logo
SolutionsCase Studies and InsightsEngineering Culture
logo

English

language icon
contact us

AI Code Ships Fast. So Do the Bugs.

img

The numbers on AI coding tools look great on a dashboard. Output is up. Lines committed per developer have tripled. Velocity metrics are positive.

But a different set of numbers is accumulating underneath the surface.

AI-generated pull requests average 10.83 issues per PR compared to 6.45 for human-authored PRs. That is 1.7 times more problems per change, not fewer. Code churn, meaning lines that get reverted or rewritten within two weeks of being committed, is up 39 percent in AI-heavy projects. And maintenance costs in organizations running unmanaged AI code are on track to reach four times traditional levels by year two.

So here is the actual situation: your team is generating more code faster, and that code is creating a maintenance and reliability problem that will be significantly harder to address in 18 months than it is today.

What the data actually shows

1.7x more issues per pull request in AI-authored code compared to human-authored code. Logic and correctness errors are 75 percent more common. Security issues are up to 2.74 times higher. (Source: CodeRabbit analysis of 470 GitHub PRs)

3x increase in lines of code per developer over two years, from 4,450 to 14,148. More code means more to review, more to test, and more surface area for bugs to hide in. (Source: Greptile State of AI Coding 2025)

4x the maintenance cost multiplier for organizations running unmanaged AI-generated code by year two. Year one runs 12 percent higher. Year two is where the real cost lands.

8x increase in large duplicated code blocks in AI-heavy projects. Refactored code as a share of all changes dropped from 25 percent in 2021 to under 10 percent in 2024. (Source: GitClear, 211M+ lines analyzed)

39 percent increase in code churn in AI-heavy projects. Code that gets reverted or substantially rewritten within two weeks of commit is not velocity. It is the appearance of velocity with the actual cost of rework.

The problem is not that AI writes bad code. The problem is volume.

AI coding tools are genuinely useful. That is not the argument here. The argument is that the way most engineering organizations have adopted them has created a structural mismatch.

Code review processes were designed for a world where a developer produces a certain volume of changes per sprint. When that volume triples and the issue density per PR increases, the same review process cannot maintain the same quality bar. Something gets through. And then something else.

After 18 months of compounding, you have a codebase that is technically larger, harder to navigate, and more expensive to maintain than the one you started with.

The Google DORA 2024 report found that a 25 percent increase in AI tool usage correlates with a 7.2 percent decrease in delivery stability. The metrics that most dashboards track are going up. The metric that matters for business outcomes is going down.

Where the quality gap actually shows up

Logic and correctness errors are 75 percent more common in AI code. These are the hardest bugs to catch in review because the code looks right. The syntax is correct, the structure is reasonable, but the behavior under specific conditions is wrong. The error only surfaces in production or in an edge case the AI model did not account for.

Security issues are up to 2.74 times higher in AI-generated code. This includes improper password handling, insecure object references, excessive I/O operations, and concurrency mistakes. Approximately 40 percent of AI-generated code in security-sensitive contexts contains critical vulnerabilities, per Apiiro's Fortune 50 analysis. Security findings per month increased 10 times between December 2024 and June 2025 in organizations that adopted AI coding tools at scale.

Readability problems are 3 times worse than in human-authored code. Code that is difficult to read takes longer to review, longer to debug, and longer to modify safely. New engineers take longer to onboard. Bug fixes are harder to scope. Features that should be straightforward become risky because no one is confident about what a change will touch.

67 percent of developers report spending more time debugging AI-generated code than expected. 75 percent of tech leaders are forecast to face moderate-to-severe technical debt by 2026.

What to do before the 18-month wall hits

First, measure what your current AI code adoption is actually producing. Pull your repository data for the past 12 months and look at three specific numbers: the percentage of PRs that require multiple review rounds before merge, your code churn rate, and the ratio of new code to refactored or deleted code. In most organizations that have adopted AI tools at scale, at least two of those three numbers will have moved in the wrong direction.

Second, rebuild your code review process for the volume AI tools produce. You have three options: scale review capacity proportionally (expensive), reduce the review bar (how bugs get through), or redesign the review process to handle higher volume without sacrificing quality. The organizations doing this well combine automated review tooling for the categories where AI makes consistent mistakes with human review focused on design decisions and business logic.

Third, protect your refactoring cadence as output volume grows. Refactoring dropped from 25 percent of all code changes to under 10 percent in codebases with high AI tool usage. Organizations that treat refactoring as a non-negotiable part of the sprint cycle consistently maintain better codebase health over time. This is a management decision, not a technical one.

Fourth, set a 24-month maintenance cost forecast before you scale AI coding adoption further. The year-one cost runs 12 percent higher than traditional code. The year-two cost is where the 4x multiplier lands. If your organization is planning to expand AI coding tool adoption, build the maintenance cost into the business case now, not when delivery slows down and no one can explain why.

The security angle CTOs are underweighting

The connection between AI code quality and your security posture is direct. An AI-generated codebase with 2.74 times more security issues and a 10x increase in monthly vulnerability findings is not just a maintenance problem. It is the attack surface your security team is trying to defend.

Paired with the patching gaps covered in the April 2026 Patch Tuesday brief, the picture for many organizations is a codebase that is generating new vulnerabilities faster than the existing ones are being closed.

The organizations managing both problems well are treating AI code quality as a security issue, not just an engineering quality issue, and giving their security teams visibility into the codebase health metrics, not just the CVE list.

Consult with us
logoPrivacyTerms of serviceEngineering CultureOpen RolesContact us

Case Studies

Talent Reinventors: Delivering value with and for peopleAI innovation is nonstop. Your cloud foundation should be too.The dawn of the agentic deal

Capabilities

Infrastructure & ReliabilityData & IntelligenceSystem Modernization & RefactoringCybersecurity & ComplianceAutomation & WorkflowsMarketing As CodeBusiness OpsToolkitsIndustries

Industries

TelecommunicationsBankingEnergyAutomotivesMedia

Get In Touch

+44 20 3286 8065

contactus@marchcroft.com