GitHub forecasts 14 billion commits in 2026—a 10x increase from pre-AI levels. Your security team is already feeling it. Pull requests arrive faster, code reviews pile up, and the quality of code coming through your pipeline is questionable.
The promise of speed didn't mention the cleanup bill.
What Changed in Your Codebase
AI-generated code has become a default workflow. Your developers use it for boilerplate, junior engineers rely on it for implementation patterns, and citizen developers now ship features they couldn't have written 18 months ago.
The curl project shut down its bug bounty program in January 2026. Not because they solved security—because AI-generated pull requests created an "unsustainable asymmetry" between submission volume and review capacity. If a mature open-source project can't keep up, your team probably can't either.
Five Costs You're Already Paying
1. Review Burden Exceeds Review Capacity
Your security engineers review code for logic flaws, not just syntax. AI generates syntactically correct code that passes linters but fails security context. Each pull request looks fine in isolation. Vulnerabilities emerge when AI-generated functions interact in ways the model never trained on.
You're now reviewing 3-5x more code with the same headcount. Something has to give—and it's usually depth of review.
2. Skill Atrophy in Your Engineering Team
Your mid-level engineers stopped writing authentication flows from scratch. They prompt, review, merge. After 18 months, they've lost the muscle memory for secure session management. When the AI generates a timing attack vulnerability in token comparison, they don't catch it because they never learned to look for it.
This isn't about junior developers learning bad habits. It's about your senior engineers forgetting good ones.
3. Quality Debt Compounds Faster Than Technical Debt
Technical debt is deferred work you chose not to do. Quality debt is degradation you didn't notice happening. AI-generated code introduces subtle patterns that look reasonable in isolation:
- Error handling that logs but doesn't fail securely
- Input validation that checks format but not business logic
- Database queries that work but create N+1 problems at scale
Your static analysis tools catch the obvious issues. The subtle ones accumulate until a security audit finds 40 instances of the same flawed pattern across 15 microservices.
4. Security Context Gets Lost in Translation
AI models train on public code, which is full of security antipatterns—hardcoded credentials in examples, SQL injection in tutorials, XSS in Stack Overflow answers marked as "accepted."
Your prompt engineering can't fix this. You can specify "use parameterized queries," but the model doesn't understand why parameterization matters. It generates code that looks like your secure patterns but misses the threat model. The difference between user.id === requestedId and user.id == requestedId is invisible to the model but critical for authorization bypass prevention.
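The equality difference described above, worked through as an added example (not from the article): a loose-equality ownership check beside a strict one that parses the request parameter explicitly. The helper names and the user/request shapes are assumptions.

```javascript
// Added example, not from the original article. Names and data shapes are hypothetical.

// The pattern a model tends to emit: it "works" because the id from the URL
// is a string and loose equality coerces it, but the same coercion also
// makes an unauthenticated user (id undefined) match a missing parameter (null)
// and a user with id 0 match an empty string.
function canAccessLoose(user, requestedId) {
  return user.id == requestedId;
}

// Validate the untrusted parameter explicitly instead of relying on coercion.
// Returns an integer id or null when the input is not a plain decimal string.
function parseId(raw) {
  if (typeof raw !== 'string' || !/^[0-9]{1,15}$/.test(raw)) return null;
  return Number(raw);
}

// Strict check: both sides must be real integers and identical. A missing
// session id or a missing/malformed parameter can never satisfy it.
function canAccessStrict(user, requestedIdRaw) {
  const requestedId = parseId(requestedIdRaw);
  return Number.isInteger(user.id) && requestedId !== null && user.id === requestedId;
}

// Runs both checks over the cases a reviewer should try and reports where
// the loose version grants access that the strict version refuses.
function divergentCases() {
  const cases = [
    { name: 'normal request', user: { id: 42 }, raw: '42' },
    { name: 'anonymous user, missing param', user: { id: undefined }, raw: null },
    { name: 'user id 0, empty param', user: { id: 0 }, raw: '' },
    { name: 'other user', user: { id: 42 }, raw: '43' },
  ];
  return cases
    .filter(c => canAccessLoose(c.user, c.raw) && !canAccessStrict(c.user, c.raw))
    .map(c => c.name);
}
```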
5. Incident Response Gets Harder
When you find a vulnerability in AI-generated code, you can't just fix that instance. You need to:
- Identify every place the model generated similar patterns
- Determine if developers copied and modified the flawed code
- Update your prompts to prevent recurrence
- Retrain your team on the specific vulnerability class
The curl project's bug bounty shutdown isn't just about volume. It's about the impossibility of root cause analysis when the root cause is a statistical model making plausible-but-wrong decisions.
What This Means for Your Security Program
Your threat model just expanded. You're no longer securing code written by engineers who understand your architecture. You're securing code generated by a model that doesn't know your business logic, compliance requirements, or threat environment.
This affects three areas immediately:
Code Review Process: Your current review checklist assumes human-written code with human reasoning. AI-generated code requires different questions: Did the developer verify the AI's security assumptions? Does this pattern appear elsewhere in the codebase? What happens if this code interacts with other AI-generated functions?
Training and Skill Development: Your engineers need to maintain skills they're no longer exercising daily. If they're not writing authentication flows, they need structured practice to retain that expertise. If they're not designing database schemas, they need regular exposure to data modeling principles.
Security Testing Strategy: Your SAST tools catch syntax-level issues. Your DAST tools catch runtime vulnerabilities. Neither catches the semantic security issues that emerge when AI generates plausible-but-insecure logic. You need testing that validates business logic and security context, not just code correctness.
Action Items by Priority
Immediate (This Sprint)
Audit your last 90 days of merged pull requests. Flag any that contain AI-generated authentication, authorization, or data validation code. Review them specifically for semantic security issues—logic that's correct but insecure.
Add a required field to your PR template: "If AI-generated, what security assumptions did you verify?" This forces explicit review of AI output's security context.
This Quarter
Establish review capacity limits. If AI increases your commit volume 3x, your review depth can't stay constant. Either increase security engineering headcount or implement tiered review—intensive review for security-critical paths, lighter review for low-risk changes.
Create security pattern libraries for your AI tools. Don't just tell developers "use secure patterns." Give them verified, tested code snippets for common security functions in your stack. This reduces the chance they'll accept AI-generated antipatterns.
Next Six Months
Build skill maintenance into your engineering development plans. Your senior engineers need quarterly practice writing security-critical code without AI assistance. Your junior engineers need structured learning that builds security intuition, not just prompting skills.
Implement semantic security testing. Tools that validate business logic constraints, authorization boundaries, and data flow assumptions—the things AI gets wrong even when the syntax is perfect.
The Real Benchmark
GitHub's 14 billion commit forecast isn't a productivity metric. It's a warning about scale. Your security program was designed for human-speed code generation. You're now operating at AI speed with human review capacity.
The question isn't whether to use AI-generated code. You're already using it, whether you've formalized the practice or not. The question is whether you're accounting for its costs in your security budget, your hiring plans, and your risk assessments.
The velocity narrative is real. So is the cleanup bill. Budget for both.