What is Dark Code? Nobody is asking the question yet.
And that’s the problem.
My team has overseen dozens of public sector RFIs, RFQs, and RFPs in the past two years.
Some small. Some massive.
Security? Covered.
Data residency? Covered.
SLAs, uptime, encryption, disaster recovery?
All covered.
But there’s a new category of risk quietly entering production systems…
And it’s not showing up anywhere in procurement.
It’s called dark code.
Code that works.
Code that passes tests.
Code that ships to production.
But code that no one actually understands.
Not the engineer who reviewed it.
Not the team maintaining it.
Not the CTO accountable for it.
Because increasingly…
It wasn’t written, it was generated.
If you’re evaluating software today, there’s a question that should now be mandatory:
“How much of your production code is fully understood by your team?”
Not tested.
Not observable.
Understood.
Because observability doesn’t equal comprehension.
From the outside, everything still looks compliant.
The vendor checks all the boxes. The system performs. The dashboards light up.
But underneath, something fundamental has changed.
Understanding is no longer required to ship.
And that breaks one of the core assumptions behind public sector procurement: that the vendor is in control of what they built.
This isn’t a security problem.
It’s bigger than that.
It’s an accountability problem.
If something fails in production…
Who explains it?
Who fixes it?
Who takes responsibility for behavior no one fully understands?
In the private sector, that’s already a risk. In government, it becomes a liability.
And here’s what makes this dangerous:
You won’t see it in a demo.
You won’t catch it in an RFP response.
You won’t detect it through traditional due diligence.
Because everything still “works.” Until it doesn’t.
We’re entering a phase where vendors can ship faster than they can explain.
And procurement frameworks haven’t caught up. Not even close.
And when things go wrong, that distinction matters.
This isn’t about slowing down AI.
That’s not happening.
It’s about recognizing that speed without understanding creates a new class of operational risk.
One that sits somewhere between technology, governance, and fiduciary responsibility.
Dark code isn’t a future problem.
It’s already in production.
The only question is: Who’s going to start accounting for it first?