This asymmetry will become one of the central problems of software engineering over the next decade.

Over the last months I built a system to address it: a deterministic verification pipeline for AI-generated software.

The system is already in use on a real project with: 100+ iterated releases, 2,446+ automated tests, 12 static analysis modules, 9 supply chain verification phases.

Only after building the system did I write the paper that describes it: Deterministic Artifact Verification Pipelines for AI-Generated Software Systems (Bilotta, 2026).

The central idea: instead of verifying commits or code snippets, we treat every AI output as a complete release artifact. Each artifact passes through a deterministic pipeline that verifies structure, policy, tests, runtime, dependencies, security, and operational behavior.

Concrete example: if the AI modifies a file but doesn't declare it in the manifest, the pipeline halts. Other checks: verification under real network traffic; dependency audit, SBOM, CVE check.

Each phase produces structured evidence artifacts (logs, stack traces, diffs, security reports). These artifacts are then fed back to the AI as correction context.
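A sketch of the manifest check described above, emitting the kind of structured evidence a phase would hand back as correction context. This is an added example, not code from the pipeline or the paper; the function names, the manifest as a plain set of paths, the evidence fields, and the rule that a declared-but-unchanged path also halts are all assumptions.

```python
import hashlib
import json


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def changed_paths(baseline: dict, artifact: dict) -> dict:
    """Map each path that differs between two file trees to its change kind."""
    changes = {}
    for path in sorted(set(baseline) | set(artifact)):  # sorted => stable output
        if path not in baseline:
            changes[path] = "added"
        elif path not in artifact:
            changes[path] = "deleted"
        elif digest(baseline[path]) != digest(artifact[path]):
            changes[path] = "modified"
    return changes


def manifest_gate(baseline: dict, artifact: dict, declared: set) -> dict:
    """Halt unless the actual change set equals the declared change set."""
    actual = changed_paths(baseline, artifact)
    undeclared = [{"path": p, "change": k}
                  for p, k in actual.items() if p not in declared]
    # Assumption: a path declared as changed but byte-identical is also an error.
    phantom = sorted(declared - set(actual))
    return {
        "phase": "manifest",
        "verdict": "halt" if undeclared or phantom else "pass",
        "undeclared_changes": undeclared,
        "declared_but_unchanged": phantom,
    }


# Constructed sample input: previous release, new AI output, declared manifest.
BASELINE = {"app/main.py": b"print('v1')\n", "app/auth.py": b"CHECK = True\n"}
ARTIFACT = {"app/main.py": b"print('v2')\n", "app/auth.py": b"CHECK = False\n"}
DECLARED = {"app/main.py"}  # app/auth.py was changed but not declared

if __name__ == "__main__":
    evidence = manifest_gate(BASELINE, ARTIFACT, DECLARED)
    print(json.dumps(evidence, indent=2, sort_keys=True))
```

The gate compares content hashes rather than trusting anything the generator reports, so the same inputs always produce the same verdict and the same evidence.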

In this way the pipeline becomes a "deterministic oracle" that separates the AI's probabilistic generation from release decisions.

The framework directly addresses the software supply chain security problem in the age of generative AI: how to distinguish a verified artifact from a merely plausible one.

Software artifacts are hypotheses. They are never trusted. They are verified.

Paper: "Deterministic Artifact Verification Pipelines for AI-Generated Software Systems" — Bilotta, Draft v1.0, March 2026