1.7× Increase in Issues from AI-Generated Code: Are We Trading Quality for Speed Without Realizing It?

General
1

Building on Maya’s bottleneck discussion, I want to address something that’s been concerning me: quality degradation from AI-generated code.

The Data We’re Seeing

Recent research shows AI-assisted code has a 1.7× higher issue rate compared to human-written code when governance isn’t in place (Panto AI analysis).

In our own engineering org:

Post-AI adoption (6 months of data):

  • Production incidents: +23%
  • Security vulnerabilities flagged in code review: +31%
  • Post-deployment bugs requiring hotfixes: +18%
  • Technical debt accumulation (SonarQube): +27%

Meanwhile:

  • Individual developer velocity: +26%
  • Story points completed: +19%
  • PRs merged: +34%

We’re shipping faster, but we’re shipping worse.

The Leadership Dilemma

Here’s what I’m dealing with:

Developers love AI tools. Engagement is up. Retention has improved. Taking AI away would crush morale.

But quality metrics are declining. Customer-facing bugs are up. Security team is flagging more issues. Technical debt is accumulating faster than we can pay it down.

How do I reconcile developer happiness with declining product quality?

Root Cause: AI Optimizes for “Works,” Not “Good”

The fundamental problem: AI coding assistants are trained to generate code that compiles and runs, not code that’s maintainable, secure, and aligned with best practices.

AI doesn’t understand:

  • Your company’s architectural patterns
  • Your security requirements and compliance needs
  • Your design system and consistency standards
  • The difference between “works now” and “maintainable later”

Result: Developers get code that functions but:

  • Introduces security vulnerabilities (SQL injection, XSS, auth bypasses)
  • Violates accessibility standards (WCAG failures)
  • Creates technical debt (hard-coded values, missing error handling, poor abstractions)
  • Bypasses design systems (works, but inconsistent)

Specific Examples from Our Org

Security: Developer used AI to generate authentication logic. It worked in testing. Code review missed a subtle timing attack vulnerability. Caught in security audit before production—barely.

Accessibility: AI generated a data table component. Fully functional. Failed screen reader testing. Inaccessible to keyboard-only users. Took longer to fix than building from scratch would have.

Technical Debt: AI refactored a service to “improve performance.” Performance did improve—by hard-coding configuration that should have been dynamic. Created a maintenance nightmare.

All three were shipped by senior developers who should have known better. But AI made the wrong thing easy.

The Governance Gap

Most organizations (including ours until recently) had no AI-specific governance:

  • No review checklist for AI-generated code
  • No automated security scanning gated on AI usage
  • No quality gates before merge
  • No training on what to watch for in AI code review

We treated AI-generated code like human code. That was a mistake.

What We Need: Quality WITH Speed

The question isn’t “AI or quality?”—it’s “how do we get AI speed AND quality?”

I’m proposing a framework, but I want community input.

Layer 1: Automated Quality Gates

  • Security scanning (SAST/DAST) before merge, not after
  • Accessibility testing integrated into CI/CD
  • Design system compliance checks
  • Performance benchmarking

Layer 2: AI-Specific Review Practices

  • Explicit “is this AI-generated?” flag on PRs
  • Review checklist for common AI failure modes
  • Paired review for complex AI-assisted features
  • Senior engineer approval required for AI code in critical paths

Layer 3: Developer Accountability

  • Developers own quality of AI-generated code (not the AI)
  • AI assistance must include tests, not just implementation
  • Quality metrics weighted equally with velocity metrics

Layer 4: Training and Culture

  • Training on reviewing AI-generated code
  • Examples of AI failure modes specific to our stack
  • Culture shift: AI is a tool, not a replacement for thinking

The Hard Question

Should we accept lower quality as the cost of higher velocity?

My answer: Absolutely not.

Speed without quality is technical debt accumulation at scale. We’ll pay the cost later—in incidents, customer trust, developer productivity (when the debt comes due), and engineering team morale (when they’re stuck maintaining garbage code).

But that means being willing to slow down AI adoption if quality can’t keep pace.

Your Experiences?

  1. Are you seeing quality degradation post-AI adoption?
  2. What governance practices have actually worked to maintain quality?
  3. How do you balance developer desire for AI tools with quality concerns?
  4. Have you had to slow down or rollback AI adoption because of quality issues?

I’m especially interested in what’s actually working, not just what sounds good in theory.

Because right now, I’m watching velocity go up and quality go down, and I need to figure out how to fix this before it becomes a crisis.

2

Keisha, the accessibility example you gave hits exactly what I’m experiencing in design systems.

AI Doesn’t Understand Design Language

Your data table example is perfect. Here’s what I’m seeing consistently:

AI generates code that:

  • :white_check_mark: Renders visually
  • :white_check_mark: Compiles without errors
  • :white_check_mark: Passes basic functional testing
  • :cross_mark: Violates design system token usage
  • :cross_mark: Fails WCAG accessibility standards
  • :cross_mark: Breaks on mobile viewports
  • :cross_mark: Doesn’t match our voice and tone guidelines

The code “works”—but it’s not our code.

Specific Failures I’ve Seen

Accessibility (the most common):

  • Missing ARIA labels and roles
  • Color contrast failures (AI picks colors that “look good” without checking ratios)
  • Keyboard navigation broken (works with mouse, fails with keyboard-only)
  • Screen reader support missing or broken
  • Focus indicators removed (AI thinks they’re ugly)

Design system violations:

  • Using hex color values instead of design tokens
  • Creating new spacing values instead of using our scale
  • Inventing new font sizes instead of our typography system
  • Custom animations that don’t match our motion guidelines

Responsive design problems:

  • Desktop-only implementations
  • Breakpoints that don’t match our system
  • Mobile layouts that break or look terrible

The Time Paradox

Here’s the frustrating part: Fixing AI-generated design system violations often takes longer than building the component correctly from scratch.

Recent example:

  • Developer uses AI to build a modal component in 45 minutes
  • I spend 2.5 hours in design QA fixing:
    • Accessibility issues (keyboard traps, missing ARIA)
    • Design token violations (8 different hardcoded color values)
    • Responsive breakpoints (completely custom, not our system)
    • Animation timing (didn’t use our easing curves)

Net time: Negative productivity.

Why This Happens

AI training data is “code from the internet”—mostly StackOverflow, GitHub repos, tutorials.

That code is:

  • Often not accessible (most web code isn’t WCAG compliant)
  • Doesn’t follow any specific design system
  • Uses whatever values “work” without systematic thinking
  • Optimizes for “it looks fine in Chrome on my laptop”

AI learned from average code. Average code is not accessible, not systematic, not maintainable.

What’s Actually Working

Your Layer 1 (Automated Quality Gates) is critical for design systems:

Pre-merge automation:

  • Accessibility linting (axe-core, eslint-plugin-jsx-a11y)
  • Design token validation (custom ESLint rules)
  • Visual regression testing (Percy, Chromatic)
  • Responsive breakpoint testing

These catch 60-70% of AI design violations before human review.

Layer 2 (Review Practices):
We added a “Design QA” checkbox to PR templates:

  • Uses design tokens (no hardcoded colors, spacing, fonts)
  • Passes accessibility audit (keyboard nav, screen reader, contrast)
  • Responsive across breakpoints
  • Matches Figma designs

Forces developers to verify these things instead of assuming AI got them right.

The Harder Fix: Custom AI Training

Your Layer 4 (training and culture) is necessary, but I think we need more:

Can we train AI on our design system specifically?

Instead of generic GitHub Copilot, can we:

  • Fine-tune on our component library
  • Provide design token schema as context
  • Include accessibility requirements in prompts
  • Reference our Figma design system

I don’t know if this is technically feasible, but generic AI clearly doesn’t understand design systems.

The Brutal Truth

AI makes it easier to ship bad code faster.

Without governance, we’re just accumulating design debt and accessibility debt at AI-accelerated speed.

Then we hit the audit (accessibility, security, compliance) and have to retrofit quality. That’s when the “productivity gains” evaporate.

Better to build it right with AI assistance than to build it wrong at AI speed.

How are others handling design system compliance with AI tools? Any success stories?

3

Keisha’s security examples are exactly what we’re dealing with in financial services. The stakes are even higher here because of regulatory compliance.

Security Vulnerabilities Are the Biggest Risk

Your 31% increase in security vulnerabilities flagged in code review—we’re seeing similar numbers.

Types of vulnerabilities AI introduces:

1. Input validation failures

  • SQL injection (AI generates string concatenation instead of parameterized queries)
  • XSS vulnerabilities (AI doesn’t sanitize user input)
  • Command injection (AI uses string interpolation with user data)

2. Authentication and authorization bypasses

  • Missing permission checks (AI copies code patterns without security context)
  • Insecure token handling
  • Session management flaws

3. Data exposure

  • Logging sensitive data (PII, credentials)
  • Exposing internal details in error messages
  • Missing encryption on sensitive fields

AI generates code that works functionally but fails security review.

Why Financial Services Can’t Accept This

In fintech, shipping vulnerable code isn’t just bad practice—it’s:

  • Regulatory violation (PCI-DSS, SOX, GDPR)
  • Potential data breach (massive liability)
  • Audit failure (blocks going public, fundraising, partnerships)

We literally cannot ship fast if code fails compliance.

So for us, the question isn’t “quality vs speed”—it’s “quality is a requirement, speed is conditional.”

What We’re Doing: Security-Gated AI Usage

Your Layer 1 (automated gates) is mandatory in our org:

Pre-merge requirements:

  • SAST (static security analysis) must pass
  • Dependency vulnerability scanning
  • Secrets detection (AI sometimes suggests hardcoded API keys from training data!)
  • SQL query analysis for injection vulnerabilities

These are blockers, not recommendations. PRs don’t merge if these fail.

Post-merge (but pre-production):

  • DAST (dynamic security testing) in staging
  • Penetration testing for new features
  • Manual security review for authentication/authorization changes

Layer 2 (review practices):

We added explicit security review checkpoints:

  • Any AI-generated code touching authentication requires security architect review
  • Any AI-generated database queries require manual SQL review
  • Any AI-generated API endpoints require threat modeling

This slows us down. But the alternative is shipping vulnerabilities.

The Cost-Benefit Reality

Here’s the uncomfortable math:

Scenario A: Ship fast with AI, accept vulnerabilities

  • Higher velocity (more features shipped)
  • Higher risk (security incidents, regulatory fines)
  • Potential catastrophic cost (data breach = $millions + reputation damage)

Scenario B: Ship carefully with AI + governance

  • Moderate velocity (some of AI gains consumed by quality gates)
  • Lower risk (vulnerabilities caught before production)
  • Sustainable (no catastrophic incidents)

In fintech, Scenario A is not an option.

The Developer Frustration

Keisha mentioned developer happiness. We’re seeing the opposite side:

Developers are frustrated that AI-accelerated code is getting blocked in security review.

“I wrote this feature in 2 hours with Copilot, why did it take 3 days to get through security review?”

Because the AI introduced 4 security vulnerabilities that you didn’t catch.

This creates tension:

  • Developers feel productive (they coded fast)
  • Security team feels like a bottleneck (they’re blocking PRs)
  • But the security team is doing their job (preventing incidents)

The root cause: AI made it easy to write insecure code quickly.

The Training Gap

Your Layer 4 (training) is critical. We’re implementing:

1. Secure coding with AI training

  • How to review AI-generated code for security issues
  • Common vulnerability patterns AI introduces
  • When to use AI (low-risk refactoring) vs avoid it (authentication logic)

2. Prompt engineering for security

  • Include security requirements in AI prompts: “generate a secure API endpoint with input validation and authentication”
  • Reference security standards: “follow OWASP guidelines”
  • Specify frameworks: “use parameterized queries, not string concatenation”

Better prompts → better AI output → less security review burden

My Controversial Take

Some code should not be AI-generated, period.

We’ve banned AI usage for:

  • Authentication and authorization logic
  • Cryptographic implementations
  • Payment processing
  • PII handling

These are too high-risk. The time savings aren’t worth the security exposure.

Developers can use AI for:

  • UI components (with design review)
  • Test generation
  • Documentation
  • Refactoring low-risk code

Strategic AI usage, not blanket AI usage.

The Quality Imperative

Keisha asked: “Should we accept lower quality as the cost of higher velocity?”

In regulated industries: No. Quality is non-negotiable.

In consumer products with lower risk tolerance, maybe the tradeoff is different. But for fintech, healthcare, infrastructure—quality failures have catastrophic consequences.

We need to optimize for sustainable velocity, not maximum velocity.

How are others in regulated industries handling this? What governance is actually working?

4

This discussion is forcing me to confront something I’ve been avoiding: We might need to pump the brakes on AI adoption until governance catches up.

The Technical Debt Accumulation Problem

Your quality degradation data, Keisha, matches what we’re seeing. But I want to add a dimension: long-term maintainability.

Current quality issues (bugs, security vulnerabilities, accessibility failures) are painful now.

But technical debt from AI-generated code is a time bomb for the future.

What Technical Debt Looks Like at AI Scale

Example 1: Hard-coded configuration

Developer uses AI to “optimize” a service. AI hard-codes configuration values that should be environment-specific.

  • Works perfectly in dev and staging
  • Breaks in production because production uses different values
  • Worse: The hard-coding is subtle, buried in AI-generated logic
  • Debugging takes 4 hours because no one understands the AI’s approach

Example 2: Inconsistent patterns

Different developers use AI to solve similar problems. AI generates 5 different patterns for the same use case.

  • All 5 work functionally
  • But now we have 5 places to update when requirements change
  • No consistent team pattern emerges
  • New developers are confused: “which pattern should I follow?”

Example 3: Missing abstractions

AI generates code that works for the specific use case, but isn’t generalized or reusable.

  • Feature ships quickly
  • Next feature needs similar logic
  • Developer copies AI-generated code, modifying slightly
  • Now we have duplicated logic in 3 places
  • When business rules change, we update 1 place and miss the other 2

These are all forms of technical debt that AI makes easier to create.

The Compounding Cost

Technical debt compounds:

Year 1: Ship features fast with AI, accumulate debt
Year 2: Debt slows new development (code is harder to change)
Year 3: Debt creates incidents (hidden assumptions break)
Year 4: Massive refactoring required (expensive, risky)

We’re in Year 1. The bill comes due later.

Research suggests that without quality governance, AI productivity gains are temporary—they reverse when technical debt accumulates enough to slow everything down.

The Governance Framework We’re Implementing

Building on Keisha’s four layers, here’s what we’re requiring:

Layer 1: Automated Quality Gates (Pre-Merge)

  • Security scanning (SAST)
  • Code quality analysis (SonarQube)
  • Complexity metrics (flag overly complex AI-generated code)
  • Test coverage requirements (AI must generate tests, not just code)
  • Design system compliance (for UI code)

Layer 2: Human Review (AI-Specific Checklists)

For AI-generated code, reviewers must verify:

  • Follows our architectural patterns (not just “a” pattern)
  • Handles edge cases (not just happy path)
  • Includes proper error handling (not minimal or missing)
  • Uses appropriate abstractions (not one-off solutions)
  • Integrates with existing systems correctly (doesn’t duplicate logic)
  • Includes tests that verify behavior, not just implementation

Layer 3: Developer Accountability

New team rule: “You’re responsible for code quality, regardless of who or what generated it.”

  • AI-generated code is not an excuse for poor quality
  • Developers must understand and be able to explain AI code
  • If you can’t debug it, you can’t ship it

Layer 4: Bounded AI Usage

We’re creating guidelines:

Green zone (AI encouraged):

  • Test generation
  • Documentation
  • Boilerplate and scaffolding
  • Refactoring well-understood code

Yellow zone (AI allowed with extra review):

  • New features in existing patterns
  • UI components
  • API endpoints

Red zone (AI prohibited):

  • Authentication/authorization
  • Security-critical code
  • Novel architectural decisions
  • Database migrations

The Cultural Shift Required

Luis mentioned developer frustration. We’re seeing it too.

The mindset shift we’re trying to create:

:cross_mark: Old: “AI wrote this code, it must be good”
:white_check_mark: New: “AI suggested this code, I verified it’s good”

:cross_mark: Old: “Review should be fast because AI code is usually correct”
:white_check_mark: New: “Review is critical because AI code often has subtle issues”

:cross_mark: Old: “We’re slow because review is blocking my AI-generated code”
:white_check_mark: New: “I’m accountable for shipping quality code, regardless of how it was generated”

This is hard. Developers love AI. They don’t love being told to slow down and verify quality.

The Leadership Decision

Keisha asked how to reconcile developer happiness (AI tools) with quality concerns.

My answer after this discussion: Short-term friction for long-term sustainability.

  1. Keep AI tools (developer satisfaction matters)
  2. Add governance (quality is non-negotiable)
  3. Accept slower gains (sustainable trumps maximum)
  4. Invest in training (teach people to use AI well)

Velocity will be lower than if we had no governance. But it will be sustainable.

The alternative—ship fast now, deal with quality crisis later—is not acceptable.

The Honest Question

Has anyone successfully maintained both high velocity AND high quality with AI tools?

Or is the tradeoff inevitable—governance reduces velocity, lack of governance reduces quality?

I’m hoping there’s a path to “quality at velocity,” but I’m not seeing it yet.

What’s actually working in practice?

5

Jumping in from the product side to add a dimension that hasn’t been discussed yet: customer impact of quality issues.

Quality Issues Affect Customer Trust

Michelle mentioned technical debt as a time bomb. But quality issues also have immediate business impact that’s measurable.

Our data from the last quarter:

Customer-facing incidents:

  • Production bugs requiring emergency fixes: +22%
  • User-reported issues: +18%
  • Support tickets related to broken functionality: +27%

Customer satisfaction:

  • NPS score: -4 points
  • Feature satisfaction ratings: Down from 4.2 to 3.8 (out of 5)
  • Churn from bugs/quality issues: +0.3% (small but meaningful)

Meanwhile, engineering is celebrating productivity gains.

There’s a disconnect: We’re shipping faster, but customers are less happy.

The Product Perspective on Quality

Keisha asked: “Should we accept lower quality as the cost of higher velocity?”

From a product perspective: It depends on what “quality” means.

Quality dimensions that matter to customers:

  • Functionality (does it work as promised?)
  • Reliability (does it work consistently?)
  • Performance (is it fast enough?)
  • Usability (is it easy to use?)

Quality dimensions that matter to engineers but customers don’t see:

  • Code elegance
  • Architectural purity
  • Test coverage percentage
  • Adherence to design patterns

We need to be specific about which quality we’re talking about.

The Business Tradeoff

Here’s the uncomfortable product truth:

Some technical debt is acceptable if it accelerates time-to-market for high-value features.

Example:

  • AI helps us ship a customer-requested integration 3 weeks faster
  • The code has some technical debt (hard-coded values, not perfectly abstracted)
  • But customers get value 3 weeks sooner
  • We can refactor later if needed

That’s a reasonable tradeoff.

But other quality issues are NOT acceptable:

  • Security vulnerabilities (breach risk)
  • Accessibility failures (legal risk, excludes users)
  • Reliability issues (breaks customer workflows)
  • Performance problems (affects all users)

These have direct customer and business impact. They’re not negotiable.

What Product Needs from Engineering

Luis’s “banned AI usage” list makes sense for high-risk code. I’d extend that concept:

Risk-based AI governance:

Low-risk changes (AI encouraged, light review):

  • UI refinements that don’t affect core flows
  • Performance optimizations in non-critical paths
  • Internal tools and scripts

Medium-risk changes (AI allowed, standard review):

  • New features in established patterns
  • Refactoring with good test coverage
  • Non-customer-facing improvements

High-risk changes (AI with extra scrutiny):

  • Customer-facing features with business impact
  • Payment or data handling
  • Core user workflows

Critical changes (AI usage requires approval):

  • Authentication and security
  • Regulatory compliance features
  • Integration with external systems

Different risk levels → different governance.

Measuring Quality Impact on Business

To Michelle’s question about velocity + quality, I think we need to measure quality in business terms, not just engineering terms.

Metrics that connect quality to business outcomes:

  • Customer-impacting defects (not all bugs, just ones customers experience)
  • Time to resolution (how fast do we fix customer-facing issues?)
  • Feature adoption rates (do quality issues prevent adoption?)
  • Support cost (quality issues increase support burden)
  • Customer satisfaction by feature (correlate quality with satisfaction)

These tell us if our quality is “good enough” from a business perspective.

If we’re shipping fast, maintaining customer satisfaction, and keeping support costs reasonable—we have the right quality bar.

If we’re shipping fast, but NPS is dropping and churn is increasing—our quality bar is too low.

The Balanced Scorecard Proposal

Instead of “velocity OR quality,” measure both:

Velocity metrics:

  • Features delivered per quarter
  • Time to market for customer requests

Quality metrics:

  • Customer-impacting defects per release
  • Customer satisfaction by feature
  • Support ticket rate

Productivity = Velocity × Quality

If velocity is up but quality is down, net productivity is flat or negative.
If both are up, we’ve achieved real productivity gains.

Right now, most orgs only measure velocity. That’s incomplete.

My Answer to Keisha’s Question

“Should we accept lower quality as the cost of higher velocity?”

No—but we should be specific about which quality dimensions are non-negotiable.

  • Security: Non-negotiable
  • Accessibility: Non-negotiable
  • Customer-facing reliability: Non-negotiable
  • Perfect code architecture: Negotiable
  • Zero technical debt: Negotiable (as long as it’s manageable)

The goal isn’t maximum quality—it’s appropriate quality for the business context.

Does this resonate? Am I being too pragmatic about technical debt?