
Why America’s Most Critical Code Can’t Use Consumer AI Tools

Somewhere in a secure facility, a software engineer is patching a system written in Ada. The original developers retired years ago and the documentation to support the critical code is sparse. This code controls a weapons platform, a satellite bus, or a critical piece of infrastructure, all of which cannot afford to fail. The engineer has a laptop, coffee, and no cloud connection for AI.

This plays out tens of thousands of times across the US defense industrial base, federal agencies, financial institutions, and critical infrastructure operators. While AI coding assistants like Claude Code or Codex have completely transformed commercial software over the past few years, regulated industries have been left behind completely.

The reasons for this are structural. If we don’t address them, the gap between how fast Silicon Valley ships software and how fast the Department of Defense does will keep widening, at exactly the moment when national security is increasingly defined by software.

Key Takeaways

  • Regulated industries struggle with outdated code in languages like Ada and COBOL, lacking adequate documentation and expertise.
  • AI coding assistants fail to support these legacy languages effectively, leading to risks and inefficiencies.
  • Compliance barriers hinder the use of cloud-based AI tools for sensitive environments, requiring air-gapped solutions.
  • The Authority to Operate process delays the adoption of new software, making it difficult to patch vulnerabilities quickly.
  • An AI-native IDE is essential to improve productivity and meet the unique challenges faced by regulated industries.

The Legacy Language Problem

Much of the code running critical systems wasn’t written this decade, or even the last. Major banks still process trillions of dollars in daily transactions through COBOL. Scientific and defense computing leans on Fortran.

Engineers truly fluent in these languages are retiring faster than new ones are being trained. Industry surveys consistently put the average COBOL developer over 55. Ada and Fortran skill pools are even shallower. The codebases, however, are enormous: millions of lines, with decades of tribal knowledge, undocumented edge cases, and patches layered on patches.

General AI coding assistants perform poorly here. They were trained overwhelmingly on newer open-source code. Ask them to reason about a 40-year-old Ada real-time control system and their outputs drift from unhelpful to dangerous. A suggestion that looks plausible on the surface but misunderstands the semantics of the language is a liability rather than a productivity boost.

The Compliance Wall

Even if the language problem were solved, there is another barrier. Most popular AI coding tools route to cloud-hosted frontier models. That is a no-go for classified work, IL-5+ workloads, or any environment where controlled data or sensitive information flows through the codebase.

NIST compliance, FedRAMP High, and similar frameworks aren’t just checkboxes on existing architecture; they dictate where data can travel, who can see it, how it is logged, and what happens if those controls fail. Air-gapped environments are the standard for defense work. These are machines that are entirely isolated, with no connection to the open internet. You cannot ship your codebase to a cloud API for completion when that codebase is classified, ITAR-controlled, or touching CUI.

This creates an unhappy choice for defense and regulated industry engineers: accept the productivity cost of not using AI at all, or use a stripped-down local model that lags behind the frontier models by years and struggles with the languages they actually write in.

The ATO Bottleneck

Then we have the Authority to Operate (ATO) process. Before any new software touches regulated industries, it has to pass through a comprehensive review of security, compliance, and operational readiness. ATO timelines consistently run 12 to 18 months, sometimes longer. For teams trying to patch a newly discovered vulnerability, this is an eternity.

A meaningful chunk of ATO friction comes down to documentation and verification: can you prove the code does what you say it does, can you show every dependency, can you account for every change? Tasks like these are exactly where AI excels: generating bills of materials, producing compliant artifacts, translating informal specifications into formal ones, and writing the test coverage reviewers want to see.

But the tool has to live inside the boundary. It has to work on air-gapped networks, understand the legacy frameworks the critical code is actually written in, and produce output a human reviewer can trust, traceable to its source rather than to a hallucinated citation.

Software-Defined Everything

The strategic reality is that warfare, intelligence, finance, and critical infrastructure are all becoming more software-defined by the year. The side that can write, review, and field correct code faster has a durable advantage. Commercial AI tooling has compressed software timelines dramatically for consumer companies. The same compression hasn’t reached the regulated sector. Procurement officers, system integrators, and program managers should be asking harder questions about what their tooling can actually do inside their environments, not in a demo over the public cloud, but on the actual air-gapped workstation where the actual classified critical code lives.

The tool ecosystem needs to grow to match. What’s needed is an AI-native IDE that runs on device, supports the languages the critical systems are actually written in, integrates with formal verification frameworks, and gives developers transparent diffs they can review. Human oversight can’t be an afterthought, as studies repeatedly show that developer comprehension of their own codebase degrades sharply when AI takes over without good review surfaces.

This is the problem my team at Noah Labs (noahlabs.ai) has been working on with Sentinel, but the broader point transcends any single product. Regulated industries need a software tool that treats their constraints as starting conditions rather than afterthoughts.

Air-gapping is not a feature to add later. Compliance is not a checkbox. Legacy code support is not a stretch goal.

What Comes Next for The Most Critical Code

The engineer in that secure facility with the Ada codebase and the most critical code deserves the same productivity leap a frontend developer at a consumer tech company got in 2023. Getting there is both possible and necessary. The only real question is how long we’re willing to wait.
