Embracing Static Analysis in the AI Era

By Quentin Ochem

Chief Product Officer

AdaCore

June 15, 2026

Large language models have made remarkable strides over the past few years, to the point that entire aspects of software engineering that once required careful, manual human attention are on the cusp of automation. This evolution is akin to the introduction of the first calculators, the first high-level language compilers, or the first search engines, or perhaps the shift from horses to cars as the primary means of locomotion, albeit at a pace unmatched in history.

One of those activities is code review and bug finding. For decades, we have grown accustomed to static analysis tools that enable us to systematically analyze large codebases against known bug patterns, from intrinsic errors such as division by zero or buffer overflows to established coding standards, including the well-known MISRA family.

Coding agents can already answer questions like "find all the bugs you can think of in this piece of code." When combined with contextual information and appropriate tooling, they can provide highly relevant and useful insights.

Given that large parts of software development are going to be automated, where is the future of static analysis headed?

The Role of Traditional Static Analysis

Then comes the question of traditional static analysis tools. What is their role in a future increasingly shaped by AI? In all likelihood, they will become more important and useful than ever before.

An AI agent is not a mathematical proof. It is fundamentally an extraordinarily complex and powerful stochastic process, but it is nonetheless governed by the laws of probability. Static analysis tools, on the other hand, can claim something very different:

"I have run a systematic review against every single line of code and evaluated the paths through that code using techniques like abstract interpretation*, and here is the list of violations to review."

Both approaches have their limits, but together, they augment each other in ways neither can achieve alone.

Static analysis can now feed AI with otherwise unmanageable lists of findings, something practically impossible for humans to review at any useful scale. It can also provide rich contextual data: the code sequences that may lead to a given finding, or internal program states that are difficult for humans to readily parse and internalize. AI can then explain those findings, suggest remediations, and contextualize their severity, capabilities that simply did not exist before. Static analysis can then serve, once again, as a deterministic oracle to validate a change proposed by the model. Together, this creates a feedback loop of trust that further informs the end user of the validity of findings and dramatically increases the productivity of verification processes.

Conversely, static analysis can process millions of lines of code at very low cost and present only points of interest to the LLM. While, as discussed above, there can be many findings, this is orders of magnitude cheaper than asking LLMs to process entire codebases systematically.
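
As an added illustration (not AdaCore's code or tooling), the example below uses an interval-domain abstract interpreter as the deterministic oracle described above: it flags a possible division by zero, then rejects one candidate fix and accepts another. The function names, the input ranges, and the sample `rate` function are constructed for this example, and the analyzed language is restricted to `+`, `-`, `//`, assignments, and `name > const` guards.

```python
import ast

def join(a, b):  # least upper bound of two intervals (lo, hi)
    return (min(a[0], b[0]), max(a[1], b[1]))

def ev(e, env, out):  # interval of expression e; records divisors that may be 0
    if isinstance(e, ast.Constant):
        return (e.value, e.value)
    if isinstance(e, ast.Name):
        return env[e.id]
    l, r = ev(e.left, env, out), ev(e.right, env, out)  # BinOp assumed from here
    if isinstance(e.op, ast.Add):
        return (l[0] + r[0], l[1] + r[1])
    if isinstance(e.op, ast.Sub):
        return (l[0] - r[1], l[1] - r[0])
    if isinstance(e.op, ast.FloorDiv):
        if r[0] <= 0 <= r[1]:
            out.add(("possible-division-by-zero", ast.unparse(e)))
        m = max(abs(l[0]), abs(l[1]))  # |l // r| <= |l| for integers
        return (-m, m)
    raise NotImplementedError(ast.dump(e.op))

def run(stmts, env, out):  # `return` falls through: extra paths keep the result sound
    for s in stmts:
        if isinstance(s, ast.Assign):
            env = {**env, s.targets[0].id: ev(s.value, env, out)}
        elif isinstance(s, ast.Return):
            ev(s.value, env, out)
        elif isinstance(s, ast.If) and isinstance(s.test.ops[0], ast.Gt):
            v, c = s.test.left.id, s.test.comparators[0].value  # guard `name > const`
            lo, hi = env[v]
            arms = [(s.body, (max(lo, c + 1), hi)), (s.orelse, (lo, min(hi, c)))]
            envs = [run(b, {**env, v: rg}, out) for b, rg in arms if rg[0] <= rg[1]]
            env = {k: join(envs[0][k], envs[-1][k]) for k in env}
        else:
            raise NotImplementedError(ast.dump(s))
    return env

def findings(src, ranges):  # analyse the first function in src under input ranges
    out = set()
    run(ast.parse(src).body[0].body, dict(ranges), out)
    return out

def oracle_accepts(patched, ranges):  # gate: accept only if no finding remains
    return not findings(patched, ranges)

RANGES = {"total": (0, 1000), "n": (0, 10)}  # constructed input contract
ORIGINAL = "def rate(total, n):\n    return total // (n - 1)\n"  # constructed
PATCH = "def rate(total, n):\n    if n > %d:\n        return total // (n - 1)\n    return 0\n"
```

`PATCH % 0` is a plausible-looking guard that still lets `n == 1` reach the division, so the oracle rejects it; `PATCH % 1` clears the finding and is accepted, with the same verdict on every run.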

The Practical Constraints

In safety-critical industries, such as automotive, aerospace, and medical devices, standards such as ISO 26262, DO-178C, and IEC 62304 do not merely recommend systematic analysis; they mandate it, with auditable, reproducible evidence of coverage. An AI agent, however capable, cannot sign off on that evidence. Its outputs are probabilistic and difficult to trace, where certification bodies require exactness and accountability. Static analysis tools, with their formal rule sets and deterministic reports, are built precisely for this purpose.

Then there is cost and availability. The ideal scenario is a symbiotic relationship between large language models and traditional static analysis, where all tools are available to all users at all times. Unfortunately, this will not always be the case. LLMs are expensive to run; they require large volumes of data to be transmitted over cloud networks; and they are inherently non-deterministic, potentially providing different answers to the same question. In this light, static analysis can also serve as a first line of defense in environments where LLMs are not yet available, are too costly to deploy, or operate under constraints that rule out cloud-based inference.

There is also a subtler, perhaps more ironic, dynamic at play: the rise of AI-generated code, entire functions or modules written by coding agents with minimal human authorship, does not reduce the need for static analysis. It increases it. Code written by an AI carries the same classes of bugs as code written by a human, and sometimes new ones are introduced by the model's training biases or context limitations. The more development is automated, the more critical it becomes to have a systematic, rule-based backstop that does not rely on the same probabilistic foundation as the tool that produced the code in the first place. In this sense, the growth of AI in software development is itself an argument for static analysis, not against it.

The Human Side

Before we finish this exploration, we must discuss the human dimension. Coding agents are an augmentation of human capability. While a developer might only be able to meaningfully review a handful of findings from static analysis tools at a time, AI can analyze dozens, if not hundreds, augmenting each with contextual information and providing the human reviewer with a far richer environment in which to make decisions: Is this issue real? Is it worth fixing? How should it be fixed?

But AI will not bear responsibility for those decisions. It also reasons within an intrinsically limited context, missing key information that was either unavailable at the time of analysis or simply impossible to fit within its context window. At the end of the day, the decision and the responsibility for whether a problem is worth fixing and whether a proposed fix is sound will rest in the hands of a human being; however, that person will have far more information at their disposal to make that call.

Conclusion

The rise of AI does not diminish the value of static analysis; it amplifies it. As coding agents become more capable, the demand for systematic, verifiable, and deterministic analysis will only grow. The future belongs not to one approach or the other, but to their thoughtful integration: AI bringing speed, context-awareness, and natural language reasoning; static analysis bringing rigor, completeness guarantees, and reproducibility. Organizations that embrace both rather than treating them as competing paradigms will be best positioned to build safer, more reliable software in the age of AI-assisted development.

*Abstract interpretation is a mathematical technique to statically simulate all possible executions of a program by approximating the values of variables and the impact of statements, typically used to find defects in software.


Quentin Ochem is the Chief Product Officer at AdaCore, overseeing product management. His involvement with AdaCore began in 2002 during his school years, officially joining in 2005 to work on IDE and cross-language bindings. Quentin has a background in software engineering, particularly in high-integrity domains like avionics and defense. His roles expanded to include training and technical sales, leading him to build the technical sales department and global product management in the US. In 2021, he stepped into his current role, steering the company’s strategic initiatives. Quentin holds a master's degree in Computer Engineering from Polytech Marseille, awarded in 2005.