In a world where government systems often run on legacy code dating back decades, the Province of Alberta has turned to AI to close security gaps that would have taken years to address manually. Since 2025, the Alberta Ministry of Technology and Innovation has been using Anthropic’s Claude Code—leveraging both Opus and Sonnet models—to scan 466 million lines of code across 1,280 applications and 3,400 repositories. The result: a comprehensive security review completed in 20 hours that the team estimates would have taken roughly 6.5 years using traditional approaches.
This effort is not just about speed. The ministry, responsible for all 27 provincial government services—from tax collection and social services to wildfire response—had never undertaken a systematic security audit of its entire portfolio. Accumulated technical debt, outdated languages, and insufficient documentation created billions of dollars in potential risk. Traditional static analysis tools often miss the contextual vulnerabilities that a large language model can catch, because they rely on pattern matching rather than semantic understanding. The scan identified issues previously undetected, and Claude was able to generate patches, write missing tests, and even rewrite entire legacy systems in modern languages—such as a 25-year-old Java-based subsidy portal that originally took five months to build, but was reconstructed in four to five days.
The ministry’s approach goes beyond one-time cleanup. They deployed a continuous security review pipeline using specialized Claude agents: a “red team” agent simulates attacker behavior, mapping potential exploit paths; a “blue team” agent then evaluates defenses against international security standards and produces a remediation plan with exact file references. Each application is checked against roughly 95 security controls per pass. This constant vigilance is a stark contrast to the typical government practice of reactive patching. The real value of AI in cybersecurity isn’t just finding bugs faster—it’s embedding security into the entire software development lifecycle.
Some critics, however, caution that relying on AI for security audits introduces its own risks. For instance, AI models may generate false positives that overwhelm teams, or they could miss novel vulnerability patterns not represented in their training data. Moreover, governments must ensure their use of AI complies with privacy regulations, since sending sensitive code to a third-party API could raise data sovereignty concerns. Alberta has addressed these worries by running Claude in a controlled environment and requiring human review for every patch before deployment. Still, the debate underscores a broader tension: AI systems that are powerful enough to find subtle vulnerabilities are also powerful enough to introduce them if not carefully governed.
The broader context is instructive. Governments worldwide struggle with legacy systems—the U.S. federal government alone spends over $90 billion annually on IT, much of it on maintenance of aging systems. While private sector automation has advanced, public sector cybersecurity has lagged due to budget constraints, fragmented procurement, and risk aversion. Alberta’s experiment offers a replicable blueprint. The ministry has published technical white papers and will host an industry day in Edmonton this July, with plans to scale the approach across all provincial ministries starting this fall. Notably, they have also launched the Alberta AI Academy, training over 10,000 government employees and citizens in AI literacy, aiming to spread the expertise beyond a single team. When governments share their AI failures as openly as their successes, the entire public sector learns faster.
Looking ahead, the ministry intends to use Claude to analyze 185 legacy applications in one department—currently expensive to maintain and hard to update—and consolidate them into 16 reusable modern applications. This modernization project alone could reduce operational costs and improve service reliability for citizens. The challenge is not whether AI can handle government code, but whether government culture can adapt to the speed and transparency that AI demands.
In summary, Alberta’s case demonstrates that large-scale government system security can be dramatically accelerated with AI, provided proper oversight and human-in-the-loop validation are in place. The project shows that responsible AI use in the public sector is not only possible but urgent—especially when citizens’ sensitive data depends on the resilience of systems built decades ago. For other governments, the takeaway is clear: start small, share learnings, and never assume your code is clean just because it hasn’t been scanned yet.