BairesDev

AI Coding Mistakes: Where AI-Generated Code Fails in Real Engineering Work

AI coding tools speed up output, but they can also create duplicated code, architectural drift, and review bottlenecks. Here’s what teams should watch.

Last Updated: July 13th 2026
Technology
13 min read
Verified Top Talent Badge
Verified Top Talent
Izcóatl Estañol
By Izcóatl Estañol
AI/ML Circle Leader & Software Engineer30 years of experience

Izcóatl is a technology leader with 30+ years of experience architecting software solutions and scaling global engineering teams. He architected Sky's AI-driven media platforms and developed blockchain gaming features at Yuga Labs. At BairesDev, he serves as AI/ML Circle Leader, driving internal research and development communities.

AI coding mistakes illustration featuring common development errors, code quality issues, debugging, and software engineering best practices.

AI-assisted coding tools are everywhere now. The output looks good, and the delivery timelines look great. And then the bugs start showing up in places nobody expected.


Key Points

  • Higher PR volume doesn’t always mean higher delivery velocity.
  • AI-generated code often looks correct while missing system context, team conventions, or failure modes.
  • Common mistakes include logic errors, duplicated utilities, weak error handling, and architectural drift.
  • Teams need stronger verification habits before scaling AI coding tool usage.

The Code Looked Perfect. It Wasn’t.

Last year, I was working with a very capable development team on a new internal tool. The first version was almost done, but then I noticed developers delivering 80% solutions over and over, with show-stopping bugs showing up during code reviews and internal demos. Everything required a lot of rework, putting the timeline and commitment at risk.

Capable developers were relying on AI-assisted coding tools to generate and debug their code, and it seemed like we were always so very close to delivery. Our project post mortem identified a slew of hard lessons learned.

This pattern repeated itself with other teams I worked with: AI-generated code was fun to generate and seemed to scratch that itch that most developers chase: completing tasks and feeling productive. Unfortunately, that great feeling also leads to quality and security issues unless those same engineers can develop a strong discipline and a new relationship with these AI coding tools. They’re powerful, but they’re not necessarily your friend. Sometimes they listen, and sometimes they get a wild hare and just do something “creative”.

Top all of that with the fact that that feeling of accomplishment also comes with a shallow understanding of the solution developed, unless accompanied by that same discipline I just mentioned. Beware that LLM-generated code carries the DNA from its training data. Not operational experience or your codebase.

The Uncomfortable Truth

  • AI-generated code fails in insidious ways. Confident, articulate code that passes muster, written by someone who doesn’t understand production considerations.
  • Stack Overflow’s Developer Survey highlights an increasing number of developers who now distrust AI tool accuracy, moving from 31% to 46% in just a year’s time. And amongst the most experienced developers? The “highly trust” rate is 2.6%. That number is both painfully low and surprisingly high.

Automation Bias: Why “Looks Right” Gets Merged

Let’s talk about the new relationship between AI-written code and developers.

Developers see seemingly well-structured code come back from their frontier LLM of choice (e.g., Claude Code), and their gut reaction is that “it looks right.” That’s automation bias, and once you start looking for it, you’ll see it everywhere.

So, how do I know this is the case? The proof is in the numbers. Code churn (lines revised within two weeks of commit) is significantly up, going from 3.1% to 5.7% between 2020 and 2024, an 84% relative increase tracking directly with AI adoption. Code that looked correct got merged, then had to be fixed. Over and over.

I’ve watched this play out on a team that adopted AI tooling without changing its review process. The CodeRabbit State of AI vs. Human Code Generation Report put numbers on it. Across 470 real-world pull requests, AI-generated PRs averaged 10.83 issues versus 6.45 for human-authored code. Roughly a multiple of 1.7 mistakes, and not trivial lint findings: 1.4 times more critical issues, 1.7 times more major ones. Logic errors, architectural violations, security findings, everything.

The thing that’s really got me reaching for the antacids is how the newer models are churning out code that, honestly, doesn’t crash.

We’re talking plausible stuff that sails right through the unit tests, which, let’s be real, the AI probably wrote too. But what about the quiet rot in the codebase? The kind of expensive, fatal security flaw that nobody notices right away? A crash or an obvious failure? Your team jumps on that instantly.

But a subtle mistake in the payment calculation pipeline? That’s a slow burn with a much more painful (and costly) timeline.

Risky vs. safe AI coding workflow showing prompt-to-deploy versus review, testing, and security checks before deployment.

Context Loss: The Architecture AI Cannot See

So, I’ll pose a question. What’s the first thing I see when I engage with teams embracing AI-assisted coding?

Context loss.

Let’s define that: context loss is when your AI model forgets or ignores important parts of the conversation, or loses track of requirements or details of its own analysis of your codebase within a session. AI tools shine when they’re allowed to be laser-focused, doing surgical analyses and targeted fixes.

Unfortunately, as the size of your codebase increases, AI struggles to hold all of it, and there are parts of your system built up over time in terms of architecture, naming conventions, and team decisions littered throughout the code. These things tend to be underdocumented anyway, and it is too easy to lose sight of the fact that AI doesn’t know about these or that it didn’t realize the why behind certain approaches in the code. And the context window, no matter how large it gets, cannot hold all of that at once.

Duplicated Utilities Everywhere

Once the context window fills up, the tool stops seeing what already exists. I treat this exactly like an onboarding failure: Your carefully built utility libraries get nudged out, and it starts reimplementing things from scratch, locally, per file, per feature. It might even follow your coding guidelines while doing it.

That doesn’t help when you end up with 14 near-identical HTTP retry wrappers scattered across the codebase. The tool doesn’t know what it doesn’t know. And unlike your newest hire, it won’t ask.

A new developer who ignores existing patterns and reinvents everything is a problem. The same rules should apply to LLMs.

Architectural Drift

Now, let’s talk about your architecture and, oh, by the way, consistent architecture is a good thing. It’s the thing that keeps everyone moving in the right direction. But, AI tools don’t always grok the overall vision. We’re back to picking on AI’s surgical view of things, and that AI creativity might not always color within the lines.

Case in point: I had my AI tool write what looked like a “perfectly reasonable” new API endpoint. Clean code. Good structure. One problem: it completely bypassed the service mesh authentication layer. Not good.

Remember that AI falls back to its training when it doesn’t have explicit instructions to follow, and sometimes still does even when you ask for something specifically. At a cursory glance, everything worked great in dev. A security audit found it after two sprints into production, and untangling it took the better part of a week. Nobody was happy.

Convention Violations

Let’s name a few things that aren’t the fun part of software development: style guides, naming conventions, error handling idioms, service boundary rules.

Not fun, but really important when you have a team size greater than one. The model skipped those meetings. It can’t see any of it unless you paste it into the prompt, every single time, for every single request. Most developers don’t.

A CMU study of 807 open-source repositories confirmed what most experienced teams already suspect: these tools generate code faster, but not necessarily better software. Faster and better are not equal. Too many teams figure that out after the fact.

Security: What Happens When Nobody’s Looking

Now, the part where we talk about making our code and systems production safe: security. The failures here are predictable and grow linearly with the pain. These are not obscure CVEs or untraveled attack surfaces. These are the main culprits, those on the OWASP Top 10. Your CISO and software lead force you to sit through orientation and brown bags to know this stuff.

Veracode’s 2025 GenAI Code Security Report says that 45% of AI coding tasks came back with at least one OWASP Top 10 vulnerability. That’s a lot, and very, very unacceptable. A coin flip’s chance of introducing a major security hole is present when the AI tool writes anything security-adjacent.

Remember that LLMs train on public repositories full of insecure code, and they remember exactly what they learned.

Missing Error Handling: The Happy-Path Problem

I’ve spent way too many late nights and weekends debugging production failures that traced back to a missing null check or an overlooked exception handler.

The real cause is the happy-path problem. The bane of junior developers, and what separates junior developers from more seasoned staff. AI tools, like those fresh interns, write code for when everything goes right: inputs are clean, services respond, the database is up, the network is fast. What they haven’t experienced yet are the extra-long crunch sessions. Those are the sessions that teach you to program defensively, with a healthy dose of paranoia.

Null checks get skipped, early returns get left out, and exception logic is incomplete or just missing entirely. I’ve seen AI-authored PRs with nearly 8 times more I/O operations than human-written ones. Stack Overflow’s Engineering blog reports that pull request volume is up 20% per author, but incidents per pull request climbed 23.5%. More code, more incidents. The “productivity” is real. The quiet rot is too.

Here’s the thing about happy-path code: it’s a survivor. Gets through CI, gets through smoke tests, looks great in demo. Then production does what production always does and the whole thing falls apart.

No Verification Discipline: The Gap That Eats Your Gains

Sometimes, I sound like a broken record. I hear myself saying that it’s “almost right, but not quite” where AI coding has crept in.

The fix is verification discipline.

This is the biggest gap I’ve had to address. Two-thirds of my developer colleagues say they should have just written it themselves rather than slogging through the AI output. And, unfortunately, fewer than half bother to verify AI output before hitting commit. I’ll let you sit with that. Complacency is the new trend.

I lived this one last quarter. One of the developers was using Claude Code heavily and honestly, the velocity numbers looked fantastic. Sprint reviews were great. Then we discovered three endpoints returning stale cached data under concurrent load. The caching layer, which was AI-generated (naturally), had a race condition that nobody caught because all the tests ran sequentially. After that incident, I put a hard rule in place: concurrent load testing before merge for anything touching caching or concurrency. No exceptions. Nobody gets to say “it’s probably fine.”

If you’re looking for a place to start, this is the minimum I’d build into every AI-assisted workflow:

Workflow Stage Minimum Check Why It Matters
Prompting Include ADRs, style guide snippets, error handling examples Context the model can’t see otherwise
Reviewing output Read it like it was written by a confident stranger Automation bias is real and it will get you
Before commit Does this handle failure states? Concurrent load? Happy-path code ships constantly
Before merge Has a human traced the execution path end to end? AI-written tests are not independent verification
Before deploy Dependency audit, security scan, integration test on real data Not optional, not “we’ll do it next sprint”

The structural problem isn’t going away. These tools accelerate writing, but what about testing? Your team cranks out 2 to 3 times more code, but reviewers stay the same. Same pipe, more pressure, same number of inspectors.

You’ve probably already run into hallucinated logic-code the model generated with complete confidence that is just logically wrong. Spelling mistakes and syntax errors are basically a thing of the past, but logic errors are getting worse. There’s no test that catches a hallucination unless somebody specifically wrote that test expecting it. Most teams haven’t built that muscle yet.

Two-column infographic comparing AI strengths with engineer strengths, including architecture, security, infrastructure, and domain logic.

PR Hygiene: What Your Metrics Are Trying to Tell You

Your PR volume is up, probably significantly. AI coding tools are letting developers push 2 to 3 times more code, and your review queue is feeling it. PRs are bigger, too. Commit messages describe what got done, but not why. If this sounds like your Monday morning, keep reading.

I started paying close attention to these signals after a quarter where our review cycles were quietly inflating and nobody could put their finger on why. Once I dug in, the patterns were consistent: roughly 25% longer review cycles for AI-heavy pull requests. The findings in those PRs are far more likely to be logic or correctness issues, and business logic errors show up more than twice as often.

Signal What It Tells You How to Track It
PR volume per author up 20%+ Output accelerating without verified delivery Git analytics, weekly
Code churn rate increasing Premature merges being fixed within two weeks GitClear or custom metric
Average diff size growing AI-generated PRs getting larger PR analytics
Logic/security defect rate rising AI-specific categories trending worse Defect tagging by category
Review time inflating Reviewers absorbing missing context Time-to-merge tracking
Repeated pattern violation comments Context loss, not individual carelessness Review comment categorization

The table tells you what to track. What it can’t tell you is what the patterns mean when you see them. For example, a 20-30% jump in PRs without matching story delivery isn’t a productivity signal. Churn climbing means premature merges. 

Teams usually find that their AI-assisted PRs are 2-3 times more likely to be reverted. And repeated review comments about existing patterns (“this utility already exists,” “this doesn’t follow our error handling idiom”) are context-loss signatures, not individual carelessness. That’s a prompt engineering problem, and you can fix it.

Grid of eight AI coding mistakes: blind acceptance, context loss, security gaps, error handling, verification, PR hygiene, duplicated code, and conventions.

The Takeaway

I’ve collaborated with teams that got burned, and experienced a few issues on my own team. I’ve watched genuinely talented engineers, people I’d trust to architect a critical system from scratch, ship vulnerabilities, and pile up technical debt because they trusted the output without interrogating it. Not because they were careless, but because the output looked right. The code was plausible, and that’s the key issue.

AI tools aren’t going away, and I wouldn’t want them to. The productivity gains are real. BairesDev’s Q3 2025 Dev Barometer found that developers save an average of 7.3 coding hours per week when using AI tools.

Pie Chart from the Q3 2025 Dev Barometer, showing how many hours per week developers save by using AI tools.

The developer experience is legitimately good, too, and the teams that figure out how to use them well are going to have a real edge. What I keep telling engineers is to stop treating AI tool adoption as a tooling decision and start treating it as a process and culture problem.

The model isn’t the risk. The gap between how much code it produces and how rigorously your team reviews it… That’s the risk.

If I had to name one trait the winning teams share, it’s this: they built verification habits before they scaled AI usage, not after. They decided what “done” looks like when AI is in the loop, wrote it into PR templates and onboarding docs, and held the line. The teams that struggled decided to figure it out later.

Later always costs more.

Frequently Asked Questions

  • No. The productivity gains are real, though often overstated by AI enthusiasts and marketers. The problem is discipline. Tools used without review rigor produce measurably worse outcomes, and I’ve seen this play out firsthand. Account for the fragility tax, or you’re setting yourself up for a painful conversation with your stakeholders.

  • It helps, but there are a lot of limitations. I’ve had good results injecting ADRs, style guides, and module references into prompts. But a 128k-token context window sounds enormous until you map it against a production service with hundreds of files. Better prompting makes a dent. Doesn’t solve it. You still need humans in the loop.

  • It did. At the old volume. When everybody’s output jumps 2 to 3 times, your senior reviewers either spend more time reviewing (eating their own delivery) or they triage, and some PRs get a lighter touch. Pick one: more reviewers or a higher defect rate. I haven’t found a third option.

  • Probably some of it, but not all. Context windows are growing, but the core tension is architectural: AI generates code faster than humans can verify it. A perfect model doesn’t solve the review gap if you don’t staff for it. Build the discipline now. Your customers aren’t going to wait. Besides, LLM development seems to be slowing, and the compute shortage is real, so I wouldn’t expect huge leaps from new models.

Verified Top Talent Badge
Verified Top Talent
Izcóatl Estañol
By Izcóatl Estañol
AI/ML Circle Leader & Software Engineer30 years of experience

Izcóatl is a technology leader with 30+ years of experience architecting software solutions and scaling global engineering teams. He architected Sky's AI-driven media platforms and developed blockchain gaming features at Yuga Labs. At BairesDev, he serves as AI/ML Circle Leader, driving internal research and development communities.

  1. Blog
  2. Technology
  3. AI Coding Mistakes: Where AI-Generated Code Fails in Real Engineering Work

Hiring engineers?

We provide nearshore tech talent to companies from startups to enterprises like Google and Rolls-Royce.

Alejandro D.
Alejandro D.Sr. Full-stack Dev.
Gustavo A.
Gustavo A.Sr. QA Engineer
Fiorella G.
Fiorella G.Sr. Data Scientist