Is AI generated code safe for production?
Jul 13, 2026 · 10 min read · By Tomas Eklund, Staff Engineer
AI generated code is safe for production when it goes through the same review process as human code: a pull request, a passing test suite, your security scanners, and a required human approval before merge. It is not safe when it is pasted straight into a branch because it looked plausible. The risk lives in the process, not in the model.
That framing matters because most of the anxiety about AI code is aimed at the wrong target. Teams worry about whether the model is smart enough. The failures that actually reach production come from review shortcuts, and those are entirely within your control.
What the real risks are
There are four failure modes worth taking seriously. None of them are exotic, and all of them are things a good review catches.
- Plausible but wrong. This is the big one. AI code reads well. It has sensible names, reasonable structure, and a confident shape, which means it passes the eyeball test far more easily than the equivalent bad code from a tired human. Reviewers relax exactly when they should not.
- Silently wrong at the edges. The happy path works and the edge cases quietly do not: an empty list, a null, a timezone, a concurrent write. If your tests do not cover the edge, neither the agent nor your reviewer will notice.
- Outdated or invented APIs. A model can reach for a library method that was deprecated two versions ago, or one that never existed. This usually fails loudly at build or test time, which is why running the tests is not optional.
- Dependency risk. Code that pulls in a package to solve a small problem, where the package is unmaintained, oversized, or not something you would have chosen.
Notice what is not on that list: the model deliberately doing something malicious. That is not the threat model for a coding agent working on your repo. The threat model is competent-looking work that nobody checked properly.
Does AI generated code introduce security vulnerabilities?
It can, in the same ways human code does: injection through unsanitized input, missing authorization checks, secrets committed by accident, unsafe deserialization. An AI agent has no special insight into your authorization model, so it will reproduce whatever pattern it sees in your existing code. If your codebase has a weak pattern, the agent will scale that weakness faster than a human would.
This is the strongest practical argument for keeping AI code inside your existing scanning pipeline rather than beside it. Static analysis, secret scanning and dependency review are all more valuable now than they were, because the volume of code arriving for review has gone up while reviewer attention has not. Run them on agent pull requests exactly as you run them on human ones, and treat a scanner finding on agent code as a hard block rather than a note.
There is a separate and newer class of risk once agents start calling tools and reading untrusted content, where a malicious instruction hidden in a web page or a ticket can steer the agent into doing something you did not ask for. That is prompt injection, and it is worth understanding as its own problem: if you run agents with real tool access, you need to think about how those agents are constrained at the tool and data boundary and not just about the code they emit. For a coding agent whose only output is a pull request you review, the blast radius is bounded by design, which is a large part of the point.
The controls that make it production-safe
None of this is novel. The controls that make AI code safe are the controls you already have, applied without exceptions.
- The pull request is the boundary. If the agent's only way to affect the codebase is to open a PR, then every governance mechanism you already trust applies automatically: branch protection, required reviewers, CODEOWNERS, CI gates. The agent inherits your process rather than routing around it.
- Tests run before a human looks. A failing test suite should mean the change never reaches a reviewer. Human attention is the scarcest thing you have, and spending it on code that does not even pass its own tests is waste.
- A human approves every merge. Not as a formality. The reviewer is the control, and the moment approval becomes a rubber stamp the whole model collapses.
- Scanners are non-negotiable. Static analysis, secret scanning, dependency review. Automated checks scale with code volume in a way that reviewer attention does not.
- Least-privilege repo access. The agent should reach the repositories you connected and nothing else.
- No training on your code. Get it in the contract, not in the marketing copy.
Agentcode is built around the first three: it opens a pull request and stops, it runs your existing test suite and shows it green before you look, and it never merges on its own. The enterprise AI coding assistant page covers how this maps onto SSO, audit logs and a security review.
How do you review AI generated code properly?
Review it more skeptically than human code, and in a different order. The instinct that serves you well on a colleague's PR, scanning for style and obvious mistakes, is exactly the instinct that AI code defeats, because it is stylistically clean and superficially obvious-looking.
- Read the tests first, not the diff. The question is not whether the code looks right. It is whether the tests would have caught it being wrong. Weak tests plus passing tests equals no information.
- Check the edges the tests do not. Empty inputs, nulls, concurrency, timezones, failure paths. This is where plausible code quietly breaks.
- Verify every API it used is real and current. Especially anything unfamiliar.
- Ask what it did not change. Missing work is invisible in a diff. Did it update the migration, the docs, the type definitions, the other three call sites?
- Read the plan against the outcome. If the agent wrote a plan, check the diff actually does what the plan said. Divergence is a signal.
We wrote a longer walkthrough of this in how to review an AI pull request, including what to do when the diff is too large to review honestly.
Who is liable if AI code breaks production?
You are. This is worth being blunt about, because some teams adopt these tools with a vague sense that the vendor absorbs some of the risk. No AI coding vendor takes responsibility for a defect that a human reviewed and merged into your product, and none of them should be expected to.
That is precisely why the human approval step is not bureaucracy. It is the point where accountability attaches. An engineer who approves an agent's pull request is making the same professional judgment they make when approving a colleague's, and the organization treats it identically. A team that internalizes this reviews properly. A team that treats agent output as pre-blessed does not, and finds out later.
What about code quality over time?
The medium-term risk is not a single bad merge. It is drift: a codebase that slowly accumulates code no human on the team fully understands, because it arrived fast, looked fine, and passed the tests. This is a real cost and it does not show up in any single review.
The mitigation is the same as it is for any fast-moving team. Keep changes small enough to review honestly, and reject a pull request that is too large rather than skimming it. Hold agent code to your existing conventions instead of letting it invent its own. Keep test coverage strong, since coverage is what lets you refactor later with confidence. And be deliberate about what you delegate: well-scoped work on code with good tests is the right target, and open-ended architectural decisions on a poorly tested module are not.
So, is it safe?
Yes, under conditions you control, and no, if you skip them. AI code that passes a real test suite, clears your scanners, and gets a genuine human review is about as safe as code from a competent new engineer, which is to say safe enough to ship and worth reviewing carefully. AI code that gets merged because it looked convincing and the tests were green is a bet you will eventually lose.
The comforting part is that the safety work is not new work. If your organization already has a defensible answer for how human code reaches production, that same answer covers agent code, provided the agent is forced down the identical path. That is the entire design premise behind an AI coding agent that only ever opens a pull request, and it is why review-first is a security property rather than a UX preference.