Trail of Bits, a well-regarded security research firm, published an account in March 2026 of its progress toward becoming “AI-native.” The firm has standardised its consultants on Claude Code, written an internal AI usage policy and developed an AI Maturity Matrix. It also reports that AI-augmented auditors find approximately 200 bugs a week. The case is instructive for any organisation trying to integrate AI into high-trust work.
Why AI-native auditing is harder than it sounds
Security auditing is a trust business. Clients rely on auditors to find issues that automated tools miss, to report accurately and to protect sensitive source code and systems. Introducing AI into this workflow changes the economics, but it also changes the risk profile. A hallucinated vulnerability wastes client time. A real vulnerability missed because the auditor over-relied on the model damages reputation. Mishandled client code undermines confidentiality.
Trail of Bits’s response is to treat AI as a controlled capability rather than a free-for-all. Standardising on one tool, writing a policy and creating a maturity model are governance moves first and technology moves second.
The AI usage policy as a control
An AI usage policy for auditing should answer several questions. Which client engagements allow AI assistance? What code or data can be shared with a model? How are outputs validated? Who is accountable when an AI-assisted finding is wrong? What training and logging are required?
Without clear answers, consultants will make inconsistent decisions. Some will avoid AI and fall behind on productivity. Others will use it liberally and create confidentiality or quality risks. A policy sets the guardrails without prescribing every keystroke.
The maturity matrix
The AI Maturity Matrix is a useful concept for any professional services firm. It maps teams or individuals across dimensions such as tool proficiency, review discipline, client consent and quality outcomes. This makes it possible to match consultants to engagements appropriately and to identify where training or process improvement is needed.
Maturity models also help with client conversations. A client asking whether AI was used in their audit deserves a clear, defensible answer. A maturity framework makes that answer easier to give.
Productivity without trust is not progress
Finding 200 bugs a week is an impressive throughput figure, but it only matters if the findings are accurate, relevant and responsibly reported. Trail of Bits’s approach suggests that the productivity gain is paired with quality controls. That pairing is the hard part.
For organisations adopting AI in security, compliance, legal or other high-trust functions, the lesson is to invest in the operating model at the same time as the tooling. Choose tools, write policies, train people, measure outcomes and keep human accountability at the centre.
Practical steps for other firms
Start with disclosure. Decide whether and how clients will be informed about AI use. Then define scope: which tasks may use AI, which require human-only execution and which need client approval. Finally, build feedback loops. Track false positives, missed issues and client outcomes, and refine the policy as the tools evolve.
AI can make expert work more productive. Maintaining trust while doing so is a deliberate design problem, not a side effect.