ENDASV · soonNO · soon

JOURNAL

Alberta secured 466 million lines of code with Claude in 20 hours

A Canadian province ran a security review of its entire codebase with AI. Here is the method, and how a Nordic company can use it at smaller scale.

7 July 2026·10 min read·claude news · ai security · claude code · ai-implementation · technical-debt · human-in-the-loop · gdpr

TL;DR. The Canadian province of Alberta put AI to work on something most companies never get to: a systematic security review of their entire codebase. About 50 Claude agents reviewed 466 million lines of code in roughly 20 hours, found vulnerabilities and fixed them. A human approved every fix before it shipped to production.

This is not a story about a new model. It is a story about a way of working that you can copy at smaller scale. AI does the heavy mapping and fixing, the human keeps control, and every finding can be verified file by file. That is the kind of AI implementation that holds up in an audit.

All figures come from Alberta and Anthropic and are not independently verified.

Anthropic case study on the Government of Alberta (6 July 2026)

What Alberta actually did

Alberta's Ministry of Technology and Innovation runs the IT systems for all 27 provincial ministries, from social services to wildfire response. That is roughly 1,280 applications and 3,400 code repositories, the folders where a system's source code lives. Most of it had never been reviewed systematically for security, and the accumulated technical debt runs, according to the ministry, into the billions of dollars. Technical debt is the bill that grows when code is left old, insecure and half-documented instead of being maintained.

The systems hold some of the most sensitive data a citizen has: tax records, procurement data and social services case files. In 2025 the ministry set up an internal team to make the systems more secure and easier to maintain, with Claude Code as the tool.

What the ministry highlights: a review of 466 million lines of code in about 20 hours, vulnerabilities fixed across the systems, and a set of new tools that keep watch going forward. The team estimates that the same review with traditional methods would have taken around 6.5 years.

We accomplished in hours what would have taken a traditional approach years to complete.
Nate Glubish, Alberta Minister of Technology and Innovation, via Anthropic, not independently verified
Four key numbers from the Alberta case: 466 million lines of code, 20 hours, about 50 agents and about 95 security controls
The Alberta case in numbers. Alberta's own figures, not independently verified.

What the method looked like, step by step

The method is the same whether you have 466 million lines of code or one old system nobody dares touch.

First, a broad scan. About 50 agents, meaning independent AI workers that run in parallel and each take a share of the job, went through every repository. Claude Code ran in two stages. First a rules engine that flags known vulnerability patterns. Then a review of those flags, where Claude pointed to the exact file and line for each finding. That reference matters. It means a developer can verify the finding instead of trusting the machine blindly. According to the case study, the scan found issues that ordinary automated tools had missed.

Then the fixes. Where the scan found a vulnerability, Claude Code could often write the fix, test it and build it. Where a system lacked automated tests, Claude wrote the tests first. Where the code was too old or too tangled, Claude rebuilt it in a newer language. The case study mentions a subsidy program portal, originally hand-coded in Java about 25 years ago, which took five months to build back then and was rebuilt in four to five days. No fix shipped to production until the ministry's own engineers had approved it.

Finally, the standing oversight. Alberta built dedicated review agents on top of the Claude Agent SDK, the developer kit you use to build your own Claude agents. A red team agent attacks the application from the outside, the way an attacker would. A blue team agent measures the defenses against an international security standard and writes a remediation plan pointing to the files that need fixing. Every application is checked against roughly 95 security controls on each pass.

Four steps in Alberta's method: scan broadly, review with file and line, fix with human approval, and monitor with red team and blue team
How Alberta found and closed the holes, with a human approving every fix.

Why an ordinary scanner did not catch it

Most companies already have some form of automated code scanning. Yet the Alberta team found things the old tools had missed. The difference is in the two stages. A rules engine is good at catching known patterns, but it does not understand context, and it often drowns the team in false alarms. By letting Claude review the flags afterwards, with a reference to file and line, the list gets shorter, more precise and actionable. It is not that AI is magic. It is that a language-model layer can read the code in context and separate real problems from noise before a human spends time on them. For a company that means fewer hours wasted on false alarms and a prioritized list developers can actually get through.

Here is my view

466 million lines in 20 hours is an impressive number, but it is not the thing to take away. That number belongs to a province with 1,280 applications. What can be copied is the way of working. AI does the systematic mapping and fixing, a human approves every step, and every finding can be verified file by file.

Access to strong models has never been the bottleneck. Implementation is. Alberta did not have a secret model nobody else can get. They had a method, a clear division of labor and discipline around approval. That is the part most companies are missing, and it is the part that decides whether AI delivers results or just a bill.

One more view I stand by. Copy the method, not Alberta's assumptions about data. Alberta is a Canadian province under different rules than we are. The approach transfers directly. Where and how your code and data are processed must be decided under Danish and European rules, not under a Canadian case.

What it means for Nordic B2B SaaS companies

If you build and sell software, technical debt is not a side project but a direct risk to your customers and your compliance. Old code, undocumented dependencies and missing tests are both a security risk and a brake on new features.

The Alberta method fits almost one to one. An AI-driven review that points to file and line gives your developers a prioritized list instead of a gut feeling. And because every finding can be verified, you can document to customers and auditors what you have found and closed. For a company that sells on trust, that is a sales argument, not just an internal cleanup.

What it means for telemarketing and sales teams

Here the link is more indirect, but it is there. Alberta shows that several AI agents can work in parallel on a well-defined task and deliver output a human can trust, because it can be verified. That is the same principle behind a well-built AI agent in sales. It qualifies, follows up and prepares, but a human owns the decision.

For a sales team the point is simple. Trust in AI comes from output that can be checked, not from believing in it. If you build an agent that touches customer data or books meetings, build it with the same discipline: clear boundaries, traceability and a human in the loop.

What it means for professional services firms

Law firms, accountants and advisory houses sit on two things at once: highly sensitive client data and a lot of repeated, heavy work. The Alberta case brings those two together. Work was done on critical systems with sensitive data, and control was still held through human approval and traceable findings.

Transfer that to your world. An AI that reviews documents, contracts or cases has to deliver findings you can point back to the source with. A claim without a reference is useless in a field where you have to stand behind every piece of advice. Verifiable output and a human in the loop is the only approach that holds in a regulated advisory business.

What it means for founders and scale-ups

Alberta plans to consolidate 185 old applications in one ministry into 16 modern, reusable apps. Same function, far less to maintain. The portal that originally took five months was rebuilt in four to five days.

That shifts the math between building new and rebuilding. An old system that is expensive to keep alive used to be something you postponed, because a rebuild was too big a job. If you have grown fast and sit on legacy code from the early days, the case is a concrete reference point for how fast a rebuild can go. Just remember that speed without verifiability is only faster debt. It is the reference to file and line that makes the speed defensible.

Modernization: 185 old applications consolidated into 16, and a Java portal rebuilt from five months to four or five days
Modernization in practice. Same function, far less to maintain.

GDPR, EU hosting and what applies to companies here

For a company here the first question is not whether AI can do the work, but where your data is processed while it does. Native Claude.ai and the Anthropic API are hosted in the US and do not have EU hosting by default. If you have sensitive data, you can instead run Claude through AWS Bedrock or Google Vertex AI in a European region, so data stays in the EU and a data processing agreement is in place.

Two things from the case are worth bringing into an audit. First, the human in the loop is not decoration. No fix shipped to production without an engineer's approval. That is exactly the question an ISO 27001 or ISO 42001 audit asks: who approves, and can you document it. Second, verifiability is built in. Every finding pointing to file and line means a human can verify instead of trusting blindly. That is an audit-friendly property, and it is worth its weight when you have to stand behind output for SOC 2, ISO 27001 or ISO 42001.

One honest note to close. The same class of tools that finds security holes can, in other hands, be used to look for holes to exploit. That is why clear policies for what the tool may do, and who approves, are not up for negotiation.

How to start in your own company

You do not need a whole ministry to use this. Start by picking one system. Take either the one that touches the most sensitive data, or the one that is most expensive to maintain. Limit the first review to that one system, so the result is easy to grasp. Set a firm rule that no proposal goes live without a person's approval, and keep the reference to file and line for every finding, so you have a trail for a later audit. Run a first pass, measure what it found, and decide from there whether to widen the method. That is exactly how a Brinvik engagement starts: a bounded audit, a clear goal and a division of labor your team can take over afterwards.

What Alberta did at large scale is exactly what Brinvik builds for companies at their scale. Claude put directly into your own systems and workflows, under your own data and security rules, with a human in the loop and your team ready to keep building after I leave. If you want to see where a security review or a cleanup of technical debt would pay off most, start here: Internal AI tools with Claude.

Sources

Primary source:

Background:

All results and figures come from Alberta and Anthropic and are not independently verified by Brinvik.

Transparency about the work

This work was produced in collaboration with AI. Overall: AI roughly 73 percent, Kim roughly 27 percent. Production only: AI roughly 89 percent, Kim roughly 11 percent. The numbers are a qualified estimate, not a measured log.

Table showing how the work on the Alberta task was split between AI and Kim
Division of the work on this task. AI did most of the production, Kim set the direction and caught the errors. Qualified estimate, not a measured log.

FAQ

Frequently asked questions

Run Claude through AWS Bedrock or Google Vertex AI in a European region, so data stays in the EU, and put a data processing agreement in place. Handle sensitive data on a principle of data minimization, and keep a human to approve output. Brinvik sets up the deployment so it can stand up to a GDPR and ISO audit.

Yes. The method scales down. Instead of 466 million lines of code, you put AI on one old system or one heavy, recurring task. The important part, verifiable findings and a human who approves, is the same regardless of size.

Human in the loop means a person approves the AI proposals before they take effect. In the Alberta case, no code change shipped to production without an engineer approving it. That gives both better quality and the documentation an audit requires.

Get new essays by email.

Roughly twice a month. Same voice. No list rental, no retargeting.

Sign up for the Brinvik journal. Unsubscribe anytime. See our privacy policy.

Protected by Cloudflare Turnstile. No challenge, no CAPTCHA. Brinvik never shares your address.