Last month, a company shipped an AI-generated auth module that stored passwords in plain text in localStorage. The code passed their automated tests. It looked clean. It even had comments explaining the logic. A senior engineer caught it during a Friday afternoon code review, two days before the planned production deploy.
That is not a rare edge case. We see variants of this every week. AI-generated code that compiles, runs, passes basic tests, and contains serious problems that only an experienced human would catch.
A Real List of Things We Have Caught
These are actual issues our senior engineers found in AI-generated code during review. All of this code was functional and would have passed CI.
Race conditions in a booking system. Two users could book the same time slot simultaneously because the AI used a read-then-write pattern instead of an atomic compare-and-swap. Under single-user testing, it worked perfectly. Under load, it double-booked 3-4% of appointments.
N+1 queries in a dashboard API. The AI generated a clean GraphQL resolver that fetched each user’s orders in a loop. For 10 users, response time was 200ms. For 500 users, it was 14 seconds and the database connection pool was exhausted.
Missing input validation on a file upload endpoint. The AI checked file extension but not file content. You could upload a PHP shell renamed to .jpg. The file was served from the same domain as the application.
Improper error handling in a payment flow. When Stripe returned a 402 (payment failed), the AI caught the error, logged it, and returned a 200 to the client. The frontend showed “Payment successful!” The user’s card was never charged but the order was created.
Auth bypass through parameter pollution. The AI-generated middleware checked req.user.role === 'admin' on the request object. But it did not validate that req.user came from the auth token and not from a JSON body parameter. You could add {"user": {"role": "admin"}} to any request and bypass authorization entirely.
Why AI Code Fails in Specific Ways
AI generates code that is locally correct but globally wrong. It solves the exact problem described in the prompt without considering the system around it.
A synchronous API call where the response takes 30 seconds under load and blocks the Node.js event loop. A direct database query on a table with 50 million rows and no index on the filter column. A caching implementation that never invalidates. Each piece of code works in isolation during development. Each causes incidents in production.
AI also consistently underestimates failure modes. It writes code for what should happen, not for what could go wrong. Senior engineers think about the network dropping mid-transaction, the third-party API returning malformed JSON, the user submitting a form 15 times because the button did not disable, the database disk filling up at 3am on a Saturday.
How We Review AI-Generated Code at Metafic
We treat AI like a fast but inexperienced engineer. It writes the first draft. Every line goes through a human review calibrated to the risk level of the code.
Low risk (UI components, docs, config files): Standard review for correctness. One senior engineer, same-day turnaround.
Medium risk (business logic, API endpoints, integrations): Detailed review focused on edge cases, error handling, and performance. The reviewer traces the full request path and checks failure modes at each step.
High risk (auth, payments, encryption, data access control): Comprehensive review from a senior engineer with domain expertise. For authentication and payment processing, we frequently write these modules from scratch rather than starting from AI output. The cost of getting it wrong is too high to start from a draft that might have subtle flaws baked in.
Before any human sees the code, it runs through automated security scanning (Snyk, CodeQL), static analysis (ESLint with security plugins, SonarQube), and our custom checks for common AI failure patterns. These automated tools catch maybe 40% of issues. The rest require a human who understands the system.
The Math on Review Time
A senior engineer spends roughly 30 minutes reviewing a medium-risk PR. That same PR, if shipped without review and containing an N+1 query, could cause a production outage that takes 4 hours to diagnose and fix, plus the customer impact.
The review is not overhead. It is the cheapest insurance you will ever buy.
If you are shipping AI-generated code without experienced human review, you are accumulating risk that will eventually surface at the worst possible time. We can show you exactly how our review process works and what it catches.