The review burden is what leadership teams most often miss. When developers accept less than half of what AI generates and spend nearly a tenth of their time cleaning output, that cost is real. It falls on your most experienced people.
Security risk adds to this. One large study found average hallucinated package rates of at least 5.2% for commercial models and 21.7% for open-source models. A separate study of 733 AI-generated code snippets found security weaknesses in 29.5% of Python samples and 24.2% of JavaScript samples. In fintech, payments or any regulated product, a single bad dependency or weak code path can wipe out significant productivity gains.
DORA’s 2025 research adds a system-level warning. A 25% increase in AI adoption was associated with a 1.5% reduction in delivery throughput and a 7.2% reduction in delivery stability. AI behaves like an amplifier. Strong engineering systems get stronger. Weak ones get noisier.
Speed at the keyboard is not the same as shipping correct change faster. The right question is not whether AI can write code. It is whether the team ships the right change faster once review, testing, cleanup and rollback are counted.
That question leads to a practical operating model.
Divide work into three zones and apply them consistently.
| Zone | Work types | AI role |
| Green | Tests, documentation, adapters, boilerplate, internal tools, reporting scripts, low-risk refactors | AI works freely |
| Yellow | Shared business logic, integration work, cross-module refactors | AI assists with strong tests and human review |
| Red | Payment flows, reconciliation, authorisation, secrets handling, compliance controls, cryptography, core infrastructure | AI drafts only; human authorship required |
The red zone is not theoretical caution. In regulated products, a hallucinated dependency or a weak authorisation path carries commercial and legal consequences, not just technical ones.
Track the full delivery flow, not just how fast code appears.
Metrics that matter:
Code volume and typing speed are not useful signals. METR is a reminder that developers can feel faster while the system gets slower. DORA confirms that local optimisation does not automatically improve delivery.
Keep pull requests small. AI increases the volume of change, and that only helps if the rest of the system can safely absorb it. Small batches, strong CI, automated tests, human review and easy rollback matter more after AI adoption, not less.
The tools are improving. In February 2026, METR noted that newer agentic tools likely outperformed the early-2025 versions, though selection bias in the follow-up data made the exact improvement hard to measure. The percentage will keep moving. The management principle will not. Trust measured outcomes, not demos or vendor claims.
AI works best as a fast but uneven junior pair. Give it bounded tasks, demand tests, keep changes small and never confuse draft generation with engineering judgement.
At WislaCode, we apply this directly in our fintech and payments work. Every AI-generated change has to be explainable by an engineer, validated by automated tests and safely reversible before it goes near production.
Divide work into risk zones. Use AI freely on tests, documentation, boilerplate and low-risk refactors. Apply human review on shared business logic and integration work. Keep payment flows, authorisation, secrets handling and compliance controls under human authorship at all times.
Track lead time for changes, review time per pull request, reopen rate, rollback rate and escaped defects. Code volume and typing speed are not useful signals. DORA research shows that local speed gains do not automatically improve system-level delivery throughput or stability.
The main hidden cost is review burden. Developers in real teams accept less than half of AI-generated output and spend measurable time cleaning the rest. That overhead falls on senior engineers and compounds when security weaknesses or hallucinated package references slip through into regulated codebases.
Tasks with a clear, testable definition of done are the safest. These include test generation, documentation, API adapters, data mapping, boilerplate and bug fixes that start from a failing test. The common factor is that output is easy to verify, easy to roll back and low-risk if wrong.
No. Research shows results vary significantly by task type and codebase maturity. Experienced developers working in large, complex repositories can be slower with AI tools because the verification overhead outweighs the generation speed. Junior developers on well-scoped tasks tend to see stronger gains.
Viacheslav Kostin is the CEO of WislaCode. Former C-level banker with 20+ years in fintech, digital strategy and IT. He led transformation at major banks across Europe and Asia, building super apps, launching online lending, and scaling mobile platforms to millions of users.
Executive MBA from IMD Business School (Switzerland). Now helps banks and lenders go fully digital - faster, safer, smarter.
