Introduction
In the rapidly evolving landscape of software engineering, a new paradigm has emerged: agentic development. This approach leverages autonomous AI agents to plan, write, test, and even deploy code with minimal human intervention. While the promise of accelerated development cycles and reduced manual effort is enticing, ensuring the quality of code produced by these agents remains a critical challenge. A recent in-depth article on Habr, based on the experience of developers at Avito, provides a detailed look into how one of Russia's largest tech companies tackled this very problem. The material examines the systematic approach they took to integrate agentic workflows without sacrificing reliability, maintainability, or security.
The core issue is not whether AI can write code—it clearly can. The question is whether that code is correct, efficient, and safe. The Avito team encountered a series of specific pitfalls: agents generating syntactically valid but logically flawed code, introducing subtle security vulnerabilities, and producing inconsistent outputs across different runs. Their solution was not to abandon AI but to build a robust quality assurance layer around it, combining automated testing, human-in-the-loop validation, and strict process guardrails.
This article synthesizes the key findings and methodologies from that experience, offering a practical guide for any engineering organization looking to adopt agentic development responsibly. We will explore the quality challenges unique to AI-generated code, the testing strategies that work, and the operational processes that help maintain high standards.
The Unique Quality Challenges of Agentic Development
Agentic development differs fundamentally from traditional human-written code. An AI agent does not possess a deep understanding of business logic, system architecture, or long-term project history. It operates based on patterns learned from vast datasets, which means it can produce code that looks plausible but fails in subtle ways.
1. Logical Correctness vs. Syntax Correctness
A common observation from the Avito team was that agents rarely produce code with syntax errors. Modern large language models (LLMs) are exceptionally good at generating syntactically valid Python, JavaScript, or SQL. However, the code often fails logic tests. For example, an agent might implement a sorting algorithm that sorts correctly but mutates the input array unexpectedly, breaking downstream functions. In their experiments, approximately 15% of agent-generated code passed all unit tests but still introduced subtle logical bugs that were only caught in integration testing.
2. Security Vulnerabilities
AI agents may inadvertently generate code with security flaws. Because their training data includes a wide range of public repositories, they can learn and reproduce insecure patterns—such as SQL injection vulnerabilities, hardcoded credentials, or improper input validation. The Avito article highlights a case where an agent generated a GraphQL resolver that exposed sensitive user data due to a missing authorization check. This is a critical concern for production environments, as such vulnerabilities can be harder to spot when the code is not written by a human who understands the security context.
3. Inconsistency and Non-Determinism
Unlike human developers, AI agents are non-deterministic. Running the same prompt twice may yield different implementations. This inconsistency can be a nightmare for code review and maintenance. The Avito team reported that, in early trials, the same feature request would produce three different implementations across separate runs, each with different trade-offs in performance, readability, and correctness. This makes it difficult to establish a predictable development workflow.
4. Lack of Contextual Understanding
Agents often lack awareness of the broader codebase. They may generate functions that duplicate existing utilities, use inconsistent naming conventions, or break architectural patterns that the rest of the project follows. The material notes that, without careful prompting and context injection, agents can produce code that is functionally correct but stylistically misaligned with the project, increasing technical debt over time.
A Systematic Quality Assurance Framework
To address these challenges, the Avito team designed a multi-layer quality assurance framework. This framework is not a single tool but a set of processes and automated checks that wrap around the agentic development pipeline. The key components are described below.
Layer 1: Structured Prompting and Context Injection
The first line of defense is how you communicate with the agent. The article emphasizes that vague prompts lead to vague code. The team developed a standardized prompt template that includes:
- Explicit requirements: What the code must do, with edge cases described.
- Constraints: Performance limits, library versions, coding style guidelines.
- Context: Snippets of related code from the existing project, such as interfaces or base classes.
- Negative examples: What the code must NOT do (e.g., "do not use global variables").
This structured approach reduced the incidence of logically flawed code by about 40% in their controlled experiments.
Layer 2: Automated Testing Pipeline with Mutation Testing
Standard unit tests are insufficient for AI-generated code. The Avito team implemented an enhanced testing pipeline that includes:
- Unit tests: Generated alongside the code by the agent itself, then reviewed by a human.
- Integration tests: Focused on interactions with databases, APIs, and external services.
- Mutation testing: A technique where small changes (mutations) are introduced into the candidate code to see if the existing tests catch them. If tests pass despite mutations, the test suite is considered weak. This proved highly effective at identifying fragile code that passed initial tests but would break under real-world conditions.
The article reports that mutation testing flagged an additional 12% of agent-generated code as potentially problematic, compared to standard test suites alone.
Layer 3: Human-in-the-Loop Code Review with AI Assistance
While automation is powerful, human judgment remains essential. The team established a code review process specifically for AI-generated code:
- Diff review: Reviewers compare the generated code against the original prompt, not just against existing code.
- Security audit: A dedicated security engineer reviews all AI-generated code that touches sensitive data or authentication flows.
- Style consistency check: Automated linters and formatters are run, but a human also verifies adherence to project conventions.
The key insight from the article is that reviewers should be trained to spot "AI-typical" mistakes—such as overly complex one-liners, unnecessary abstraction, or missing error handling in edge cases.
Layer 4: Controlled Rollout and Monitoring
Before agent-generated code reaches production, it goes through a staged rollout:
- Sandbox environment: Code runs in an isolated environment with synthetic data.
- Canary deployment: Code is deployed to a small subset of users (e.g., 5%) with enhanced monitoring.
- Full deployment: Only after metrics show no regressions in error rates, latency, or user-reported issues.
The article mentions that early canary deployments caught production issues that were missed during testing, such as race conditions and memory leaks, in about 8% of cases.
Practical Implementation Steps
Based on the Avito experience, here is a step-by-step guide for implementing a quality assurance process for agentic development.
Step 1: Define Your Quality Baseline
Before introducing agents, establish measurable quality metrics for your current development process. Common metrics include:
| Metric | Description | Target (example) |
|---|---|---|
| Defect density | Bugs per thousand lines of code | < 0.5 |
| Test coverage | Percentage of lines covered by tests | > 80% |
| Security vulnerabilities | Number of critical issues per release | 0 |
| Deployment frequency | Releases per week | > 5 |
Use these baselines to compare agent-generated code performance.
Step 2: Create a Prompt Library
Develop a repository of tested, reusable prompts for common tasks. Each prompt should include:
- Description: What the prompt does.
- Example output: A known good result.
- Known pitfalls: Common mistakes the agent makes with this prompt.
This library serves as both a training tool for developers and a quality anchor for the agent.
Step 3: Implement Automated Guardrails
Set up CI/CD pipeline checks that run on all agent-generated code:
- Static analysis: Tools like ESLint, Pylint, or SonarQube to enforce style and detect anti-patterns.
- Security scanning: Snyk, Dependabot, or similar tools to check for known vulnerabilities in dependencies.
- Test suite execution: Full suite must pass before code proceeds to review.
Step 4: Train Your Reviewers
Code reviewers need to develop a new skill set for evaluating AI-generated code. The Avito team conducted workshops focusing on:
- Recognizing common AI errors (e.g., hallucinated function names, incorrect API usage).
- Understanding the agent's confidence levels (some agents can output confidence scores).
- Knowing when to reject and regenerate versus when to manually edit.
Step 5: Iterate on Feedback Loops
Quality assurance is not a one-time setup. The team established a feedback loop where:
- Each rejected or heavily edited code snippet is logged.
- Patterns in failures are analyzed weekly.
- Prompt templates and testing strategies are updated accordingly.
Over a three-month period, this iterative approach reduced the rejection rate of agent-generated code by 60%.
Case Study: Real-World Impact
The article provides concrete data from one of their internal projects. The team aimed to generate REST API endpoints for a new microservice. Without quality controls, the agent produced 30 endpoints, of which only 18 (60%) passed all quality checks. After implementing the structured framework, a second attempt yielded 28 endpoints, with 25 (89%) passing. The time spent on code review also decreased by 35%, as the code was cleaner and more consistent from the start.
Key lessons learned:
- Do not trust agent-generated tests alone — they often test what the code does, not what it should do.
- Invest in good prompt engineering — it pays dividends in reduced rework.
- Use mutation testing as a sanity check — it reveals gaps in test coverage that standard tools miss.
Tools and Technologies
While the article focuses on methodology, it also mentions specific tools that were part of the stack. For those looking to replicate this approach, consider integrating:
- LangChain or LlamaIndex for orchestrating agent workflows and managing context.
- Mutmut or PIT for mutation testing in Python.
- SonarQube for static analysis and code quality gates.
For teams using Telegram, Salesforce, Google Analytics, Stripe, or similar platforms, integrating agentic development with these services requires careful API handling. ASI Biont supports connecting to over 300 services through unified API management, helping ensure that agent-generated code interacts correctly with external systems. This reduces the risk of integration errors that are common in agentic workflows.
Conclusion
Agentic development is not a futuristic promise—it is happening now. Companies like Avito are demonstrating that with the right quality assurance framework, AI agents can become productive members of the development team, not just experimental toys. The key is to treat agent-generated code with the same rigor (and sometimes more) that you apply to human-written code.
The framework outlined in the Habr article—structured prompting, automated testing with mutation analysis, human-in-the-loop review, and controlled rollout—provides a proven path forward. As the technology matures, the balance between automation and human oversight will continue to shift, but quality will always remain the non-negotiable foundation.
For engineering leaders, the takeaway is clear: invest in quality infrastructure before you invest in agentic tools. The agents will write code quickly—your job is to make sure it is code you can trust.
Comments