The AI productivity conversation almost always stops at year one.
Faster feature delivery. Reduced time-to-merge. Lower cost per story point. The numbers look good. The board approves the rollout.
What doesn't appear in year one: the maintenance curve.
AI-generated code is optimized for the problem in front of the developer at the moment it is written. It is not optimized for the engineer who reads it six months later, the team that extends it at scale, or the incident responder who debugs it at 2 AM. Those costs don't show up in the delivery metrics. They show up in the operations budget. In year two.
WishTree's analysis across multiple case studies puts the maintenance multiplier at 4×. IBM's Institute for Business Value is more specific: organizations that price in technical debt upfront in their AI business cases project 29% higher ROI than those that don't.
That 29% is not a bonus. It's the cost of planning properly.
There is also a security dimension that belongs in the same conversation. MIT Tech Review and Veracode found that 45-48% of AI-generated code contains OWASP Top 10 vulnerabilities. For teams operating under EU AI Act Phase 2 or GDPR — which is most of the DACH market — that is not a code quality issue. It is a DPIA and compliance risk.
The business case math changes significantly when you include year-two maintenance, security remediation, and compliance exposure.
IBM's recommendation is not to slow AI adoption. It is to build the audit cost into the plan from day one.
Has your team modeled year-two maintenance costs in the AI tooling ROI calculation? I'm curious how many have — and how many assumed the cost stays flat.