Editorial note: This is informational longform commentary from the specialist perspective of Kendrick. It is not advertising copy, legal advice, accessibility certification, cybersecurity certification, or a guarantee of search ranking.

From the infrastructure and security side, the problem is not that AI writes code. The problem is that AI makes it easy to accept code nobody understands. That is how security debt enters a web project quietly. A landing page generated quickly can look harmless, but modern websites are not just HTML on a screen. They involve forms, analytics, scripts, dependencies, hosting settings, headers, media files, user inputs, third-party services, and sometimes client data. Every piece has risk.

A real website deserves a deployment standard. Where is it hosted? What headers are set? Are forms protected from spam and abuse? Are dependencies necessary? Are scripts loaded from trusted sources? Are secrets exposed? Are assets optimized? Are backups or rollbacks possible? Is there a change history? Can someone else maintain it? AI-generated builds often skip these questions because the page appears to work locally.

DORA's caution about AI tradeoffs is relevant here. Productivity gains do not automatically translate into stable delivery. If AI helps someone ship faster but the team does not review, test, and control the environment, speed becomes risk. Web work is full of small decisions that become expensive later: one unnecessary library, one unsafe embed, one unvalidated form, one third-party script, one confusing redirect, one oversized asset.

Security debt is not always dramatic. Sometimes it looks like a contact form that sends to the wrong place. Sometimes it is a public file that should not be public. Sometimes it is a stale JavaScript dependency nobody owns. Sometimes it is no content security policy, no referrer policy, no clear deployment path, and no documented admin access. Those are not exciting issues, but they are the difference between a surface and an operating asset.

Performance and security overlap more than people think. HTTP Archive's page weight research shows that modern pages keep getting heavier, and JavaScript is expensive because browsers must parse and execute it. Unnecessary code is not only a speed problem. It is also a review problem. The more code you ship, the more code you have to trust. The more third-party scripts you load, the more external behavior you invite onto your site.

Accessibility also connects to this. WebAIM's 2026 report found large numbers of detectable accessibility errors across the top one million home pages. That tells me many sites are still shipping without enough review. AI can generate accessible patterns, but it can also generate bad ARIA, unlabeled controls, weak contrast, and structures that appear fine visually while failing real users. Security, accessibility, and performance all punish teams that only inspect the surface.

A serious AI-assisted web workflow should include a security checklist before deployment. Static sites still need headers. Forms still need validation and spam controls. Media still needs size limits. Admin access still needs ownership. External services still need review. Scripts still need a reason to exist. If the site has a brain room, knowledge base, chat surface, or downloadable files, those assets should be intentionally public and documented.

The landing-page mindset says, 'It looks good, ship it.' The infrastructure mindset says, 'Who owns it after it ships?' That question changes everything. A website that no one can maintain becomes a liability. A website that no one can secure becomes a risk. A website that no one can explain becomes a dependency on luck.

My bottom line is that AI can assist a build, but it cannot be the only control point. If you use AI to generate web code, review it like code, not like copy.

That is the real difference between using AI and being used by AI. A serious operator can use the tool to move faster while still keeping the architecture, the standards, and the proof under human control. A weak operator lets the tool produce confidence before the business has earned it. In web development, that distinction shows up immediately: real websites answer harder questions than landing pages, and they keep answering them after the first impression is over.

The practical correction is not complicated, but it does require discipline. Before approving another AI-generated web page, I would ask the team to name the visitor, the decision, the evidence, the maintenance owner, the performance expectation, the accessibility check, and the next operating step. If those pieces are missing, the page may still be useful as a draft, but it is not ready to represent the company.

That is the real difference between using AI and being used by AI. A serious operator can use the tool to move faster while still keeping the architecture, the standards, and the proof under human control. A weak operator lets the tool produce confidence before the business has earned it. In web development, that distinction shows up immediately: real websites answer harder questions than landing pages, and they keep answering them after the first impression is over.

The practical correction is not complicated, but it does require discipline. Before approving another AI-generated web page, I would ask the team to name the visitor, the decision, the evidence, the maintenance owner, the performance expectation, the accessibility check, and the next operating step. If those pieces are missing, the page may still be useful as a draft, but it is not ready to represent the company.

That is the real difference between using AI and being used by AI. A serious operator can use the tool to move faster while still keeping the architecture, the standards, and the proof under human control. A weak operator lets the tool produce confidence before the business has earned it. In web development, that distinction shows up immediately: real websites answer harder questions than landing pages, and they keep answering them after the first impression is over.

Research Sources

  1. DORA, 2024 Accelerate State of DevOps Report

    DORA found that AI adoption can increase individual productivity, flow, and job satisfaction, but also reported negative effects on software delivery stability and throughput when fundamentals are weak.

  2. Google Search Central, Core Web Vitals

    Google describes Core Web Vitals as real-world user experience metrics for loading performance, interactivity, and visual stability: LCP, INP, and CLS.

  3. HTTP Archive, 2025 Web Almanac: Page Weight

    HTTP Archive reported that median mobile home page weight reached 2,362 KB in July 2025, a 202.8% increase over the decade since July 2015.

  4. WebAIM Million, 2026 Accessibility Report

    WebAIM detected 56,114,377 accessibility errors across one million home pages in 2026, averaging 56.1 detectable errors per page.