Why agent-written code passes review and is still wrong, or insecure

The code looks right, reads cleanly, and a reviewer waves it through. The danger is that the agent made the human more confident and less careful at the same time.

B

Balagei G Nagarajan

3 MIN READ


A reviewer nodding at clean-looking code while a hidden flaw sits unexamined
Clean code reads as correct code, and AI is excellent at clean.
— from “Why agent-written code passes review and is still wrong, or insecure”

Key facts.

  • In Perry et al.'s controlled study, developers with an AI assistant wrote significantly less secure code than those without and were more likely to believe it was secure.source
  • Participants who trusted the AI less and engaged more critically with their prompts produced fewer vulnerabilities, so skepticism measurably helped.source
  • Independent testing finds nearly half of AI-generated code carries a known vulnerability, so the plausible-looking code is wrong at a meaningful rate.source

Why does plausible code defeat review?

Because review runs on suspicion, and AI-generated code suppresses it. A human reviewer scrutinizes code in proportion to how risky it looks. AI output looks clean, conventional and confident, which lowers the perceived risk and the scrutiny with it. Perry's study captures the trap precisely: the AI did not just produce less secure code, it made developers more confident that the code was secure. The people best positioned to catch the flaw were the ones least inclined to look for it. The vulnerability is plausible, the reviewer is reassured and the code passes. This is worse than a human writing the same bug. That happens because a human-written bug at least does not come pre-packaged with false confidence that discourages the review.

The deeper issue is that fluency and correctness are decoupled, but human reviewers use fluency as a proxy for correctness. Clean code reads as correct code, and AI is excellent at clean. So the reviewer's instinct, refined on human work where messy often meant risky. Misfires on AI output where clean says nothing about whether it is safe.

A review process where AI-generated code is routed to deeper scrutiny and automated security checks rather than waved through

What review actually catches it?

Skeptical review backed by automated checks. Treat AI-generated code as guilty until verified, the opposite of the confidence it invites and run it through security scanning. Tests and static analysis as a hard gate rather than relying on a reviewer's eye that the code is busy disarming. Perry's finding that more critical engagement produced fewer vulnerabilities is the actionable part: the skepticism is not paranoia. It measurably reduces the bugs that ship. The reviewer's job on AI output is to distrust the fluency and check what the fluency is hiding.

Review posture on AI codeResult
Trust the clean appearancePlausible vulnerabilities pass
Skeptical review plus automated checksHidden flaws caught despite the fluency

Catching what the fluency hides is part of what VibeModel does as the Pattern Intelligence Layer. We model the patterns of plausible-but-wrong generated code and check for them automatically. The agent's confidence does not become your reviewer's blind spot.

Frequently asked questions

Why review AI code more harshly than human code?
Because it comes with false confidence that suppresses scrutiny and it is insecure at a measurable rate. The skepticism corrects for the disarming fluency.

Does critical engagement really help?
Yes. Perry found developers who trusted the AI less and engaged more produced fewer vulnerabilities. Skepticism is protective.

Can automated checks replace the reviewer?
They catch much of it, but the reviewer handles what scanners cannot. The point is to pair skeptical review with hard automated gates.


Share this post

Join the discussion

Have a take, a war story, or a question? Sign in with GitHub to comment and react. Comments are powered by GitHub Discussions, ad-free and yours to moderate.

Continue Reading

Find where your agent breaks, before you build it

Faultmap maps where your agent will fail from the goal and your data, then hands you the first test suite it has to pass.