Felipe Hlibco — AI, Engineering Leadership & DevRel

/home

/posts

/projects

/reading

/skills

/tools

/talks

/about

~/Posts/ AI-Generated Code: The Trust and Verification Gap

AI-Generated Code: The Trust and Verification Gap

Felipe Hlibco

There’s this moment I keep seeing on my team. An engineer gets a Copilot suggestion. It looks right. It passes the quick mental check. They tab-accept and move on.

Twenty minutes later, a test fails. The bug trace leads back to that accepted suggestion — a subtle null handling issue the generated code glossed over.

This happens more than anyone wants to admit. And it scales.

The paradox in numbers #

Three statistics that, taken together, should alarm anyone running an engineering org:

96% of developers say they don’t fully trust AI-generated code. Sounds like healthy skepticism, right? Good?

But then: only 48% report they always verify AI-generated code before committing. Nearly half the time, code that developers themselves don’t trust goes into the codebase unverified.

And the kicker: 38% of developers say reviewing AI-generated code takes more effort than reviewing human-written code.

So the code is less trusted AND harder to review AND not always reviewed.

That’s the verification gap. The delta between how much developers trust AI code (not much) and how rigorously they check it (not enough).

Why the gap exists #

I’ve talked to our engineers about this. The reasons aren’t surprising once you hear them.

Speed pressure. AI tools increase output velocity. That velocity creates an implicit expectation — from managers, from product, from the engineers themselves — to maintain pace. Slowing down to carefully verify every suggestion feels like defeating the purpose of using the tool.

Cognitive fatigue. Reviewing code someone else wrote is already tiring. Reviewing code an AI generated — which often looks plausible but lacks the contextual reasoning a human colleague would bring — is more tiring. After the tenth suggestion in an hour, verification discipline erodes.

The “looks right” trap. AI-generated code is syntactically clean. It follows patterns. It uses reasonable variable names. It looks more correct than it often is.

Human-written code has idiosyncratic formatting, personal style, sometimes messy-but-functional approaches that are easier to scrutinize precisely because they look imperfect. AI-generated code’s polished surface makes bugs harder to spot.

Unclear ownership. When you write code yourself, you own the mental model. You know what you intended, so you can verify against that intent. When AI generates code, you’re reverse-engineering intent from output.

That’s a fundamentally different cognitive task — one developers aren’t trained for and that current workflows don’t support well.

What the bugs actually look like #

Over the past few months at DreamFlare, I’ve been tracking the types of bugs that trace back to AI-generated code. The patterns are consistent enough to be useful:

Input validation blind spots #

AI-generated functions frequently handle the happy path well but skip edge-case validation. A function that processes user input might correctly parse the expected format but silently accept malformed data instead of throwing.

The code works in tests (which use well-formed fixtures) and fails in production (which receives the internet’s creative interpretations of your API contract).

Exposed configuration #

Generated code sometimes includes hardcoded values that should be environment variables — API endpoints, default ports, feature flags. Not secrets exactly (AI assistants are pretty good about not generating literal API keys), but configuration that shouldn’t be baked into the source.

These aren’t bugs per se; they’re deployment hazards that slip through because the code “works” in development.

Stale patterns #

AI models are trained on internet-scale code, which means they’ve absorbed years of deprecated patterns. I’ve seen Copilot suggest componentWillMount in React, request library usage in Node.js (deprecated since 2020), and outdated TypeScript patterns that predate strict mode improvements.

The code compiles. The code runs. The code uses patterns that the rest of your codebase explicitly moved away from.

Logic that’s almost right #

This is the most insidious category. Code that works correctly for 95% of inputs and fails silently for the rest.

Off-by-one errors in pagination logic. Timezone handling that works for UTC but breaks for offsets. Async operations that resolve in the expected order during testing but race in production.

These bugs are hard to catch in review because the logic looks correct. You have to reason carefully about edge cases — exactly the kind of deep analysis that gets skipped when verification discipline is low.

The cultural dimension #

This isn’t just a tooling problem. It’s a culture problem, and that’s what makes it hard.

At most companies, code review culture evolved around human-written code. The reviewer assumes the author had intent, made deliberate choices, and can explain their reasoning in PR comments. Review focuses on architecture, correctness, and style.

AI-generated code breaks those assumptions. The “author” (the AI) had no intent. It can’t explain its reasoning. It can’t answer “why did you choose this approach?” in a PR comment. The reviewer has to bring more of their own reasoning to fill that gap.

Most review cultures haven’t adapted. The same review processes designed for human-to-human code review get applied to AI-generated code without adjustment.

That’s where the verification gap lives — in the mismatch between the review process and the nature of the code being reviewed.

What we’re trying at DreamFlare #

I’m not going to pretend we’ve solved this. We haven’t. But we’ve started experimenting with practices that seem to help:

AI-origin tags in commits #

We ask engineers to tag commits that contain significant AI-generated code. Not every Copilot autocomplete (that would be noise), but substantial blocks — functions, modules, or architectural patterns that came from AI suggestions.

This gives reviewers a signal: “scrutinize this more carefully.”

It’s imperfect. People forget. The boundary between “AI-generated” and “AI-assisted” is fuzzy. But the tags have caught real issues in review that would have otherwise slipped through.

Dedicated verification time #

We’ve made an explicit cultural decision: AI-generated code saves time in writing. Some of that saved time must be reinvested in verification.

If Copilot cuts your implementation time in half, you should spend a meaningful chunk of the saved time on testing, edge case analysis, and review.

This sounds obvious. In practice, it requires active reinforcement because the default human behavior is to pocket the time savings and move to the next task.

Edge-case-first testing #

For AI-generated code, we write edge-case tests before reviewing the implementation. The reasoning: if the AI handles the happy path well (it usually does), the bugs live in the edges.

Writing edge-case tests first forces you to think about the boundary conditions the AI likely missed.

// Write these BEFORE reviewing the AI-generated function
describe('parseUserInput', () => {
  it('handles empty string', () => { /* ... */ });
  it('handles null/undefined', () => { /* ... */ });
  it('handles extremely long input', () => { /* ... */ });
  it('handles unicode characters', () => { /* ... */ });
  it('handles input with embedded SQL', () => { /* ... */ });
});

This practice has caught more bugs per hour invested than any other change we’ve made.

Architecture reviews that question AI patterns #

When an engineer proposes an architecture that came largely from AI suggestions (ChatGPT architectural advice, Copilot-generated scaffolding), we explicitly ask: “What did the AI not know about our system?”

The AI doesn’t know our deployment topology, our traffic patterns, our latency requirements, our team’s operational capacity. Forcing that question surfaces assumptions that AI-generated architecture silently bakes in.

The skill that actually matters #

Reviewing and validating AI-generated code has been identified as the most important skill for the AI era of software development.

I agree, but I’d push further: it’s not one skill, it’s three.

Pattern recognition. Spotting the common failure modes (input validation, stale patterns, happy-path-only logic) quickly enough that review doesn’t become a bottleneck.

Adversarial thinking. Looking at code and asking “how does this break?” rather than “does this look right?” The former catches AI bugs; the latter misses them because AI code always looks right.

Specification discipline. The clearer your requirements, the better AI-generated code is — and the easier it is to verify. Engineers who invest in clear specifications before engaging AI tools produce code that’s both better and more reviewable.

The organizational blind spot #

Here’s what worries me most: most engineering organizations measure productivity, not correctness.

If AI tools boost lines of code, features shipped, or PRs merged per week, the metrics look great. The verification gap doesn’t show up in any dashboard. It shows up in production incidents, technical debt, and the slow erosion of code quality that only becomes visible months later.

The organizations that navigate this well will be the ones that measure verification effort alongside productivity. That might mean tracking test coverage specifically for AI-generated code, monitoring the bug rate by code origin, or explicitly budgeting review time as a percentage of development time.

We’re not there yet. Nobody is, as far as I can tell. But the gap between how fast we can generate code and how well we can verify it is widening, and closing it is — genuinely — one of the most important engineering challenges of the next few years.

Where I land #

AI coding tools are phenomenal. I use Copilot daily. Our team uses it daily. The productivity gains are real, measurable, and valuable.

But we’ve built a system where the rate of code creation far exceeds the rate of code verification. The tools generate code at machine speed; we verify it at human speed (and with human discipline, which is inconsistent).

That asymmetry is the verification gap, and pretending it doesn’t exist doesn’t make it go away.

The answer isn’t to stop using AI tools. The answer is to build verification into the culture and the workflow with the same urgency we brought to adopting the tools themselves.

Treat verification as a first-class engineering activity, not an afterthought.

Trust the tools. But verify the output.

Every time.

OpenAI Codex: Structuring AI-Native Teams
Developers Share What Helped Them Land New Roles in 2024
back to top