devdot

AI Wrote Most of Your New Code This Year. Duplication Just Quadrupled.

AI coding tools are now in 91% of engineering orgs, but code duplication has risen fourfold and nearly half of generated code ships with vulnerabilities. The speed is real. So is the maintenance bill.

The numbers from this year are hard to argue with. Around 91% of engineering organisations have adopted AI coding tools. Adoption is no longer the story. What happens to the code afterwards is.

Here are two findings worth sitting with. Code duplication has risen fourfold since teams started leaning on AI generation. And roughly 48% of AI-generated code has been found to carry a security vulnerability. Most teams have rolled out the tools without rolling out anything to govern what the tools produce.

That gap is where the next two years of pain lives.

Why Duplication Is the Quiet Killer

When a developer needs a function, they tend to look for the existing one first. An agent usually does not. Ask it to add a date formatter, a retry wrapper, or a validation helper, and it will happily write a fresh one, even if three near-identical versions already exist three folders away.

Each copy looks fine in isolation. The pull request passes. The feature works. The cost shows up later, when a bug lives in all four versions and someone fixes one of them. Now your behaviour is inconsistent across the codebase and nobody knows it until a customer does.

Duplication is not a style complaint. It is a multiplier on every future change you make.

Speed Without Verification Is Just Faster Debt

The trade most teams accepted was speed for a bit of mess. That trade is fine if you have a way to catch the mess. The problem is that AI generation got dramatically faster while the review layer stayed exactly the same size. One reviewer, with the same hours in the day, now faces three times the volume of code, written in seconds rather than typed over an afternoon.

Reviewers compensate by skimming. Skimming is how a vulnerability in nearly half of generated code makes it to main.

The fix is not to slow the agents down. It is to make verification something the system does, not something one tired human does at 5pm.

What Actually Works

A few practices separate the teams that are pulling ahead from the ones quietly accumulating debt:

  • Run duplication detection in CI. Tools like jscpd or built-in linters can fail a build when a new block closely matches existing code. Make the agent confront the duplicate before a human ever sees the PR.
  • Treat security scanning as a default gate, not a quarterly audit. Static analysis and dependency scanning on every PR catches the bulk of the 48% before it ships.
  • Give your agents context about what already exists. A lot of duplication comes from agents that cannot see your shared utilities. Point them at your internal libraries and conventions so the first instinct is to reuse, not rewrite.
  • Measure code health as a real metric. Track duplication rate and vulnerability density over time the way you track uptime. What you do not measure, you will not defend.
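To make the first bullet concrete, here is an added illustration of a CI duplication gate (example code written for this post, not jscpd's implementation or devdot's own tooling; assumes Python 3.9+). It hashes sliding windows of normalised lines, reports which windows of a new file already exist in the repository, and fails the build when the covered fraction exceeds a threshold; the sample files are constructed.

```python
import hashlib
import re
from collections import defaultdict

WINDOW = 4  # consecutive significant lines that must match before we call it a clone
def normalise(source: str) -> list[str]:
    # Drop comments, blank lines and indentation so a reindented copy hashes the same
    # (toy rule: '#' always starts a comment, so it would also clip one inside a string).
    lines = (re.sub(r"#.*$", "", line).strip() for line in source.splitlines())
    return [line for line in lines if line]

def windows(lines: list[str]):
    # Yield (sha1, start_index) for every run of WINDOW consecutive normalised lines.
    for i in range(len(lines) - WINDOW + 1):
        yield hashlib.sha1("\n".join(lines[i:i + WINDOW]).encode()).hexdigest(), i

def find_clones(repo: dict[str, str], new_file: str) -> list[tuple[str, int, int]]:
    # (existing_path, line_in_existing, line_in_new) for each window of new_file
    # already present in repo; indices refer to normalised lines.
    index = defaultdict(list)
    for path, src in repo.items():
        for digest, i in windows(normalise(src)):
            index[digest].append((path, i))
    return [(path, i, j) for digest, j in windows(normalise(new_file))
            for path, i in index.get(digest, [])]

def duplication_ratio(repo: dict[str, str], new_file: str) -> float:
    # Fraction of the new file's significant lines that lie inside a known clone.
    covered = {k for _, _, j in find_clones(repo, new_file) for k in range(j, j + WINDOW)}
    return len(covered) / max(len(normalise(new_file)), 1)  # empty file -> 0.0

def ci_gate(repo: dict[str, str], new_file: str, threshold: float = 0.0) -> bool:
    # The CI check: True lets the build pass, False blocks the PR.
    return duplication_ratio(repo, new_file) <= threshold
# Constructed sample: an existing retry wrapper and an agent-written copy of it.
EXISTING = {"utils/retry.py": """
def retry(fn, attempts=3):
    for n in range(attempts):
        try:
            return fn()
        except Exception:
            if n == attempts - 1: raise
"""}
NEW_FILE = """
def retry_call(fn, attempts=3):  # new name, fresh copy of the same body
    for n in range(attempts):
        try:
            return fn()  # inline comment, stripped before hashing
        except Exception:
            if n == attempts - 1: raise
"""
```

On this sample the renamed helper still shares five of its six significant lines with `utils/retry.py`, so `ci_gate(EXISTING, NEW_FILE)` blocks the PR; raising `threshold` or `WINDOW` tunes how much overlap a team tolerates.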

The Real Takeaway

AI made writing code cheap. It did not make owning code cheap. The teams that win this phase are the ones who understood that shipping faster only pays off if the thing you shipped is still maintainable in six months.

Governance is not the boring tax on velocity. It is what keeps velocity from eating itself.

We're here to help founders and teams design and build digital products that are built to scale with you, not slow you down. If you're looking to build something, get in contact with us today!
