Resources · Framework

How to Scope a Project When AI Can Already Do Most of the Build

Last updated: Jul 2026By Jigar Panchal, DirectorFounders and product managers writing a spec or brief in the AI era — for themselves, a freelancer, or an agency.
Sticky notes arranged on a whiteboard during project planning
Photo: RDNE Stock project / Pexels
The short answer

Scope for the part AI can’t do. AI tools now generate a large share of new code — Microsoft says up to 30% of its code is AI-written, and Google puts its new-code share higher — but they don’t decide architecture, data models, security, or edge cases. Write the spec around those: define the hard boundaries, non-negotiable requirements, and acceptance tests first, then let AI (or a team) fill the generative middle. Scope the judgment, not the typing.

— Key takeaways
  • AI generates a large share of code now — Microsoft’s CEO said up to 30% of its code is AI-written (2025), and Google reported its new-code AI share climbing through the year — but generation is the easy 70%.
  • The “70% problem”: AI does the visible build fast, then stalls on the last 30% — architecture, integration, security, and edge cases — which is exactly what a scope must nail down.
  • Specify the judgment, not the keystrokes: boundaries, data model, non-negotiable requirements, and acceptance criteria.
  • Write acceptance tests first. When AI can produce code in minutes, the bottleneck becomes knowing whether the code is correct.
  • Scope for handoff from day one — decisions, constraints, and docs — so a freelancer, an in-house hire, or an agency can take over without archaeology.
  • If you can write a tight spec and own the 30% yourself, you may not need an agency at all — the framework works solo.
— Compare your options

What to specify yourself vs hand to AI

The workCan AI do it well?Who should own itWhy
UI scaffolding & layoutYes — quicklyYou + AILow-risk, easy to review and change
CRUD & boilerplate codeYes — reliablyYou + AI, or a freelancerRepetitive, well-represented in training data
Architecture & data modelNo — needs judgmentIn-house lead or agencyExpensive to change later; sets the ceiling on scale
Security & authenticationNo — high riskAgency / senior engineer~45% of AI code fails security tests; mistakes are costly
Edge cases & error handlingPartly — needs specifyingYou define, AI draftsAI handles the happy path; real users don’t
Integrations & third-party APIsPartly — brittleFreelancer or agencyAuth, rate limits, and failure modes need real testing

How much of the build can AI actually do?

More than most scopes assume — and less than the hype claims. In 2025, Microsoft’s CEO said up to 30% of the company’s code was AI-written (varying by language), and Google reported the share of new code generated by AI climbing steadily through the year. A widely-cited rule of thumb, the “70% problem,” captures the shape: AI gets you about 70% of the way fast, then the last 30% turns hard.

That framing is what should drive a scope. The 70% AI does well — scaffolding, boilerplate, standard patterns — barely needs specifying; it’ll get generated either way. The 30% it does badly — architecture, security, integration, edge cases — is precisely where a vague scope turns into rework. So scope inverts: spend your effort defining the hard 30%, not documenting the easy 70%.

What should you scope yourself vs hand to AI?

Split the work by how much judgment it needs. Hand AI the low-risk, high-volume parts: UI scaffolding, CRUD operations, boilerplate, standard integrations you can review. These are well-represented in training data and cheap to change if they’re wrong.

Own the parts that are expensive to get wrong: the data model, the architecture, the security and authentication design, and the genuinely tricky business logic. These set the ceiling on how far the product can scale and are painful to change once code depends on them. The table above is a starting split — the principle is that anything costly to reverse belongs to a human, and anything cheap to redo can go to AI.

How do you write a spec when AI writes the code?

Shift the spec from “how” to “what must be true.” When code is minutes away, describing implementation in detail is wasted effort — the AI (or engineer) will generate it. What’s scarce is a clear statement of boundaries and non-negotiables: the data model, the security requirements, the performance targets, and the rules the system must never break.

Write acceptance criteria first, and make them testable. The real bottleneck in AI-assisted building isn’t producing code — it’s knowing whether the code is correct. A scope that says “a logged-out user must never see another account’s data” or “checkout must be idempotent” gives both the AI and any reviewer something concrete to build and verify against. Specify the tests, and the implementation can vary freely underneath them.

How do you scope so an agency or future dev can take over?

Assume someone else will inherit this — because they usually do. AI can generate code without leaving a trail of why, so the scope has to carry the reasoning: the decisions made, the constraints assumed, and the parts deliberately left simple. That context is what lets a freelancer, an in-house hire, or an agency extend the work instead of reverse-engineering it.

Practically, that means documenting the data model and the key architectural choices, keeping requirements and acceptance tests versioned alongside the code, and controlling access to repositories and infrastructure yourself. Google’s DORA research is consistent on this: AI amplifies the practices already in place — strong process gets stronger, weak process gets faster at producing mess. A scope built for handoff is how you stay on the right side of that.

When is scoping enough that you don’t need an agency?

If you can write a tight, testable spec and personally own the hard 30% — the architecture, the security, the judgment calls — you may not need an agency at all. Paired with AI tools and maybe a freelancer for volume, a capable technical owner can take a well-scoped project a long way. That’s a legitimate, cost-effective path, and we’ll say so when it fits.

You need more than a scope when the 30% is beyond what you can own — when security, scale, or reliability carry real consequences and no one on your side can be accountable for them. At that point the value isn’t writing code AI could generate; it’s the engineering judgment that decides what to build and confirms it’s safe. That’s the line between scoping a build and needing a team to run it.

— FAQ

Questions buyers ask before they decide.

QWhat should a spec include when AI writes the code?
Boundaries and non-negotiables, not implementation detail: the data model, security requirements, performance targets, the rules the system must never break, and testable acceptance criteria. When code is minutes away, describing “how” is wasted — a clear statement of “what must be true” is what both the AI and any reviewer actually need.
QWhat parts of a build can’t AI decide for you?
Architecture, the data model, security and authentication design, and the genuinely tricky business logic. These need judgment, are expensive to change later, and set the ceiling on how far the product can scale. AI is strong on scaffolding, boilerplate, and standard patterns — the parts that are cheap to redo if they’re wrong.
QDo I still need detailed requirements if AI is so fast?
Yes — arguably more than before. Speed of generation makes correctness the bottleneck, not typing. Without clear, testable requirements, AI will happily produce large amounts of plausible code that solves the wrong problem. Requirements are how you steer that speed instead of being buried by it.
QHow do I scope so an agency can take over later?
Document the decisions and constraints, not just the features — AI generates code without recording why. Keep the data model, architectural choices, and acceptance tests versioned alongside the code, and control repo and infrastructure access yourself. That context lets a team extend the work instead of reverse-engineering it.
QHow detailed should acceptance criteria be?
Detailed enough to test. Each should be a concrete, verifiable statement — “a logged-out user must never see another account’s data,” “checkout must be idempotent.” Vague goals (“make it secure”) can’t be checked; testable criteria let the implementation vary freely while still guaranteeing the behavior you care about.
— Get a straight answer

Tell us what you're building. We'll tell you honestly.

Whether you need a full team, a few senior engineers, or just a sounding board for your AI-built prototype — a short call will tell you which.

— WHEREVER YOU ARE
hello@indianic.comWhatsApp Chat
RESPONSE TIME
< 4 hours
NDA
On request
FREE POC
3 – 5 days