by Andrei_dev 80 days ago
Exactly. "Tests pass" and "code is secure" are just different things. AI code makes that gap worse.

I run static analysis on mixed human/AI codebases. The AI parts pass tests fine but they'll have stuff any SAST tool flags on first run — hardcoded creds, wildcard CORS, string-built SQL. Works in a demo, turns into a CVE in prod.

And nobody's review capacity scaled with generation speed. Most teams don't even have semgrep in CI. So you get unreviewed code just sitting in production.

The "10x" is real if you count lines shipped. Nobody counts the fix cost downstream though.
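The three findings named above, as a small AST-based check in the style of a SAST rule; this is an added illustration, not code from the comment. `scan_source`, the `CRED_NAMES` heuristic and the `SAMPLE`/`SAFE` snippets are constructed for this example.

```python
import ast
import re

# Names that look like they hold a secret (constructed heuristic, not any real tool's list).
CRED_NAMES = re.compile(r"password|passwd|secret|api_key|token", re.I)

def scan_source(src: str) -> list[tuple[int, str]]:
    """Return (line, message) pairs for the three patterns, sorted by line."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Assign):
            val = node.value
            for target in node.targets:
                # 1. hardcoded credential: secret-looking name assigned a non-empty string literal
                if (isinstance(target, ast.Name) and CRED_NAMES.search(target.id)
                        and isinstance(val, ast.Constant) and isinstance(val.value, str) and val.value):
                    findings.append((node.lineno, f"hardcoded credential in {target.id}"))
                # 3. wildcard CORS: headers["Access-Control-Allow-Origin"] = "*"
                if (isinstance(target, ast.Subscript) and isinstance(target.slice, ast.Constant)
                        and str(target.slice.value).lower() == "access-control-allow-origin"
                        and isinstance(val, ast.Constant) and val.value == "*"):
                    findings.append((node.lineno, "wildcard CORS origin"))
        # 2. string-built SQL: execute() whose first argument is an f-string or concatenation
        elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
              and node.func.attr in {"execute", "executemany"} and node.args
              and isinstance(node.args[0], (ast.JoinedStr, ast.BinOp))):
            findings.append((node.lineno, "SQL query built from string"))
    return sorted(findings)

# Constructed input: the kind of snippet that passes its unit tests but fails SAST on first run.
SAMPLE = '''DB_PASSWORD = "hunter2"
def lookup(conn, user):
    conn.cursor().execute(f"SELECT * FROM users WHERE name = '{user}'")
def add_cors(resp):
    resp.headers["Access-Control-Allow-Origin"] = "*"
'''

# Constructed hardened counterpart: secret from the environment, parameterised query, allow-listed CORS.
SAFE = '''import os
ALLOWED_ORIGINS = {"https://app.example"}
DB_PASSWORD = os.environ["DB_PASSWORD"]
def lookup(conn, user):
    conn.cursor().execute("SELECT * FROM users WHERE name = ?", (user,))
def add_cors(resp, origin):
    if origin in ALLOWED_ORIGINS:
        resp.headers["Access-Control-Allow-Origin"] = origin
'''
```

`scan_source(SAMPLE)` reports one finding per pattern with its line number, while `scan_source(SAFE)` returns an empty list; a real CI gate would run a tool such as semgrep with maintained rules rather than this heuristic.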