
Key facts.
- Differential patch testing found SWE-bench Verified resolve rates can be inflated by up to roughly 6 percentage points, so headline scores overstate real capability. source
- Nearly half of AI-generated code carries a known vulnerability, so output that is ungated reaches production with flaws. source
- Measured productivity can be negative even when developers feel faster, so honest measurement is the discriminator. source
What do the successful teams do differently?
Differential testing inflated SWE-bench rates ~6 points; burned teams trust the upgrade number, survivors measure the agent themselves. (arXiv:2310.06770)
They refuse to take the agent on faith, in three specific ways. First, they measure honestly: not the vendor benchmark, which differential testing shows is inflated and not the developers' feeling of speed, which the METR trial shows can be the opposite of reality, but the actual cycle time and quality in their own codebase. Second, they gate the output: because nearly half of generated code is insecure, they run every change through security scanning, tests and review as a hard requirement, so the flaws do not ship. Third, they scope the agent: they identify the changes where it reliably helps, the well-bounded, well-understood ones and route the legacy-tangled, high-fan-out or judgment-heavy work to humans. None of these is about having the best model. They are about treating the agent as a fallible tool whose output you verify, measure and bound.
The teams that get burned invert all three. They trust the headline benchmark, ship the agent's output without gates and let it loose on the whole codebase, then discover the inflated score did not translate, the ungated code carried vulnerabilities and the agent stalled on the complex work. The model was the same. The discipline around it was not.

How do you put this into practice?
Build the discipline before you scale the agent. Measure the agent against your real baseline, including verification cost and ignore both the vendor benchmark and the felt speedup. Make security scanning and tests a hard gate on every change. Scope the agent to the changes where your context makes it reliable and widen that scope only on measured evidence. This is the unglamorous recipe the successful teams follow and it is available to you regardless of which agent you run.
| Practice | Burned team | Successful team |
|---|---|---|
| Measurement | Trusts the headline score | Measures real cycle time and quality |
| Output | Ships ungated | Gates every change |
| Scope | Whole codebase | Where the agent reliably helps |
Encoding that discipline is the core of what VibeModel does as the Pattern Intelligence Layer. We model the patterns of honest measurement, effective gating and right-sized scope, so your team uses coding agents like the ones that succeed rather than the ones that get burned.
Frequently asked questions
Why not trust the benchmark score?
Differential testing shows it can be inflated by several points and it measures isolated tasks, not your repo. Measure your own outcomes.
Is gating really necessary if the code looks fine?
Yes. Nearly half of generated code is insecure and fluent code hides flaws. Gating is what keeps them out of production.
How do I scope the agent?
Start with the changes where your context makes it reliable, measure and widen only on evidence. Keep the complex and high-fan-out work human.

