Independent technical due diligence · Codebase integrity audits

Every codebase now has a second author. Nobody has vetted its work.

AI now writes about 41% of the world's new code. It works at superhuman speed, remembers nothing about your architecture, holds no equity, and cannot be interviewed. INGENIZE runs the independent audit that tells founders, investors, and boards what the second author actually built — before a raise, an acquisition, or an enterprise deal depends on it.

Fixed price · 5–10 business days · Senior engineers and former CTOs only · We audit. We never sell the fix. · The doctrine
0%
of committed code is now AI-assisted
Stack Overflow 2025
increase in duplicated code blocks since AI assistants arrived
GitClear · 211M lines
0%
of the time, AI-generated code introduces a security vulnerability
Veracode 2025
1in5
dealmakers walked away from a deal over AI concerns about the target
2026 dealmaker survey
§ 01THE SHIFT What changed

Software changed authors.
Diligence never noticed.

For fifty years, evaluating software meant evaluating people. You interviewed the CTO. You read the commit history. You asked who built the billing system and whether she still worked there.

Every diligence checklist ever written rests on one assumption: a person wrote this, and a person can answer for it. That assumption quietly expired. In under three years, AI-assisted code went from novelty to roughly two-fifths of everything committed. Copy-paste now outpaces refactoring for the first time in recorded history — GitClear measured refactoring collapsing from 25% of all code changes to under 10%, while duplicated blocks rose eightfold. And newer models write more code, not safer code: the vulnerability-introduction rate has stayed flat at ~45% across model generations.

The volume of software is exploding. The number of humans who can answer for it is not.

Watch it happen — every line below entered a production codebase without a human answering for it:

repository of recordunvetted lines: 12,408
FINDING · HIGH
Tests assert the implementation, not the requirement. Coverage 94%. Assurance: minimal.

Read the evidence library →

§ 02RISK
CLASSES
The invisible risks

The second author leaves four kinds of risk behind. All four are invisible to a demo.

01 · PROVENANCE GAP

Nobody can say what the machine wrote

Ask a management team what share of their codebase is AI-generated, from which tools, reviewed under what policy — and watch the answer. Investor-side counsel now flags the absence of that answer as a material finding in itself. If no one can say what the second author wrote, no one can say what the company owns.

02 · DUPLICATION DEBT

One bug. Forty homes. Each drifting.

AI assistants don't know your existing modules exist, so they write new ones. Duplicated blocks are up eightfold; cloned code carries 15–50% more defects. When a security patch lands, every copy must be found and fixed independently — on its own schedule.

03 · COMPREHENSION COLLAPSE

Key-person risk, without the person

The old nightmare was the one engineer who understood the payment system. The new one is worse: code that no one on payroll fully understands. Three-quarters of developers using AI tools report shipping code they don't fully understand at least some of the time. It runs today. A buyer asks about the day it doesn't.

04 · CONFIDENCE INVERSION

The greener the dashboards, the less the green means

Here is the cruelest property of AI-generated code: it looks better than human code. Consistent formatting. Abundant comments. Passing tests — often written by the same model that wrote the bug. Your metrics were designed to catch human failure modes. This is not human failure.

"I don't think I have ever seen so much technical debt created in such a short period of time in my 35-year career."

— Kin Lane, veteran technologist, on AI-generated code (LeadDev)

§ 03INVERSION Flip the card. That's the audit.

What your dashboard says. What an auditor finds.

Two views of the same evidence. Click each card.

Illustrative composites drawn from the published evidence base and our calibration audits — not client data. How findings are scored →

§ 04THE GAP Why current due diligence misses it

Traditional due diligence audits the past. This risk lives in the last 24 months.

Standard technical DD was engineered for a different question: did competent humans follow a sane process? So it checks the SDLC, counts the senior engineers, reads the architecture diagram, scans for known CVEs and license conflicts. All still necessary. None of it detects a Provenance Gap or a Comprehension Collapse — those aren't process failures. The process was followed. The author changed.

The market already senses it. One in five strategic dealmakers walked away from a deal over AI-related concerns about the target. Roughly a third of deals collapse at the final diligence hurdle — increasingly over gaps that were knowable months earlier. And the cost of late discovery is documented: production-hardening machine-written code runs 2–4× the original build time. Whoever owns the codebase when that invoice arrives, pays it.

The question is no longer whether someone will audit the second author's work. It's whether you'll be holding the report — or receiving it.

§ 05TOOLS Why scanners aren't enough

Your scanner is not lying to you. It's answering a smaller question.

Static analysis, code-quality dashboards, security scanners — keep them all. We read their output as evidence. They measure what can be measured mechanically: syntax, known vulnerability signatures, complexity scores. Useful signal. But no tool can tell you:

whether the architecture was designed or merely accumulated;

whether the team can extend this codebase, or only prompt at it;

whether the roadmap the company just pitched is one the codebase can survive;

what a hostile diligence team will conclude — and how it will move the price.

Tools measure. Judgment decides. A Technical Integrity Audit is what happens when calibrated senior engineers apply one rubric, against benchmarks, to your codebase — and sign their names to the answer.

§ 06METHOD The INGENIZE methodology

One instrument. Five dimensions. A score a board can act on.

Every Technical Integrity Audit™ evaluates the same five dimensions, on the same published rubric, benchmarked against comparable-stage companies.

DimensionThe question it answers
1 · Architecture & ScalabilityDesigned or accumulated — and what breaks at 10× load.
2 · Code Quality & AI-Code RiskProvenance mapping, duplication debt, churn patterns. The four risk classes, scored.
3 · Security PostureThe vulnerability classes AI writes at a 45% clip — plus the classics.
4 · Delivery Capability & Key-Person RiskCan this team, as constituted, execute the roadmap it pitched?
5 · Documentation & IP HygieneWhat the data room will look like under hostile light.

Read-only access. NDA before anything else. Senior reviewers only — staff-level engineers and former CTOs, every one named in your report. Five to ten business days, fixed price, no surprises.

Read the full methodology →

§ 07REPORT What you hold at the end

The report is the product

  • The Integrity Report — scored across all five dimensions, written for an investment committee and a board, not just an engineering team.
  • The Risk Heatmap — every finding placed by severity and cost-to-carry.
  • The Provenance Map — the first honest answer to "how much of this did the second author write?"
  • The Priority Ledger — what to fix, in what order, with cost ranges. You fix it, or anyone you choose. Never us. That's the point.
  • A 72-hour red-flag call on buy-side engagements — deal-speed, before the full report lands.
FINDING F-031 · HIGH · DUPLICATION DEBT

Payment-retry logic duplicated in 14 locations, 3 already divergent. A regulatory change to retry behavior requires 14 independent patches. Est. carry cost: 6–9 engineer-weeks.

FINDING F-047 · HIGH · CONFIDENCE INVERSION

Authentication middleware AI-generated; test suite AI-generated by the same session. Tests assert the implementation, not the requirement. Coverage: 94%. Assurance: minimal.

FINDING F-112 · CRITICAL · COMPREHENSION COLLAPSE

No engineer currently on staff can explain the queueing subsystem's failure behavior under back-pressure. Original author: unknown (provenance untracked). Critical for the stated enterprise roadmap.

Illustrative composites — not client data.

§ 08BUYERS Who hires us

Three chairs at the same table

FOUNDERS

60–180 days before a raise or exit

Your buyer's diligence team is going to write a report about your codebase. The only question is whether you've already read it. Fix on your schedule, at your cost basis — not under term-sheet duress at 2–4× the price.

For founders →

INVESTORS & ACQUIRERS

Between term sheet and wire

Legal DD gets $40K without a blink. The asset you're actually buying — the code — gets a demo and a handshake. A fixed-price independent audit, IC-ready in days, is the cheapest insurance in the deal.

For investors →

BOARDS & CEOS

Before the question gets asked

"How exposed are we to AI-generated code?" is now a board-meeting question and an enterprise-procurement question. Arrive with a scored, independent answer instead of an engineering opinion.

AI-Code Risk Audit →

§ 09FAQ Questions we're asked before every engagement

Asked, answered, on the record

Q.01Do you fix what you find?

Never — and we're contractually barred from it. The moment an auditor profits from its findings, the findings inflate. Our report is credible to investors, acquirers, and boards precisely because nothing else is for sale. We'll hand you a disclosed, no-kickback list of third-party firms if you want remediation help.

Q.02We already run SonarQube / CodeScene / security scanning. Isn't this redundant?

Keep them — we'll read their output as evidence. Tools measure syntax and signatures. They cannot assess architecture intent, team comprehension, roadmap survivability, or what a hostile diligence team will conclude. Different instrument, different question.

Q.03Our investors will run their own technical DD. Why pay for ours?

Exactly — they will. A third of deals die at that hurdle, mostly on findings that were fixable months earlier. Sell-side audits exist so the first version of the truth is yours.

Q.04What access do you need?

Read-only repository access, architecture documentation, and two to four team interviews. NDA first, always. No integration, no agents, nothing installed.

Q.05How fast, really?

AI-Code Risk Audit: five business days. Full Technical Integrity Audit™: ten. Buy-side deals get a red-flag call within 72 hours of access. Fixed price, published on the pricing page.

Q.06What if the findings are bad?

Then they were bad before we arrived — invisibly, and compounding. Every finding comes with severity, cost-range, and priority. Founders who audit early raise on their own version of the truth. And if the report surfaces nothing your team didn't already know, we refund half the fee.

Q.07Who are the reviewers?

Staff-level engineers and former CTOs, individually named in your report, calibrated against a shared rubric on benchmark codebases before they ever score a client. No juniors, no anonymous benches. Methodology →

The next step

The demo was built in a weekend. The audit tells you what it costs to own.

Thirty minutes with a senior reviewer. We'll map your codebase's risk surface and tell you honestly which audit fits — or whether you need one at all.

Founders: raising in the next two quarters? Say so — founding-cohort pricing applies.