← Back to Blog

What is the AI Slop Index? A New Metric for Code Quality

29 June 2026 · 7 min read · Craig, Founder of Thuban
AI Slop Index Code Quality Metrics Due Diligence

Every codebase now has AI-generated code in it. GitHub says 46% of new code is written by Copilot. Cursor, Claude Code, and Windsurf are accelerating that number. The question isn't whether your codebase contains AI-generated code — it's how much of it was generated without proper review.

That's what the AI Slop Index measures.

It's a single number — 0 to 100 — that tells you how much unreviewed, low-quality, AI-generated code is lurking in your repository. A score of 0 means your codebase is clean. A score of 80 means nearly half your files have hallmarks of unreviewed AI output. Most codebases we scan land between 25 and 55.

Why “Slop”?

The term “slop” comes from the AI content world — low-effort, AI-generated text published without editing. AI code slop is the same concept applied to software: code that an LLM generated, a developer accepted without reading, and that now lives in production.

It's not about whether AI wrote the code. AI-generated code that's been reviewed, tested, and understood by a human is fine. The problem is the code that was accepted with a single Tab keypress and never looked at again.

That code has patterns. Detectable, measurable patterns. And that's what the AI Slop Index quantifies.

What the AI Slop Index Measures

The index is calculated from five signal categories. Each one detects a different symptom of unreviewed AI-generated code.

1. Phantom Imports

AI coding tools invent modules that don't exist. They'll confidently write import { validateSchema } from 'express-validator/schema' — a path that has never existed in any version of express-validator. The code parses. The linter passes. The build crashes at runtime.

// AI-generated — looks correct, doesn't exist
import { deepMerge } from 'lodash/deepMerge';
import { useServerAction } from 'next/server-actions';
import { createPool } from 'pg/pool';

// Correct versions
import merge from 'lodash/merge';
// useServerAction doesn't exist — it's a Server Component pattern
import { Pool } from 'pg';

Thuban checks every import against the actual file system and installed packages. If the module doesn't exist on disk or in node_modules, it's flagged as a phantom import.

2. Hallucinated APIs

Even when the import is real, AI tools call methods that don't exist on the imported module. They mix up API versions, confuse similar libraries, or simply invent function signatures.

// AI thinks this method exists on the Stripe SDK
const invoice = await stripe.invoices.createAndFinalize({
  customer: customerId,
  auto_advance: true
});

// Actual Stripe API — two separate calls
const invoice = await stripe.invoices.create({ customer: customerId });
await stripe.invoices.finalizeInvoice(invoice.id);

The AI Slop Index counts how many API calls in your codebase reference methods that don't exist on the target module. High counts indicate code that was accepted without testing.

3. Copy-Paste Patterns

AI tools generate code in blocks. When a developer asks for the same thing twice — or accepts a suggestion that duplicates existing logic — you get near-identical code blocks scattered across files. These aren't traditional code clones; they have the specific fingerprint of LLM generation: same variable names, same comment style, same structure with minor variations.

// File: src/utils/validate.ts
export function validateEmail(email: string): boolean {
  const regex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
  if (!email) return false;
  if (email.length > 254) return false;
  return regex.test(email);
}

// File: src/components/SignupForm.tsx — same logic, regenerated
function isValidEmail(email: string): boolean {
  const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
  if (!email) return false;
  if (email.length > 254) return false;
  return emailRegex.test(email);
}

Thuban detects structural duplication — code blocks that share the same AST shape with cosmetic differences. Each duplicate pair adds to the slop score.

4. Dead Code

AI tools generate functions that are never called, variables that are never read, and exports that are never imported. This happens because the LLM generates “complete” solutions that include helper functions the developer never asked for and never uses.

// AI generated all three — developer only uses formatDate()
export function formatDate(d: Date): string { ... }
export function parseDate(s: string): Date { ... }    // never imported
export function isValidDate(d: Date): boolean { ... } // never imported

Dead code isn't just clutter. It's a maintenance burden. Every refactor has to consider whether the dead function might be used somewhere. Every code review has to read through it. And it inflates your line count, making your codebase look larger than it functionally is.

5. Deprecated API Usage

LLMs are trained on historical data. They confidently use APIs that were deprecated months or years ago. The code works today — until the next major version upgrade breaks everything.

// AI uses the pre-v13 Next.js API
export async function getServerSideProps(context) {
  const data = await fetchData(context.params.id);
  return { props: { data } };
}

// Next.js 13+ uses Server Components
export default async function Page({ params }) {
  const data = await fetchData(params.id);
  return <Component data={data} />;
}

Thuban maintains a database of deprecated APIs across major frameworks and flags usage in your codebase. Each deprecated call adds to the slop score.

How the Score is Calculated

The AI Slop Index isn't a simple count. It's a weighted composite that accounts for severity and density.

Slop Index = Σ(signal_count × weight × severity) / total_files × 100

Normalised to 0–100, where 0 = clean and 100 = critical

Each signal category has a different weight based on its impact:

SignalWeightWhy
Phantom Imports5.0×Build-breaking — code literally cannot run
Hallucinated APIs4.0×Runtime crash — fails when the code path is hit
Deprecated APIs2.5×Time bomb — works now, breaks on next upgrade
Copy-Paste Patterns1.5×Maintenance drag — bugs must be fixed in multiple places
Dead Code1.0×Noise — inflates complexity without adding value

Severity is also factored in. A phantom import in a core authentication module scores higher than one in a test utility. A hallucinated API in a payment flow scores higher than one in a logging helper.

Why normalise by file count? A 500-file codebase with 10 phantom imports is in worse shape than a 5,000-file codebase with 10 phantom imports. The index measures density, not raw count.

What Your Score Means

ScoreRatingWhat It Means
0 – 15CleanAI code has been properly reviewed. Minimal hallucination residue.
16 – 30HealthySome AI artifacts remain. A few hours of cleanup needed.
31 – 50ConcerningSignificant unreviewed AI code. Likely runtime risks in production.
51 – 70High RiskMajor portions of the codebase are unverified AI output. Expect production incidents.
71 – 100CriticalThe codebase is predominantly unreviewed AI slop. Immediate remediation required.

Why Investors Care About Your Slop Score

Technical due diligence is changing. Five years ago, investors checked for test coverage, CI/CD pipelines, and architecture diagrams. Today, the first question a technical advisor asks is: “How much of this was AI-generated, and was it reviewed?”

A high AI Slop Index tells an investor three things:

  1. The team ships without reviewing. If phantom imports made it to production, what else slipped through? Security vulnerabilities? Data leaks? Hardcoded credentials?
  2. The codebase is fragile. Hallucinated APIs and deprecated calls mean the next dependency update could break the entire application. That's operational risk.
  3. The line count is inflated. Dead code and duplicates make the codebase look larger than it is. The team isn't as productive as the commit history suggests.

We've seen due diligence reports where a high slop score directly reduced the valuation. One SaaS company had their technical assessment downgraded from “strong” to “requires remediation” after a Thuban scan revealed 34 phantom imports and 12 hallucinated API calls across 200 files.

Why CTOs Care About Your Slop Score

For CTOs, the AI Slop Index answers a question that's been impossible to answer until now: “Is my team actually reviewing the AI-generated code they're shipping?”

You can mandate code reviews. You can require PR approvals. But if a developer accepts 40 Copilot suggestions in a session and the reviewer rubber-stamps the PR, the review process is theatre. The slop score measures the outcome, not the process.

Track it over time and you get a trend line:

# Thuban scan output — weekly trend
Week 1:  Slop Index 42  — 18 phantom imports, 7 hallucinated APIs
Week 2:  Slop Index 38  — 14 phantom imports, 5 hallucinated APIs
Week 3:  Slop Index 31  — 9 phantom imports, 3 hallucinated APIs
Week 4:  Slop Index 24  — 5 phantom imports, 1 hallucinated API

# Team is learning to review AI output before committing

A declining slop score means your team is developing AI code literacy — the ability to read, evaluate, and correct AI-generated code before it enters the codebase. That's the skill that separates teams that use AI effectively from teams that are drowning in AI-generated tech debt.

How to Improve Your Score

The AI Slop Index isn't a punishment. It's a diagnostic. Here's the playbook for reducing it:

Step 1: Run the Scan

# Get your current score
npx thuban@latest scan .

# Output includes:
# - Overall Slop Index score
# - Breakdown by signal category
# - File-by-file issue list
# - Prioritised fix roadmap

Step 2: Fix the Critical Issues First

Phantom imports and hallucinated APIs are the highest-weighted signals. They're also the easiest to fix — either the import exists or it doesn't. Start there.

  1. Phantom imports: Check each flagged import. Either install the missing package, correct the import path, or remove the dead code that references it.
  2. Hallucinated APIs: Look up the actual API documentation. Replace the invented method call with the real one.
  3. Deprecated APIs: Check the migration guide for the framework. Update to the current API.

Step 3: Deduplicate

Copy-paste patterns are the second-easiest win. Thuban shows you which code blocks are duplicated and where. Extract the shared logic into a utility function and import it.

// Before: duplicated in 4 files
function isValidEmail(email) { ... }

// After: single source of truth
// src/utils/validation.ts
export function isValidEmail(email: string): boolean { ... }

// src/components/SignupForm.tsx
import { isValidEmail } from '@/utils/validation';

Step 4: Remove Dead Code

Dead code is the lowest-weighted signal, but it's the easiest to fix. If a function is never called and never exported, delete it. Your codebase gets smaller, your complexity score drops, and your slop index improves.

Step 5: Add to CI/CD

The real value of the AI Slop Index is as a gate. Add Thuban to your CI pipeline and fail the build if the slop score increases above your threshold.

# .github/workflows/quality.yml
- name: Check AI Slop Index
  run: |
    npx thuban@latest scan . --threshold 30
    # Fails if slop index exceeds 30

This creates a ratchet effect: the score can only go down. Every PR that introduces new AI slop gets caught before it merges.

The Bigger Picture

The AI Slop Index exists because the industry needed a way to measure something that didn't have a name two years ago. We had metrics for test coverage, cyclomatic complexity, and code churn. We didn't have a metric for “how much of this code did a human actually understand before it shipped?”

Now we do.

It's not about being anti-AI. AI coding tools are genuinely useful. They accelerate development, reduce boilerplate, and help developers explore unfamiliar APIs. But they also generate code that looks correct and isn't — and they do it at a scale that manual review can't keep up with.

The AI Slop Index gives you a number. A number you can track, a number you can improve, and a number you can show to investors, board members, and new hires to prove that your team takes code quality seriously — even in the age of AI.

What's your score?

Most codebases land between 25 and 55. The best teams we've seen are under 15.

Scan your codebase now

npx thuban@latest scan .

Zero install. Zero config. Get your AI Slop Index in under 30 seconds.

thuban.dev — Free for up to 100 files, 5 scans/month

Craig is the founder of Thuban and has scanned over 200 codebases across SaaS, fintech, and healthtech. The average AI Slop Index? 41. The best? 6. The worst? 89.