I've had three calls in the last month about the same problem. Someone paid an external team to build them something. The team used AI heavily. Now they need to go live and they genuinely don't know if what they got is solid.
Not whether it works - they can see it works. The question is whether it's actually ready. Is the authentication tight? Will it hold under real load? Is the data handling correct, or does it just look correct? Is there anything in there that would make a proper security reviewer wince before it's in production?
That specific anxiety - "it works but I don't know what I'm sitting on" - is new. A few years ago, if you commissioned a build, the team either had the expertise or they didn't, and you had a reasonable feel for which based on who you hired. That heuristic doesn't hold anymore. AI writes code that looks like it was written by someone who knows what they're doing. The variable names are sensible, the comments explain what each function does, there's error handling. It has the shape of something a senior engineer wrote.
But shape and substance aren't the same thing. A senior engineer brings ten years of watching things break - the accumulated experience that shapes decisions you can't see in the code. They write the spec and they know what the spec should have included. AI writes to the spec it's given and has no opinions about what's missing. The gap shows up in the ten things that weren't written, and why.
All three of these calls ended up as the same engagement: go in, map what's actually there, find what's wrong, tell them what to fix before they go live. Two had authentication issues - JWT handling that looked right but had expiry problems, session logic that would allow user enumeration under the right conditions. One had data validation that was solid at the API layer and fell apart when I traced it down to the database. In all three cases, the code had passed internal review and looked fine to the people who'd built it.
That last part matters. Carelessness wasn't the issue. The teams were too close to their own work to see what wasn't there. They knew what the code was supposed to do, so they saw what they expected to see. An independent eye is looking for what it was never told to expect.
The analogy I keep reaching for is a structural survey. You commission a building, you get a survey before you move in - not because you assume the builder cut corners, but because the builder isn't the right person to assess their own work. That's not a judgement on the builder. It's just how trust in structural work has always been established.
AI-assisted builds need the same thing. The fact that it isn't standard practice yet is probably just because this kind of build is new enough that the trust model is still being worked out. Give it two years and it's a line item on every serious project that touches production.
If you're about to go live with something built externally and nobody independent has looked at it, that's the gap.