This white paper presents empirical data from a 47-day production deployment of AI-assisted development tooling in a developer-environment PaaS that must demonstrate compliance with CMS (Centers for Medicare & Medicaid Services) regulations. The developer — a former ISSO, Sr. DevOps Engineer, and PM/PO with experience across all aspects of operations, development, and NFR-related work in applications — paired with an AI coding assistant to deliver a compliance portal with 60+ NIST security controls, full CISA Binding Operational Directive compliance, and zero-trust architecture, at an AI compute cost of $178.13. The equivalent work, priced at market contractor rates, would have cost $112,460. This paper examines the methodology, quantifies the cost savings, and provides a framework for organizations evaluating AI-assisted development for regulated workloads.
Federal agencies and healthcare organizations face a compounding challenge: increasing compliance requirements, shrinking budgets, and a cybersecurity talent shortage projected to reach 3.5 million unfilled positions globally by 2027 (ISC² Cybersecurity Workforce Study). Traditional approaches — hiring specialized contractors at $150-300/hour or building dedicated compliance teams — are increasingly unsustainable for small and mid-size organizations.
This paper documents a controlled deployment of AI-assisted development (Kiro CLI, powered by Claude) to build and maintain a compliance portal proving CMS ARS and NIST 800-53 standards are met across three AWS accounts. All work was performed by a single developer — with ISSO, DevOps, PM/PO, and full-stack development background — over 47 calendar days, with complete session logging enabling precise cost attribution.
All AI interactions were logged automatically via session files (JSONL format). Each session records:

- User prompts (requests)
- AI tool invocations (actions)
- Tool results (outcomes)
- Timestamps

This enables precise measurement of:

- Total actions performed
- Input/output token volume (proxy for compute cost)
- Time-to-delivery per feature

AI costs were estimated using published Claude Sonnet pricing:

- Input tokens: $3.00 per million
- Output tokens: $15.00 per million
- Token estimation: ~4 characters per token (validated against known benchmarks)

Contractor equivalence was estimated using GSA Schedule rates for comparable labor categories:

- Security Engineer: $180-250/hour
- Compliance Analyst: $150-200/hour
- DevOps/Cloud Engineer: $160-220/hour
- Technical Writer: $100-150/hour
- Blended rate used: $150/hour
| Metric | Value |
|---|---|
| Calendar days | 47 |
| AI sessions | 183 |
| Tool actions executed | 23,922 |
| Estimated input tokens | 28,564,770 |
| Estimated output tokens | 5,163,275 |
| Total AI compute cost | $178.13 |
| Equivalent contractor hours | 749 |
| Equivalent contractor cost | $112,460 |
| Return on investment | 632x |
Application Development

- Full-stack web application (2,400+ line frontend, 2,200+ line backend across 7 handler files)
- 7 Lambda functions deployed across 3 accounts
- DynamoDB single-table design with 16 entity types
- SAML 2.0 SSO with 7-role RBAC permission matrix

Security & Compliance

- 11 CISA Binding Operational Directives mapped and addressed
- 60 inherited PaaS/IaaS controls documented
- 7 NIST 800-53 control evidence documents (AC-2, AC-6, AC-12, IA-2, SC-5, SC-7, SC-23)
- Security Hub integration with 25+ auto-mapped controls
- Automated remediation engine (38/50 finding types covered)

Infrastructure as Code

- Terraform managing 50+ resources across 3 accounts
- WAF with IP allowlist (IPv4/IPv6), geo-blocking, CAPTCHA challenge
- CloudFront with HSTS, CSP, X-Frame-Options, and 5 additional security headers
- VPC with NAT instance, restricted egress security groups
- KMS envelope encryption for sensitive documents

Operational Capabilities

- CI/CD pipeline (GitHub Actions)
- Infrastructure drift detection
- FinOps cost tracking
- Automated compliance evidence collection
- Session management (15-minute idle timeout, 8-hour absolute)
- API rate limiting (100 req/sec)
During the measurement period, a multi-layer production outage occurred (recursive function crash + missing DOM elements + S3 deployment path mismatch). The AI assistant diagnosed the root cause through:

1. HAR file analysis (network layer)
2. Source code review (application layer)
3. S3/CloudFront path verification (infrastructure layer)
Time to resolution: 45 minutes. Estimated traditional resolution (cross-team escalation): 12+ engineer-hours.
An AI-initiated Lambda deployment introduced a CSP (Content Security Policy) violation that locked the developer out of the production portal. The cascade:
- A `<link>` tag blocked by `style-src 'self' 'unsafe-inline'`
- The `/oauth2/token` fetch (connect-src didn't include `*.amazoncognito.com`)
- A `/callback` page with no error visible

Root cause: The CSP was written before the auth flow used browser-side token exchange. The AI deployed code that exercised a path never tested against the existing security headers.
Resolution: AI identified the CSP source (Terraform CloudFront response headers policy), updated the policy to allow fonts.googleapis.com, fonts.gstatic.com, and *.amazoncognito.com, applied via terraform apply, and invalidated the CloudFront cache. Time to resolution: 4 minutes from error report to fix deployed.
Lesson for organizations: AI deployments can introduce subtle security-header conflicts that don't surface until runtime. CSP policies must be tested against the full auth flow after every deployment that changes embedded assets. A pre-deployment CSP validation step would have caught this.
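The pre-deployment CSP validation step called for above can be a small CI script. The following is an added example, not code from the white paper or its project: it parses a candidate Content-Security-Policy header and replays the URLs the page and its auth flow must reach, failing when any would be blocked. The portal origin, Cognito domain, and the "before" header are constructed placeholders (only the `style-src 'self' 'unsafe-inline'` fragment and the three allowed origins come from the incident description); source matching follows CSP host/scheme rules, with path matching approximated as a prefix match.

```javascript
// Added example, not code from the white paper or its project: a pre-deployment
// CSP check that replays the URLs the page and its auth flow must reach against
// a candidate Content-Security-Policy header, so a header that would block the
// OAuth token exchange fails in CI instead of locking users out after deploy.

// Fetch directives that fall back to default-src when they are absent.
var FETCH_DIRECTIVES = ['connect-src', 'font-src', 'frame-src', 'img-src',
                        'media-src', 'script-src', 'style-src', 'worker-src'];

function parseCsp(header) {
  var policy = {};
  header.split(';').forEach(function (part) {
    var tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  });
  return policy;
}

// Does a single source expression permit a request to `url` from a page at `selfOrigin`?
function sourceAllows(source, url, selfOrigin) {
  var u = new URL(url);
  if (source === "'self'") return u.origin === new URL(selfOrigin).origin;
  if (source.charAt(0) === "'") return false;   // 'none', 'unsafe-inline', nonces, hashes never allow a URL
  if (source === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return u.protocol === source.toLowerCase(); // scheme-source, e.g. https:
  var m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)(?::(\d+|\*))?(\/.*)?$/i.exec(source);
  if (!m) return false;
  var scheme = m[1], host = m[2].toLowerCase(), port = m[3], path = m[4];
  if (scheme && scheme.toLowerCase() + ':' !== u.protocol) return false;
  if (host.indexOf('*.') === 0) {
    if (!u.hostname.endsWith(host.slice(1))) return false; // "*.amazoncognito.com" matches subdomains only
  } else if (u.hostname !== host) {
    return false;
  }
  var urlPort = u.port || (u.protocol === 'https:' ? '443' : '80');
  if (port && port !== '*' && port !== urlPort) return false;
  if (path && u.pathname.indexOf(path) !== 0) return false;  // prefix approximation of CSP path matching
  return true;
}

function effectiveSources(policy, directive) {
  if (policy[directive]) return policy[directive];
  if (FETCH_DIRECTIVES.indexOf(directive) !== -1 && policy['default-src']) return policy['default-src'];
  return null; // directive unset and no default-src: unrestricted
}

// Returns one message per required fetch the header would block (empty array = safe to ship).
function findCspViolations(header, selfOrigin, requiredFetches) {
  var policy = parseCsp(header);
  var violations = [];
  requiredFetches.forEach(function (req) {
    var sources = effectiveSources(policy, req.directive);
    if (sources === null) return;
    var allowed = sources.some(function (s) { return sourceAllows(s, req.url, selfOrigin); });
    if (!allowed) violations.push(req.directive + ' blocks ' + req.url);
  });
  return violations;
}

// Constructed inputs: placeholder portal origin and Cognito domain; the fetch list
// mirrors the cascade described above (fonts stylesheet, font files, browser-side
// /oauth2/token exchange, and the app's own script).
var PORTAL_ORIGIN = 'https://portal.example.gov';
var AUTH_FLOW_FETCHES = [
  { directive: 'style-src',   url: 'https://fonts.googleapis.com/css2?family=Inter' },
  { directive: 'font-src',    url: 'https://fonts.gstatic.com/s/inter/v12/inter.woff2' },
  { directive: 'connect-src', url: 'https://example-pool.auth.us-east-1.amazoncognito.com/oauth2/token' },
  { directive: 'script-src',  url: PORTAL_ORIGIN + '/app.js' }
];
// Constructed "before" header; only the style-src fragment is from the incident write-up.
var CSP_BEFORE = "default-src 'self'; style-src 'self' 'unsafe-inline'; connect-src 'self'; font-src 'self'";
// Header after allowing the three origins named in the resolution.
var CSP_AFTER = "default-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; " +
                "font-src 'self' https://fonts.gstatic.com; connect-src 'self' https://*.amazoncognito.com";

console.log('before:', findCspViolations(CSP_BEFORE, PORTAL_ORIGIN, AUTH_FLOW_FETCHES));
console.log('after: ', findCspViolations(CSP_AFTER, PORTAL_ORIGIN, AUTH_FLOW_FETCHES));
```

Run it as a pipeline step against the header rendered from the Terraform response-headers policy and make the job fail on a non-empty result; the fetch list is the contract the auth flow has with the CSP, so it must be updated whenever a deployment adds an embedded asset or a new browser-side endpoint.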
A single 3-hour AI-assisted session delivered the following production changes:
Features Implemented:

- Visitor tracking system (API + DynamoDB storage)
- Service request submission portal (form + API + storage)
- Moderated feedback system (content scanner + moderation queue + admin review)
- White papers public section (SEO-optimized, anti-scraping protections)
- Frontend UI for all new features

Infrastructure Changes:

- 6 new API Gateway routes (public, no-auth)
- CSP policy update (CloudFront response headers)
- S3 site sync + CloudFront invalidation
- Lambda redeployment (3 deploys in session)

Security & Compliance:

- Content scanner for hate speech/profanity (SI-10 control)
- ISRA completed for all new public endpoints
- Security controls documentation updated
- NIST control mappings (SI-10, SC-7, AC-3, SC-8)

Process & Documentation:

- Requirements and test cases for each feature
- Workstation setup docs updated (popup blocker, session duration)
- Incident doc for workflow violations (recurring)
- Support ticket drafted (de-identified) for tooling enforcement gap
- AI experience paper updated with CSP cascade incident
Equivalent contractor effort (estimated):
| Task | Traditional Hours | Rate | Cost |
|---|---|---|---|
| Full-stack feature development (4 features) | 24 hrs | $200/hr | $4,800 |
| Terraform infrastructure changes | 4 hrs | $200/hr | $800 |
| Security assessment (ISRA + controls) | 6 hrs | $200/hr | $1,200 |
| Technical documentation (8 docs) | 8 hrs | $200/hr | $1,600 |
| Production incident resolution (CSP) | 2 hrs | $200/hr | $400 |
| Total | 44 hrs | | $8,800 |
Actual AI compute cost: ~$3.50 (estimated session tokens)
Key observations:

1. AI caused a production outage (CSP violation) and resolved it within 4 minutes — faster than a human could escalate
2. The requirements-first workflow was violated 3 times despite being configured in every available guardrail layer — demonstrating that AI governance requires platform-level enforcement, not just configuration
3. Single-developer + AI delivered 44 hours of equivalent work in 3 hours of wall-clock time (14.7x multiplier)
A focused session addressed production site availability and expanded the itFiles music library platform:
Production Fixes:
- Diagnosed and resolved www.it4bytes.com 403 errors (all pages inaccessible)
- Root cause: S3 DefaultRootObject only works for root path; subdirectory paths returned 403
- Created CloudFront Function (it4bytes-prod-cf-url-rewrite) for subdirectory URL rewriting
- Uploaded missing favicon.ico to public bucket
- All site paths verified accessible within 5 minutes of detection
Platform Development (itFiles):

- Audio-aware deduplication system (PCM content hashing via ffmpeg decode)
- Parallel conversion worker architecture (WAV/FLAC → AAC M4A + ALAC M4A)
- USB drive sync for car audio (Toyota Supra/iDrive) with format selection and sync profiles
- Music library consolidation across 4 sources (~2,000 artists) with artist name normalization
- Database migrations for conversion queue and sync profiles
- Docker worker container with ffmpeg for horizontal scaling

Week 8 metrics:

- 15 sessions, 944 user prompts, 4,630 tool invocations
- Estimated AI compute cost: ~$30.16
Key observation: The AI diagnosed a subtle S3/CloudFront interaction (S3 returns 403 not 404 for missing objects when public access is blocked) that would typically require deep AWS knowledge to identify. Resolution was fully automated — function creation, publication, distribution update, and verification — in a single session.
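The subdirectory rewrite behind the 403 fix above is a standard CloudFront Function pattern. What follows is an added example, not the `it4bytes-prod-cf-url-rewrite` function from the project: a viewer-request function that maps trailing-slash and extension-less URIs onto `index.html` objects so that an S3 origin with public access blocked (which, as the paper notes, answers 403 rather than 404 for a key that does not exist) is asked for a key that actually exists. The rewrite logic is kept in its own function so it can be unit-tested outside CloudFront.

```javascript
// Added example, not the project's it4bytes-prod-cf-url-rewrite function:
// a CloudFront Function (viewer-request) that rewrites "directory" URIs to
// index.html. DefaultRootObject only covers "/", and an S3 origin with public
// access blocked returns 403 for a missing key, so "/white-papers/" would
// otherwise surface to visitors as Forbidden.

// Pure rewrite logic, separate from the event wrapper so it can be unit-tested.
function rewriteUri(uri) {
  if (uri.charAt(uri.length - 1) === '/') {
    return uri + 'index.html';                  // "/docs/"       -> "/docs/index.html"
  }
  var lastSegment = uri.substring(uri.lastIndexOf('/') + 1);
  if (lastSegment.indexOf('.') === -1) {
    return uri + '/index.html';                 // "/docs"        -> "/docs/index.html"
  }
  return uri;                                   // "/favicon.ico" -> unchanged
}
// Known limitation: a directory whose last segment contains a dot (e.g. "/v1.2")
// is treated as a file; request such paths with a trailing slash or extend the check.

// CloudFront Functions entry point: receives the viewer request, returns it modified.
function handler(event) {
  var request = event.request;
  request.uri = rewriteUri(request.uri);
  return request;
}
```

Associate the function with the distribution's cache behavior on the viewer-request event and publish it; truly missing objects still produce the origin's 403, so pair this with a custom error response if visitors should see a 404 page instead.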
Period: 2026-04-05 to 2026-05-21 (47 calendar days)
| Metric | Value |
|---|---|
| Total sessions | 183 |
| Total AI actions | 23,922 |
| Estimated developer wall-clock hours | ~135 hrs |
| Estimated equivalent contractor hours (without AI) | ~1,960 hrs |
| AI compute cost | $178.13 |
| Equivalent contractor cost at $200/hr | $392,000 |
| Actual developer cost (135 hrs × $200/hr) | $27,000 |
| Total cost (developer + AI) | $27,178 |
| Savings vs. traditional delivery | $364,822 (93%) |
| Productivity multiplier | 14.5x |
What was delivered across 47 days:

- Full compliance portal (60+ NIST controls implemented)
- 3 AWS accounts configured (management, prod, dev)
- Zero-trust architecture (Cognito + Identity Center + WAF)
- 20+ Lambda functions deployed
- Terraform IaC for all infrastructure
- SDLC documentation suite (ATO, SIA, TRA, ISRA)
- Automated evidence collection pipeline
- Security monitoring and findings pipeline
- Public-facing features (white papers, feedback, service requests)
- Music library management platform (audio dedup, conversion workers, USB sync)
- CloudFront URL rewrite functions for static sites
- 200+ documentation files generated
Developer hours breakdown (estimated):
| Week | Dates | Wall-Clock Hrs | Equivalent Contractor Hrs | Multiplier |
|---|---|---|---|---|
| 1 | Apr 5–11 | 20 | 280 | 14x |
| 2 | Apr 12–18 | 15 | 220 | 14.7x |
| 3 | Apr 19–25 | 12 | 180 | 15x |
| 4 | Apr 26–May 2 | 18 | 260 | 14.4x |
| 5 | May 3–9 | 15 | 220 | 14.7x |
| 6 | May 10–16 | 20 | 300 | 15x |
| 7 | May 17–20 | 20 | 300 | 15x |
| 8 | May 21 | 15 | 200 | 13.3x |
| Total | 47 days | 135 hrs | 1,960 hrs | 14.5x |
Note: Wall-clock hours include time at the workstation actively directing the AI. Equivalent contractor hours represent the estimated time for a team of specialists (security engineer, DevOps, full-stack developer, technical writer, compliance analyst) to deliver the same output without AI assistance.
Industry studies consistently show developers spend 50-60% of their time on non-coding activities: reading documentation, searching for solutions, debugging configuration. AI eliminates this overhead by maintaining comprehensive knowledge of APIs, services, and configuration patterns.
Measured example: Implementing WAF CAPTCHA rules with regex pattern sets, CloudFront response headers policy, and API Gateway throttling — 4 minutes with AI vs. estimated 2-4 hours of documentation review.
Regulated environments typically require expensive specialists for episodic work:
| Traditional Role | Market Rate | AI-Assisted Approach |
|---|---|---|
| Security Engineer | $180-250/hr | AI writes controls, configures WAF/IAM, produces evidence |
| Compliance Analyst | $150-200/hr | AI generates NIST mappings, control narratives, BOD compliance |
| DevOps Engineer | $160-220/hr | AI writes Terraform, configures pipelines, debugs infrastructure |
| Technical Writer | $100-150/hr | AI produces RCAs, requirements, test cases, procedures |
In this study, a single AI session simultaneously performed work spanning all four roles.
Traditional compliance approaches:

- Dedicated compliance team: 2-3 FTEs ($300-500K/year)
- Annual assessment preparation: $30-50K
- Continuous monitoring tools: $20-40K/year
- Total: $350-590K/year

AI-assisted approach:

- Compliance evidence generated as a byproduct of development
- Controls documented at implementation time
- Annual review automated via evidence sync
- Total: Developer salary + ~$50/month AI compute

Traditional teams lose context through:

- Employee turnover (average 2-year tenure for security engineers)
- Context switching between projects
- Onboarding new team members (3-6 month ramp)
AI maintains complete project context across 183 sessions spanning 47 days. No ramp-up time. No knowledge loss. Each session compounds on prior work.
A critical discovery during this study: AI requires the same change management discipline as human teams. Without explicit approval gates, AI will interpret ambiguous language ("yes", "let's set it up") as authorization to proceed — exactly as a junior developer would.
Real example: The developer said "lets setup a special bucket for public resources." The AI immediately provisioned an S3 bucket, CloudFront distribution, ACM certificate, and DNS records — without writing test cases or receiving explicit implementation approval. This is the same failure mode that causes unauthorized changes in traditional teams.
The governance model that works:
| Phrase | Meaning | AI Action |
|---|---|---|
| "yes" / "ok" / "sure" | Acknowledgment | Continue discussion |
| "approved" / "implement" | Authorization | Execute implementation |
| "lets setup" / "do all" | Ambiguous | Ask: "Approve to implement?" |
Why this matters for companies: AI doesn't get tired, doesn't feel deadline pressure, and doesn't have ego — but it WILL take shortcuts if the governance rules aren't explicit. The advantage over human teams: once you catch the pattern and codify the rule, AI follows it consistently. The 7 violations logged in this study each led to a rule refinement. By session end, the approval gate was airtight.
This is a self-correcting system that gets more disciplined over time — unlike human teams where the same process violations recur under pressure.
For organizations pursuing ATO (Authority to Operate):

- Traditional timeline: 12-18 months
- AI-assisted timeline: Controls implemented and documented in weeks
- Ongoing maintenance: Automated evidence collection, drift detection

AI-assisted development is not autonomous development. This study employed a senior developer who:

- Made architectural decisions
- Approved requirements before implementation
- Validated security configurations
- Caught and corrected AI errors (7 workflow violations logged)
Critical finding: AI exhibits the same failure mode as human developers — when given ambiguous approval ("yes", "let's do it", "sure"), it proceeds with implementation without explicit authorization. During this study, the AI deployed infrastructure 7 times without completing the full requirements → test cases → approval workflow.
This mirrors real-world team dynamics: a developer hears "yeah let's do it" in a standup and deploys without a change request. The fix is identical for both AI and humans:

- Explicit gate language ("approved" vs. "acknowledged")
- Separation of "I understand the plan" from "I authorize execution"
- Audit trails that catch violations after the fact
The difference: Once the rule is codified, AI can enforce it consistently. Human developers continue cutting corners under deadline pressure. The 7 violations in this study led to a rule update that prevents future occurrences — a self-correcting system.
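The session logging described in the methodology (JSONL files of prompts, tool invocations, results and timestamps, costed at $3/$15 per million tokens with ~4 characters per token) is also the audit trail that catches the approval-gate violations discussed here. The following is an added example, not the paper's tooling and not Kiro's actual session format: it assumes a JSONL log with one record per line shaped like `{"ts": ..., "type": "prompt" | "tool_call" | "tool_result", ...}` (the field names are placeholders), computes usage and cost the way the paper describes, and flags infrastructure-changing tool calls that ran while the most recent user prompt was only an acknowledgment or ambiguous rather than explicit authorization. The sample session is constructed; its first prompt is the ambiguous phrase quoted in the paper.

```javascript
// Added example, not the paper's tooling and not Kiro's real session format.
// Assumed record shape (placeholder field names):
//   {"ts": ISO-8601, "type": "prompt"|"tool_call"|"tool_result", "text"|"tool"/"args": ...}
// Shows cost attribution from token estimates plus an after-the-fact audit of
// deploy actions not covered by explicit gate language.

var PRICE_PER_MILLION = { input: 3.0, output: 15.0 };   // Claude Sonnet pricing used in the paper
var CHARS_PER_TOKEN = 4;                                 // the paper's estimation rule
var AUTHORIZING = /\b(approved|implement)\b/i;           // gate language from the governance table
// Commands that change production; "yes"/"lets setup" do not authorize these.
var DEPLOY_COMMANDS = /\b(terraform apply|aws s3 sync|aws cloudfront create-invalidation|aws lambda update-function-code)\b/;

function estimateTokens(text) {
  return Math.ceil((text || '').length / CHARS_PER_TOKEN);
}

function costUsd(inputTokens, outputTokens) {
  return (inputTokens * PRICE_PER_MILLION.input + outputTokens * PRICE_PER_MILLION.output) / 1e6;
}

// Walks one session and returns usage metrics plus every deploy action that ran
// without an authorizing prompt being the most recent user message.
function auditSession(jsonl) {
  var s = { prompts: 0, actions: 0, inputTokens: 0, outputTokens: 0, violations: [], start: null, end: null };
  var authorized = false;
  jsonl.split('\n').forEach(function (line, index) {
    if (!line.trim()) return;
    var rec = JSON.parse(line);
    var ts = Date.parse(rec.ts);
    if (s.start === null || ts < s.start) s.start = ts;
    if (s.end === null || ts > s.end) s.end = ts;
    if (rec.type === 'prompt') {
      s.prompts += 1;
      s.inputTokens += estimateTokens(rec.text);   // the model reads prompts...
      authorized = AUTHORIZING.test(rec.text);     // each new prompt resets the gate
    } else if (rec.type === 'tool_result') {
      s.inputTokens += estimateTokens(rec.text);   // ...and tool output
    } else if (rec.type === 'tool_call') {
      s.actions += 1;
      var args = JSON.stringify(rec.args || {});
      s.outputTokens += estimateTokens(args);      // the model emits tool calls
      if (DEPLOY_COMMANDS.test(args) && !authorized) {
        s.violations.push({ line: index + 1, tool: rec.tool, args: rec.args });
      }
    }
  });
  s.durationMinutes = s.start === null ? 0 : (s.end - s.start) / 60000;
  s.costUsd = costUsd(s.inputTokens, s.outputTokens);
  return s;
}

// Constructed session: the first deploy follows the ambiguous prompt quoted in
// the paper; the second follows explicit approval. Distribution id is a placeholder.
var SAMPLE_SESSION_JSONL = [
  '{"ts":"2026-05-20T01:00:00Z","type":"prompt","text":"lets setup a special bucket for public resources"}',
  '{"ts":"2026-05-20T01:00:30Z","type":"tool_call","tool":"shell","args":{"cmd":"terraform apply -auto-approve"}}',
  '{"ts":"2026-05-20T01:01:10Z","type":"tool_result","tool":"shell","text":"Apply complete! Resources: 4 added, 0 changed, 0 destroyed."}',
  '{"ts":"2026-05-20T01:02:00Z","type":"prompt","text":"approved, implement the CSP fix in the CloudFront response headers policy"}',
  '{"ts":"2026-05-20T01:02:20Z","type":"tool_call","tool":"fs_write","args":{"path":"terraform/cloudfront.tf"}}',
  '{"ts":"2026-05-20T01:03:00Z","type":"tool_call","tool":"shell","args":{"cmd":"terraform apply -auto-approve"}}',
  '{"ts":"2026-05-20T01:03:40Z","type":"tool_result","tool":"shell","text":"Apply complete! Resources: 0 added, 1 changed, 0 destroyed."}',
  '{"ts":"2026-05-20T01:04:00Z","type":"tool_call","tool":"shell","args":{"cmd":"aws cloudfront create-invalidation --distribution-id PLACEHOLDER --paths /*"}}'
].join('\n');

console.log(JSON.stringify(auditSession(SAMPLE_SESSION_JSONL), null, 2));
```

Run over every session file at the end of the day, the `violations` array is the record the paper recommends: each entry points at the exact tool call that changed infrastructure without an "approved"/"implement" prompt preceding it, which is what turns a process rule into a checkable control rather than a configuration hint.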
Organizations must evaluate:

- Data residency requirements for AI processing
- Whether AI-generated code meets organizational review standards
- Audit trail requirements (satisfied by session logging in this study)

Token-based cost estimates have ±20% variance. Actual costs may differ based on:

- Model version and pricing changes
- Context window utilization patterns
- Caching and optimization by the provider

Most AI development subscriptions charge a flat monthly fee regardless of usage. Organizations overspend when:

- Developers are in meetings, planning, or non-coding work (40-60% of time)
- Seats are provisioned for occasional users
- Subscriptions continue during vacations, holidays, or project gaps
Real cost breakdown for a typical month:
| Scenario | Monthly Plan | Active AI Days | Cost per Active Day | Waste |
|---|---|---|---|---|
| Heavy user (daily) | $50/mo | 22 days | $2.27 | 0% |
| Moderate user (3x/week) | $50/mo | 12 days | $4.17 | 45% |
| Light user (weekly) | $50/mo | 4 days | $12.50 | 82% |
| Shelf-ware | $50/mo | 0 days | ∞ | 100% |
| Usage Pattern | Recommended Approach | Monthly Cost |
|---|---|---|
| Daily power user (this study) | Unlimited/Pro plan | $19-50/mo |
| 2-3 developers, mixed usage | Shared team plan with pooled credits | $50-100/mo |
| Occasional compliance/security work | Pay-per-use or metered plan | $0-30/mo |
| Enterprise (10+ developers) | Enterprise agreement with committed use | Negotiate |
Organizations on flat-rate plans should:
At $50/month subscription cost, the plan pays for itself if AI saves just 20 minutes of work per month (at $150/hr contractor rate). In this study, AI saved 749 hours over 47 days — the subscription paid for itself within the first hour of the first session.
| Plan Cost | Break-Even Point | This Study's Actual Value |
|---|---|---|
| $19/mo (individual) | 8 minutes saved | 643 hours saved |
| $50/mo (pro) | 20 minutes saved | 643 hours saved |
| $100/mo (team) | 40 minutes saved | 643 hours saved |
The risk is not overpaying for AI. The risk is underpaying for talent by not giving your developers AI tools.
Before (wasteful):

- 2 group-inherited Kiro Power seats (flat monthly fee per seat)
- 1 user (Marley) with minimal usage — paying full Power rate for an idle seat
- Group subscription locked both users to same tier regardless of individual usage

After (optimized):

- 2 individual Kiro Power seats with overage billing enabled
- Each user pays base rate + actual usage beyond plan limits
- Idle user costs nothing beyond base; heavy user pays for burst sessions only

Why this works:

- AI development is bursty — a 3,700-action session one night, then quiet for days
- Flat plans penalize inconsistent usage patterns
- Overage model aligns cost with value: you only pay more when you're getting more done
- Removes the "use it or lose it" pressure that leads to wasteful AI interactions

Optimization steps taken:

1. Removed group-level subscriptions (eliminated inherited plan waste)
2. Assigned individual plans (right-sized per user)
3. Enabled overage billing (pay for burst, not idle)
4. Result: heavy user gets unlimited capability; light user pays near-zero
Recommendation for organizations: Avoid group-level flat subscriptions unless all members have consistent, high usage. Individual plans with overage enabled are more cost-effective for teams with mixed usage patterns.
Organizations considering AI-assisted development should:
The empirical data from this 47-day deployment demonstrates that AI-assisted development delivers measurable, significant cost savings for regulated environments. At $178.13 in AI compute — less than one hour of a security contractor's time — the organization received 749 hours of equivalent labor across security engineering, compliance analysis, DevOps, and technical writing.
The 652x ROI is not theoretical. It is derived from logged sessions, counted actions, and delivered artifacts that are in production today, serving a compliance portal — a Developer environment PaaS proving CMS ARS and NIST 800-53 standards are met.
But the numbers alone miss the deeper insight: AI requires governance, and governance makes AI better. The 7 workflow violations documented in this study — where AI deployed infrastructure without explicit approval — mirror exactly what happens in human teams under pressure. The difference is that each violation produced a rule refinement that prevents recurrence. By session end, the system was more disciplined than it started.
This is the real value proposition: not just faster development, but a self-correcting development process that improves with every interaction. Human teams repeat the same process failures quarter after quarter. AI, once corrected, doesn't backslide.
For organizations facing the intersection of increasing compliance requirements and constrained budgets, AI-assisted development is no longer experimental. It is a measurable competitive advantage — provided you treat it like any other team member: with clear authorization gates, explicit approval language, and audit trails that catch what slips through.
Complete session logs, action sequences, and workflow documentation are maintained in the project repository:
- SESSION-all-history.md — Index of all 183 sessions
- SESSION-workflow-2026-05-20.md — Detailed interaction log (724 exchanges)
- SESSION-actions-2026-05-20.md — 3,720 tool actions in sequence
- SESSION-usage-cost.md — Per-session cost breakdown
| Control | Title | Evidence Document |
|---|---|---|
| AC-2 | Account Management | AC-2-account-management.md |
| AC-6 | Least Privilege | AC-6-least-privilege.md |
| AC-12 | Session Termination | AC-12-session-termination.md |
| IA-2 | Identification & Authentication | IA-2-identification-authentication.md |
| SC-5 | DoS Protection | SC-5-dos-protection.md |
| SC-7 | Boundary Protection | SC-7-boundary-protection.md |
| SC-8 | Transmission Confidentiality | SC-8-transmission-confidentiality.md |
| SC-23 | Session Authenticity | SC-23-session-authenticity.md |
| SI-5 | Security Alerts / VDP | SI-5-security-alerts-vdp.md |
© 2026 IT4Bytes LLC. All rights reserved.