SECURITY · June 19, 2026
The AI speedup comes with a security bill
Gartner says 90% of engineering leaders report gains from AI coding tools — a net 19% productivity bump. The same research says unreviewed AI code has 23% higher bug density, and 14.3% of AI-generated snippets carry security vulnerabilities versus 9.1% for human-written. Almost nobody prints those two numbers in the same sentence. You should, because they're the same story.
Two numbers from the same body of Gartner research, and they're almost never quoted together. First: 90% of engineering leaders report improvements from AI coding tools, for a net productivity gain around 19%. Second: unreviewed AI-generated code has 23% higher bug density, and 14.3% of AI code snippets contain security vulnerabilities, compared to 9.1% for human-written code.
The first number gets the headline. The second one gets the incident report six months later. They belong in the same sentence.
The speedup is real — and so is the debt
I'm not here to wave off the 19%. It's real, it's measured, and the productivity gain from directing agents is the whole reason I work the way I do. But a gain quoted without its cost isn't a measurement — it's a sales pitch. The honest version reads: AI made us ~19% faster and shipped code with a meaningfully higher defect and vulnerability rate.
Both halves are true. The speedup and the security bill are produced by the exact same thing — generating a lot of plausible code fast — which is why you can't have one without budgeting for the other.
"Unreviewed" is the load-bearing word
Notice where the bug-density number lives: in unreviewed AI code. That's the tell. The defects aren't an inherent property of the model being dumb; they're what you get when generation speed runs ahead of verification. Fast writing with no matching increase in checking is just fast accumulation of unexamined risk.
This is the same point I keep landing on: when the agent writes most of the code, your leverage moves to the review. The speedup is gross. The net is gross minus whatever the unreviewed bugs cost you later — and "later" is where vulnerabilities are most expensive.
How to keep the speed and pay the bill down
You don't fix this by slowing down. You fix it by making the check scale with the writing:
- Make review deliberate and measured. Not a glance — a real gate that produces a signal before code merges. The faster you generate, the more this matters.
- Add security-specific checks. The vuln rate is higher, not lower, so lean on SAST and a second model red-teaming the diff. Don't assume generated code is safe because it runs.
- Build review-able code on purpose. Principles like SOLID, DRY, and KISS aren't aesthetics here; clean, structured code is code a human or an agent can actually verify. Slop hides bugs.
- Track defect rate alongside velocity. If you measure only the speedup, you'll optimize the number that flatters you and ignore the one that bills you.
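What "a real gate before merge" and "defect rate alongside velocity" look like in practice, as an added illustration that is not code from the original post: a merge gate that refuses unreviewed AI-generated changes or changes with open SAST findings, and a small metrics pass that reports defects and vulnerabilities per thousand lines by (AI-generated, reviewed) bucket next to a net-velocity figure. The change log, the SAST finding counts and the rework cost per defect are all constructed assumptions for the example.

```python
"""Velocity-and-defect tracking for AI-assisted changes.

Added illustration, not the post author's code. It assumes a constructed
change log in which each merged change records lines added, whether it
was AI-generated, whether it passed a deliberate review gate, its open
SAST findings at merge time, and how many defects or vulnerabilities were
later traced back to it. The rework cost per defect is an assumed knob.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Change:
    change_id: str
    lines_added: int
    ai_generated: bool
    reviewed: bool        # passed the deliberate review gate
    sast_findings: int    # open SAST findings at merge time
    defects_later: int    # bugs traced back to this change after merge
    vulns_later: int      # security issues traced back to this change


# Constructed sample data (not real project history).
SAMPLE = [
    Change("c1", 400, True, True, 0, 1, 0),
    Change("c2", 900, True, False, 2, 4, 1),
    Change("c3", 300, False, True, 0, 1, 0),
    Change("c4", 700, True, False, 0, 3, 1),
    Change("c5", 500, False, True, 0, 1, 0),
    Change("c6", 600, True, True, 0, 1, 0),
]


def merge_gate(change: Change) -> tuple[bool, list[str]]:
    """Decide whether a change may merge; returns (allowed, reasons).

    The gate produces an explicit signal rather than a glance: an
    AI-generated change must have passed review, and no SAST finding may
    be left open, regardless of whether the code happens to run.
    """
    reasons = []
    if change.ai_generated and not change.reviewed:
        reasons.append("AI-generated change has not passed the review gate")
    if change.sast_findings > 0:
        reasons.append(f"{change.sast_findings} open SAST finding(s)")
    return (not reasons, reasons)


def density_by_bucket(changes):
    """Defects and vulns per 1000 lines, grouped by (ai_generated, reviewed)."""
    lines = defaultdict(int)
    defects = defaultdict(int)
    vulns = defaultdict(int)
    for c in changes:
        key = (c.ai_generated, c.reviewed)
        lines[key] += c.lines_added
        defects[key] += c.defects_later
        vulns[key] += c.vulns_later
    return {
        key: {
            "kloc": lines[key] / 1000,
            # guard against a bucket of zero-line changes
            "defects_per_kloc": defects[key] * 1000 / (lines[key] or 1),
            "vulns_per_kloc": vulns[key] * 1000 / (lines[key] or 1),
        }
        for key in lines
    }


def net_velocity(changes, rework_lines_per_defect=150):
    """Gross lines shipped minus the assumed rework cost of later defects.

    This is the post's 'gross minus what the unreviewed bugs cost you'
    made explicit; the per-defect cost is an assumed parameter.
    """
    gross = sum(c.lines_added for c in changes)
    issues = sum(c.defects_later + c.vulns_later for c in changes)
    rework = issues * rework_lines_per_defect
    return {"gross": gross, "rework": rework, "net": gross - rework}


if __name__ == "__main__":
    for change in SAMPLE:
        allowed, why = merge_gate(change)
        print(change.change_id, "merge" if allowed else "blocked", why)
    for bucket, stats in density_by_bucket(SAMPLE).items():
        print(bucket, stats)
    print(net_velocity(SAMPLE))
```

Run it and the unreviewed AI bucket shows the highest defect and vulnerability density in the sample, which is the point of reporting the two numbers side by side: the velocity figure alone would have looked best for exactly the changes that cost the most later.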
The bottom line
The productivity win from AI coding is genuine. It also comes with a measurable increase in bugs and vulnerabilities that the celebratory version conveniently leaves out.
The 19% speedup and the 14.3% vulnerability rate are the same story, so quote them together and pay the bill with review. Scale your checking as fast as your generation, lean hard on security review, and keep the code clean enough to inspect. The speedup is real. So is the invoice.