npmrunseb
FR EN
← All writing
Essay · Jun 17, 2026 · 8 min

AI doesn't make you ship faster: it funds the quality you used to sacrifice

AITestingSecurityDependenciesSDD

March 2026. A team I work with ships in two days a feature that would have taken five. The agent did the heavy lifting and the lead is thrilled with the speed gain. The time saved, the team poured straight into the next feature.

Three weeks later, a CVE surfaces on a transitive dependency nobody had ever looked at. Tests showed 82% coverage; opening them up, half of them asserted nothing real. The time AI had saved hadn’t bought more safety. It had bought more surface to defend.

AI didn’t create this problem; it sped up the rate at which we manufacture it. The real gain from agents isn’t delivery speed: it’s a reclaimed effort budget, often called the AI dividend. And the only question that matters is where you reinvest it.

TL;DR — AI agents can significantly cut the cost of producing code. That gain doesn’t improve quality on its own; it frees up time, and therefore a budget that can finally be allocated to the historical blind spots: the real quality and coverage of tests, dependency hygiene, security. Spec-Driven Development is the framework that makes this reinvestment systematic rather than optional. The limitation: the dividend only materializes if a deliberate strategy decides to spend it there. Otherwise, it turns into debt.

Where does the time AI saves actually go?

Into more features, almost always. And that’s exactly the mistake to avoid.

When the marginal cost of a feature drops, the natural pull is to produce more of them. The backlog empties faster, management watches velocity climb. The gain is visible, immediate, rewarded. Nobody gets credit for turning two days saved into two days of hardening a codebase that already worked.

It’s a well-documented trap. According to the 2024 DORA report from Google Cloud, a 25% increase in AI adoption was associated with an estimated 7.2% drop in delivery stability. AI accelerates production. It stabilizes nothing by default.

The AI dividend isn’t time to spend on ever more output. It’s a budget to reallocate toward what you never had time to do.

Is test coverage enough to measure quality?

The answer is simple: no. Coverage measures executed lines, not verified behaviors. And AI makes that misunderstanding more dangerous than ever.

Asking an agent to “write the missing tests” produces, in seconds, a suite that pushes coverage to 90%. The problem: a test can execute a line without asserting anything useful about it. You get tautological assertions, mocks that validate the mock, duplicated happy paths and zero edge cases. The green bar lies; it says “covered”, not “protected”.

The real metric is the mutation score: you deliberately introduce bugs into the code (a > that becomes >=, a + that becomes -) and measure how many the test suite catches. A tool like Stryker Mutator reveals what coverage hides: suites at 85% coverage that kill 40% of mutants. This is where the AI dividend gets interesting. The time saved on producing code pays the cost, long deemed prohibitive, of testing the quality of the tests themselves.

Screen showing colourful lines of code on a dark background A green test suite proves the code runs, not that it’s protected. Photo: Chris Ried on Unsplash.

So the useful reinvestment isn’t “more features shipped” or “more AI-generated tests”. It’s “more tests that kill mutants”: useful, high-value tests, not tests that look good on a dashboard. It’s the same principle as Object Calisthenics turned into machine contracts: you formalize the requirement upfront, the agent handles the repetitive part. The thinking stays human; the grind becomes free.

Why is dependency management the most profitable blind spot?

Because it’s where risk is highest and attention often lowest. Most of a project’s vulnerabilities don’t live in the code you wrote; they live in the code you installed without reading.

According to the 2024 Sonatype State of the Software Supply Chain report, the vast majority of open source vulnerabilities come from transitive dependencies: the ones no developer chose explicitly, pulled in by the dependencies you did decide to use and rarely question. An npm install drags in hundreds of packages whose maintainer nobody on the team knows. It’s the attack surface you neglect precisely because you can’t see it.

Historically, holding this line cost a lot: tracking CVEs, triaging updates, telling the urgent security patch apart from the cosmetic bump, testing that nothing breaks. Thankless work, endlessly postponed. It’s exactly the kind of task the AI dividend lets you fund:

  • Automate detection: Dependabot and Renovate open the version-bump PRs; an agent triages them, reads the changelogs and groups what can be grouped.
  • Assess risk upfront: a tool like Socket analyzes a package’s real behavior (install scripts, network access, filesystem access) before you add it, where manual audit never happened.
  • Validate non-regression: this is where the test quality from the previous section pays its interest; a suite that kills mutants lets you merge a security patch with confidence.

The reinvestment here is almost pure gain: work nobody wanted to do, now within reach because the time exists to supervise it.

Does security really shift upstream with AI?

Yes, provided you spend the dividend on it rather than pocketing it as features. Generated code isn’t safe by nature; it reproduces the patterns from its training, along with the legacy code around it, vulnerabilities included.

Green characters falling on a black background, Matrix-style code rain An agent faithfully reproduces the vulnerabilities it saw in training. Photo: Markus Spiske on Unsplash.

SQL injection, hardcoded secrets, unsafe deserialization, forgotten access controls: an agent faithfully reproduces what it has seen a thousand times, and the catalog of what it has seen includes the entire OWASP Top 10. As code volume grows, the volume of potential vulnerabilities follows. Pouring the time saved into hardening isn’t a luxury; it’s what keeps speed from becoming a security debt with deferred interest.

Concretely, this budget funds what you never instrumented enough: a SAST scan on every PR, threat modeling on sensitive features, focused review on the system’s boundaries (user input, external APIs, authentication). And above all, it funds wiring those controls into the CI/CD pipeline as blocking gates, not as reports you read on Friday. A vulnerability that breaks the build gets handled; a vulnerability in a report gets ignored.

How does SDD turn this dividend into quality discipline?

By writing the quality and security requirements into the contract, where they become non-negotiable instead of depending on the goodwill of a sprint’s final hours.

Everything above shares one weakness: it rests on a team decision to “do it right”, and that decision is the first one sacrificed under pressure. Spec-Driven Development settles this upstream. When the specification is the source of truth that the AI agent consults before every implementation decision, you encode directly into it the criteria that would otherwise evaporate:

  • Acceptance criteria include the edge cases to test, not just the happy path.
  • Architectural invariants include security constraints (“this service never receives unvalidated input”, “no secret outside the secrets manager”).
  • The dependency policy becomes an explicit constraint, not an oral custom.

The AI dividend and SDD complement each other exactly. AI frees the budget; the spec decides where it goes, and makes it enforceable. Without a spec, the time saved falls by gravity back into the “more features” bin. With one, quality and security become part of the definition of “done”, on the same footing as “it compiles”.

The dividend isn’t automatic

AI is an amplifier, not a corrector. It amplifies what’s already healthy in an organization, and it amplifies just as faithfully what’s broken. A team that was cutting tests and ignoring its dependencies won’t become rigorous because it codes faster: it will just accumulate its debt at a higher cadence, as the drop in stability observed by DORA suggests.

The quality dividend is real, but it’s an allocation choice, not a mechanical consequence. The time AI hands back only turns into robust tests, healthy dependencies and hardened code if someone explicitly decides to spend it there, and writes it into the contract. For the teams that make that choice, it’s the first time in a long while that doing it right doesn’t cost more than doing it fast.

Related reading: Specifications, the backbone of AI-assisted development · Object Calisthenics as machine contracts · Securing a GitHub Actions pipeline

FAQ

Does AI automatically improve code quality?

No. AI cuts the cost of producing code, which is a different thing. The time saved only improves quality if the team decides to reinvest it in tests, dependencies and security; otherwise it goes into producing extra features, and debt accumulates faster. The 2024 DORA report from Google Cloud even observed that an increase in AI adoption was associated with a drop in delivery stability. Quality remains an explicit allocation decision, not an automatic side effect of the tool.

Why isn’t test coverage enough to measure a suite’s quality?

Coverage measures the lines of code executed by tests, not the behaviors actually verified. A test can execute a line without making any useful assertion about it, which inflates coverage without protecting anything. It’s a risk amplified by AI, which easily generates high-coverage but low-value suites. The relevant metric is the mutation score: you introduce artificial bugs into the code and measure how many the suite detects. A tool like Stryker Mutator reveals the gap, often wide, between reported coverage and real protection.

How should you manage dependencies added or generated by an AI agent?

By treating adding a dependency as a decision subject to control, not an implementation detail. Most vulnerabilities come from transitive dependencies, never chosen explicitly. Concretely: a behavioral analysis tool like Socket evaluates a package before adoption, Dependabot or Renovate automate version bumps, and a robust test suite validates non-regression on every patch. The time budget freed by AI is what makes this long-postponed work finally sustainable day to day.

Does Spec-Driven Development really strengthen security?

Yes, by shifting security constraints upstream, where they no longer depend on end-of-sprint discipline. A specification encodes security invariants (input validation, secrets handling, access controls) as acceptance criteria the agent consults before generating code. Security stops being an optional review and becomes a condition of “done”. Coupled with blocking gates in the CI/CD pipeline, this approach turns security from a report you ignore into a constraint that breaks the build until it’s satisfied.