AI created a flood of code and companies have no idea what to do with it

Software development has entered a new era, and it came with a hefty price tag. A financial sector company that adopted Cursor, an artificial intelligence tool focused on code writing, saw its output jump from 25,000 to 250,000 lines per month.

Sounds amazing, right?

But the flip side of this story is that the 10x leap created a backlog of 1 million lines of code waiting for security review.

The person who brought this data to light was Joni Klippert, co-founder and CEO of StackHawk, a security-focused startup that was working directly with the company.

According to her, the problem goes beyond volume.

The sheer amount of code being shipped, and the increase in vulnerabilities, is something they simply cannot keep up with.

And that accelerated pace doesn’t stay contained within the engineering team. Departments like sales, marketing, and support also started feeling the pressure, creating, in Joni’s own words, a lot of stress across the entire operation. 😬

What this case reveals is that the productivity promise of artificial intelligence came hand-in-hand with a risk that many people didn’t anticipate, and companies are still trying to understand the real scope of the problem.

When shipping faster becomes a security problem

The logic seems straightforward: if an artificial intelligence tool can multiply a team’s code output by ten, the business grows faster, products hit the market sooner, and everybody wins. That narrative is real and has merit, but it ignores a critical detail that is becoming increasingly obvious in the daily lives of software development teams: producing more doesn’t mean producing better, and in the tech world that difference can be extremely costly.

The additional volume of code generated by AI tools needs to go through the exact same quality and security scrutiny as any code written by hand. When the delivery pace explodes, the review capacity simply can’t keep up at the same speed. It’s like turning on every faucet in a house at the same time and expecting a single drain to handle the flow without overflowing.

The financial company case cited by Joni Klippert is a concrete example of this mismatch. With 1 million lines waiting for security analysis, the team responsible for identifying and fixing vulnerabilities found itself facing a queue that grows faster than it can process. This kind of situation creates a silent pressure inside organizations: developers ship more, managers are thrilled with the productivity numbers, but deep down there’s a growing layer of accumulated risk that nobody can clearly measure.

And the worst part is that while the backlog sits unreviewed, the code may already be running in production, exposing systems and data to real threats. In the financial sector, where sensitive customer data and transactions are at stake, that exposure takes on even more alarming proportions.

AI tools don’t replace good practices

It’s worth remembering that artificial intelligence tools like Cursor, GitHub Copilot, and similar ones were not designed to replace good software development practices. They speed up writing, suggest solutions, and reduce time spent on repetitive tasks, but they have no way to guarantee that the generated code is free of flaws or vulnerabilities.

The language model powering these tools was trained on massive amounts of code available on the internet, including code with bugs, bad practices, and even known security flaws. This means that no matter how impressive the output of these tools is, it still needs to pass through the critical eye of an experienced developer before going to production.

This point often gets lost in the excitement over productivity gains. The numbers are seductive — going from 25,000 to 250,000 lines per month is something any tech manager looks at with stars in their eyes. But when the security bill arrives, the picture changes quickly.

The impact of vulnerabilities beyond the development team

One thing that stands out in Joni Klippert’s account is that the problem didn’t stay confined to the engineering team. When the pace of code delivery ramps up dramatically and security processes can’t keep up, the stress spreads across the entire organization.

Sales teams need to answer client questions about system reliability. Support teams deal with incidents that could have been prevented. Marketing teams face the challenge of communicating innovation while behind the scenes, technical debt piles up. This cascading effect is often underestimated when companies plan the adoption of artificial intelligence tools in the software development process.

The original report published by The New York Times reinforces exactly this: as software development accelerated, departments like sales, marketing, and customer support were forced to pick up the pace as well, creating what Klippert described as widespread stress throughout the company.

Not all vulnerabilities are created equal

The vulnerabilities generated by this accelerated process aren’t easy to categorize either. Some are classic errors that any automated review can catch, such as:

  • SQL injections
  • Authentication failures
  • Sensitive data exposure in logs
  • Improper permission configurations

But others are more subtle and context-dependent, like business logic implemented incorrectly or third-party dependencies introduced by AI-generated code that never went through a risk assessment. When volume grows too fast, the ability to review this second type of issue drops dramatically, because it requires qualified human attention and time — two resources that become scarce precisely when productivity explodes.

The trap of a false sense of security

Another factor complicating the picture is the false sense of security that automation can create. When a developer writes code by hand, they tend to be more aware of what they’re doing and the risk associated with each decision. When artificial intelligence writes it, there’s a natural tendency to trust the result more. After all, the tool seems reliable and the surface-level tests pass without any major red flags.

This behavior has been identified in studies on the use of code assistants, and it represents a real risk to the software development process in any organization that adopts these tools without a clear plan for governance and review. It’s like putting a car on autopilot and no longer paying attention to the road: most of the time it works fine, but when something goes wrong, the consequences can be severe.

In the specific case of the financial sector, where regulations like LGPD in Brazil and GDPR in Europe demand strict data protection standards, an undetected vulnerability can result not only in direct financial losses but also in regulatory fines and reputational damage that takes years to repair.

The code overload phenomenon is not an isolated case

The case reported by The New York Times might seem extreme, but the truth is it reflects a trend that’s spreading rapidly across the tech industry. As generative artificial intelligence tools become more accessible and sophisticated, companies of all sizes are adopting code assistants to gain speed.

The problem is that the review and security infrastructure at most of these companies was designed for the old production pace. When code volume multiplies by ten overnight, existing processes simply collapse. It’s like widening a highway to handle ten times more cars without building a proportional number of inspection checkpoints.

This gap between production speed and review capacity is creating what many experts are already calling AI-accelerated technical debt. Unlike traditional technical debt, which accumulates gradually over months or years, this new type of debt can build up in weeks, making remediation far more urgent and complex.

What companies can do about this

The answer to this problem is not simply abandoning artificial intelligence tools or going back to writing everything by hand. That would mean ignoring a real productivity breakthrough that, when well managed, represents a massive competitive advantage.

The smarter path involves integrating security analysis directly into the software development workflow — what the industry calls a DevSecOps approach. In this model, vulnerability checks don’t happen at the end of the process, when the backlog has already piled up, but at every stage, from the moment code is written all the way through to production deployment.

Tools like StackHawk itself exist for exactly this purpose, helping teams detect security issues continuously and automatically, without relying exclusively on late-stage manual reviews. The idea is for security to keep up with the speed of production, rather than falling behind and waiting its turn in line.

Culture change is just as important as tooling change

Beyond technical integration, there’s an organizational culture issue that needs to be addressed. Teams adopting artificial intelligence to write code need to understand that the responsibility for the quality and security of what gets shipped remains a human one.

AI is a powerful tool, but it has no context about the business, doesn’t know the company’s compliance requirements, and doesn’t know which data is most critical to protect. That layer of knowledge has to be applied by the developers and architects who review what was generated, and that requires:

  • Dedicated time for reviewing AI-generated code
  • Ongoing training on security best practices
  • Clear governance processes for adopting AI tools
  • Metrics that go beyond the number of lines shipped
  • Transparent communication between engineering and business teams

Many companies have not yet properly structured these elements for the new reality of AI-assisted software development. And as long as that structuring doesn’t happen, risk keeps silently piling up in code repositories.

A warning sign for the entire industry

The case reported by Joni Klippert is a warning sign that goes well beyond one specific financial sector company. It represents a pattern that’s likely to repeat across different industries as the adoption of artificial intelligence tools for software development continues to grow at a rapid clip.

Delivery speed will keep increasing. Review backlogs will keep piling up and vulnerabilities will keep multiplying, unless organizations invest proportionally in processes, tools, and training focused on security.

The challenge isn’t to slow down innovation but to make sure it happens in a sustainable and responsible way. Artificial intelligence brought an unprecedented capacity for code production, and now it’s up to companies to build the mechanisms needed to keep that production from turning into a ticking time bomb of vulnerabilities. The balance between speed and security will undoubtedly be one of the most important topics in software engineering in the years ahead. 🚀

Rafael
