Simon Willison, co-creator of Django and the person who coined the term prompt injection, sat down with Lenny Rachitsky recently for a wide-ranging look at where AI-assisted software development stands going into 2026. Willison has spent the last two decades as a working engineer, and he’s been documenting his shift into agentic coding in near real time on his blog. The conversation is less a victory lap than a field report, and some of the most useful parts are the specific numbers and habits he shares.

Watch it on YouTube: https://www.youtube.com/watch?v=wc8FBhQtdsA

The November inflection point

Willison dates the current phase back to a specific moment. Anthropic and OpenAI spent 2025 pointing their training budgets at coding, building on the reasoning-model approach that started with OpenAI’s o1 in late 2024. In November, GPT-5.1 and Claude Opus 4.5 arrived. Neither was a dramatic leap over its predecessor on paper, but together they crossed a practical threshold: coding agents went from mostly working, which meant close supervision was still required, to reliably doing what they were told.

The shift shows up in his own numbers. He says roughly 95% of the code he produces now, he didn’t type himself, and a lot of it happens from his phone while walking his dog. Six months ago he would have called that scenario unrealistic.

The dark factory pattern

Willison borrows a term from factory automation to describe where this is heading: the dark factory, a facility so automated it doesn’t need lights on for people. The software equivalent isn’t just writing less code by hand. It’s a policy of not reading the code an agent produces, while still holding it to professional standards.

He points to StrongDM, a security access-management company, as a working example. Rather than a QA team testing manually, StrongDM built a swarm of simulated end users chatting in a fake Slack channel, requesting access to fake versions of Jira and Okta around the clock. Because real Slack and Jira enforce rate limits, they had coding agents build working simulations of those APIs directly from public documentation. The setup reportedly ran at around $10,000 a day in token costs, which bought them continuous, automated testing of security-sensitive software that no human was reading line by line.

Where the bottleneck actually is now

With code generation this cheap, the constraint has moved upstream. Willison used to be known for rapid prototyping; that used to be his edge. Now, since building a throwaway version costs almost nothing, he prototypes an idea three different ways before committing to one, using the results to figure out direction rather than to prove the concept works at all.

He’s less convinced AI closes the next gap: judging which prototype is actually good. He compares AI brainstorming to a group whiteboard session. Models are strong at generating the first, obvious two-thirds of ideas in a list. Pushing for extra rounds, asking for twenty more after the first twenty, tends to surface the stranger, more useful ones. But validating a direction still seems to need an actual person on a screen-share, not a simulated user.

Who this helps and who it doesn’t

Willison references a ThoughtWorks offsite where engineering VPs from several companies compared notes. Their read: AI tools clearly help experienced engineers, by amplifying skills they already have, and they clearly help new hires, by shortening onboarding. Cloudflare and Shopify were both cited as having scaled up intern hiring through 2025 partly because interns become productive faster with an AI assistant helping them ramp up.

The group the room agreed was most exposed: engineers in the middle of their careers, who haven’t built the deep judgement senior engineers use to direct these tools well, but no longer get the same relative lift beginners do from onboarding support. Willison’s advice to that group is to lean into more ambitious work rather than let existing skills sit idle, treating the tools as a way to attempt things previously out of reach rather than a shortcut through what they already know.

Habits that actually change results

A few concrete patterns came up, the kind meant to be copied rather than admired:

  • Start new projects from a small, consistent template instead of a long instructions file. Willison has found that agents pick up on a single existing test or a specific indentation style faster than they follow paragraphs of written preference. A thin skeleton with one working example does more than a detailed brief.

  • Use test-driven development, and specifically prompt for it using the shorthand “red/green TDD,” code for writing a failing test first, confirming it fails, then implementing until it passes. Agents recognize the term and follow the discipline reliably, even though Willison says he personally never enjoyed doing it that way as a human.

  • Keep a public backlog of what’s already been tried. Willison maintains a GitHub repository of small tools, currently around 193 of them, plus a separate research repository where he has agents investigate a library or technique and write up what they found. He later points new agents at these repositories directly, telling them to read the prior work before tackling a related problem.

The security problem that hasn’t gone away

The conversation turns to prompt injection, a term Willison coined in 2022 and now says was a mistake, since people assume it works like SQL injection, a solved problem, when the underlying issue isn’t solvable the same way. His sharper framing is the “lethal trifecta”: an agent becomes dangerous when it has access to private data, exposure to untrusted input, and a channel for sending data out. Cutting off any one leg, usually the exfiltration path, is the practical fix, since filtering malicious instructions written in natural language can’t reach full reliability.

He predicts what he calls a Challenger disaster for AI, referencing the concept of normalization of deviance from the inquiry into the Space Shuttle Challenger accident: repeated near-misses build false confidence until something fails badly. He’s careful to note he’s made a version of this prediction roughly every six months for three years, and it hasn’t happened yet.

OpenClaw, briefly

Willison also discusses OpenClaw, a third-party personal AI assistant that went from its first commit on November 25 to a Super Bowl ad about three and a half months later. He treats it as proof that demand for a personal AI assistant is real, security problems and all, including reports of people losing cryptocurrency wallets to it. He runs a copy himself, inside a Docker container on a Mac Mini bought specifically for the purpose, and describes the setup less as a tool he depends on than a pet in an aquarium he’s curious to watch.

What he’s building next

Willison’s day job remains open source tools for data journalism, work aimed at helping reporters pull structured information out of messy sources, PDF police reports being one example, with AI treated the way journalists already treat any unreliable source: useful, but always checked. He’s serializing a book on agentic engineering as blog chapters, has recently started earning money from the blog through sponsorship, and takes on small amounts of what he calls zero-deliverable consulting: paid time on a call, no written report attached.

AG
AgentCoding
A technical journal on AI security and engineering practice