AI Broke Your SDLC Abstractions (Now What?)

---

Why this matters this week

AI in software engineering just crossed a line most teams aren’t acknowledging clearly:

• It’s no longer a toy for “writing boilerplate.”
• It’s not yet reliable enough to own production changes end-to-end.
• But it is now good enough to reshape your SDLC: testing, code review, rollout patterns, incident response.

If you run an engineering org, you’re quietly accumulating AI debt:

• Shadow usage of codegen tools influencing your codebase.
• Tests generated by models that nobody fully understands.
• “Quick wins” in productivity that trade off against long-term maintainability and security.

The risk isn’t “AI will write bugs.” You already have bugs.

The real risk is: your process assumptions break:

• The mental model that “every line of code had a human author who understood it.”
• The belief that “tests are a ground truth, not another model output.”
• The idea that “code review is mostly about logic, not about validating a generator pipeline.”

This post is about updating those assumptions in a way that is boring, safe, and actually ships.

---

What’s actually changed (not the press release)

Three concrete shifts matter for teams that ship production systems.

1. Codegen moved from autocomplete to “partial implementer”

Modern LLMs are:

• Capable of implementing entire small features from a ticket description and surrounding code.
• Good at propagating API and pattern usage across a codebase.
• Still fragile around:
  • Edge cases and concurrency
  • Security-sensitive flows
  • Performance characteristics
  • Non-obvious invariants

Result: The model can complete the shape of the solution, but not the guarantees.

2. Testing is now both cheaper and less trustworthy

AI-driven test generation has become:

• Fast at generating:
  • Unit tests with typical and naive edge cases
  • Golden-file tests from examples
  • Basic property tests from typed interfaces and comments
• Weak at:
  • Identifying missing invariants
  • Exercising cross-service workflows
  • Understanding implicit contracts not documented in code

Your test suite can get bigger and more duplicated without getting meaningfully stronger.

3. SDLC artifacts are now “model substrates”

Key SDLC artifacts are being partially or fully generated:

• Design docs
• API specs
• Migration plans
• Release notes
• Incident timelines

That changes their role:

• They become both:
  • Inputs to future AI tooling (RAG, context for codegen/testing)
  • Outputs from current tooling (generated docs, change summaries)

If you don’t design for this, you get:

• Poorly structured, verbose, AI-written docs that are:
  • Hard for humans to scan
  • Hard for models to consume later (no consistent schema, no clear sections)

---

How it works (simple mental model)

Use this mental model for AI + software engineering:

AI is a pattern amplifier sitting inside your SDLC, not a replacement for your SDLC.

Break it down:

1. Pattern detector

   • Trained mostly on open-source code and natural language.
   • Learns:
     • Common API usage patterns
     • Idiomatic error handling
     • Style and naming conventions

2. Pattern amplifier

   • Given your local context (files, repo, tickets), it:
     • Projects learned patterns into your codebase
     • Fills in missing scaffolding
     • Suggests plausible tests and documentation

3. Pattern blind spots
   The model has no guaranteed grasp of your:

   • Latency budgets
   • Failure domains
   • Data sensitivity boundaries
   • SLOs and non-functional requirements

This yields a simple rule:

Let AI propose “what” and “how,” but keep humans as owners of “why” and “where.”

Concretely:

• AI:
  • Writes code scaffolding
  • Suggests tests
  • Drafts design-doc sections
  • Writes migration scripts with guardrails
• Humans:
  • Define invariants and constraints
  • Choose rollout patterns
  • Own irreversible operations (schema deletions, data wipes)
  • Decide which modules are “AI-writeable” vs “handcrafted only”

---

Where teams get burned (failure modes + anti-patterns)

Here are the main failure modes showing up in production teams.

Failure mode 1: “Shallow green” test suites

Pattern:

• Team adopts AI test generation.
• Coverage reports go up.
• Bugs in integration flows remain unchanged or get worse.

Why:

• The model writes tests that:
  • Assert obvious behavior already implied by types.
  • Duplicate each other with slightly different inputs.
  • Miss system-level invariants (e.g., “no double-charge” across services).

Anti-pattern indicators:

• Lots of:
  • test_happy_path_* variants
  • Repetitive assertions on trivial getters/setters
• Few or no:
  • Tests that span multiple services/components
  • Negative tests at boundaries (timeouts, partial failures, stale data)

Mitigation:

• Restrict AI tests to:
  • Unit tests for leaf functions (pure logic, utilities)
  • Golden tests where input/output examples are well-defined
• Require human-authored test plans for:
  • Cross-service flows
  • Security and authz logic
  • Billing, compliance, data retention

Failure mode 2: “Style-consistent” bugs

Pattern:

• The AI produces code that:
  • Looks idiomatic
  • Follows existing patterns
• Reviewers see consistency and under-review the logic.

Example (anonymised):

• A fintech team let AI refactor their retry logic.
• It preserved:
  • Logging format
  • Metrics
  • Config wiring
• It changed:
  • Retry semantics from “at-least once” to “at-most once” for a subset of failures.
• No one noticed until live customer impact.

Mitigation:

• Explicitly flag semantic-risk zones:
  • Idempotency and retries
  • Money movement
  • Deletion and archival
  • Auth and permission boundaries
• For those zones:
  • Either ban AI-generated changes, or
  • Require:
    • Human-written test cases
    • Reviewer checklist focused on semantics, not style

Failure mode 3: “Prompt-flavored” production code

Pattern:

• Developers copy/paste prompt instructions directly into code comments.
• Over time:
  • Comments become long, vague, and model-oriented.
  • Humans stop trusting comments; treat them as noise.

Example:

• A SaaS team allowed “prompt comments” like:
  • // LLM: when adding fields here, remember to update the serializer above.
• Six months later:
  • Half were stale.
  • None were enforced.
  • New hires misread them as guarantees (“this is handled”).

Mitigation:

• Enforce a distinction between:
  • Machine-consumable metadata (annotations, structured comments)
  • Human documentation (rationales, trade-offs)
• If it’s for tools, make it:
  • Short
  • Structured (e.g., @ai-invariant: …, @ai-safe: false)

Failure mode 4: “Invisible shadow tools”

Pattern:

• Individual devs use personal AI tools with no org-level visibility.
• Code quality changes, but you can’t attribute cause.

Example:

• A team noticed a spike in:
  • Subtle security regressions
  • Unusual libraries being introduced
• Only later discovered:
  • Several devs were using models that hallucinated insecure patterns and rare packages.

Mitigation:

• Don’t ban; standardise.
• Provide:
  • Approved tools
  • Logging at least of:
    • Which tool generated a diff (not prompts, not secrets)
    • Which files were heavily AI-modified
• Use that to:
  • Tune code review focus
  • Identify training/education needs

---

Practical playbook (what to do in the next 7 days)

Assuming you’re a tech lead / manager / CTO with an existing codebase.

1. Draw your AI “blast radius” map (2–3 hours)

Classify your code into three zones:

• Green (AI-first allowed):
  • UI components
  • Data mappers
  • Glue code
  • Internal tools
• Yellow (AI-assisted, human-led):
  • Core business logic
  • Public APIs
  • Performance-sensitive paths
• Red (human-only):
  • Security/authz
  • Compliance flows
  • Data deletion/retention
  • Money movement and ledger logic

Capture this in a short doc; share it widely.

2. Update your code review checklist (1–2 hours)

Add explicit AI-awareness to your checklist:

• If the change was AI-generated:
  • Are all new functions covered by non-trivial tests?
  • Does this touch any Red zones? If yes, reject or reimplement.
  • Are there any silent semantic changes (retries, timeouts, error handling)?
• For test changes:
  • Does this test express a real invariant?
  • Or is it just restating types and happy paths?

Make this checklist short and visible in PR templates.

3. Introduce an AI-aware testing policy (half day)

Constrain how you use AI for software testing:

• Allowed:
  • Generate candidates for:
    • Unit tests of pure functions
    • Example-based tests from explicit requirements
  • Convert bug reports into regression tests.
• Required:
  • Human-written:
    • Test plans for new features
    • Integration and end-to-end tests
    • Security and auth tests

Add 1–2 “AI smells” to your review guidelines:

• Test only asserts what the code currently does, not what it should do.
• Test repeats other tests with small, meaningless variations.

4. Run a small, measured experiment (2–3 days)

Pick one Green area, for example:

• Internal admin UI
• Analytics ETL job
• Low-risk internal tool

Run a structured experiment:

• For one week:
  • Encourage heavy AI use for:
    • Codegen
    • Test scaffolding
    • Basic docs
• Measure:
  • Time to complete tickets
  • Review comments per LOC
  • Number of post-merge regressions

You’re not trying to get perfect data, just directional signals for:

• Where AI helps
• Where review breaks down
• What patterns you want to standardize

5. Add minimal metadata for future AI integration (1 day)

Prepare your SDLC artifacts to be machine-usable without drowning humans:

• Design docs:
  • Standard headings:
    • Context
    • `In