Alberta Uses Claude to Scan 466 Million Lines of Code in 20 Hours

Serge Bulaev

Serge Bulaev

The Government of Alberta used Claude, an AI tool, to scan 466 million lines of code in about 20 hours, a job that officials said would take humans around 6.5 years. The AI checked code in 1,280 applications across 27 ministries, following 95 security rules and suggesting fixes that engineers reviewed before use. Officials say this approach may have helped avoid over $2 billion in costs, but these savings have not been independently confirmed. Alberta's method could suggest a new way for governments to safely use AI in security while keeping humans in control. Other governments appear to be looking at Alberta's process as they consider their own AI projects.

Alberta Uses Claude to Scan 466 Million Lines of Code in 20 Hours

The Government of Alberta's groundbreaking use of Claude for a massive cybersecurity review has become a key case study in public sector AI. In a landmark project, the province used the AI to scan 466 million lines of code in just 20 hours - a task estimated to require significant manual effort over multiple years. This initiative provides a data-rich blueprint for integrating large-language models (LLMs) into sensitive government operations while demonstrating a clear shift toward AI-augmented security that keeps human experts firmly in control.

Inside the 20 hour scan

Alberta's Ministry of Technology and Innovation deployed 50 parallel AI agents to audit 3,400 code repositories across 27 ministries. The agents, powered by Claude's Opus and Sonnet models, applied 95 security checks to flag vulnerabilities and suggest code fixes for human engineers to review and approve.

According to an official Anthropic case study, engineers reviewed every AI-generated patch before deployment, ensuring a strict human-in-the-loop process was maintained throughout the audit.

The official sources confirm 1,280 applications examined, approximately 50 agents deployed with red-team and blue-team roles, and significant code consolidation efforts, though specific cost figures and detailed metrics remain unverified:

  • 1,280 applications examined
  • Legacy applications consolidated into modern replacements
  • Substantial projected cost savings, according to industry reports
  • Multiple documentation papers published to share reusable playbooks

Agent roles and continuous monitoring

The project utilized a multi-agent system where each AI had a specialized role, including red-team agents for attack simulation, blue-team agents for defense evaluation, and others for code quality and documentation. A technical report detailed this division of labor (4.66 億行程式碼 report). Following the initial scan, officials indicate these specialized agents have moved into ongoing operations, with automated review capabilities being implemented for new code commits.

Governance constraints shape deployment

Alberta's deployment model provides a template for navigating the governance challenges of using AI with regulated data. The framework limited model privileges with strict role-based access controls, isolated agents in secure enclaves without write access to logs, and mandated human review for all security-related changes. Reinforcing this, a LinkedIn Pulse analysis confirmed that every AI suggestion was processed through standard change-management ticketing before implementation.

What the numbers could mean for other jurisdictions

The reported cost savings, while not yet independently audited, suggest the project's significant potential impact. Compressing a multi-year review into less than a day demonstrates that well-defined AI agent deployments can deliver substantial productivity gains without sacrificing auditability. As a result, security leaders across other governments are reportedly using Alberta's security control framework and phased rollout strategy as a benchmark for their own AI initiatives.


What exactly did Alberta accomplish with Claude?

In a July 2026 announcement, the province revealed it had scanned 466 million lines of code across 1,280 applications from 27 ministries in only 20 hours using Claude Code with Opus and Sonnet models. Manual review was estimated to take multiple years; the AI effort delivered substantial cost savings according to industry reports and has since moved into ongoing automated reviews of new commits against security controls per application.

How were the AI agents set up and supervised?

Roughly 50 parallel autonomous agents operated through the Claude Agent SDK. Each agent had a narrow role - red-team, blue-team, code-quality, or documentation - and worked inside a two-stage routine: flag known vulnerable patterns first, then produce detailed findings for human engineers who reviewed and approved every patch before deployment. Write access to logs was removed, agents ran inside isolated enclaves, and ephemeral credentials expired the moment a job finished, limiting any blast radius.

Why does this case matter for other governments or highly regulated industries?

It shows that large language models can move beyond productivity hacks into defensive, security-sensitive workflows without surrendering governance. Alberta's framework kept auditability at the center: non-delegable human sign-off, strict DLP controls tuned to agent behaviors, and continuous third-party review of privileged architectures. The approach aligns with emerging federal guidance emphasizing fail-safe defaults and graduated autonomy for any agent touching classified or citizen data.

What measurable improvements were achieved beyond speed?

  • Application footprint was significantly reduced through consolidation of legacy systems into modern applications, cutting future maintenance attack surface.
  • Multiple open-source documentation papers were released, sharing hard-won integration patterns with other public-sector teams.
  • False-positive rates for security alerts reportedly improved because Claude agents supply context-rich explanations, letting analysts triage more efficiently than with traditional scanners, according to industry reports.

What caveats should organizations copy-paste from Alberta's playbook?

  1. Start in read-only mode: let agents surface issues before you grant remediation rights.
  2. Budget for human review: the 20-hour headline figure excludes substantial engineering hours spent validating outputs.
  3. Log everything: immutable audit trails are now a regulatory expectation, not a nice-to-have.
  4. Model size ≠ efficacy: Sonnet handled the bulk of scans; Opus was reserved for complex logic, proving targeted model choice can contain compute cost.
  5. Revisit risk models quarterly: threat landscapes shift faster than annual budget cycles.