Tech log · 2026-06-12

What we find when auditing AI-built apps

AI can write a working application in a few hours. That's real, and it's impressive. The problem: working and production-ready are different things, and the difference doesn't show up in the demo. These are the patterns that keep appearing in code generated without engineering supervision.

1. Secrets in the code

API keys written straight into files, .env committed to the repository, database passwords in the frontend. AI optimizes for "make it work now", and the shortest path is putting the key where it's used. Anyone who sees the code sees the keys.

2. Authentication exists, authorization doesn't

Login works, but the server never checks whose data it's serving. Change an ID in the URL and you're reading another user's orders. It's the most frequent and most serious issue we find: the app looks secure because it has a password, but any logged-in client can read everyone's data.
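The missing ownership check from this section, shown as an added example (not code from any audited app): a handler that only authenticates next to one that also scopes the lookup to the caller, plus a small regression check that runs every user against every order. The stores, tokens, function names and order data are all constructed for illustration.

```javascript
// Constructed sample data: two users, one order each.
const ORDERS = new Map([
  [1001, { id: 1001, ownerId: "alice", total: 42.5 }],
  [1002, { id: 1002, ownerId: "bob", total: 310.0 }],
]);
// Constructed session store (token -> user id), standing in for a real login system.
const SESSIONS = new Map([
  ["tok-alice", "alice"],
  ["tok-bob", "bob"],
]);

// Authentication: who is calling? Returns a user id or null.
function authenticate(token) {
  return SESSIONS.get(token) ?? null;
}

// The pattern from the audits: login is checked, ownership is not.
function getOrderVulnerable(token, orderId) {
  const userId = authenticate(token);
  if (!userId) return { status: 401, body: null };
  const order = ORDERS.get(Number(orderId));
  if (!order) return { status: 404, body: null };
  return { status: 200, body: order }; // any logged-in user gets any order
}

// Hardened: the server decides whose data it serves, on every request.
function getOrderHardened(token, orderId) {
  const userId = authenticate(token);
  if (!userId) return { status: 401, body: null };
  const id = Number(orderId);
  if (!Number.isInteger(id)) return { status: 400, body: null };
  const order = ORDERS.get(id);
  // Same 404 for "missing" and "not yours", so responses don't reveal which IDs exist.
  if (!order || order.ownerId !== userId) return { status: 404, body: null };
  return { status: 200, body: order };
}

// Regression check: every user requests every order; returns the cross-user reads.
function crossUserReads(handler) {
  const leaks = [];
  for (const [token, userId] of SESSIONS) {
    for (const [id, order] of ORDERS) {
      const res = handler(token, String(id));
      if (res.status === 200 && order.ownerId !== userId) leaks.push(`${userId}->${id}`);
    }
  }
  return leaks;
}
```

A check like `crossUserReads` belongs in the test suite of every endpoint that takes an ID from the client; an empty result is the pass condition.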

3. Data without a safety net

Validation only in the frontend, no schema migrations, no backups, no transactions where money changes hands. It works until the day it doesn't, and then the data is gone, not just the app.

4. Many dependencies, old and unwatched

AI freely adds a package for every small thing, at the versions it remembers from training, not current ones. The result: dozens of outdated dependencies, some with publicly known vulnerabilities, none ever scanned.

5. Swallowed errors

Empty try/catch blocks, no logging, no monitoring. The app doesn't fail loudly, it fails silently: you find out from customers, a week later, that payments stopped processing.

6. LLM features without guardrails

Chatbots and AI features glued straight onto an API with no cost limits, no prompt-injection protection, and personal data sent to third parties without anyone having decided it should be. The unlimited invoice and the data leak are both one prompt away.

Why it happens

Not because AI is bad at coding. Because AI answers the question it was asked: "make it work". The questions nobody asks are the engineering ones: who is allowed to see this? What happens when it fails? What does it cost at 10,000 users? Who pays the API bill when the code hits an infinite loop?

AI isn't the problem. The missing verification is.

Have an AI-built application? COXSWAIN audits it: fixed price and timeline, a concrete report covering what's good, what's a risk, and a prioritized remediation plan.
