Sonar CEO Tariq Shaukat argues that in a world of increasingly capable coding agents, the verifiers are king: models generate plausible-but-not-necessarily-correct code, so verification has to be baked into the software development lifecycle rather than treated as an afterthought. He introduces Sonar's agent-centric development cycle (AC/DC) — guide, verify, solve — built on zero-trust, multi-layered verification that combines algorithmic and agentic checks.
Shaukat opens by noting that Sonar works almost exclusively with enterprises, where the dominant conversation is not "AGI is here" but the question-mark version: is it? He points to headlines — KPMG and EY reports retracted over hallucinations, law firms in trouble over made-up citations and case law — as evidence that getting value out of AI is genuinely hard.
The core problem, he argues, is that models are incredible at generating very plausible output that sounds correct. Whether in professional services, legal, marketing, or finance, the unanswered question is how you actually know if the output is true, good, or just slop.
Using METR data, Shaukat shows coding agents improving on an exponential curve, with the latest models completing tasks that would take humans 16–18 hours. The critical caveat is that this is measured at a 50% success rate; raising the bar to 80% accuracy shrinks the achievable task horizon to roughly 3.5 hours — and even 80% wouldn't survive a performance review, as one customer CTO told him.
Sonar's own benchmarking across over 4,000 problems finds that models handle functional correctness extremely well, but still produce code that is complex, buggy, and insecure. This is the output flowing into agentic workflows — not a claim that AI is fake, but a question of how to get production-grade value from it.
A Carnegie Mellon study, Shaukat says, mirrors what he sees firsthand: an initial 3–5x boost in velocity that dissipates within about three months back to pre-agent baselines. The reason is the red lines on the chart — rising security, maintainability, reliability, and complexity issues. Teams generate technical debt as fast as, or faster than, they generate code, creating a new bottleneck.
His framing: while code may be provable, software at scale is not — large codebases are messy, dependency-laden, and already full of debt. So verification can be treated as an afterthought (old-school code review) or baked into the process, and baking it in yields materially better outcomes.
Sonar's framework, playfully abbreviated AC/DC, puts verification-powered agentic loops at the center and surrounds code generation with three disciplines: guide, verify, and solve. Guide splits into context (architectural awareness, semantic navigation of the codebase) and constraints (guidelines, allowed/disallowed dependencies, coding standards, intended architecture) — Shaukat cites a newly launched product, Sonar Vortex, and reports over a 30% reduction in tokens by making the agent's job easier.
Verification itself is zero-trust and multi-layered: because every model has biases and a character, you use different models and techniques, fusing algorithmic verification (data flows, control flows, known patterns, secrets) with agentic verification (intent, business logic, unknown unknowns). Solve adds active, verified code maintenance — remediation agents and discipline that keep the codebase clean, which agents benefit from just as human developers do.
Shaukat argues verification must live inside a system of three deliberately designed loops: the agentic (inner) loop with in-loop verification, the CI verification loop for pull-request review and quality gates, and the code maintenance loop. Designed well, these form a self-reinforcing, compounding system — but neglecting quality sends teams into a downward spiral, exactly the dissipation the Carnegie Mellon study documents.
The results he cites: partners using multi-layered verification report 44% fewer AI-derived production outages, and a large bank using cutting-edge agentic tools achieved a 92% reduction in issues by applying guide-verify-solve inside its agentic loops — a benefit that compounds over minutes and hours rather than being a one-shot gain.
The models are incredible at generating very plausible output. They're incredible at generating things that sound correct, but are they correct?
You can treat verification as an afterthought or you can bake verification into the process.
We call it the agent centric development cycle. For shorthand we call it AC/DC sometimes.
They are reporting AI derived production outages being 44% less frequent than the ones who do not.
| Time | Topic |
|---|---|
| 00:00 | Intro: Sonar, verification, and "Is AGI here?" |
| 01:03 | AI slop everywhere — KPMG, EY, and legal hallucinations |
| 02:40 | METR data: longer tasks, but only 50% success rate |
| 04:14 | Sonar's 4,000-problem benchmark: correct vs. complex, buggy, insecure |
| 05:49 | Carnegie Mellon study: velocity boost dissipates into tech debt |
| 08:23 | AC/DC — the agent-centric development cycle: guide, verify, solve |
| 11:00 | Zero-trust, multi-layered verification and 44% fewer outages |
| 14:07 | Three compounding loops and a 92% reduction at a large bank |