Good Code but Bad Intent: Can AI Really Detect Malicious Intent in Software?

Ten years ago, I was working with a customer who had a bold and frankly fascinating idea. They wanted to build a system that could understand the intention behind code. Not just what the code was doing, but why it was doing it. Was the developer trying to comply with policy? Optimize performance? Or… was there something suspicious happening with sensitive data?

Their vision was that of an ethical compiler, an application that would parse code and raise a flag if it suspected anything untoward. For example: accessing PII without clear justification, silently exfiltrating data, or bypassing security checks with clever workarounds.

At the time, the idea felt almost philosophical. We had tools to scan code for vulnerabilities, bugs, and bad practices. But checking for intent? That was a different beast altogether.

When the customer floated the idea of detecting a developer’s intent from their code, I remember my response being more practical than philosophical: “You don’t need to detect intent, you need better role-based access controls.” At the end of the day, if someone shouldn’t have access to certain data, they shouldn’t be able to touch it at all, no matter what their code says.

And if you're relying on code audits to detect ethical behavior, then you're treating the symptom, not the disease. Because here's the truth:

If you can't trust your employees to respect data usage guidelines, you've got bigger problems than suspicious code.

No AI model or static analyzer will solve a broken culture. RBAC, zero-trust architecture, data classification, audit trails; those are your first lines of defense. Intent matters, yes. However, it only becomes a technical problem when it has already become a human one.

Why It Was Hard (And Still Is)

Even today, intent is a deeply human concept, one that’s hard to distill into logic. You can spot a function that deletes data. However, you can’t tell if it’s being done for GDPR compliance or a malicious cover-up; unless you have more context.

Let’s break down why this is so difficult, even with all the AI tools we now have at our disposal.

1. Code Is What, Not Why

Code tells you what is happening, not why. For example:

Looks fine. But was this written to comply with user deletion requests under GDPR? Or to erase traces of an insider breach? You can’t tell just by reading it.

2. Intent Lives Outside the Code

Intent often lives in commit messages, design documents, Slack threads, or the developer’s head. The same exact code snippet could have wildly different meanings depending on the business context. An AI model (or even a human reviewer) won’t know if the developer was:

• Acting on customer request

• Trying to fix a bug

• Or covering their tracks

3. Bad Actors Are Subtle

Malicious code rarely announces itself. In fact, the most dangerous code often looks boring:

• A quiet API call to a third-party URL

• A missing line in an authorization check

• Data access in a loop that’s “accidentally” overbroad

Good developers make mistakes. Bad actors make things appear to be mistakes.

So, What’s Changed?

Now, thanks to AI, we’re starting to inch closer.

Tools like GitHub Copilot, GPT-4, and CodeWhisperer can explain code, offer suggestions, and even infer likely purpose in plain English. Observability platforms can track how data flows through systems in real-time. Static code analyzers can detect risky patterns and flag suspicious behavior, sometimes even before code hits production.

Here’s where we’re starting to see progress:

AI-Powered Code Explanation

You can now ask questions like:

"Why is this script accessing user location data?"

And get a reasonable answer from a language model, especially if the code is documented and straightforward.

Context-Aware Analysis

Some systems now combine:

• Source code

• Commit history

• Issue tracking

• Runtime telemetry

...to build a fuller picture of what’s happening. Still not foolproof, but better than scanning isolated code blocks.

Ethical Guardrails Are Emerging

We’re also seeing conversations around ethical AI development, responsible coding, and policy compliance being integrated earlier in the dev process. Think: automatic checks for data usage, explainability, fairness, and security as part of your CI/CD pipeline.

But Let’s Be Honest, We’re Not There Yet

Despite the progress, we’re still far from a world where machines can reliably understand why code was written. AI can highlight suspicious patterns. It can help explain what’s happening. It can even say, “This looks similar to known malicious behavior.” But it can’t definitively say, “The developer’s intention was unethical.”

Because intention isn’t in the code, it’s in the context. And context is messy, distributed, and often invisible to machines.

The Philosophical Dilemma

This brings us to a deeper philosophical challenge, the is–ought dilemma posed by David Hume. Just because code is doing something (and doing it well), doesn’t mean it ought to. A perfectly functional feature can still compromise user privacy, undermine trust, or serve as a stepping stone for data misuse. Machines today can tell us what is, but they still struggle to reason about what ought to be, and that’s where human judgment, context, and ethics come in.

Where Do We Go From Here?

I believe the next wave of tooling will move from:

• Code correctness → to code's purpose ( by collecting more context)

• Bug detection → to behavioral pattern recognition

• Developer assist → to developer accountability

We’ll likely see more integration between:

• LLMs that understand language + logic

• Runtime analytics that observe real behavior

• Audit trails that capture why changes were made

The dream my customer had years ago of checking the intention of code might not have been possible back then. But it wasn’t naive. It was early.

What do you think? Have you encountered suspicious code in your projects that appeared fine on the surface but felt off in purpose?

I would love to hear how we can bridge this gap between what code does and why it was written.

Fawad A. Qureshi Transforming Business with AI, Data & Sustainability 🌎 | Field C…

I write weekly on different topics related to Data and AI. Feel free to subscribe to FAQ on Data newsletter and/or follow Fawad Qureshi on LinkedIn or FawadQureshi on X.