The Bottleneck Moved

Anthropic just shipped something that tells you everything about where software engineering is headed: an AI security tool designed specifically to catch vulnerabilities introduced by AI code generation. Let that sink in. We've reached the stage where AI needs to check AI's homework.

Claude Code Security integrates directly into the coding workflow and "reasons through code like a security researcher," scanning for the specific class of bugs that LLMs love to produce—the ones that compile cleanly, pass tests, and quietly open your database to the world. It even suggests automated patches.

This isn't paranoia. CodeRabbit's analysis this week found that AI-authored code carries 2.74x more security issues than human-written code. When a quarter of your production codebase is machine-generated (and climbing), that multiplier starts to look existential.

Here's a problem nobody saw coming when we celebrated the democratization of code generation: open-source maintainers are getting buried under AI-generated pull requests that look right but aren't.

The pattern is insidious. An AI generates a PR that compiles, passes CI, reads like idiomatic code. A maintainer reviews it, maybe catches one issue, merges with minor edits. Six months later, a subtle logic error surfaces in production. Who owns that bug? The contributor who typed a prompt? The model that hallucinated the edge case? The maintainer who didn't have four hours to deeply audit what appeared to be a clean contribution?

InfoWorld calls it "the asymmetry between the speed of AI code generation and the time required for human review." That asymmetry is crushing volunteer-run projects. It costs nothing to generate a 500-line PR. It costs hours to properly review one. And once merged, the maintainer inherits the support burden for years.

This is an economic attack on open source disguised as contribution. The intent is good. The net effect is toxic. Some major projects are now requiring contributors to certify that code wasn't AI-generated—a bandaid on a systemic problem.

The numbers are in, and they're brutal. Senior engineers using AI tools are shipping 2.5x more code—but PR review times have ballooned 91% and PR sizes have inflated 154%. We didn't eliminate the bottleneck. We moved it.

Here's what actually happened: AI made code generation trivially fast, so junior developers (and, let's be honest, senior ones too) started shipping more of it. But code review—the thing that actually catches architectural mistakes, subtle bugs, and security holes—still requires a human brain that understands the codebase. There's no --skip-review flag for production software.

The result is a crisis of throughput. Your most experienced engineers—the ones who should be designing systems and mentoring juniors—are now spending their days reading through mountains of machine-generated code, much of it solving problems that didn't need solving. CodeRabbit's data shows AI-generated code has 1.7x more issues overall and 2.74x more security vulnerabilities than hand-written code.

The uncomfortable truth: AI made the cheap part of software engineering cheaper. The expensive part just got more expensive.

Technical debt has a new cousin, and it's worse. Researchers are calling it "cognitive debt"—what accrues when developers accept AI-generated code without building the mental models of why it works.

We all know the pattern. The AI suggests a solution. It compiles. Tests pass. You move on. But here's the thing: you never actually reasoned through the problem. Six weeks later, when that code breaks at 2 AM, you're debugging something you never understood in the first place. Your memory traces of the logic are "faded"—because they were never formed.

The research found that experienced developers are sometimes working slower with AI assistance. Not because the tools are bad, but because the cognitive shortcut of accepting generated code means they skip the deep reasoning that usually happens during implementation. When that reasoning doesn't happen, post-incident triage and debugging times explode.

This doesn't mean you should stop using AI tools. It means you should treat every Accept button as a question: "Do I understand this well enough to debug it at 2 AM?" If the answer is no, take the five minutes to trace the logic. Future-you will be grateful.

This is the chart that should humble every AI hype cycle participant: 92.6% of developers now use AI coding assistants at least monthly. Three-quarters use them weekly. AI-authored code in production hit 26.9%, up from 22% last quarter. And productivity gains? Flatlined at roughly 10%—about 4 hours saved per week—since mid-2025.

The initial surge was real. AI autocomplete genuinely helped developers skip boilerplate, scaffold projects faster, and cut "time to the 10th PR" in half for new hires. But once every team had GitHub Copilot or Cursor or Claude Code, the marginal returns collapsed.

Why? Because the easy wins—autocomplete, boilerplate generation, test scaffolding—have natural ceilings. The hard parts of software engineering (architecture, debugging distributed systems, navigating ambiguous requirements) are exactly the parts that current AI tools handle poorly. The next wave of productivity gains will require fundamentally different tools: ones that reason about systems, not just individual functions.

The smart money is now moving toward AI for maintenance and onboarding rather than raw generation. If the tool can help a new hire understand a legacy codebase in days instead of months, that's worth more than any autocomplete.

The data is now unambiguous: the developer labor market has split into two trajectories, and they're moving in opposite directions. Median salaries for general software development roles dropped 9% year-over-year in both the US and UK. Meanwhile, AI/ML engineering roles climbed 4.1%, and AI infrastructure specialists are seeing double-digit increases.

Companies are openly using the "AI narrative" to suppress wages for undifferentiated roles. The argument is straightforward, if cynical: if AI can write CRUD endpoints, why pay a premium for someone whose primary skill is writing CRUD endpoints? Whether or not the premise is true (see: the productivity plateau above), the perception is real enough to move compensation committees.

The more concerning trend is what WhatJobs flags beneath the salary data: junior hiring is declining significantly. If companies stop investing in growing new developers because AI handles the entry-level work, where do senior engineers come from in five years? You can't accelerate a career path that doesn't exist.

The advice writes itself, even if it's frustrating: specialize. The era of the well-compensated generalist who "knows a bit of everything" is narrowing fast. Systems thinking, security expertise, AI tool orchestration, and deep domain knowledge are the premiums. "I can code" is table stakes.