Aikido Security analyzed 150,000 repos and found AI-assisted PRs introduce 23% more bugs. Vibe coding generates 3.4x more security warnings per line than human code.
Key facts
- 23% more bugs per AI-assisted PR on average.
- 3.4x more security warnings from vibe coding.
- 150,000 repos analyzed by Aikido Security.
- 2.5x more hardcoded credentials in AI code.
- Only 12% of AI code passes static analysis clean.
The security firm Aikido Security examined 150,000 repositories using GitHub Copilot, Cursor, and Claude Code to quantify the impact of AI code generation on code quality. According to the firm's blog post the data spans PRs from January 2025 through June 2026.
Key Takeaways

- AI code assistants increase bug density by 23% per PR; vibe coding yields 3.4x more security warnings.
- Aikido analyzed 150k repos.
The bug density delta
AI-assisted pull requests introduce 23% more bugs per PR on average, Aikido reports. The finding contradicts vendor claims that AI coding assistants reduce defect rates. The effect is concentrated in complex logic — AI code is 2.5x more likely to contain hardcoded credentials than human-written code, and 18% more likely to have SQL injection vulnerabilities.
Vibe coding amplifies risk

The term "vibe coding" — where developers accept AI suggestions without review — correlates with a 3.4x increase in security warnings per line. Only 12% of AI-suggested code passes static analysis without warnings, compared to 31% for human code. Aikido's own security scanners flagged AI code for missing input validation at 2.1x the rate of human code.
What this means for engineering teams
The data suggests AI coding tools trade velocity for quality. Aikido recommends mandatory human review of AI-generated PRs, automated scanning gates, and banning vibe coding in production pipelines. The firm notes that teams using strict review processes saw the bug density gap shrink to 8%, implying process can mitigate but not eliminate the problem.
Google, which competes with OpenAI and Anthropic in the AI coding space via Gemini Code Assist, has not published comparable repo-scale data. [According to the knowledge graph] Google's Gemini 3 Pro and Gemma 4 models are used in its coding tools, but the company declined to comment on Aikido's findings.
What to watch
Watch for GitHub and Cursor to publish their own repo-scale quality data, and for Aikido to release per-tool breakdowns. The Q3 2026 DORA report may include AI code quality metrics.
Source: news.google.com
[Updated 14 Jul via gn_agentic_coding]
Port CEO Zohar Einy called ungoverned AI development "vibe coding slop" in an interview with The New Stack, warning that teams treating AI output as final code are creating a "technical debt bomb." Einy noted that Port's internal analysis of 2,000 engineering teams found those using AI without review processes saw a 40% increase in production incidents within three months [per The New Stack]. He echoed Aikido's call for mandatory human review, adding that organizations should treat AI-generated code as a "first draft, not a final commit."









