that come from vibe coded applications for executives.
I concede that I started the thread with a joke but wow you really are upset. Let’s take a step back. Apologies again for that joke it just the entire discussion reads like non-technical non-legal advice you get from the typical corporate IT.
Each entity and group have to consider the risks. I don’t think anything you’re trying to point at though is really useful for the discussion at hand. There is absolutely a use case for Claude code/cowork/codex and related tools to be used by non-technical folks. There is also a lot of figuring out in each of these groups. Unfortunately IT in most orgs in what I have seen have ignored the art of what’s possible for the last 3 years and now that we have hit this inflection point are scrambling to catch up but sadly the incentives are usually not aligned so they are really only incentivized to not take any risks.
> I concede that I started the thread with a joke but wow you really are upset.
You went further than "a joke."
You continued making aggressive, non-substantive remarks that were out of line.[0]
#1 > you have no idea about the details.
#2 > i don’t think you have a grasp what’s going on around you.
#3 > What is your deal about contract law? It’s not some mystical thing.
You wasted everyone's time.
[0] https://news.ycombinator.com/newsguidelines.html
If I am wasting your time then stop replying with links to the rules. Like I keep saying you guys are pointing out specific legal questions that only a business can answer and are not constructive to the main thread. Lots of leaps to conclusions and finger pointing which anecdotally aligns with what I have seen in corporate IT.
There is a fundamental difference between non-technical users from using Claude, or any other LLM, for whatever reason and whatever they produce being produced into production.
There are significant reasons why an organization would not want to use Cowork, because it does not fall under Anthropic's ZDR [0], which is a huge issue for... anyone dealing with anything sensitive.
What I think this comes down to is that you value velocity regardless of whatever the costs. We will get to see how that solves itself, there are going to be a lot of billable hours that are going to figure that out.
But none of this means that you have any idea what you are talking about nor do you understand why individuals or organizations act the way that they do.
You are free to do it better. Please do.
[0] https://code.claude.com/docs/en/zero-data-retention#what-zdr...
Again you’re raising a bunch of issues that don’t matter in this thread and can only be answered by the specific business groups that are trying to utilize tools like Claude code. They are mostly worthy questions but you are attacking them very specifically and honestly I don’t think relevant to the discussion where someone talked about show the art of possible to people.
So we have moved the goalposts to this point.
I am sorry you feel this way, it does not change the facts of whats being discussed, its just that you disagree and you lacked the initial courage or intellectual capabilities to express that constructively, so you had to obfuscate through providing nothing of value to the discussion via low value comments. I get that YOU don't think something, but just because YOU feel something doesn't make it valid, grounded in reason, or should be listened too.
Have a great rest of your day and weekend!
Others pointed it out better but you jumped to a conclusion in 30 seconds pointing out pointed legal and risk asks that don’t apply to the thread. Just look at the other threads of conversation where you go massively downvoted. You can capitalize YOU all you want but my point still stands. Yall are jumping to oddly specific conclusions that don’t matter in this thread. There is an absolutely interesting discussion around risk to be had but you attacking someone’s 30second paragraph about their anecdote does not open the door.
I get that you lack the intellectual capability and capacity to make the point yourself, which is why you refer to others without linking, to make the point on your own, its ok. I also understand that your own internal bias and lack of actual ownership/responsibility/liability, which might be tied to the intellectual deficiencies noted up top, to understand the danger of executives/leaders shipping applications given their access to information.
But you are totally free to build a company where there is no oppressive corporate IT, where there is always an incentive to innovate and grow, you can build that future.
The reason why that will not happen might be contained within the first ten words of the first sentence of my first paragraph, but you can prove me wrong. Let me be your motivation! Your dream should be your reality!
This guy's acting in bad faith. Sorry you got swept into this.
I know. I don't expect them to come up with anything, but its fun to see how far they will backtrack/change the goalposts and how much they will tie themselves into knots to try and justify their lack of integrity.
Says the “Cool story bro” guy.
My point has been consistent. You jumped to specific conclusions from a 30second post that adds little to the parent discussion.
> You can get red lines with Anthropic, you can get a DPA with Anthropic.
IMHO,
1. Dismissing attorney client privilege is reckless
2. and the vast majority of users aren't aware of what "customization in the contracts" is needed to enable autonomous agents or if it's already contractually allowed.
This is still a fair question:
> Do you, and those executives, own the risks associated with that practice? Are those risks actually indemnified?
I think you guys are hitting on very specific issues that would only be constructive in the context of the business group using these tools. There is a discussion but I don’t really see the point in this thread. I see some folks from more of an IT background pointing fingers instead of the discussion at hand. Absolutely groups need to work with their legal representation to figure out an acceptable level of risk. Everything has non-zero risk. But again none of these specific points really hit on anything for this thread.