AI Generates Code, Who Takes Responsibility?

In my twenty-year career, most of my critical decisions weren't about writing a line of code, but about understanding a system from end to end and taking responsibility for that system. Now, the partner at the keyboard has changed: AI. So, when this new partner makes a mistake, whose desk does the word "responsibility" land on?

Today, almost every developer has an AI tool at their fingertips. Getting AI support to quickly write a function, create a complex regexp, or optimize an SQL query is now routine. But this convenience brings with it a not-so-easy question: When an issue arises in AI-generated code, who bears the cost?

AI's Brilliance and Hidden Shadows

AI can truly work wonders with the right prompts. I often consult AI when developing complex algorithms for my side product's financial calculators or creating frontend components for an operational ERP's operator screens. Sometimes, a single prompt can reduce hours of work to minutes. This speed is invaluable, especially for boilerplate code or complex but standard algorithms.

However, beneath this brilliance lie shadows that are often overlooked. AI cannot fully grasp the holistic architecture of a system, its network topology, specific security policy's, or the intricacies of the current workflow. It only provides the most probable solution based on its dataset and the prompt, which doesn't always mean it's the most accurate or optimized solution.

⚠️ An Example Case

In a manufacturing company's ERP, when I implemented a PostgreSQL index strategy suggested by AI, the performance of certain reports initially increased noticeably. However, a few weeks later, I realized that this new index was causing WAL bloat and crippling vacuum processes. Server disks began to fill up, and I/O latency increased. AI had suggested the best index for the current query but hadn't fully considered the long-term maintenance and performance dynamics of the system, i.e., PostgreSQL's internal workings and its effects on replication. This was not just a code line error, but a lack of architectural foresight.

Whose Fingerprint Is On That Line?

This is where the real issue begins. Does a developer who directly pushes AI-generated code to production assume full responsibility for that code? Or is the AI itself, or the company that developed the AI, responsible? From my perspective, the answer to this question is clear: whoever made that last commit, whoever deployed that code, the responsibility is theirs.

This isn't like copying and pasting a shell script. AI-provided code always requires in-depth review and adaptation to the system's context. Once, in a code snippet I got from AI for a network request in my Android spam application, I noticed that the JWT token was stored incorrectly and could easily bypass the rate limiting mechanism. If I hadn't seen unusual patterns in my Fail2ban logs, this security vulnerability might have gone unnoticed for months.

Architectural Vision and Pragmatic View

As a system architect, I always evaluate AI-provided solutions within the broader picture. For example, when splitting a monolith into microservices, it might be tempting to get code for an event-sourcing pattern from AI. However, when designing an event-sourcing pattern for a bank's internal platform, AI cannot manage the eventual consistency issues, the necessity of the transaction outbox pattern, or the complexity of distributed transactions that this pattern entails. These decisions require a deep understanding of workflow, data consistency, and fault tolerance.

For me, AI is like a co-pilot; it helps you chart the course, handles some automations, but the final decisions always rest with the pilot. In a client project, I even checked line by line the IPSec configs I received from AI for a complex VPN topology. Because issues like MTU/MSS mismatch or routing flap can be hidden even in a configuration that AI deems "logical." AI's understanding of how DSCP/QoS markings are affected at company egress points or whether VLAN segmentation is done correctly is not possible with today's technology.

# An example IPSec config snippet from AI (simplified)
# I always review such outputs carefully.
conn my_vpn
  left=%any
  leftid=@my_server
  leftsubnet=192.168.1.0/24
  right=peer.example.com
  rightid=@peer_gateway
  rightsubnet=10.0.0.0/24
  authby=secret
  auto=start
  ike=aes256-sha2_256-modp1024!
  esp=aes256-sha2_256!

Such outputs are a starting point, not the final solution. Understanding the impact of each parameter on the overall security and performance of the system is the architect's responsibility.

The Future of Code Partnership and the Evolution of Responsibility

AI's code generation capabilities are improving every day, this is undeniable. However, this does not reduce our responsibility; rather, it transforms it. Now, our job is not just to write code, but also to audit, verify, and integrate AI-written code into the entire system. Observability tools, feature flag mechanisms, and canary deployment strategies are becoming even more critical in this new code partnership.

ℹ️ My Approach

I have a set of services running on my own VPS that I continuously develop. For any systemd unit or Nginx reverse proxy configuration coming from AI, I first test it in a small sandbox environment. I check journald logs and cgroup memory.high limits. Because AI cannot know the resource consumption of other services on my bare-metal server or my current Redis OOM eviction policy settings. This is a pragmatic process that requires a manual audit.

So, in this digital partnership, whose conscience will we entrust that final git push to? For me, the answer is clear: always human. What do you think about this? How do you manage the risks brought by AI-generated code? What was your most expensive "AI-induced" mistake?