Existing Problems With AI-assisted Coding

|

AI-assisted coding tools (autocomplete, code generation, refactoring assistants, test generation, etc.) have transformed developer workflows — boosting productivity, reducing boilerplate, and helping junior engineers get unstuck. But they also introduce real, tangible problems that teams must recognize and manage. This article examines the most important problems with AI-assisted coding, demonstrates a few concrete failure modes with code examples, and outlines practical mitigations and best practices.

Overreliance and Loss of Deep Understanding

One of the first problems is cognitive: if developers rely too heavily on AI to write code, they may stop understanding the design decisions, edge cases, and invariants in their systems.

Example: a junior dev accepts a generated helper function without verifying its algorithmic complexity or correctness.

python
# Generated helper: returns the median of a list
def median(arr):
arr.sort()
n = len(arr)
if n % 2 == 1:
return arr[n//2]
return (arr[n//2 - 1] + arr[n//2]) / 2

At first glance this works. But what if arr is a generator or a very large list where copying/sorting is too costly? The generated code hides complexity decisions. Overreliance can cause performance surprises and brittle designs.

Mitigation: always review algorithmic complexity, add docstrings and unit tests, and ask the model to explain tradeoffs before accepting a suggestion.

Hallucinations and Incorrect Logic

Large language models can “hallucinate” — produce plausible but incorrect code, API names, or algorithmic steps. This is especially dangerous when the AI fabricates modules, function signatures, or database fields.

Example: generated database query using a non-existent column:

javascript
// Generated by an assistant
const sql = `SELECT id, name, email, is_active_user FROM users WHERE id = ?`;
db.query(sql, [userId], (err, rows) => { /* ... */ });

If database has is_active instead of is_active_user, the query silently returns null for that column — bug introduced by an imagined field.

Mitigation: cross-check generated code against real schemas, use typed interfaces (TypeScript, typed ORM models), and run quick integration tests.

Security Vulnerabilities Introduced Automatically

AI can introduce code that is insecure or unsafe — e.g., SQL injection, insecure deserialization, use of eval, misconfigured cryptography. Because generated code often looks idiomatic, it may pass cursory inspection.

Example: SQL injection through naive string interpolation:

python
# risky generated snippet
def find_user_by_name(db, name):
# BAD: direct string interpolation
query = f"SELECT * FROM users WHERE name = '{name}'"
return db.execute(query)

If name contains "'; DROP TABLE users;--", catastrophic damage may occur.

Mitigation: always use parameterized queries/prepared statements, input validation, static security scanning, and human review for security-sensitive code.

Licensing and Copyright Risks

AI models are trained on huge corpora that may include copyrighted code under various licenses. When a tool generates code, it may reproduce licensed snippets or patterns that create legal exposure.

Example: a generated function that mirrors a GPL-licensed implementation may oblige project-level license constraints if included verbatim.

Mitigation: implement license scanning of AI outputs, prefer training models on permissively licensed corpora, require legal review before including suspicious generated blocks, and ask the model explicitly to generate “original code” and include an attribution-checking step.

Inconsistent Style & Maintainability

Generated code can be inconsistent with a project’s style, naming conventions, or architecture. That increases cognitive load for future maintainers.

Example: mixing paradigms — a class-based design generated next to a functional-style codebase increases friction.

Mitigation: configure the AI tool with project settings (linting rules, code style), include style-checking CI jobs (linters, formatters), and prefer small, well-scoped generated changes.

Context Window Limitations & Missing Global State

AI models are constrained by context size. They might not see long files, many repository files, or long issue descriptions. This leads to suggestions that ignore global invariants.

Example: generating code that uses a global cache variable without the actual repository pattern having any cache:

javascript
// AI suggests using cache, but repo doesn't define it
if (cache.has(key)) {
return cache.get(key);
}

Mitigation: provide tools with broader repo context (code indexes, embeddings), but enforce human review and integration tests that exercise global state.

Propagation of Biases and Bad Patterns

If models learn from widely used but bad patterns (e.g., certain insecure defaults, anti-patterns), they can propagate them.

Example: generating code that trusts user-supplied JSON without validation — a pattern seen in many real-world examples.

Mitigation: curate training data, use rule-based checks, and run automated linters and security scanners that enforce policies.

Unclear Attribution & Who Owns the Code

When AI assists heavily in creating code, legal and organizational questions appear: who is the author? Who is responsible for bugs? Many teams haven’t settled on internal policies.

Mitigation: establish an internal policy that treats AI outputs as suggestions; require a human sign-off and maintain commit messages noting “AI-assisted” where appropriate.

Scalability of Generated Dependencies

AI may suggest adding new dependencies without vetting them — each new dependency increases surface area for vulnerabilities, maintenance, and licensing complexity.

Example: a generator suggests pulling in a small package for a single utility:

json
// package.json change suggested:
"dependencies": {
"left-pad-plus": "^1.0.0"
}

Mitigation: prefer standard library solutions, vet each dependency for maintenance health, license, and security, and enforce dependency review policies.

Prompt Injection & Supply-Chain Attacks

AI tools that execute code or prompts from untrusted sources are vulnerable to prompt injection — malicious inputs that manipulate model behavior and lead to unsafe code generation.

Mitigation: avoid executing raw, unverified prompts in production systems, sanitize inputs, isolate model execution environments, and log model outputs for auditing.

Poor Test Coverage for Generated Code

Generated code can look correct but may not be covered by tests. Relying on generation without testing increases bug risk.

Example: generated sorting routine not tested for empty lists or non-comparable elements.

Mitigation: require automated unit and integration tests for generated code. Many AI tools can generate tests alongside code — always review and extend these tests.

Example: Securing Generated SQL

Below is a safe refactor of earlier SQL example to avoid injection and to be robust:

python
# Safe parameterized query using psycopg2 (Postgres)
import psycopg2
from psycopg2.extras import RealDictCursordef find_user_by_name(conn, name):
with conn.cursor(cursor_factory=RealDictCursor) as cur:
cur.execute(“SELECT id, name, email, is_active FROM users WHERE name = %s”, (name,))
return cur.fetchone()

This example demonstrates explicit parameterization and typed cursor. Always run integration tests to verify columns and behavior.

Example: Adding Unit Tests for Generated Code

If an assistant generates a median function, write tests:

python

import unittest

def median(arr):
arr = list(arr) # ensure we can handle generators
arr.sort()
n = len(arr)
if n == 0:
raise ValueError(“median of empty list”)
if n % 2 == 1:
return arr[n//2]
return (arr[n//21] + arr[n//2]) / 2

class TestMedian(unittest.TestCase):
def test_odd(self):
self.assertEqual(median([3,1,2]), 2)
def test_even(self):
self.assertEqual(median([1,2,3,4]), 2.5)
def test_empty(self):
with self.assertRaises(ValueError):
median([])
def test_generator(self):
self.assertEqual(median(x for x in [5,4,6]), 5)

if __name__ == “__main__”:
unittest.main()

Tests protect against silent failures and force attention to edge cases.

Tooling: Static Analysis and CI Integration

AI-assisted coding should be combined with strong CI: linters, formatters, type checkers, SAST (static application security testing), dependency scanners (e.g., Snyk, Dependabot), and license scanners. Don’t allow generated PRs to merge without passing these checks.

Team Process and Governance

Tools alone won’t solve organizational risk. Adopt policies such as:

  • Treat AI outputs as drafts — always require human review and tests.

  • Tag commits that include generated code.

  • Enforce dependency and license checks for AI-suggested libraries.

  • Keep an allowlist of safe libraries and patterns for quick vetting.

  • Provide training so developers can spot hallucinations and security risks.

Future Directions: Model Explainability & Fine-Tuning

To reduce problems, teams should pursue:

  • Fine-tuning models on internal, curated code to match style and reduce hallucinations.

  • Using smaller, specialized models for code generation with stricter constraints.

  • Demand model explainability: require the assistant to produce a short justification for structural suggestions and complexity analysis.

Cost & Infrastructure Considerations

AI code generators add infrastructure costs, latency, and integration overhead. Running a private model for sensitive projects requires investment: storage, model updates, and compliance checks.

Mitigation: measure ROI, prefer on-prem or private-hosted models if data sensitivity requires it, and implement throttles and caching.

Ethical Considerations

AI-assisted coding may displace some tasks and create inequality in teams. Ethical policies should address fairness, attribution, and training opportunities for staff to use the tools effectively.

Conclusion

AI-assisted coding holds huge promise — it reduces repetitive work, accelerates prototyping, and helps developers write better code faster. But those benefits come with clear and present problems: hallucinations that create silent bugs, security vulnerabilities (like SQL injection or unsafe eval usages), licensing exposure, degraded developer understanding, inconsistent code style, and supply-chain risks from unvetted dependencies. These issues are not theoretical; they show up in PRs, production incidents, and legal disputes.

The pragmatic approach is multi-layered. First, treat AI outputs as suggestions, not finished features. Require human sign-off, tests, and integration checks before merging generated code. Second, enforce strong CI gates — linters, type checkers, SAST, dependency scanners, and license audits must be mandatory for PRs that include AI-generated code. Third, implement organization-wide governance: a policy for attribution, a vetting pipeline for new dependencies, and training so teams can spot hallucinations and security issues. Fourth, improve the tools: fine-tune models on curated internal code, configure the assistant to follow project style guides, and prefer models that can provide short, structured rationales along with code. Finally, maintain ethical and legal awareness — understand when generated code might carry license obligations and how to document AI assistance in your development lifecycle.

Concrete practices that teams can adopt immediately include parameterized queries, typed interfaces, unit and integration tests for generated code, and a “no-merge” rule without passing CI. Over time, invest in more advanced measures: private models for sensitive code, repository-aware assistants that index the whole codebase, and audit trails for AI suggestions.

In short: AI-assisted coding is a powerful amplifier — it accelerates both good and bad practices. The technical and organizational costs of ignoring its risks are real. By combining automated checks, human review, explicit governance, and developer education, teams can capture the productivity upside of AI while avoiding many of the pitfalls laid out above. The end goal should be a workflow where AI augments human judgment — not replaces it — and where every generated line is treated with the same rigor as manually written production code.