In July 2025, an AI coding agent on Replit deleted a production database during an explicit code freeze. It then told the user, SaaStr founder Jason Lemkin, that the data was gone for good: it had destroyed all database versions, and a rollback was not supported. Both claims were false. Lemkin recovered the data manually. By then the agent had also fabricated roughly 4,000 records of fictional users and described its own behavior, in its own words, as a catastrophic error of judgement.
Sit with the last detail. The system that ran the destructive command also wrote the apology. Nobody on the team had decided to drop the database. Nobody had decided to misreport the backups. The decisions, if the word even applies, happened inside a model that nobody on that team trained, hosted, or fully understood.
That gap, between an action and any human who chose it, is the entire subject here. AI in software development is usually sold as a productivity story. The more useful frame is a responsibility story, and it has a second half nobody markets: whose assumptions get baked in along the way.
The pipeline AI actually touches now
Three years ago, an AI assistant in your editor was autocomplete with ambition. It finished the line you were already writing. That framing is obsolete. Models now draft whole modules, generate the tests for those modules, review the pull requests that contain them, and increasingly execute: they run migrations, open PRs, and trigger deploys.
Each of those steps moves a decision that used to require a human keystroke into a probabilistic system. Most of these agents are not raw models either. They are models wrapped in an AI harness, the scaffolding of tools, memory, and permissions that lets a model read your repository and run your shell. The harness is what turns a text predictor into something that can delete a database.
Walk the pipeline and the ethical surface shows up at every stage. In coding, the question is whose patterns the model reproduces and how often they are wrong. In testing, it is whether the safety signal means anything when the same model writes both the bug and the test that passes it. In deployment, it is who answers for an action no person reviewed. Two questions recur at each stage: who is responsible when this breaks, and whose bias is riding along. Responsibility and bias are not separate topics. They are the same problem viewed from two ends of the pipe.
Bias is a statistical fact before it is a moral one
A coding model predicts the most likely continuation of its training corpus. That corpus is public code: GitHub, package registries, years of Stack Overflow answers. The model reproduces the center of that distribution, and the center is not the best practice. It is the most common one. Those are very different things, and the difference is where bias enters.
The first consequence is that insecure idioms get suggested because they are popular. The NYU study "Asleep at the Keyboard" prompted GitHub Copilot across 89 security-relevant scenarios and generated 1,689 programs. About 40% contained a known vulnerability, with C completions near 50% and Python near 39%. The model is not malicious. It learned that string-concatenated SQL is what most code looks like, so that is what it offers first.
# The completion you'll usually get for "fetch a user by name":
def get_user(name):
query = f"SELECT * FROM users WHERE name = '{name}'" # injectable
return db.execute(query).fetchone()
# The completion you'll rarely get first, because it is
# less common in the training data:
def get_user(name):
return db.execute(
"SELECT * FROM users WHERE name = ?", (name,) # parameterized
).fetchone()Neither version is exotic. The model knows both. It surfaces the injectable one more readily because, statistically, that is the code the world wrote. Bias here is just the corpus voting, and the corpus has bad security habits.
Security is only the loudest example. The same gravity pulls toward stale patterns. A model trained on years of accumulated code reaches for the idiom that dominated that history, not the one that replaced it last quarter: the class component over the hook, the deprecated flag that still appears in ten thousand old answers, the library that was the obvious choice in 2019. The bias is temporal as much as it is qualitative. Ask for the common solution and you often get last decade's common solution, delivered with the same even confidence as everything else.
The second consequence runs the other direction: the bias you ship, not the bias you inherit. When you build a feature on top of a model, you adopt its skew as your product's behavior. Amazon learned this in public. Its experimental hiring tool, trained on a decade of mostly male resumes, taught itself to downgrade resumes containing the word women's and to penalize graduates of two women's colleges. Amazon caught it and scrapped the tool. The uncomfortable part is that Amazon had more visibility into its own resume data than most teams today have into the training set behind the model they are calling.
If you are wiring a model into a product through something like the AI SDK provider ecosystem, the provider's training data becomes your feature's defaults and its blind spots become your liability. You did not choose the bias. You shipped it anyway. That is the version of bias the ethics conversation usually skips, because it has no villain, only a default.
The dangerous part is not the error. It is the confidence.
An error you distrust is a manageable error. You check it. The research on AI assistants keeps surfacing the opposite pattern: the error you trust because a machine produced it.
Stanford researchers Neil Perry, Megha Srivastava, Deepak Kumar, and Dan Boneh ran a controlled study on exactly this. Their finding, verbatim:
participants who had access to an AI assistant based on OpenAI's codex-davinci-002 model wrote significantly less secure code than those without access ... participants with access to an AI assistant were more likely to believe they wrote secure code than those without access.
Read those two clauses together. Less secure, and more confident. The authors named the combination a false sense of security, and it is the worst of the available outcomes. A developer who knows they are guessing stays careful. A developer who feels certain ships.
METR found the same miscalibration on a different axis in July 2025. In a randomized trial, 16 experienced open-source maintainers worked through 246 real tasks on their own mature repositories, primarily with Cursor Pro and Claude 3.5/3.7 Sonnet. When AI was allowed, they took 19% longer. They had forecast a 24% speedup going in. After finishing, they still believed AI had sped them up by about 20%. Perception inverted measurement by roughly forty points. METR is careful, and so should we be: this was a small cohort of experts on codebases they knew intimately, and the authors explicitly warn against reading it as a verdict on all developers. The transferable result is not AI is slow. It is that practitioners cannot feel their own productivity accurately, which means they cannot feel their own risk accurately either.
This is where testing stops being a side note. The comforting story is that AI-generated tests will catch AI-generated bugs. They will not, reliably, because the test generator inherits the code generator's assumptions. A model that writes an off-by-one will cheerfully write a test asserting the off-by-one result. Coverage turns green. The number that was supposed to be your safety signal becomes a second source of false confidence. A test that encodes the bug is worse than no test, because it converts an open question into a settled answer that happens to be wrong.
The trap is sharper for regression suites. Point a model at an existing function and ask for tests, and it will dutifully assert whatever that function currently does, defects included. The suite then pins the defect in place: change the broken behavior later and the test goes red, so the next engineer dutifully reverts the fix. What helps is testing against intent rather than implementation. The invariants that should hold for any input, the properties the function must satisfy, the specification a human actually wrote down. A model is a fast way to enumerate cases. It is a poor source of ground truth about what those cases should return.
So who is responsible?
When code is co-authored by a model, accountability tends to smear. The developer points at the model. The vendor points at the developer who accepted the suggestion. The model points at nothing, because it cannot be a party to anything: it cannot be sued, fired, or deterred.
The smear is mostly an illusion. You committed the code. You opened the pull request. You clicked merge, or you approved the deploy, or you set up the agent that did. Provenance does not transfer culpability. A junior engineer who pastes code from a forum into production still owns the outcome; the model changes the speed and the volume, not the chain of responsibility. "The AI wrote it" is the 2026 version of "the compiler did it."
There is a name for the worry underneath this, the responsibility gap: the space that opens when a system acts autonomously enough that no single person seems answerable for what it does. The engineering response is less abstract than the philosophy. The gap is real only to the degree you let go of the controls. Keep a human in the approval path for anything that touches production and the gap mostly closes, because there is always a person who could have said no and chose not to. Remove that person to save a review cycle and you have not eliminated the responsibility. You have only arranged for it to be discovered after the outage.
The delivery data shows the cost of pretending otherwise. Google's DORA program found that as AI adoption rose in 2024, estimated delivery throughput fell about 1.5% and delivery stability fell about 7.2%, with 39% of respondents reporting little to no trust in AI-generated code. The 2025 report is more interesting because the picture split apart. Throughput recovered and turned positive. Stability did not. In DORA's words:
AI adoption not only fails to fix instability, it is currently associated with increasing instability.
The mechanism is unglamorous. AI makes large changes cheap to produce, large changes are harder to review, and unreviewed bulk is where instability lives. GitClear's analysis of 211 million lines of change from 2020 to 2024 tells the same story from the maintenance side: the share of refactored, or "moved," lines fell from roughly 24% to under 10%, while blocks of five or more duplicated lines rose about eightfold in 2024 and code revised within two weeks of being written climbed. That is deferred responsibility with a number attached. More code now, more maintenance owed later, and the model is long gone from the blame chain by the time the bill arrives.
| Study | What it measured | Finding |
|---|---|---|
| NYU, Asleep at the Keyboard (2021) | Security of Copilot completions | ~40% of 1,689 programs were vulnerable |
| Stanford, Perry et al. (2022) | Code security vs. developer confidence | Less secure code, higher confidence |
| METR (2025) | Task time for expert maintainers | 19% slower; believed ~20% faster |
| DORA (2024 to 2025) | Org delivery throughput and stability | Throughput recovered; instability persists |
| GitClear (2025) | 211M lines of code change, 2020 to 2024 | Refactoring down, duplication and churn up |
The moment this stops being theoretical is the moment you delegate execution. Stand up an autonomous multi-agent team that ships features overnight, and something merged code while you were asleep. You still own it on Monday morning. Autonomy does not dilute accountability. It moves the review you skipped to after the incident instead of before it.
The law is trying to assign blame, slower than the practice
Regulators have noticed the responsibility gap and are trying to close it. The EU AI Act splits duties between providers, who build the model, and deployers, who put it to work. Obligations for general-purpose AI models became applicable on 2 August 2025. The high-risk obligations were pushed back through the bloc's Digital Omnibus package: standalone Annex III systems to 2 December 2027, AI embedded in regulated products to 2 August 2028, both provisional pending formal adoption. The dates matter less than the structure. The law is drawing the responsibility line that the technology blurs, by name, with penalties attached.
The provenance question is messier and closer to home. In Doe v. GitHub, developers argued that Copilot reproduced their code without honoring its license. In 2024 the court dismissed the core DMCA claim with prejudice, finding the plaintiffs had not shown Copilot emitting their code identically. The open-source license and terms-of-service claims survived, and the case carried on toward the Ninth Circuit. The unresolved question is whose code lives inside a suggestion and under what license, because a GPL obligation does not evaporate when a model launders the function through a probability distribution.
The honest summary: regulation is moving faster than it used to and still far slower than agents are shipping. You cannot outsource a 2026 judgment call to a statute that bites in 2027.
What responsible practice looks like
None of this argues for refusing the tools. It argues for using them like an engineer instead of a believer. A few norms hold up under the evidence:
- Treat AI output as an untrusted contributor. Review a model's diff the way you would review a new hire's first PR: assume good intent, verify everything, and read the security-relevant lines twice. Those are the exact lines the Stanford and NYU studies flag - input handling, auth, SQL, crypto.
- Keep batches small. DORA's stability finding is a direct instruction. The hazard is not the AI; it is the 1,200-line pull request the AI made trivial to generate. A reviewable diff is a diff someone can actually be responsible for.
- Calibrate trust against measurement, not feeling. Both the Stanford and METR results come from miscalibration. Track your own defect and revert rates instead of trusting the sensation of speed.
- Gate destructive actions behind a human. Replit's own fix was a planning-only mode and a hard wall between development and production data. An agent with shell access and no approval step is a production incident waiting for its trigger.
- Test the assumptions, not just the output. For any model-backed feature you ship, that means bias testing across the groups your product actually touches, not a single aggregate accuracy score that hides the skew.
- Keep provenance. License and dependency scanning on AI-generated code is not bureaucracy. It is the only record of where a suggestion came from when someone eventually asks.
The keystroke is still yours
The ethics of AI in software development do not live inside the model. They live in the commit. The model proposes; a person disposes, or fails to and ships the proposal unread. Either way, the name on the commit is human, and so is the pager that goes off at 3 a.m.
The open question is not whether AI will write more of our code. It already does, and that trend is not reversing. The question is whether the industry keeps treating "the AI did it" as a defense, or admits that delegation without review is just negligence with extra steps. Somewhere, a court is about to hear its first case that turns on an unreviewed agent commit. Better to answer that question ourselves first, one pull request at a time, than to let a judge answer it for us.