We're All Using AI Coding Tools Daily - But Do We Actually Trust Them?

General
1

I had a weird moment of self-awareness today. I was working through a gnarly refactoring task, and I realized I’d invoked GitHub Copilot at least 10 times in the past hour. Tab-complete, accept suggestion, move on. Rinse and repeat.

Then I caught myself second-guessing literally every suggestion it made. Reading the generated code line by line. Running tests. Checking edge cases. Basically treating it like code from an intern I didn’t quite trust yet.

Which got me thinking: If I don’t trust it, why do I keep using it?

The Numbers That Made Me Think

I came across some recent data that really crystallized this cognitive dissonance:

  • 91% of engineering organizations now use AI coding tools
  • But only 33% of developers actually trust the output
  • Meanwhile, 46% actively distrust it
  • Yet 51% of us use these tools daily

We’re in this weird paradox where AI coding assistants have become part of our daily workflow, but we fundamentally don’t trust what they produce. That’s… not how we’ve adopted other development tools, right?

The “Close But Not Quite Right” Problem

Here’s what really resonates with my experience: 66% of developers say they struggle with AI solutions that are close, but ultimately miss the mark.

This is the insidious part. It’s not like AI generates garbage code that’s obviously wrong. It generates code that looks professional, that seems reasonable, that passes a casual glance. But then you dig deeper and realize it’s missing a critical edge case, or it’s using a deprecated API, or it’s technically correct but architecturally wrong for your codebase.

45% of developers report that debugging AI-generated code takes longer than just writing it themselves. I felt that in my bones this week.

How This Is Different

Think about how we adopted other developer tools:

  • Stack Overflow: We learned to critically evaluate answers, check dates, understand context. We trusted the voting system and our own judgment.
  • IDEs and autocomplete: Built up over decades, deterministic, predictable. IntelliSense suggests method names - we trust it because it’s reading our actual codebase.
  • Linters and static analysis: Explicitly designed to catch mistakes. We trust them because they’re paranoid.

But AI coding tools are different. They’re probabilistic, not deterministic. They’re trained on massive amounts of code - both good and bad. They don’t understand our specific codebase context. They confidently generate code that can be subtly wrong in hard-to-detect ways.

My Working Theory

I think we’ve unconsciously outsourced the “easy stuff” to AI while keeping the verification burden entirely on ourselves.

AI is great at:

  • Boilerplate code
  • Common patterns we’ve seen a million times
  • Converting pseudocode to actual code
  • Writing tests for straightforward functions

But we still own:

  • Understanding if the generated code is correct
  • Verifying it fits our architecture
  • Ensuring it handles edge cases
  • Checking for security vulnerabilities
  • Making sure it’s maintainable

So we’re getting speed on the generation side, but we’re paying for it with increased cognitive load on the verification side. And I’m not sure that trade-off actually makes us faster overall.

The Question I Keep Coming Back To

Is this sustainable?

More importantly: What happens when junior developers grow up in this environment? If you learn to code by accepting AI suggestions and iterating based on test failures, do you develop the same mental models as someone who learned by writing code from scratch?

I’m genuinely curious about this. I came up writing code character by character, making mistakes, debugging them, learning patterns through repetition. Junior devs today are coming up in a world where the first draft is always AI-generated.

Are we creating a generation of engineers who are great at prompt engineering and verification but less strong at creative problem-solving and architectural thinking? Or is this just the natural evolution of the craft, and my concerns are the same as COBOL programmers had about high-level languages?

How I’m Handling It (For Now)

My current approach is pretty ad-hoc:

  1. Use AI for obvious boilerplate and well-established patterns
  2. Write security-critical and architecturally-important code myself
  3. Treat all AI suggestions as “code from an external library I’m vetting”
  4. Run comprehensive tests on anything AI-generated
  5. Do extra-thorough code review on my own AI-assisted PRs

But I feel like I’m making this up as I go along. I’d love to hear how others are thinking about this.

What’s your relationship with AI coding tools? Do you trust them? Should we?

2

Alex, this resonates so much with what I’m seeing across our organization. You’ve identified a critical tension that I think is fundamentally an organizational design problem, not just a tool adoption issue.

The Dashboard vs. Reality Problem

We’re eight months into widespread AI tool usage across our 80-person engineering team, and I’m watching this exact paradox play out in our metrics:

What looks great:

  • PR velocity up 20%
  • Developer satisfaction scores improved
  • Self-reported productivity gains around 25%

What doesn’t:

  • Production incidents up 23.5%
  • Time senior engineers spend on code review has doubled
  • Rollback rate increased by 30%

The dashboards tell leadership one story. The on-call engineers are living a different reality.

Senior Engineers Are Becoming AI Code Reviewers

Here’s what’s happening that worries me most: Our most experienced engineers are spending increasing amounts of time reviewing AI-generated code from mid-level and junior engineers.

Is this the best use of their expertise? Should our principal engineers be debugging why an AI assistant generated an inefficient database query, or should they be designing the next generation of our platform architecture?

We’re creating an invisible tax on senior engineering time, and I’m not sure we’re accounting for it properly in our productivity calculations.

What We’re Trying

I’m approaching this as a leadership and process challenge, not a technology problem. A few experiments underway:

1. Explicit AI Review Checkpoints
We’ve added a field to our PR template: “Percentage AI-generated” with three options: None, Partial, Mostly. If “Mostly,” it requires review from a senior engineer who’s been trained on AI-specific code review patterns.

2. New Mental Models for Code Review
Traditional code review asked: “Is this code correct and maintainable?”

AI-era code review adds: “Does this code demonstrate understanding of the problem, or is it a copy-paste solution that happens to work?”

3. Redefining Senior Engineering
If AI can generate code, what makes a senior engineer valuable? I’m increasingly convinced it’s:

  • Problem decomposition skills
  • System design and architectural thinking
  • Code review and verification expertise
  • Mentoring on when NOT to use AI

These are the skills we’re now explicitly developing and promoting.

The Sustainability Question

You asked if this is sustainable. My honest answer: Not in its current form.

What I think needs to change:

  • We need better tooling for flagging AI-generated code that needs extra scrutiny
  • Engineering education needs to adapt (more on verification, less on syntax)
  • Our definitions of productivity need to include code quality and system stability
  • We need to develop new roles or specializations for this era

The junior developer question you raised keeps me up at night. I’m seeing brilliant young engineers who can ship features incredibly fast but struggle when asked to debug something they didn’t write. Their problem-solving muscles aren’t being developed the same way ours were.

What’s Working

Despite my concerns, I’m not anti-AI tools. The teams that are successful have a few things in common:

  • Explicit guidelines about when to use AI (boilerplate, tests, docs) vs. when not to (core business logic, security-critical code)
  • Strong mentorship culture where senior engineers help juniors understand why AI suggestions might be wrong
  • Emphasis on testing - AI-generated code must have comprehensive test coverage
  • Curiosity about how things work - encouraging engineers to understand AI suggestions, not just accept them

The goal isn’t to slow down development. It’s to make sure our velocity is pointed in the right direction.

What are other engineering leaders seeing in their organizations? Are your metrics telling the same story as ours?

3

Trust is the wrong metric here. Let me reframe this from a security perspective.

We Don’t Trust Compilers Either - We Verify

Nobody asks “Do you trust your compiler?” We trust that it follows predictable rules, but we still:

  • Write comprehensive tests
  • Run static analysis
  • Do code reviews
  • Monitor production behavior

AI coding tools need the same approach. The question isn’t “Can we trust AI?” It’s “How do we verify AI output effectively?”

The 45% Problem

Recent research shows 45% of AI-generated code contains security vulnerabilities. Let me put that in perspective:

If your junior developer submitted PRs where nearly half contained security flaws, you’d dramatically increase review scrutiny or rethink their role. Yet we’re accepting this from AI tools and calling it “productivity.”

From my bug bounty work, I can tell you: AI-generated code is a goldmine for vulnerability hunting. The patterns are predictable:

  • Missing input sanitization (most common across all models)
  • Insecure deserialization
  • XSS vulnerabilities (2.74x more likely than human-written code)
  • Improper authentication handling (1.88x more likely)

The False Confidence Problem

Here’s what makes AI code particularly dangerous: It looks more trustworthy than it is.

A junior developer’s insecure code often has telltale signs - awkward patterns, obvious gaps, questionable naming. You can spot it in review.

AI-generated code looks professional. Clean formatting. Consistent naming. Comments even. It passes the “glance test” but fails the “security test.”

This is worse than obviously bad code, because it bypasses our natural skepticism.

Practical Mitigation

Stop thinking about trust. Start thinking about verification layers:

1. Treat AI Code as Untrusted Input
Same mental model you’d use for:

  • Code from a contractor you haven’t worked with
  • Open source dependencies you’re evaluating
  • External API responses

Never assume it’s secure. Always verify.

2. Security-Specific Prompting
Research shows that adding explicit security requirements to prompts improves outcomes. For Claude Opus 4.5 with security reminders: 66% secure code vs 56% without.

Simple addition: “Ensure this code includes input validation and follows OWASP security best practices.”

3. Critical Code Zones
Some code should have zero AI involvement:

  • Authentication and authorization logic
  • Cryptographic implementations
  • Payment processing
  • Security patch code
  • Anything handling PII or credentials

The risk-reward doesn’t make sense in these areas.

4. Static Analysis + AI Review
Your static analysis tools should scan AI-generated code with the same rigor as human code. Better yet, add AI-specific checks:

  • Flagging common AI vulnerability patterns
  • Checking for outdated library usage (AI models suggest pre-cutoff libraries)
  • Verifying security-critical functions weren’t AI-generated

The Developer Skill Question

Alex, you asked about junior developers growing up with AI. From a security lens, this terrifies me.

If developers don’t learn to recognize common vulnerability patterns manually, they can’t spot when AI makes security mistakes. Understanding WHY code is insecure is fundamental to writing secure systems.

Security isn’t about following rules. It’s about threat modeling, understanding attack vectors, thinking like an adversary. Can you learn that by accepting AI suggestions and fixing test failures?

I’m skeptical.

My Recommendation

Use AI tools. They’re here to stay and they do provide value. But change your mental model:

OLD: “AI assists me in writing code”
NEW: “AI generates code I must verify”

Shift from assistance to generation + verification. Make verification a first-class part of your workflow, not an afterthought.

And for the love of secure systems: Never copy-paste AI-generated authentication, authorization, or cryptographic code into production without deep security review.

The 45% vulnerability rate is not a tool problem. It’s a process problem. Build processes that assume AI output is insecure until proven otherwise.

4

This conversation is so familiar! I’m seeing the exact same pattern in design tools, and I think there are some interesting parallels. :sparkles:

Design Tools Are Having The Same Crisis

In the design world, we’ve got:

  • Figma AI generating layouts from text prompts
  • Midjourney creating images that look professional
  • AI tools suggesting color palettes and typography

And designers are in the same weird headspace you’re describing. We use these tools daily but trust them about as far as we can throw them.

The 60/40 Rule I Live By

From my experience (including a failed startup where we shipped too fast with poor UX), here’s my mental model:

AI gets you to 60% really quickly.
Humans do the critical 40%.

That 40% is:

  • Understanding user context and edge cases
  • Making sure it fits the broader system
  • Applying judgment about what “good” actually means
  • Catching the subtle things that make the difference between okay and great

Sound familiar to what you’re describing with code? :blush:

The Startup Failure Lesson

My startup failed partly because we optimized for velocity over quality. We used every shortcut, every tool, every hack to ship features fast.

Users didn’t care how fast we shipped. They cared whether the product actually solved their problem well.

The lesson that cost me a year of my life: Velocity without quality just gets you to the wrong place faster.

AI coding tools feel like the same trap at scale. Sure, you can generate code faster. But if that code is subtly wrong, or doesn’t integrate well, or creates technical debt… have you actually sped up? Or have you just front-loaded work that will cost you more later?

The Context Problem

What I’ve noticed with design AI (and I’m curious if this matches code AI):

AI tools lack contextual understanding.

They can generate a button component that looks great in isolation. But they don’t know:

  • How this button relates to the design system
  • Whether this pattern is consistent with the rest of the product
  • If this is accessible to users with disabilities
  • What the business constraints are

I’m guessing code AI has similar blindspots? It can generate a function that works, but doesn’t understand:

  • Your team’s architecture patterns
  • Performance implications for your specific use case
  • How this fits into your existing codebase
  • What your actual requirements are beyond the immediate prompt

Junior Designers Face The Same Question

You asked about junior developers growing up with AI. I’m seeing junior UX designers who can use AI to create mockups incredibly fast but struggle to explain WHY a design works.

They skip the research phase (AI can generate a design without user research!). They don’t develop taste because AI averages out to “pretty good.” They can’t defend design decisions because they didn’t make them - they accepted suggestions.

It’s creating a skill gap that concerns me. But I’m also trying to stay open-minded - maybe this is just the evolution of the craft? :thinking:

What I’m Telling My Mentees

When I mentor bootcamp UX students, my advice is:

  1. Learn the fundamentals first - Understand design principles before using AI shortcuts
  2. AI is for exploration, not production - Use it to explore options fast, but make conscious decisions
  3. Always ask why - If you can’t explain why the AI suggestion is good, don’t use it
  4. Human judgment is your value - Tools will get better, your judgment is what makes you valuable

I wonder if similar advice applies to junior engineers?

The Question I Keep Coming Back To

Is there a world where AI makes us better at the important stuff by handling the routine stuff?

Like, maybe if AI handles boilerplate, junior developers can focus more on system design and architecture earlier in their careers?

Or maybe (my fear) they never develop the muscle memory and intuition that comes from writing thousands of lines of code manually?

I don’t know the answer. But I appreciate you starting this conversation, Alex. The trust paradox is real, and I don’t think we’ve figured out the healthy relationship with these tools yet. :thought_balloon: