Back to articles
The New Rules of Software Engineering in the Age of AI

The New Rules of Software Engineering in the Age of AI

February 24, 202615 min readBy Vyacheslav Lukin
Software EngineeringAICode QualityEngineering Leadership

The tools have changed. The principles haven't.

There's a number that stops conversations in engineering rooms right now: 26.9%. That's the share of code currently hitting production that is AI-authored — meaning merged with minimal human intervention. Data from 121,000 developers across 450 companies (November 2025 to February 2026) puts this figure at 26.9%, up from 22% just the previous quarter. For developers using AI tools daily, that number has crossed 30%. Nearly one third of what daily AI users ship to customers was written by a machine.

And we're only getting started.

GitHub Copilot alone helps developers complete tasks 55% faster — confirmed by a 2022 controlled study by GitHub and Microsoft. McKinsey puts the broader productivity uplift from AI tools at 20 to 45 percent across software development tasks. These are not marketing numbers. They're real, and they're significant.

But here's what I keep coming back to: faster code is not better code. More code is not more value. And I'd bet most engineering leaders reading this have already seen the first signs of this — a PR that looks fine at a glance but hides something subtle underneath. A feature shipped fast that needed three rounds of fixes. A codebase that grew quickly but became harder to navigate with every sprint.

The question worth asking right now isn't "are we adopting AI?" It's "what happens to quality when nearly a third of what we ship was written without meaningful human oversight?"

The productivity illusion has a price tag

The same dataset puts monthly AI tool usage among developers at 92%, with 75% using tools weekly. The tooling shift has happened. The debate is over.

What's more interesting than the adoption numbers is what's happening to the gains. Self-reported time savings have plateaued at around 4 hours per week — roughly a 10% productivity gain. Not nothing, but far below the transformational numbers the hype cycle promised. A July 2025 MIT study of 152 organisations explains why: high adoption, but low transformation. The ceiling exists because most teams are applying AI to individual tasks at a developer's desk. The gains plateau when AI stays localised. Breaking through requires rethinking entire workflows, not just individual tools.

And there's a second problem, hiding underneath the productivity conversation.

The 2025 Veracode GenAI Code Security Report found that 45% of AI-generated code samples failed security tests and contained OWASP Top 10 vulnerabilities — the classics: SQL injection, broken authentication, insecure deserialization. The ones we've known about for decades. A separate 2025 Cloud Security Alliance study found that 62% of AI-generated code solutions contain design flaws or security vulnerabilities.

I want to be very clear about what this means. The model isn't broken. It's doing exactly what it was designed to do — pattern-match on training data. That training data contains vulnerabilities. So the model reproduces them, faithfully, at speed. It has no concept of "this is wrong." It has context and probability.

I use AI tools. Most people I respect do too. AI-generated code deserves the same engineering discipline as any human developer's output — or even more.

The problem is that we know how to work with humans. We have decades of practice giving feedback, setting expectations, running code reviews, structuring accountability. With AI, most teams don't have that yet — the knowledge, the habits, the processes. And that gap leads to the most dangerous default in engineering: "let it do its thing." No oversight. No checkpoints. Just output, shipped.

The data backs this up. Nearly 1 in 3 developers admit to deploying AI-assisted code without always performing a human review. Only 34% of teams use tools that enforce any AI-specific review policies. And when AI review tools are enabled, 80% of pull requests have no human comments at all — the automation runs, the box gets ticked, and the code ships. That's not a review process. That's a rubber stamp.

AI is an amplifier. Whatever you have, you'll get more of it.

A July 2025 MIT study of 152 organisations identified what they called a "Big Bang" multiplier effect, and I think it's the most important finding in AI engineering research right now.

Teams with healthy engineering practices — clear requirements, good test coverage, solid CI/CD, genuine code review culture — saw 50% fewer customer-facing incidents after adopting AI. They shipped faster. Quality held or improved. AI accelerated what was already working.

Teams without those foundations — unclear ownership, fragile pipelines, poor test coverage, shortcuts normalised — saw twice as many customer-facing incidents as before adoption. Twice. The same AI tools, dramatically worse outcomes.

This is what I tell every engineering leader I speak with: AI is a multiplier on whatever you already have. If your engineers write clear specs, design before building, test properly and review rigorously — AI will make them faster and your customers will feel the benefit. If they don't, AI will produce more of the wrong thing, faster, and the bill will arrive sooner than you expect.

Barry Boehm calculated that the cost of fixing a defect grows by 5x to 100x depending on how late in the lifecycle it's caught. That was 1981. The underlying dynamic hasn't changed — but the speed at which defects can propagate has. A developer shipping 500 lines an hour with a flawed assumption baked in has a much bigger problem than one shipping 100. CISQ already estimated US technical debt at $1.52 trillion in their 2022 report — before generative AI went mainstream. I genuinely don't want to see their next one.

The question worth asking your team right now isn't "are we using AI?" It's "are we in good enough shape to benefit from it?"

What changes. What doesn't.

I want to be precise here, because there's a lot of noise in this debate.

What genuinely changes with AI:

Counterintuitively, software engineering matters more now. The discipline is just finally getting to do what it was always supposed to do.

When AI handles the boilerplate, the scaffolding, the repetitive implementation — good riddance — engineers get to spend more time on the work that actually determines whether a product succeeds or fails: designing architecture, validating and stress-testing decisions, evaluating tradeoffs. Less time typing code, more time actually thinking about software. That's not a demotion. That's what the job was always supposed to look like.

A working prototype is now a few prompts away. The barrier to "let me just show you what I mean" has collapsed — which is genuinely exciting. And junior engineers can produce at volumes that previously required years of experience, which creates real opportunity alongside real supervision challenges.

But none of this changes the upstream work. It accelerates the downstream.

What doesn't change — at all:

  • Requirements have to be understood correctly before code can be correct. Garbage in, garbage out, now just faster.
  • Architecture decisions — how you decompose systems, where complexity lives, how data flows — these determine whether a product survives at scale. AI assists with implementation. Judgment stays with the engineer.
  • Tests are the only honest measure of whether software does what it should. If AI writes the implementation, a separate agent or engineer must own the tests — never the same one that wrote the code.
  • Security and reliability don't emerge from autocomplete. They require deliberate design.

There's a hard truth hiding in that last point on tests. Manual code review of AI-generated output — which today means hundreds or thousands of lines per day per developer — is simply not going to scale. It's already borderline unreliable. The answer isn't to review harder. It's to tighten the feedback loop: comprehensive automated tests, strict CI/CD gates, and security scanning that runs on every commit. The system has to catch what human eyes will inevitably miss.

The discipline of specifying clearly, designing before building, and automating verification ruthlessly — this was never really about compensating for slow human typing. It was always about the fundamental challenge of building complex systems that behave correctly under real-world conditions. That challenge hasn't changed.

The engineer's job is getting more important, not less

Here's what gets lost in the "AI will replace developers" conversation: the hardest parts of software engineering were never about writing code. They were about everything that happens before and after it.

Knowing which problem is actually worth solving. Writing a spec tight enough that the implementation has no room to go wrong and aligned with bigger system architecture. Recognising that the architectural decision made in week two will make the product unmaintainable in 12 months time. Understanding which tradeoffs matter now and which ones will hurt you later.

AI is exceptionally good at generating code within a given context. It is not good at questioning whether the context is right. That's the senior engineer's job — and it just became the whole job.

The implication is significant. A senior engineer who defines clear architecture, sets the right constraints, and designs the verification systems that validate AI output is now a force multiplier on an entire team's output. The influence radius has expanded dramatically. So has the responsibility.

There's a concrete signal in the onboarding data worth noting. Between Q1 2024 and Q4 2025, the time for a new engineer to merge their 10th pull request was cut in half across the industry. Brian Houck at Microsoft has shown "Time to 10th PR" is a statistically significant predictor of an engineer's productivity for their first two years. That acceleration is real — but it only materialises inside codebases where the architecture is clear, the constraints are defined, and the standards are enforced. Which is exactly what senior engineers build.

What good looks like in practice

The teams I see handling this well share a few habits:

1. They keep agent responsibilities strictly separate. The agent that writes code doesn't write the tests. Requirements are read-only for development agents — they can't be modified by the thing executing against them. This isn't bureaucracy. It's the same separation of concerns we've applied to human teams for decades, now applied to AI agents.

2. They've automated verification end-to-end. Tests, CI/CD gates, security scanning, linting — all mandatory, all blocking. When nearly half of AI-generated code fails security benchmarks, anything that isn't automated won't happen consistently.

3. They design before they generate. Architecture conversations happen before anyone opens a prompt window (for writing code). Actually, AI is very helpful to challenge architecture design and tradeoffs. Important part is that the AI works within a defined structure, not around one.

4. They track technical debt deliberately. Because AI can accumulate it faster than any team in history, and it will if no one's watching.

5. They reframe infrastructure investment as "Agent Experience." Leadership will often fund improvements for AI agents that they wouldn't fund for human developers — better test coverage, cleaner CI/CD, sharper documentation. Cisco deployed AI tools to 18,000 engineers and achieved a 50% reduction in code review cycle times, but only after investing in the infrastructure underneath. Use this reframe. The infrastructure AI needs to work well is exactly the infrastructure your engineers needed all along.

None of this is complicated. Most of it is good engineering practice applied consistently — just now with higher stakes and less margin for skipping steps. The teams that struggle aren't failing at AI adoption. They're skipping the fundamentals and discovering, slowly, that velocity without structure is just a faster way to create a mess.

The bottom line

The engineers and teams that will define the next decade aren't the ones generating the most (or more) code with AI. They're the ones shipping the most reliable, secure, and maintainable software — using AI as a force multiplier on their engineering discipline.

Dijkstra, Brooks, Boehm — none of them were writing about humans specifically. They were writing about the fundamental difficulty of building complex systems that behave correctly. Every word still applies. To every line of code. Regardless of who — or what — wrote it.

Speed is a means. Quality is what ships.

I keep coming back to one idea from the latest research on AI adoption: if your engineering foundations are broken, AI doesn't fix them — it just gets you to the consequences faster. You're taking your garbage to space. It arrives sooner. It's still garbage.

I've seen both sides of this. Teams where AI genuinely accelerated great engineering. And teams where it just accelerated the accumulation of things that will need to be unpicked later. The difference was never the tools. It was always the discipline underneath.

This is only the top of the iceberg — there's a lot more to unpack on agentic workflows, measurement frameworks, and what "good" looks like at scale.

Sources: GitHub/Microsoft (2022), Microsoft Research (2023), McKinsey (2023), Stack Overflow Developer Survey 2023, Barry Boehm — Software Engineering Economics (1981), CISQ (2022), Veracode GenAI Code Security Report (2025), Cloud Security Alliance (2025), Index.dev (2026), Qodo (2025), Greptile (2026), Laura Tacho/DX (2026)

© 2026 Vyacheslav Lukin. All rights reserved.