
AI agents no longer just answer questions: they now audit entire IT systems. On July 6, 2026, Anthropic published the case of the Government of Alberta (Canada), which used Claude agents to scan 466 million lines of code in 20 hours, a task estimated at 6.5 years using traditional methods. For an SMB leader, this raises a concrete question: is AI-assisted cybersecurity already accessible to a small business, or is it still reserved for large organizations?
In brief
- On July 6, 2026, Anthropic published the case of Alberta's Ministry of Technology and Innovation, which has been using Claude Code agents since 2025 to audit its systems (source: Anthropic).
- 466 million lines of code were scanned in 20 hours by around 50 AI agents working in parallel, versus an estimated 6.5 years for a manual audit.
- The method relies on two agent roles: a "red team" agent that simulates an attack, and a "blue team" agent that assesses defenses and writes a precise remediation plan.
- Each application is checked against roughly 95 security controls, based on an international standard.
- For an SMB, the lesson is not to replicate Alberta's scale, but to adopt the same logic: detect, prioritize, fix, with human oversight at every step.
The Alberta case, in detail
The Government of Alberta manages 27 ministries, 1,280 applications, and 3,400 code repositories, according to figures published by Anthropic. Given this volume, a classic security audit run by human teams was considered too slow to keep pace with threats.
The cybersecurity team therefore built specialized Claude Code agents, organized around a classic security principle: attack and defense.
Red team agent
Probes an application from the outside, the way an attacker would. Maps exploitable vulnerabilities and how they could be used.
Blue team agent
Assesses the application's defenses against an international security standard. Writes a remediation plan pointing to the exact files to fix.
Result: around 50 agents scanned 466 million lines of code in 20 hours, applying close to 95 security controls per application. One ministry consolidated 185 legacy applications into just 16 modern ones. A grants portal, originally estimated at five months of development in Java, was rebuilt in 4 to 5 days.
Key takeaway
Alberta is the first Canadian province to publish a formal AI-assisted cybersecurity case study at this scale. The principle (red team / blue team agents, final human review) is transferable to an organization far smaller than a government.
Why the 20-hour figure is misleading if taken at face value
Comparing 20 hours to 6.5 years is striking, but misleading if applied directly to an SMB. Alberta mobilized a dedicated cybersecurity team, months of agent preparation, and strict governance over which fixes were applied. A business with 15 or 50 employees has neither that budget nor that organization.
What genuinely transfers is the method, not the scale: use an AI agent to spot common flaws (outdated dependencies, hardcoded passwords in code, overly broad access rights), then keep a human review before any fix reaches production.
| Approach | Traditional security audit | AI-agent-assisted audit |
|---|---|---|
| Speed | Weeks to months for a broad scope | Hours for a first pass |
| Cost for an SMB | External provider, often one-off | AI subscription + internal oversight time |
| Coverage | Limited by the auditor's available time | Can cover the entire codebase continuously |
| Main risk | Flaws missed due to lack of time | False positives, fixes applied without validation |
| Human role | Central, from start to finish | Still required to validate and prioritize |
How an SMB can draw on this case without government-level resources
Map what exists
Run a first AI pass
Prioritize with a human
Fix in batches
Repeat regularly
This gradual approach echoes recommendations already given for governing AI agents connected to business tools (see our article on securing AI connectors): an agent's autonomy must always stay supervised.
Limits to keep in mind
An AI-agent security audit does not remove the need for human expertise, it relocates it. The agent speeds up detection, but deciding to fix, defer, or accept a risk remains a governance choice. An SMB with no internal technical skills will need to rely on a provider to interpret the results, or risk fixing the wrong priorities or introducing new bugs by moving too fast.
Another limit: Alberta's case concerns code written and maintained in-house. For an SMB that mostly relies on off-the-shelf software (SaaS, ERP, CRM), the relevant security audit focuses more on configuration and access rights than on source code to scan.
FAQ
What is a "red team" or "blue team" AI agent?
These are two roles borrowed from classic cybersecurity. The red team agent simulates an attack to find exploitable flaws. The blue team agent assesses existing defenses and proposes a precise remediation plan.
Can an SMB really use this method without a dedicated IT team?
Yes, provided the scale is adapted. A one-off AI scan, followed by a review from a cybersecurity provider, is within reach of a small business. The key rule is never to apply a fix without human validation.
Is Alberta's case verifiable?
Yes, it was published directly by Anthropic on July 6, 2026, with precise figures on the number of lines of code, the scan duration, and the number of controls applied per application.
Does this approach replace a traditional cybersecurity audit?
No. It speeds up the detection phase, but prioritization, validating fixes, and regulatory compliance remain steps that require human judgment, whether internal or external to the company.
Conclusion
Alberta's case shows that AI agents are changing the scale of cybersecurity: what used to take years can now be scanned in hours. For an SMB, the point is not to copy this deployment, but to take away the method: detect fast with AI, decide slowly with humans. That discipline, more than the technology itself, is what separates a useful audit from a poorly managed risk.
To go further, check out our AI resources for SMB leaders or discover how other companies structured their AI projects in our success stories.


