In February 2025, Andrej Karpathy coined the term "vibe coding" to describe a workflow where a developer describes what they want in plain English and lets a model write, run, and often merge the resulting code without anyone reading every line. Within months the phrase stopped being a joke and became shorthand for a real fault line running through engineering organizations. Stack Overflow's 2024 Developer Survey found that developers under 25 report meaningfully higher trust in AI-generated code's accuracy than developers with 15+ years of experience, who registered the lowest trust levels of any tenure cohort the survey has tracked. That gap isn't a personality quirk — it shapes who reviews a pull request, who questions an AI-suggested dependency before it lands in package.json, and who catches a hardcoded credential before it merges to main. For a software supply chain security team, that split is the whole ballgame, because risk doesn't enter a codebase evenly. It enters wherever trust is highest and scrutiny is lowest.
Do younger developers actually trust AI-generated code more than senior engineers do?
Yes — and the gap is large enough to show up consistently across independent surveys, not just one outlier study. Stack Overflow's 2024 Developer Survey of over 65,000 developers found that respondents early in their careers were substantially more favorable toward AI tools than those with 15+ years of professional experience, even as overall trust in AI accuracy fell industry-wide between 2023 and 2024. GitHub's own 2023 research on Copilot adoption found similar skew: developers with less tenure adopted AI pair-programming tools faster and reported higher satisfaction, while veteran engineers were more likely to describe AI suggestions as "plausible-looking but wrong in ways that take longer to find than writing the code myself." The pattern tracks with career exposure rather than age alone — engineers who spent years debugging production incidents caused by subtle logic errors have a lower bar for what counts as "looks fine" than engineers whose entire career has included an AI assistant as a default tool.
Why are junior developers shipping AI-generated code faster than they can meaningfully review it?
Because the tooling is optimized for velocity, and junior engineers have less pattern-matching experience to know when generated code merely looks correct. Snyk's AI Code Security Report found that a majority of developers admit to skipping security review on AI-generated code specifically to preserve speed gains, and the effect concentrates among developers with under three years of experience, who are least equipped to spot the failure modes AI models reproduce most often: missing input validation, insecure default configurations, and dependency suggestions that were never vetted. This isn't a discipline problem — it's a calibration problem. A senior engineer who has spent a decade watching SQL injection, path traversal, and SSRF bugs reach production has an internal alarm that fires on pattern recognition alone, often before they've consciously parsed the vulnerable line. A developer two years into their career, working primarily through an AI assistant that writes syntactically confident code, hasn't built that alarm yet, and generative tools are specifically good at producing code that reads as confident regardless of whether it's safe.
Are senior engineers actually better at catching AI-introduced vulnerabilities, or just more skeptical?
Mostly better, but with a blind spot of their own: their threat models predate AI-specific failure patterns that didn't exist when they built their intuition. Experience does correlate with catching classic vulnerability classes faster, and senior reviewers are more likely to question an unfamiliar dependency before approving a PR. But researchers have identified attack patterns that specifically exploit AI-assisted workflows and that don't map cleanly onto pre-AI threat models — most notably "package hallucination," where large language models suggest plausible but non-existent package names, which attackers then register on public registries preloaded with malware. A 2024 academic study examining code generated by 16 popular LLMs found that roughly one in five generated package references pointed to packages that didn't exist at all, and that a meaningful share of those hallucinated names repeated consistently enough across runs to be pre-registered by an attacker — a technique the security community now calls "slopsquatting." A senior engineer scanning a diff for logic errors has no reason to suspect that requests-toolbelt-async isn't a real package unless they specifically check, because the exploit lives in the supply chain, not the syntax.
Is this generational divide showing up in real incidents, or is it still just a survey finding?
It's already showing up in real incidents, not just attitude surveys. In April 2023, engineers at Samsung's semiconductor division pasted proprietary source code into ChatGPT to debug it and summarize meeting notes, prompting the company to ban public generative AI tools on internal devices entirely after three separate leak incidents in under a month — a workflow shortcut that reflected exactly the trust-over-caution pattern surveys describe skewing younger. GitGuardian's State of Secrets Sprawl research has separately tracked a steady rise in hardcoded API keys and credentials detected in repositories with heavy AI-assisted commit activity, consistent with models trained on public code that itself contains exposed secrets, reproducing the anti-pattern for a new developer who has no reason to recognize it as one. Neither incident required a novel attack technique. Both required a human to trust an output because the interface made trust the path of least resistance, and in both cases the people closest to the shortcut were the ones with the least institutional memory of why the shortcut was risky.
What happens when today's junior developers, who trust AI code the most, become tomorrow's senior reviewers?
The trust gap doesn't automatically close with tenure — it risks becoming permanent, because the review culture and tooling being normalized today will be the baseline the next generation inherits. If a cohort of engineers spends its first five years treating AI-suggested dependencies and boilerplate as trustworthy by default, the informal checks senior engineers currently perform — the "wait, why does this need network access" instinct — don't automatically develop just because someone gets promoted. GitLab's Global DevSecOps research has flagged this as an organizational risk rather than an individual one: security ownership is shifting left toward developers at the exact moment a growing share of those developers report the least confidence in manually verifying what a model produced. Without structural controls that don't depend on any individual reviewer's calibration, organizations are effectively betting that institutional caution will regenerate itself. There's no evidence that it does automatically. It has to be engineered into the pipeline instead of assumed to live in someone's head.
How Safeguard Helps
Safeguard is built on the premise that code review calibration — whether it comes from a cautious senior engineer or a trust-first junior developer — should never be the last line of defense against supply chain risk. Safeguard verifies every dependency introduced into a build, whether it was typed by a human or suggested by a model, against real registry data, catching hallucinated and slopsquatted package names before they're pulled into a pipeline regardless of who approved the pull request. It scans AI-assisted commits for hardcoded secrets and insecure defaults at the point of commit, closing the exact gap that let leaked credentials and copy-pasted proprietary code slip through workflows optimized for speed over scrutiny. Safeguard also generates continuous SBOMs and provenance attestations across the software supply chain, so that a dependency's trustworthiness is established by verifiable data rather than by whether the engineer reviewing it happened to have fifteen years of pattern recognition or fifteen months. That matters precisely because the generational divide in trust isn't going away on its own — the developer population is getting younger relative to AI tool adoption every year, not older. Safeguard's approach doesn't ask organizations to bet on any individual reviewer's instincts. It replaces that bet with policy-as-code gates, automated provenance checks, and continuous monitoring that catch what a rushed or under-calibrated review misses, whether the code came from a keyboard or a prompt.