Spotify’s best engineers haven’t written a single line of code since December 2025. Their internal “Honk” system — built on Claude Code — lets engineers describe a bug fix on their phone during a commute and merge the deployment before reaching the office. That’s the headline. Here’s what the headline misses: 43% of AI-generated code changes still require manual debugging in production, even after passing QA and staging. AI is generating code faster than any team in history. The question is whether anyone can verify it.
The Reliability Tax: AI Writes Fast, Developers Debug Longer
Lightrun’s “State of AI-Powered Engineering 2026” surveyed 200 SRE and DevOps leaders across the US, UK, and EU. The numbers are precise: developers now spend 38% of their working week — roughly two full days — on debugging, verification, and environment-specific troubleshooting of AI-generated code. For 88% of companies in the survey, this “reliability tax” consumes between 26% and 50% of weekly engineering capacity. Not a single respondent reported being “highly confident” that AI-generated code would behave correctly after deployment.
The speed gain is real. The downstream cost is systematically underreported. Teams measuring productivity by lines of code generated are missing the full picture.
The Trust Paradox: 92% Adoption, 29% Trust
92% of US-based developers already use AI coding tools at work. Yet according to the Stack Overflow 2025 Developer Survey of 65,000+ respondents, developer trust in AI accuracy has dropped from 40% to 29% year over year. Favorability fell from 72% to 60%. Only 9% believe AI code can ship without human oversight. 66% say they spend more time fixing “almost-right” AI code than they expected when they adopted these tools.
The adoption curve is one metric. The trust curve is another — and the two are moving in opposite directions.
Security: The Risk Accelerating Under the Surface
According to ProjectDiscovery’s 2026 AI Coding Impact Report, CVEs directly traceable to AI-generated code went from 6 in January to 15 in February to 35 in March 2026 — tripling in three months. Veracode testing across 100+ LLMs found that AI introduced security vulnerabilities in 45% of cases. One in five organizations has already experienced a serious security incident linked to AI-generated code. The same AI tools increasing velocity are also expanding the attack surface — and security teams lack tooling to keep pace.
Code Verification Becomes a Discipline — Qodo’s $70M Signal
In March 2026, Qodo raised a $70M Series B, bringing total funding to $120M, with backing from Qumra Capital and investors including OpenAI’s Peter Welinder and Meta’s Clara Shih. Its customers include Nvidia, Walmart, Red Hat, and Intuit. Qodo’s mission: “Artificial Wisdom” — ensuring AI-generated code is correct, not just generated. It ranked #1 on Martian’s Code Review Bench at 64.3%, more than 25 points ahead of Claude Code Review. Meanwhile, cURL shut down its bug bounty program after being overwhelmed by “AI slop” — low-quality auto-generated submissions that reviewers could not process. The signal is clear: AI code generation without verification infrastructure is a compounding liability.
What Engineering Teams Should Implement Now
The organizations gaining real leverage from AI coding tools share a common trait: they treat verification as a first-class engineering concern, not an afterthought.
- Mandatory CI/CD gates for AI-generated code — no agent output reaches production without passing automated test suites. This requires prior investment in test coverage, not improvisation after adoption.
- Static analysis on every AI-generated PR — tools like SonarQube, Checkmarx, or Snyk running automatically on every pull request, with results visible before review, not after.
- Security scanning specific to LLM output patterns — AI tends to generate plausible-looking but insecure code: hardcoded credentials, insecure deserialization, overly permissive API surfaces. Standard SAST rules need to be supplemented.
- Runtime observability before scaling agents — 60% of teams in the Lightrun survey cite lack of runtime visibility as the primary bottleneck. Instrument with OpenTelemetry before expanding agentic use cases.
Conclusion
AI coding tools are not going away — and they shouldn’t. But the teams that will extract lasting value are those that treat code verification as infrastructure, not overhead. The bottleneck has shifted from writing to verifying. The engineering discipline to address it is still forming. Building that discipline now, before scaling agentic workflows, is the difference between sustained productivity and a growing reliability debt. Want to discuss how your engineering organization should approach this transition? Let’s talk.