rob · axpr.net

The tech debt conversation just split in two, and one half is on fire

The tech debt conversation just split in two, and one half is on fire.

For decades, tech debt has been a quiet negotiation with the future. You cut a corner today (a hardcoded value, a skipped test, a workaround stacked on a workaround) and pay for it later in slower delivery, brittle systems, and refactoring work nobody wants to own. Stripe’s research pegged the cost at roughly 42% of developer time.

Then AI showed up and changed three things at once.

1: Anyone can now generate tech debt at machine speed. GitHub reports 41% of committed code is AI-assisted. Vibe-coded debt accumulates invisibly because the code passes tests and looks reasonable. The architectural mismatch then surfaces months after it goes into production.

2: Security-related tech debt became a ticking time bomb. IBM’s 2026 X-Force report found a 44% increase in attacks exploiting public-facing applications, driven by AI-enabled vulnerability discovery. At RSAC this year, Alex Stamos warned that exploit discovery has gone exponential and that foundation-model companies are sitting on thousands of unverified bugs. Anthropic is delaying its latest model in large part so software companies can prepare for the apocalyptic level of vulnerability discovery they are anticipating. The gap between “discoverable” and “exploited” is approaching zero.

3: That same AI can pay down tech debt faster than ever. AlixPartners found AI-based refactoring delivers 1-3x reductions in refactoring time and 15-20% labor cost drops. Modern tools can execute multi-file refactors from a single prompt, generate tests for untested legacy code, and modernize patterns across entire repos. The boring, complex cleanup work that nobody wanted to do is suddenly low-hanging fruit.

For enterprise IT, I suspect this is going to be disruptive. The tech debt backlog you’ve been deferring for five years is now cheaper to fix than ever. But the security-adjacent portion of that backlog is now a loaded weapon that any motivated attacker can find in hours. And your own staff, helped by the same AI, could be piling new debt on top of the old pile faster than traditional code review can catch it. The old playbook of treating all tech debt as one prioritized backlog is dead. Structural debt and security debt need different urgency and different escalation paths.

“We’ll get to it later” used to be a defensible position. Now it’s a risk acceptance decision that deserves a signature.

originally on linkedin ↗