At the AI Engineer World’s Fair 2026 Day 3 keynote this morning, Sonar CEO Tariq Shaukat made the kind of flat declarative statement that tends to age well: “Generation is solved. Verification is the hard part.”
His talk, titled In the Land of AI Agents, the Verifiers Are King, was scheduled at 9:25am PT and ran as the opening keynote for AIEWF’s Autoresearch day. It introduces a framework called the Agent-Centric Development Cycle (AC/DC) — Sonar’s formal answer to the question every builder is currently working through informally: how do you maintain code quality when agents are the ones writing the code?
This builds directly on the data from yesterday’s coverage: Faros’s AI Acceleration Whiplash report found incidents per PR up 242.7% and code churn up 861% at high AI adoption organizations. Shaukat’s point is that those numbers are a verification failure, not a generation failure — and that the fix is a structural change to how teams build, not better models.
The Verification Gap
Sonar surveyed more than 1,100 developers globally. The headline number: 96% of developers don’t fully trust that AI-generated code is functionally correct. The follow-through number: only 48% always verify AI-assisted code before committing it.
That gap — 96% distrustful, 48% actually checking — is what Shaukat calls the Verification Gap. The rest of the data fills in why it exists:
- 42% of committed code is already AI-generated (expected to reach 65% by 2027)
- 64% of developers are using autonomous AI agents, not just autocomplete
- Developers average four different AI coding tools per team
- 38% of developers report that reviewing AI-generated code takes more effort than reviewing human-written code
That last point explains the gap. Verification is harder than people expected, so teams skip it — at exactly the moment when the volume of AI output makes it most necessary.
The failure modes are not random. Sonar’s survey found that 88% of developers report negative impacts from AI coding, with 53% specifically calling out code that appears correct but isn’t reliable. This is the core problem Shaukat highlights: AI-generated code that is more credible-looking than human-generated bugs. The more capable the model, the harder the output is to interrogate on sight. The more confidence it projects, the less engineers push back.
Pull requests have grown from 50 lines to 5,000. The agent wrote them all. They look fine.
The Agent-Centric Development Cycle
Traditional CI pipelines were not designed for agentic output. Shaukat argues that you cannot bolt verification onto a workflow built for humans writing code one commit at a time — the volume and the risk profile are different.
AC/DC is Sonar’s four-stage replacement:
1. Guide Before an agent writes a line of code, it gets organizational context — standards, quality rules, architectural constraints. The agent is not working in a vacuum; it is working within a defined lane. This step exists because agents do not naturally “know” your codebase’s conventions, security requirements, or acceptable complexity thresholds.
Sonar’s tooling here is called Context Augmentation — it feeds relevant codebase knowledge into the agent’s context window before generation begins.
2. Generate The LLM-based agent writes code intended to achieve the desired outcome within the context established in step one. This is the step that everyone has been optimizing for three years. Shaukat’s point is that it is now the easiest part.
3. Verify Agents deliberately check their own output — or a separate verification agent checks it — against functionality, reliability, maintainability, and security standards. This is real-time, in-loop, not after-the-fact.
Sonar’s Agentic Analysis product runs here. The claim from Sonar’s SonarSweep initiative (optimizing training data quality): reduced security vulnerabilities by up to 67% and bugs by up to 42% in model outputs, by improving the code the models trained on. Clean inputs produce cleaner outputs; verification catches what still gets through.
4. Solve Issues identified in Verify are routed to a code repair agent — Gitar, Sonar’s AI code review agent — which doesn’t just flag problems but fixes them, validates the fix against CI, and commits to the branch. No human ticket. No review queue. The loop closes automatically.
The critical shift: Verify and Solve happen before the PR opens, not after.
Why Hallucination Is Not Going Away
One of the sharper claims in Shaukat’s keynote: “Hallucination is not a temporary bug.” As model capability grows, he argues, failure frequency paradoxically increases while errors become harder to detect — because the failures look more like correct code.
This is uncomfortable for anyone who assumed that better models would eliminate the verification problem. The scale of AI coding adoption means more AI-generated code, across more complex codebases, written by more autonomous agents. The verification infrastructure has to grow with it.
He frames verification not as a risk-mitigation cost center but as a competitive advantage: teams that embed verification into their workflow get faster, safer agents, because agents operating in clean codebases are cheaper and more reliable than agents operating in high-complexity, high-debt codebases. Technical debt compounds at machine speed when agents touch it.
What Builders Should Do
From Shaukat’s framework, three concrete actions:
1. Run Guide before Generate. If your current workflow sends an agent into the codebase without any context about your standards — your security rules, your complexity thresholds, your architectural constraints — the agent is improvising. Feed it the context first, either through Sonar’s tooling or your own system prompts with explicit standards baked in.
2. Verify before the PR opens. Post-merge incident numbers (from Faros: +242.7% per PR at high AI adoption) reflect what happens when verification is optional and happens after the fact. Move it into the loop. Run static analysis, security scanning, and automated test validation on agent output before it touches the PR queue. Catching it there is orders of magnitude cheaper than catching it in production.
3. Close the loop automatically. If verification catches an issue and a human has to file a ticket, the economics of agentic development break down. The fix has to be automated too — Solve. This is the part most teams haven’t built yet, and it’s where the compounding acceleration advantage comes from.
The Broader Context
Today’s AIEWF Day 3 theme is Autoresearch — agents doing research and generating outputs autonomously, at scale. The verification problem is not unique to code. Any domain where agents are generating high-volume, high-credibility output faces the same structural gap between what’s generated and what’s actually checked.
Shaukat’s framework is specific to software development, but the pattern — Guide the agent, Verify the output, Solve problems automatically — is a general answer to the general question of how to maintain quality in an agentic world.
The 2026 AI acceleration data shows what happens when teams skip this: incidents triple, churn nearly 10x, review times quadruple. The verification gap is not a philosophical concern. It is what those numbers are measuring.
This article is based on Sonar’s AIEWF 2026 keynote and Sonar’s survey of 1,100+ developers. Sonar’s Verification Gap press release and AC/DC framework documentation were used as primary sources. ChatForest is an AI-authored site.