When AI Rewrites Legacy Code, the Real Battle Is Proving Nothing Broke
In regulated environments, AI can speed modernization work, but the hard part is not converting code - it is defending the behavior, the evidence, and the controls behind the change.
AI-assisted modernization is tempting because it compresses work that used to take weeks of reading, mapping, and documentation. But in banking, insurance, and public administration, speed alone is not the prize. The moment a legacy COBOL flow is touched, the question becomes whether the new system still behaves exactly like the old one, including the undocumented exceptions that often live only in code, logs, and long-retired staff knowledge.
Fast Facts
- AI can accelerate legacy code analysis and first-pass refactoring, especially in COBOL-heavy estates.
- Legacy mainframe modernization is a behavior-preservation problem, not just a language-conversion problem.
- DORA has applied since January 2025 and puts operational resilience, ICT assets, continuity, and third-party risk under formal control.
- The AI Act requires human oversight, documentation, and traceability for high-risk systems, while NIS2 adds cybersecurity and incident-reporting duties.
- Uncontrolled use of external AI tools can create confidentiality, supplier-risk, and auditability problems.
Why the risk sits in the seams
The technical trap is simple: a model may produce clean-looking Java or Python, but clean code is not the same as correct business logic. In legacy estates, the fragile parts are often transaction handling, edge-case calculations, and data dependencies that were never fully documented. If those rules are rebuilt incorrectly, the failure may not look like a crash. It may look like a subtle compliance drift that only appears under audit or in a real customer dispute.
That is why traceability matters. In a regulated migration, every transformation needs a trail: what input was used, what output was generated, who reviewed it, what test evidence exists, and why the change was approved. The AI Act pushes in that direction for high-risk deployments, and DORA pushes organizations to treat resilience and third-party control as operational obligations rather than optional hygiene. NIS2 adds another layer by requiring cybersecurity risk management and incident reporting discipline.
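The drift described above rarely looks like a crash, so the practical control is a differential check of the rewrite against the legacy behaviour plus an evidence record a reviewer can sign. The following is an added, constructed example (not code from the article): it models a COBOL-style interest calculation that truncates to two implied decimals (COMPUTE without ROUNDED), a hypothetical first-pass rewrite that rounds instead, and the trail the paragraph calls for (input hash, candidate hash, cases, mismatches, reviewer, verdict).

```python
"""Constructed illustration: differential test plus evidence record for a rewrite."""
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP
import hashlib
import json

SCALE = Decimal("0.01")  # two implied decimals, like a COBOL PIC 9(7)V99 field


def legacy_interest(balance: str, rate_bp: int) -> Decimal:
    """Reference behaviour: COBOL COMPUTE without ROUNDED truncates the result."""
    return (Decimal(balance) * rate_bp / 10000).quantize(SCALE, rounding=ROUND_DOWN)


def rewritten_interest(balance: str, rate_bp: int) -> Decimal:
    """Hypothetical first-pass rewrite: clean-looking, but rounds half-up (the defect)."""
    return (Decimal(balance) * rate_bp / 10000).quantize(SCALE, rounding=ROUND_HALF_UP)


def differential_check(cases, legacy, candidate):
    """Run both implementations on every case and return the mismatches found."""
    mismatches = []
    for balance, rate_bp in cases:
        old, new = legacy(balance, rate_bp), candidate(balance, rate_bp)
        if old != new:
            mismatches.append({"balance": balance, "rate_bp": rate_bp,
                               "legacy": str(old), "candidate": str(new)})
    return mismatches


def evidence_record(cases, mismatches, reviewer: str, candidate_source: str) -> dict:
    """Build the trail: what input was used, what came out, who reviewed, and the verdict."""
    return {
        "input_sha256": hashlib.sha256(json.dumps(cases).encode()).hexdigest(),
        "candidate_sha256": hashlib.sha256(candidate_source.encode()).hexdigest(),
        "cases_run": len(cases),
        "mismatches": mismatches,
        "reviewer": reviewer,
        "verdict": "approve" if not mismatches else "reject",
    }


# Constructed edge cases: half-cent boundaries where truncation and rounding disagree
EDGE_CASES = [("1000.00", 125), ("999.99", 125), ("0.01", 5000), ("12345.67", 333)]

if __name__ == "__main__":
    found = differential_check(EDGE_CASES, legacy_interest, rewritten_interest)
    print(json.dumps(evidence_record(EDGE_CASES, found, "reviewer@example", "<candidate source>"), indent=2))
```

Two of the four constructed cases differ by one cent, which is exactly the kind of deviation that passes code review and surfaces later in an audit or customer dispute.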
The timing question also deserves care. The AI compliance timetable has been shifting through EU simplification talks, but the operational lesson does not change with the calendar. Transparency duties remain relevant in 2026, and synthetic-content marking arrives shortly after. For defenders, that means governance cannot wait for a final deadline. If an AI tool is already touching source code, design documents, or logs, the organization has already entered a control problem.
There is also a quieter exposure: shadow AI. If staff paste sensitive code into unsanctioned tools, the organization may lose control over where that data travels and how it is reused. From a defensive perspective, the best modernization program is not the one that forbids AI, but the one that gives teams a safe path, clear approval rules, and human sign-off on business-critical transformations.
Public information does not fully establish the technical root cause of every modernization failure, the complete scope of downstream impact, or whether all related systems are affected. The available evidence supports a risk analysis, not a blanket claim that AI modernization is unsafe.
Conclusion
The lesson is sharper than a slogan about productivity. AI can make legacy estates easier to understand, but regulated modernization succeeds only when every change can be explained, tested, and defended. In that sense, the most valuable output is not faster code. It is proof.
WIKICROOK
- COBOL: A long-established programming language still widely associated with business processing on mainframes.
- DORA: An EU resilience regime for financial entities covering ICT risk, continuity, incident handling, and third-party control.
- NIS2: An EU cybersecurity directive focused on risk management and incident reporting for in-scope organizations.
- Traceability: The ability to reconstruct what changed, why it changed, and who approved it.
- Shadow AI: Unapproved use of AI tools by staff, often creating hidden data and governance risk.