Getting Started & Best Practices¶
This page helps you get up and running with AI tools at DHI, and provides practical guidance on using them safely and effectively. For the full AI policy, see the AI Guidelines. It is oriented towards technical tasks such as software development.
Guardrails - A 3-Tier Lifecycle Model¶
Guardrails keep AI tools and agents operating safely, predictably, and within defined boundaries. Without guardrails, AI becomes unpredictable, small mistakes scale into big ones, confidence exceeds correctness, and security risks increase.
Tier 1: Before You Start¶
Before handing work to an AI tool, ask yourself:
- What can it touch? - Only give the tool access to the repos, branches, and files it needs. Don't grant blanket permissions. Tools like Claude Code follow least-privilege by default - keep it that way.
- Is my data safe to share? - Check the usage tiers and data sensitivity tiers. Redact credentials, PII, and client data before including them in prompts.
- Could the output carry licence risk? - AI may reproduce GPL/AGPL fragments. Be alert to this during review (see Tier 3).
Tier 2: While It's Working¶
Keep an eye on what the AI is doing as it runs:
- Don't let it run unchecked - Review what the tool is doing, especially when it executes commands, modifies files, or accesses external services. If something looks off, stop it.
- Watch out for prompt injection - If you feed external content (user input, web pages, files from unknown sources, let it search and read the files from the internet) into an AI tool, it will be manipulated. Be cautious with untrusted input.
- Set limits - If an AI agent is stuck retrying or looping, stop and redirect. Don't let it burn through time or tokens on a dead end. If the situation is ambiguous, have it stop and ask you.
- Cross-check critical output - For high-stakes work, consider having a second model or a colleague review the output independently. Having the model validate itself afterwards often proves fruitful as well.
Tier 3: After It's Done¶
Before you use or commit anything the AI produced:
- Run your tests - Unit tests, integration tests, linting, SAST - the same checks you'd run on any code. AI-generated code is not exempt.
- Look for secrets and vulnerabilities - AI can accidentally hardcode credentials, introduce SQL injection, or generate insecure patterns. Scan the output before committing.
- Spot hallucinations - AI may reference APIs, libraries, or parameters that don't exist. Verify against official documentation.
- Review it like you wrote it - Read the code, understand the logic, and take ownership. Use the standard PR review process. You are the author.
- Keep a trail - Git attribution and commit history should reflect AI involvement. This supports auditability and future debugging.
Prompt Engineering Best Practices¶
How you interact with AI tools directly affects both the quality of the output and the security of DHI's data. The following practices will help you get better results while keeping DHI's data safe.
Keep Your Data Safe¶
- Scrub before you share - Replace real customer names with
CUSTOMER_A, emails withuser@redacted, and keys with<API_KEY>. Never paste credentials, connection strings, or secrets into a prompt. - Generalise proprietary logic - If you need help with an algorithm or pattern, strip out the business-specific details first. See the full data protection rules for what you can and can't share.
Get Better Output¶
Some general rules for getting better output from AI tools:
-
Be specific - Vague prompts produce vague results. Include the language, framework, constraints, and expected behaviour.
- Bad: "Fix this code"
- Good: "Fix the null reference exception in
UserService.GetById. TheuserIdparameter can be null when called from the API controller. Use the guard clause pattern consistent with the rest of the service."
-
Show it what you want - Point the AI at existing code. Share relevant type definitions, interfaces, or function signatures so it understands your conventions.
- Bad: "Write me a unit test"
- Good: "Write a unit test for
OrderService.CalculateTotalusing xUnit and Moq, following the same Arrange/Act/Assert pattern used inOrderServiceTests.cs."
-
Use project config files - Both Claude Code (
CLAUDE.md) and GitHub Copilot (.github/copilot-instructions.md) support project-level instruction files. Put your coding standards, naming conventions, and tech stack there so you don't have to repeat yourself every session. -
Break complex tasks into steps - Instead of asking for everything at once, ask for each component separately.
- Bad: "Build an authentication system"
- Good: "Let's build authentication step by step. Start with the JWT token generation service. Use the
SecuritySettingsclass fromappsettings.jsonfor configuration."
-
Specify what you don't want - Explicitly state constraints.
- Bad: "Create a REST endpoint"
- Good: "Create a REST endpoint for fetching user profiles. Use ASP.NET Core 8 minimal APIs, return a
UserProfileDto, and do not add any external packages."
-
Iterate, don't restart - If the output is 80% right, refine it. Tell the AI what's wrong and what to change. Starting from scratch wastes the context it's already built up.
- Bad: Starts a new session when the output is almost right
- Good: "This is close, but change the error handling to return a
Result<T>instead of throwing exceptions, and rename the method toTryGetUserAsync."
-
Ask it to ask you questions - Have it keep asking one by one until it has a complete picture. It's faster to read and answer questions than to write a perfect prompt upfront.
-
Ask for explanations - When you get complex suggestions, ask the AI to explain its reasoning so you can verify correctness.
Reviewing AI Output¶
- Never accept output verbatim - AI output can contain errors, hallucinations, or subtle bugs. Match your review to the risk: spot-check and test for low-risk changes; do a thorough line-by-line review for production-critical work
- Watch for hallucinated APIs - AI models may reference functions, packages, or parameters that do not exist. Verify against official documentation
- Check for licence-encumbered patterns - If output looks like it was lifted from an open-source project, verify the licence before including it
- Test edge cases - AI-generated tests often cover happy paths but miss boundary conditions, null handling, and error scenarios
- Watch for over-engineering - AI loves abstractions. If it creates a factory pattern for something that needs three lines of code, push back
- Check consistency - Does the generated code follow the same patterns as the rest of your codebase? Same naming, same error handling, same project structure?
- Verify dependencies - AI may pull in packages you don't need, or reference outdated versions. Check what it added to your project files
Working with AI Agents¶
Copilot agent mode and Claude Code are agentic - they execute commands, modify files, and run tests autonomously. This requires different habits than chat-style prompting:
- Start with a plan - For complex tasks, ask the agent to propose a plan before it starts coding. Review the plan, then let it execute.
- Keep the scope tight - One feature, one bug, one migration at a time. Agents that try to do too much at once drift.
- Let it run your tests - The real power of agents is the feedback loop: code → test → fix → test. Let it iterate until tests pass rather than reviewing intermediate states.
- Review the diff, not the session - Agent sessions can be long and it can take detours. What matters is the final
git diff- review that like any PR.
Training¶
Mandatory¶
| Step | What | Who | Format | Est. time |
|---|---|---|---|---|
| 1 | Read and acknowledge DHI AI Guidelines (AI Guidelines, Getting Started, Software Development) | All | Self-study | ~1 hr |
| 2a | GitHub Copilot Fundamentals Part 1 of 2 + Best practices for using GitHub Copilot (~10 min) | GitHub Copilot users | Self-paced (Microsoft Learn) | ~2.5 hrs |
| 2b | Claude Code: A Highly Agentic Coding Assistant (DeepLearning.AI) + Best Practices for Claude Code (~20 min) | Claude Code users | Self-paced (DeepLearning.AI) | ~2.5 hrs |
| 3 | Live workshop: guardrails, responsible use, facilitated first-use on real project | Claude Code users | Workshop led by AI CoE | ~1.5 hrs |
Recommended¶
| What | Who | Format | Est. time |
|---|---|---|---|
| How Anthropic teams use Claude Code (blog) | Claude Code users | Reading | ~30 min |
| Claude Code in Action | Claude Code users | Self-paced (Anthropic Academy) | ~2.5 hrs |
| GitHub Copilot Fundamentals Part 2 of 2 (strongly recommended - covers Agent Mode, Coding Agent, MCP) | GitHub Copilot users | Self-paced (Microsoft Learn) | ~3 hrs |
| Enterprise Train the Trainer | CoE leads | Self-paced (Anthropic Academy) | 4 sessions |
| Driving enterprise adoption of Claude | CoE leads, managers | Self-paced (Anthropic Academy) | ~3 hrs |
| Prompt engineering for GitHub Copilot Chat | GitHub Copilot users | Reading | ~10 min |
| AI Fluency: Framework & Foundations | All | Self-paced (Anthropic Academy) | 2-3 hrs |
| Introduction to Model Context Protocol | Claude Code users | Self-paced (Anthropic Academy) | ~3 hrs |
| Introduction to agent skills | Claude Code users | Self-paced (Anthropic Academy) | ~2 hrs |
| Security (Claude Code docs) | Claude Code users | Reading | ~15 min |
| Getting Started with GitHub Copilot | GitHub Copilot users | Hands-on (GitHub) | ~1 hr |
| Mastering GitHub Copilot | GitHub Copilot users | Self-paced (Microsoft) | ~10 hrs |
| How to write better prompts for GitHub Copilot | GitHub Copilot users | Reading | ~10 min |
| Onboarding your AI peer programmer: Setting up GitHub Copilot coding agent for success | GitHub Copilot users | Reading | ~15 min |
| Simon Willison's Weblog | All | Reading | Ongoing |
Sharing Knowledge¶
Sharing effective prompt patterns within teams is encouraged as a way to build collective capability and avoid common pitfalls. Consider maintaining a shared collection of useful prompts and patterns that work well for your team's tech stack. A Viva Engage channel will be established for general knowledge sharing.