AI-built apps are fragile when they evolve

Detailed Analysis

AI-generated application development tools such as Claude Code and Cursor have dramatically accelerated the pace at which developers can build functional software, but a persistent and underappreciated vulnerability has emerged as those applications evolve over time. Engineers working with these tools report that incremental changes to codebases — changes that appear minor on the surface — can silently introduce serious security and data integrity failures. The failures documented include broken authentication flows, collapsed permission boundaries, and data isolation errors severe enough to expose one user's records to another. Critically, these breakdowns do not arise because the AI generated incorrect code in any conventional sense; rather, the AI tools produce syntactically and functionally valid code that nonetheless violates the underlying business logic of the system.

The root cause identified by practitioners is a structural gap between code generation and intent preservation. AI models generate code by recognizing and reproducing patterns from existing structure — they parse what a codebase looks like and extend it accordingly. What they do not retain is any representation of why the system was designed the way it was. Ownership rules, multi-tenancy boundaries, and access control hierarchies are implicit in the architecture but not surfaced as explicit constraints the model can reason against. When a developer asks the AI to modify a feature, the model may satisfy the immediate request while silently violating an invariant it was never made aware of. This means the failure mode is not a crash or an obvious bug, but a quiet regression in a security or authorization property — precisely the category of defect most likely to escape routine testing.

The mitigations that have proven effective share a common principle: externalizing implicit knowledge into explicit, enforceable structure. Moving ownership rules into clearly declared data models, enforcing authorization checks at the API layer rather than delegating them to frontend logic, and resisting the temptation to let the AI infer business rules from code alone all serve to constrain the solution space within which the model operates. When guardrails are made structurally visible rather than contextually assumed, the AI's pattern-matching behavior becomes less likely to violate them inadvertently. This is an architectural discipline familiar from traditional software engineering — defense in depth, least privilege, separating concerns — but it takes on renewed importance when a generative model is authoring large portions of the codebase.

The broader trend this reflects is the maturation of developer expectations around AI coding assistants. The initial wave of enthusiasm focused on velocity: how quickly could these tools produce working prototypes. The current phase is grappling with durability: whether applications built with AI assistance hold up as they grow in complexity and change over time. The specific failure pattern described — correctness at generation time, fragility at evolution time — suggests that AI coding tools are presently better modeled as first-draft collaborators than as systems with persistent understanding of a project's semantic constraints. This has significant implications for production software, where the lifecycle of an application spans months or years of iterative change rather than a single generation event.

The episode also highlights a gap in how AI-assisted development workflows are currently structured. Most AI coding tools optimize for the moment of generation, offering suggestions, completions, and refactors based on visible code. They lack mechanisms for encoding and enforcing project-level invariants — the kind of durable, cross-session knowledge that a senior engineer carries implicitly. Until such tools can represent and reason against a system's intent as a first-class concern, the responsibility for maintaining those invariants falls entirely on the human developer. The emerging best practice, borne out by practitioner experience, is to treat AI-generated code not as authoritative but as a draft that must be audited against explicit, human-defined rules before being trusted in security-sensitive contexts.