This week made one thing obvious: AI coding speed is up, but trust in code is now your real bottleneck. The biggest AI risk in software teams right now is not bad output, it’s bad provenance.

Most senior devs I know can smell shaky code in a PR. We’ve trained that instinct for years. What’s newer (and nastier) is code that looks fine, ships fast, and quietly breaks ownership, traceability, or security assumptions. If your workflow still treats AI as “just a faster autocomplete,” you’re defending the wrong perimeter.

A few trend signals lined up this week in a way that matters:

--author flag strategy. Not glamorous, but very real: identity and attribution are now active attack surfaces.

Different stories, same direction: we’re shifting from “Can AI write code?” to “Can our system verify who/what changed code, why, and under what guardrails?”

In a solo project, you can vibe-code and recover. In a team, ambiguity compounds. Here’s what I’m seeing across real delivery environments:

The painful part: velocity looks great on paper right until one messy incident forces a freeze, and then everyone pretends this was unpredictable. It was predictable.

AI didn’t remove software engineering constraints. It moved them. You used to spend more time producing code; now you spend more time proving code deserves to exist.

“Which model should we standardize on?” That’s not useless, but it’s not first-order anymore. Model choice matters, yes. But teams are overfocusing on model IQ while underinvesting in workflow integrity. A stronger model in a weak workflow just lets you create ambiguity at higher throughput.

Contrarian angle: for most teams, upgrading process quality will outperform upgrading model quality. Not forever, but definitely this quarter. If your branch strategy is chaos, your review contract is vague, and your commit identity rules are loose, model gains are mostly cosmetic.
Ask this instead: “At which exact handoffs can low-context AI output become high-impact production risk, and what lightweight controls close those gaps?” Then run this playbook.

Every AI-assisted PR should include:

Keep it short and mandatory. You’re not writing a thesis; you’re creating an audit trail.

If bot noise or unclear authorship is possible in your flow, lock this down now:

The HN bot-spam story is your warning shot: attribution is a security control now.

Stop using one giant “AI helped” bucket. Create 3 lanes:

drafting: scaffolding, boilerplate, test seed generation
transforming: refactors, migrations, repetitive edits
deciding: architecture, security-sensitive logic, data contracts

Lane 3 always gets human-first review. No exceptions.

Most teams polish generation prompts and ignore review prompts. Use reviewer checklists tuned for AI-heavy diffs:

Treat review as an explicit system, not heroics.

Pick one, start simple:

Don’t build a dashboard empire. One honest metric beats ten vanity charts.

Document decisions AI should not make alone in your codebase:

This avoids vague arguments mid-PR and protects your senior engineers from becoming nonstop escalation points.

AI didn’t kill software engineering fundamentals; it just made the fundamentals bill you daily. Teams that win this year won’t be the ones with the flashiest model, they’ll be the ones with the cleanest trust pipeline from prompt to production.
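As an added example, not part of the original post, here is what “attribution is a security control” looks like when CI enforces it. The POSIX shell check below walks a commit range and requires each commit to carry a good signature from a trusted key and to be authored by someone on an allowlist; it also flags commits whose author and committer differ, which is exactly what git’s --author override (or a rebase by someone else) produces. The allowlist, the example addresses and the function names are assumptions, and the check is written as a pure function over git’s own log format so it can be exercised without a repository.

```shell
#!/bin/sh
# Added example: commit-attribution audit for CI. Assumes commits are signed
# (GPG or SSH) so that `git log --format=%G?` can report signature status, and
# that ALLOWED_AUTHORS lists the emails your team actually commits under.
# The addresses below are constructed placeholders.
ALLOWED_AUTHORS="${ALLOWED_AUTHORS:-alice@example.com bob@example.com}"

# check_commit_line "<sha> <sig-status> <author-email> <committer-email>"
# Input is one line of `git log --format='%H %G? %ae %ce'`.
# Returns 0 when the commit passes, 1 when it must block the merge.
check_commit_line() {
  # shellcheck disable=SC2086  # word-splitting the line is intentional
  set -- $1
  sha=$1; sig=$2; author=$3; committer=$4
  ok=0

  # Author must be on the allowlist. Note that the author field is free-form:
  # anyone can set it with `git commit --author`, so this alone proves nothing.
  case " $ALLOWED_AUTHORS " in
    *" $author "*) ;;
    *) echo "FAIL $sha: author '$author' not on allowlist" >&2; ok=1 ;;
  esac

  # The signature is the real control. Only 'G' (good signature, trusted key)
  # passes; 'U' (valid but untrusted key), 'N' (unsigned), 'B' (bad), 'E'
  # (cannot check), 'X'/'Y' (expired), 'R' (revoked) all block.
  case "$sig" in
    G) ;;
    *) echo "FAIL $sha: signature status '$sig' (expected G)" >&2; ok=1 ;;
  esac

  # A mismatch is not a failure by itself (rebases cause it too), but it is
  # the signal a reviewer should see before accepting the attribution.
  if [ "$author" != "$committer" ]; then
    echo "WARN $sha: author $author differs from committer $committer" >&2
  fi

  return $ok
}

# audit_range <rev-range>: run the check over real history, e.g.
#   audit_range origin/main..HEAD
# Returns non-zero if any commit in the range fails.
audit_range() {
  failed=0
  tmp=$(mktemp)
  git log --format='%H %G? %ae %ce' "$1" > "$tmp"
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    check_commit_line "$line" || failed=1
  done < "$tmp"
  rm -f "$tmp"
  return $failed
}
```

Wire `audit_range "origin/main..HEAD"` into the PR pipeline and fail the job on a non-zero exit. Treating ‘U’ as a failure is deliberate: a signature from a key nobody has vouched for tells you the commit was signed, not by whom, which is the gap the bot-spam story exploits.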