Multiple studies in 2025 examined the quality of AI-assisted code vs human-written code. The findings are nuanced and important for developers to understand.
When developers used AI assistance without careful review:
However: When developers reviewed AI code carefully, vulnerability rates returned to normal.
The lesson: AI code needs review. Not rubber-stamp review — real review.
AI-generated code is often:
Counter-intuitively, junior developers using AI assistance without strong code review skills ship more bugs than they would writing code manually — because they can't evaluate whether the AI output is correct.
Senior developers benefit more because they can critically evaluate AI suggestions.
AI generates code ↓ Does it do what I asked? (Functionality check) ↓ Are there security implications? (Security review) ↓ What happens with bad input? (Edge case check) ↓ Would I be comfortable reviewing this in a PR? (Quality bar) ↓ Ship it (or iterate)
// AI generates this:
async function deleteUser(userId: string) {
await db.user.delete({ where: { id: userId } });
return { success: true };
}
// Developer catches: no auth check, no soft delete, no audit log
// Developer fixes:
async function deleteUser(userId: string, requestingUserId: string) {
const requester = await db.user.findUnique({ where: { id: requestingUserId } });
if (requester?.role !== 'admin') throw new Error('Unauthorized');
await db.user.update({
where: { id: userId },
data: { deletedAt: new Date(), deletedBy: requestingUserId }
});
await auditLog.write({ action: 'user.delete', userId, requestingUserId });
return { success: true };
}AI wrote the skeleton. The developer added the correctness. That's the right workflow.
AI coding tools make developers faster. They also introduce new ways to ship bugs if used carelessly. The developers who benefit most are those with strong enough fundamentals to catch what AI gets wrong.
Use AI as a first draft generator, not a final answer machine.