Underneath all this is a common denominator: “code”. We use code to train and build AI models as well as build harnesses and tooling that augment raw models into useful applications. The earliest AI tooling was handwritten, but now AI can self generate more code at an unprecedented speed and scale, unmatched by humans. Platforms are struggling to meet the AI scale requirements and Github forecasted a 10x jump to 14 billion commits in 2026. The barrier to building an application has never been lower, but it comes with hidden cleanup costs in the long run.

Who is writing AI-generated code, who is using it, and what is the cleanup cost?

The core set of users behind AI-generated code should fit into a handful of archetypes:

• The Inventors: these are the people and companies behind the core AI concepts, large language models (LLMs), and standards like MCP including OpenAI, Anthropic, and Google.
• The Researchers: academic labs, independent research groups, and benchmark creators who generate the long tail of ideas, talent, and evaluation methods the field runs on.
• The Platforms: the distributors, marketplaces, and tooling providers (GitHub, Hugging Face, Cursor, Apple, Webflow) whose policies and defaults shape what everyone else can build, ship, and market.
• The Engineering Orgs: in-house engineering teams at companies of all sizes, rethinking how they operate and embed AI into their products and employee workflows. Not just at tech companies, but healthcare providers, grocery chains, oil refiners, and beyond.
• The Independent Developers: these are power users who also build new AI applications or bridge existing solutions. They can be open-source developers, freelancers, or third-party developers creating apps within ecosystems such as Apple App Store or Webflow marketplace.
• The Citizen Developers: these are non-engineers (PMs, designers, marketers, analysts) who previously had little or no coding ability but can now generate working code and ship applications.
• The Regulators: these are governments, standards bodies, and sector-specific oversight entities shaping how AI can be built, deployed, and audited. Their decisions (EU AI Act, US executive orders, sector rules) increasingly define the guardrails everyone else operates within.
• ‍The Adversaries: threat actors ranging from individuals to hacktivist groups to nation states. As frontier AI models gain serious offensive capabilities, the gap between the attack and defense capabilities is widening fast.

There is barely a B2B or B2C solution untouched by AI, which means literally everyone is a user of AI-generated code. To keep this post focused, we'll set aside the Foundation and Distribution layers and zoom in on the Building layer: the Engineering Orgs, independent developers, and citizen developers actually generating, shipping, and maintaining the code. The hidden costs concentrate here, and so do the levers to do something about them.

Before we jump into these hidden costs, let's take a sneak peek at the AI-generated code benefits.

Shared benefits across the building layer

AI has enabled builders to develop and ship with velocity never seen before. New API endpoints are being developed, tested, and shipped in 30 mins to a few hours while bug fixes and prototypes are worked on with short flight delays. Internal tools and automation are also being developed faster for productivity boosts across the entire organization. This is letting leaner teams or solo entrepreneurs increase their capacity without additional headcount.

Another core benefit is the democratization of development. While engineers are working on complex features, citizen developers are able to build prototypes or fix paper cuts in the product. 

The users of AI enabled products are also able to move faster and from the comfort of their mobile devices. The following LinkedIn post was shared by a Webflow customer:

“Went to the gym after my shift was over. Laptop was closed. I was already away. A teammate urgently needed a full CMS collection export as a CSV. Hundreds of items, all fields included. I opened Claude on my phone. Described what I needed. Claude connected to the CMS through the MCP, pulled everything in paginated batches, mapped every field correctly, and handed back a clean structured CSV ready to share. Webflow MCP + Claude is one of the best bridges I’ve used in a production workflow. Every item, every field, zero data loss. The tools are ready. Most people just haven’t connected them”

Another solid benefit which is often less talked about is AI augmented learning, reviewing, and testing. AI assistants are now integrated across collaboration and documentation platforms, code hosting platforms, and the internet broadly. This reduces the barrier to learning unfamiliar technologies and understanding existing code and architecture a lot easier and time efficient. The builders often spend time planning their work with an AI assistant before the actual execution.

Unlike humans, AI does not tire out or need sleep and can reuse best practices for AI development and reviews to keep things consistent and pattern-aware. For a team of junior developers, AI is able to raise the floor by catching obvious mistakes early.

The benefits above are immense and a reason why AI is so widely adopted. However, some of these benefits are often front-loaded and it takes time for us to see the hidden cost in the long run. These costs often land further away from the wins and accolades.

Cleanup costs across the building layer

The Engineering orgs

Engineering organizations have been the biggest beneficiaries of AI augmentation, but they are also the ones that accumulate the largest cleanup cost in the long run.

Humans are still required to be in loop for high risk changes. The burden to review most of the high risk code written within an organization falls upon senior engineers who have contextual understanding.

Engineers who lean heavily on AI, especially those early in their career are prone to erosion of their software engineer skills. They may also find it hard to move to the next level in the career ladder if their thoughts are not their own.

Another huge hidden cost for AI-generated code is quality debt. In the quest to move fast and with AI in charge of low risk work or reviews, the code is prone to duplication and subtle logic flaws that can be exploited later. It also results in weak contextual understanding of the AI-augmented work in the long run. Incidents could also run longer with lack of ownership and understanding of the impacted surface area.  

Engineering orgs can also be hit with availability issues with AI vendor concentration. If a heavily relied on AI coding vendor has a downtime, the engineering productivity drops. If the product AI integration vendor is down, the customers feel the pain. And if the product relies completely on AI without a manual workflow, the AI vendor downtime is your downtime.

AI productivity gains do not come for free. There is a large operating cost to AI-augmented development and most of the companies still do not understand AI budgeting. Higher token burn per developer is being glorified and associated with higher productivity, which can lead to wasteful spends.

And last but not least, the security cost which deserves its own section.

Overall Risk level: High but distributed

The independent developers

Independent developers (freelancers, OSS maintainers, third party app developers) are able to see significant gains with AI adoption but it comes with a risk to their personal brand. The larger volume of code makes it harder to review with no peers to review or clean up the code. There is no legal team preventing copyright violations in your work or from your work. Unintended mistakes or bad reviews can get one suspended from a freelancer platform or the developer apps kicked out from an ecosystem. One vulnerable plugin shipped to thousands of customers, one license violation in a freelance deliverable, or one buggy release on the App Store can tarnish a developer's standing in that ecosystem.

Open source maintainers face a particularly cruel asymmetry: it costs a contributor five minutes to generate a low-quality AI pull request, and hours for the maintainer to verify and reject it. The curl project ended its bug bounty program in January 2026 after this asymmetry became unsustainable, and they were not the last project to do so.

Overall Risk level: High and personal

The citizen developers

This is the newest archetype and includes PMs, designers, marketers, and analysts. The citizen developers can now prototype and showcase their ideas instead of asking someone to build it for them. They can also fix minor issues in the code that are often lower priority but improve the customer quality of life. These developers can now also build internal tools which in the past required justification and prioritization of developer resources.

However, the code from citizen developers often carries quality issues. While the code solves the problem, it may contain code duplication, no tests, no error checking or logging, and has no security considerations. If their work touches high risk areas such as authentication or PII data, an engineering review will help fix these issues and also help them learn the tricks of the trade. Lighter and low risk changes may go straight to production. While bad code from citizen developers is less likely to bring a company down, a high concentration of such changes can reduce code quality in the long run.

When citizen developers contribute code to production, they are usually focused on solving a specific problem rather than thinking about long-term maintainability or incident response. If something breaks later, the original author may not have the depth to debug it, and fixes typically fall on the engineering org to test and ship, adding to their workload.

Overall Risk: Medium but can aggregate fast

The ecosystem problem

We just discussed different archetypes and the hidden cost within their own surface. However, there is a second-order effect when independent developers build for an ecosystem or platform owned by larger companies. This includes not just Apple and Google App stores, but marketplace ecosystems from the likes of Webflow, Shopify, and Github. The ecosystem owners have a shared responsibility for AI-generated code written by individual developers. 

When customers install an app and something goes wrong, they blame the platform, not the developers. This is because the marketplace reviewed and allowed the app to exist within their ecosystem. Every bad app that slips through the cracks, reduces customer confidence in the ecosystem as a whole.

With AI, independent developers are now shipping their creations faster, resulting in more submissions and reviews for the ecosystem owners. This includes a high volume of submissions with low-quality and insecure code. In the past, if we were able to manually review all apps, it is now not possible with the AI-augmented submission rate. Emerging ecosystems now are investing more in automated reviews, security guidelines, and developer education.

In addition to new app submissions, approved apps are now evolving with the help of AI. Developers are submitting updated app versions with increased capabilities but with similar problems we discussed above: needing higher permissions, insecure code, or license contamination. Ecosystem owners now have to deal with this problem without burning their social contract with the developer community.

Github being both an enterprise solution plus a community code hosting platform is facing infrastructure and resilience challenges with the sheer volume of AI-generated code generated through its AI product and hosted on its platform. This points to larger ecosystems grappling with scaling issues and increased operating costs. 

Overall Risk: High but quietly