Domain 4 of 4 · Chapter 1 of 5

AI-Assisted Code: Benefits and Risks

What AI assistants do well, and where it stops

Ask an assistant for "an Ansible task that sets the MTU on a list of interfaces" and a runnable draft comes back in seconds, already shaped like the cisco.ios collection[1] you would have reached for. That speed is real, and it is the reason to use one. It is also the entire benefit, and knowing exactly where the benefit ends is what keeps AI-assisted automation safe.

One idea governs this whole page: an AI coding assistant is a drafting aid, not an authoritative source. It produces a first draft; a human, a test, and a review turn that draft into a change you can trust on a live network. Everything below is a consequence of that one line.

Where the speed comes from

The assistant earns its keep on work that is repetitive and well represented in public code:

  • Boilerplate velocity. Drafting the shapes you write constantly, an Ansible task, a Python REST client against a controller, a Jinja2 template, so a common pattern that used to take real time to hand-write comes back as a draft almost immediately.
  • API and SDK discovery. Explaining an unfamiliar SDK or API surface, for example the Catalyst Center Intent API[2] payload shape or a RESTCONF[3] request body, and explaining existing code you have inherited. This lowers the learning curve on a platform you have not used before.
  • Pattern consistency. Prompted with your team's standards, it can scaffold the same error handling, retry logic, and logging across a codebase, which makes the result more maintainable than a dozen engineers each inventing their own.

Where it stops

None of that makes the output correct, private, or safe to commit, and the rest of this page is the three ways it can be none of those:

  • Data egress is what your prompt sends out of the organization.
  • Intellectual property is what licensed code comes in with a suggestion, and what proprietary code leaks out.
  • Correctness is whether the generated code is even right.

Read the assistant as the fastest junior contributor you have ever had, and also the one whose work you would never merge unread. The velocity is worth having; the review is never optional, and the rest of this page is the review.

Data egress: what leaves your organization

Pasting a running configuration into a cloud chatbot is a data transfer to a third party, full stop. The moment the prompt leaves your network it is in the provider's hands, and unless a contract says otherwise it may be logged, retained, and used to train future models (OWASP LLM02: Sensitive Information Disclosure[4]). The common misread is that the HTTPS lock icon makes the exchange private: TLS[5] encrypts the prompt in transit so nobody on the wire can read it, but it does nothing about what the server does with the prompt after it arrives. Encryption in transit is not confidentiality after arrival. The diagram traces exactly what crosses the boundary.

Secrets are the sharpest case

Whatever is in the code you paste goes with it. An API key, a device password, or an SNMP community string embedded in a script is disclosed to the provider the instant you send it, and you cannot un-send it. Scrub or externalize secrets before any code reaches an assistant: keep them out of the source entirely, in a vault or an environment variable, so there is nothing sensitive to leak in the first place. Ansible's own answer is Ansible Vault[6], which encrypts variables at rest so a playbook references a secret without embedding its value; a repository secret-detection scan[7] is the backstop that catches the key you missed before it reaches a prompt or a commit.

Residency and jurisdiction

Even scrubbed of secrets, a prompt can still break a rule. Sending it to a cloud LLM can move regulated data, customer records, anything bound by a data-residency requirement, out of the jurisdiction where it is permitted to live. If the provider processes prompts in another region, the transfer itself can be the violation, independent of whether anyone ever misuses the data.

The mitigation and its price

Where the model runs decides all of this, which is the axis the comparison table at the top of the page lays out. A self-hosted or on-premises model keeps every prompt and every line of code inside the organization, so egress, secret exposure, and residency stop being risks at all. The price is capability and upkeep: an in-house model is usually less capable than the frontier cloud service, and you own running, updating, and securing it. An enterprise no-train tier is the middle path, the cloud model's capability under a contractual promise of zero retention and no training, and it is only ever as strong as that contract. Match the tier to the sensitivity of what the prompt carries.

Your organizationConfigs & topologyProprietary codeSecretskeys, passwordsSelf-hosted modelprompts stay insidePublic cloud LLMmay log or train on promptprompt leaves the orgTLS is not privacy
What crosses the org boundary: a prompt to a public cloud LLM may be logged or trained on, while a self-hosted model keeps code inside. TLS is not privacy.

Intellectual property: what comes in and leaks out

Treat an AI suggestion as third-party code, not first-party code, and most of the intellectual-property risk takes care of itself. The risk runs in two directions, and the diagram shows both: licensed code can flow in with a suggestion, and your proprietary code can leak out through the model.

Inbound: licensed code you did not write

A model trained on public repositories can reproduce code that closely resembles its training data, including code under a copyleft license such as the GPL (GNU General Public License). Merge that into a proprietary product unnoticed and you have imported a licensing obligation you never agreed to, the same class of supply-chain exposure OWASP calls out for AI systems (OWASP LLM03: Supply Chain[8]). The mitigation is exactly what you already do for any dependency: license-scan and review AI-suggested code before it merges, rather than trusting it as first-party work. A merge-request approval[9] gate is the natural place to require it.

The ownership question is unsettled

There is a second, quieter inbound problem: the copyright status of purely AI-generated code is legally unsettled, and jurisdictions differ on whether output with no human author can be owned at all. You cannot resolve that debate on a code review, but you must have a policy on it, whether AI-generated code may be committed and how it is marked, so the question is answered once by the organization rather than case by case by whoever accepted a suggestion.

Outbound: your code leaving through the prompt

The same channel runs the other way. Feeding proprietary code into an external model to train or fine-tune it can leak that intellectual property into other tenants' outputs later, because the model has learned from it. This is the inverse of the inbound case, and it is why a no-train contract, introduced in the data-egress section above, matters for intellectual property and not only for privacy: it is the promise that your submissions are not folded back into the shared model. Where there is no such promise, proprietary code simply does not go to an external training endpoint.

AI suggestioncode you did not writeLicense scan + reviewgate before mergeYour proprietary codebasefirst-party sourceTrain / fine-tune externallyleaks IP to other tenantslicensed code riskcleared to mergetraining leaks IP
Intellectual property flows both ways: licensed code can enter with a suggestion (gate it by review); proprietary code can leak out through training.

Correctness: is the generated code even right?

Code that imports and runs is not code that is correct. An assistant's output can execute cleanly and still call the wrong device semantics, invent an attribute that does not exist, or quietly disable a protection, so "it ran in a test import" is never evidence that a change is safe. There are three failure modes to catch, and one rule catches all of them: validate every suggestion against current, authoritative documentation.

Hallucinated APIs, modules, and paths

An LLM generates the statistically likely next token, not a verified fact, so it confidently produces plausible-looking things that do not exist: an SDK method with a sensible name that was never implemented, an Ansible module that is not in the collection, a RESTCONF[3] path or YANG[10] leaf that no device actually models. Trusting that output without checking is exactly why overreliance is itself a named risk (OWASP LLM09: Misinformation[11]). The check is to confirm every call against the real module[1] or platform API[2] reference, and for model-driven interfaces against the device's advertised YANG model, rather than against the model's confidence.

Insecure defaults

Assistants frequently reach for whatever makes the example "just work," which is often the insecure choice: disabling TLS certificate verification so a request stops complaining, hardcoding a credential inline, or granting a role far broader permissions than the task needs. Disabled certificate verification is the classic one. Setting verify=False in the Python requests[5] library turns off the check that the device on the other end is who it claims to be, which re-opens the man-in-the-middle exposure that TLS exists to close. Because the model's output should be treated as untrusted input, these defaults have to be caught in review, never assumed away (OWASP LLM05: Improper Output Handling[12]).

Stale knowledge from the training cutoff

A model knows nothing after its training cutoff, so it will happily suggest a module or API that has since been deprecated or removed: an Ansible module dropped from a newer collection, an endpoint retired in a platform release. The suggestion looks current and is not. Verify the currency of anything version-sensitive against today's documentation, not against the model's frozen snapshot of it.

The human stays accountable

Across all three failure modes, human validation before deployment is mandatory, and the accountability does not transfer to the model. Run the generated automation against a lab or a sandbox with a test harness such as pyATS[13] before it touches a production device, and record that a named engineer reviewed and approved it. The model drafted the change; the engineer owns it.

The review gate: shipping AI code safely

Nothing an assistant drafts reaches a device until it clears a review gate, and the gate is the same one you would run on any contributor's pull request with a few AI-specific checks added. The diagram shows the whole path: an AI draft enters an automated gate, passes through human approval, and only then merges and deploys; anything that fails goes back to the draft.

The automated checks

Each risk family from the sections above becomes one concrete, mostly automatable check, run before a human ever looks:

  • Secret scan. Catch a key, password, or community string before it is committed or, worse, sent to the assistant in the first place. A pipeline secret-detection[7] job fails the build when it finds one. (Data egress.)
  • License scan. Flag suggested code that carries a license you cannot accept, treating the AI output as the third-party dependency it is. (Intellectual property.)
  • Insecure-default lint. Reject disabled TLS verification, hardcoded credentials, and over-broad permissions automatically, so a verify=False never merges by accident. (Correctness.)
  • API and module currency check. Fail on calls to modules or endpoints that are deprecated or absent from the current collection and platform, which also catches most hallucinated APIs. (Correctness.)
  • Lab test. Run the automation against a sandbox with a harness such as pyATS[14] and assert the resulting state, so behavior is proven before production. (Correctness.)

The human gate

Automation narrows the risk; it does not close it, because the checks above are necessary, not sufficient. A snippet can be correctly licensed, secret-free, and syntactically current and still implement the wrong intent. A required merge-request approval[9] by a named engineer is the step that judges intent and carries accountability. That approval is the point where a human, not the model, takes ownership of the change, which is the non-negotiable rule from the top of the page made concrete. Deploy only what has passed both gates.

AI draftunreviewedAutomated gateSecret scanLicense scanInsecure-default lintAPI / module currency checkLab test (pyATS sandbox)Human reviewand approvalMergeand deploypassapprovereject: back to draft
The review gate: an AI draft passes automated checks (secret, license, insecure-default, currency, lab test) and human approval before merge and deploy.

Reading the stem: exam patterns and traps

The 350-901 does not ask you to recite these risks; it drops you into a short scenario and asks for the primary risk or the correct next action. Every such item rewards the same instinct from the top of the page: AI output is an unreviewed draft, so the right answer treats it as untrusted until validated, and the wrong answers treat it as authoritative, private, or correct because it looks that way.

Map the stem to the risk

What the stem describes Risk it is testing The right answer
Engineer pastes a running config or code into a public AI chatbot Data egress Data goes to a third party that may retain or train on it; scrub, then use an approved tier
"But the session used HTTPS / TLS" offered as reassurance Data egress (trap) TLS protects transit, not retention; encryption is not privacy
AI code imported and ran in a quick test, so ship it? Correctness (trap) Runs is not correct; validate against current docs and lab-test with human review
Generated function sets verify=False to make it work Insecure default Reject the insecure default; keep certificate verification on
Suggestion uses an Ansible module that no longer exists Stale knowledge Verify currency against today's docs; the training cutoff predates the change
Commit AI-suggested code straight into a proprietary repo Intellectual property License-scan and review first; treat it as a third-party dependency

Two worked stems

An engineer pastes a production running-configuration into a public generative-AI chatbot to troubleshoot a routing issue. What is the primary security risk?

The load-bearing words are production configuration into a public chatbot. The primary risk is the data egress: sensitive configuration, and any secret inside it, is disclosed to a third party that may log or train on it. The trap distractor says the exchange is safe because it used HTTPS, which confuses transit encryption with confidentiality. "The AI might give wrong advice" is a real concern but not the primary risk this stem is built around, which is the disclosure.

An AI assistant generates a Python script that configures interfaces; it imports without error in a quick test. What should happen before it runs against production switches?

The words imports without error are the bait. A clean import proves nothing about correctness: the script may call a hallucinated attribute, carry an insecure default, or use a deprecated call. The correct action is to validate it against current documentation and a lab test, with a human review and sign-off, before any device sees it. "It imported, so deploy it" is exactly the overreliance the question is testing against.

The pattern behind every distractor

The wrong answer almost always treats the assistant as an authority: private because encrypted, correct because it ran, safe to commit because it looks like ordinary code. Re-read the stem for which of the three families it names, data egress, intellectual property, or correctness, and pick the option that validates before it trusts.

Where the model runs: what leaves your organization

ConcernPublic cloud LLMEnterprise no-train tierSelf-hosted / on-prem
Prompt data leaves your orgYes; may be logged or trained onYes, under a no-train / zero-retention contractNo; stays inside the org
Secret exposure if unscrubbedHighHighContained to the org
Data-residency controlLittle; provider sets the regionOnly what the contract guaranteesFull; you choose where it runs
Model capabilityHighestHighestLower, model-dependent
Maintenance you ownNoneNoneHigh; you run and update it

Decision tree

Using an AI assistant on automation codeSensitive data in the prompt?secrets / proprietary / regulatedPublic cloud LLMgeneric boilerplate onlyMust the data stay in-house?residency or no-train requiredSelf-hosted / on-premmodel runs inside the orgSecrets scrubbedfrom the prompt?Scrub / externalizethen re-promptEnterprise no-train tierzero-retention contractAlways: license-scan, validate APIs against docs, human review before mergeNoYesStay in-houseContract okYesNo

Sharp facts the exam loves — give these one last read before exam day.

Cheat sheet

Sharp facts the exam loves — scan these before test day.

AI assistants accelerate authoring of automation boilerplate

AI coding assistants speed up drafting of repetitive automation code such as Ansible tasks, Python REST clients, and Jinja2 templates, reducing time-to-first-draft for common patterns.

6 questions test this
AI assistants aid API/SDK discovery and code explanation

A benefit is helping engineers discover unfamiliar SDK/API usage (for example Catalyst Center or RESTCONF payload shapes) and explain existing unfamiliar code, lowering the learning curve.

1 question tests this
The assistant is a productivity aid, not an authority

The benefit is bounded: an AI assistant is a drafting aid, not an authoritative source, so its output still requires review and testing before it can be trusted for network changes.

6 questions test this
AI assistants can scaffold consistent coding patterns

When prompted with team standards, an assistant can scaffold consistent error handling, retries, and logging across a codebase, improving maintainability.

Pasting configs/code into a cloud LLM sends data to a third party

Pasting configurations, topology, or proprietary code into a cloud LLM transmits that data to a third party that may log or train on it unless a zero-retention or enterprise no-train agreement forbids it.

Trap Assuming TLS to the API endpoint makes the prompt private; encryption in transit does not prevent server-side retention or training.

10 questions test this
Secrets embedded in prompted code are exposed

Secrets inside code that is pasted into a prompt (API keys, device passwords, SNMP community strings) are disclosed to the provider; scrub or externalize secrets before sending code to an assistant.

5 questions test this
Self-hosted models mitigate data egress at a capability cost

Running a self-hosted or on-prem model keeps prompts and code inside the organization, mitigating egress risk, at the cost of model capability and maintenance overhead.

2 questions test this
Cloud LLM use can violate data-residency requirements

Sending prompts to a cloud LLM can breach data-residency or compliance boundaries when regulated data leaves its permitted jurisdiction.

AI output may reproduce licensed training snippets

AI-generated code can reproduce snippets resembling its training data, risking license contamination (for example copyleft/GPL code) inside a proprietary codebase.

7 questions test this
Copyright status of AI-generated code is unsettled

Ownership and copyright of purely AI-generated code is legally unsettled, so organizations must set policy on whether such output may be committed and how it is attributed.

4 questions test this
Mitigate IP risk with license review of AI suggestions

The mitigation is to license-scan and review AI-suggested code before merge, treating it like any third-party dependency rather than trusted first-party code.

7 questions test this
Submitting proprietary code to train a model leaks IP

Feeding proprietary code into an external model for training or fine-tuning can leak that intellectual property into other tenants' outputs.

LLMs hallucinate non-existent APIs, modules, and YANG paths

LLMs invent plausible-looking but non-existent SDK methods, module names, or CLI/YANG paths, so generated code must be validated against real API and module documentation.

Trap Assuming code that imports and runs is correct; it may still call the wrong device semantics or a fabricated attribute.

9 questions test this
Human validation of AI code is mandatory before deployment

Human review of AI-generated automation is mandatory before it touches devices, and the engineer, not the model, remains accountable for the resulting change.

7 questions test this
AI assistants often emit insecure defaults

AI assistants frequently produce insecure defaults such as disabled TLS verification, hardcoded credentials, or overly broad permissions, which must be caught during code validation.

4 questions test this
Training cutoffs cause deprecated API suggestions

A model's training cutoff means it may suggest deprecated or removed modules and APIs (for example a removed Ansible module), so the currency of suggestions must be verified.

3 questions test this

References

  1. https://docs.ansible.com/ansible/latest/collections/cisco/ios/ios_config_module.html
  2. https://developer.cisco.com/docs/dna-center/
  3. https://www.rfc-editor.org/rfc/rfc8040
  4. https://genai.owasp.org/llmrisk/llm022025-sensitive-information-disclosure/
  5. https://requests.readthedocs.io/en/latest/user/advanced/
  6. https://docs.ansible.com/ansible/latest/vault_guide/vault.html
  7. https://docs.gitlab.com/user/application_security/secret_detection/
  8. https://genai.owasp.org/llmrisk/llm032025-supply-chain/
  9. https://docs.gitlab.com/user/project/merge_requests/approvals/
  10. https://datatracker.ietf.org/doc/html/rfc7950
  11. https://genai.owasp.org/llmrisk/llm092025-misinformation/
  12. https://genai.owasp.org/llmrisk/llm052025-improper-output-handling/
  13. https://developer.cisco.com/docs/pyats/pyats-on-devnet/
  14. https://developer.cisco.com/docs/pyats/