# Hallucination Detection and Mitigation
AI coding assistants are incredible productivity multipliers—until they confidently generate code that looks perfect but does something entirely wrong. These "hallucinations" are one of the most dangerous pitfalls in vibe coding, and learning to detect and mitigate them is essential for maintaining code quality and security.
In this lesson, you'll learn practical techniques to catch AI hallucinations before they make it into your codebase, develop habits that minimize their occurrence, and build verification workflows that keep your code secure and reliable.
## Understanding AI Hallucinations in Code
An AI hallucination occurs when your coding assistant generates plausible-looking code that contains incorrect logic, non-existent APIs, or security vulnerabilities. The danger lies in their convincing nature—the syntax is correct, the structure looks professional, and the AI presents it with unwavering confidence.
Here's a real example of a subtle hallucination:
```python
# Prompt: "Create a function to securely hash passwords"
import hashlib
def hash_password(password: str) -> str:
"""Securely hash a password using SHA-256"""
return hashlib.sha256(password.encode()).hexdigest()
# Usage
hashed = hash_password("user_password_123")
```
This code runs without errors and looks reasonable at first glance. The AI even included a helpful docstring claiming it's "secure." But it's dangerously flawed—SHA-256 alone is inadequate for password hashing because it's too fast, making brute-force attacks feasible. A proper implementation needs a slow hashing algorithm like bcrypt or Argon2 with salt.
This is exactly the kind of hallucination that can slip into production if you're not vigilant.
## Common Types of Code Hallucinations
### API and Library Hallucinations
AI assistants sometimes invent methods or parameters that don't exist:
```javascript
// Hallucinated code - this API doesn't exist
const users = await database.findAllWithRelations({
include: ['posts', 'comments'],
orderBy: 'created_at',
paginate: { page: 1, limit: 10 }
});
```
The AI might combine features from multiple libraries or frameworks it's seen, creating a fantasy API that seems logical but doesn't actually work.
**Detection strategy**: Always verify method signatures against official documentation, especially for methods you haven't used before.
### Logic Hallucinations
The AI generates syntactically correct code that doesn't accomplish the intended goal:
```python
# Prompt: "Filter out duplicate items while preserving order"
def remove_duplicates(items):
# HALLUCINATION: set() doesn't preserve order in Python < 3.7
# and even in 3.7+, this creates a new order, not the original
return list(set(items))
# What you actually need:
def remove_duplicates(items):
seen = set()
result = []
for item in items:
if item not in seen:
seen.add(item)
result.append(item)
return result
```
### Security Hallucinations
Perhaps the most dangerous, these involve the AI generating code with subtle security vulnerabilities:
```javascript
// Hallucinated "secure" code with SQL injection vulnerability
app.post('/login', (req, res) => {
const { username, password } = req.body;
// DANGER: Direct string interpolation in SQL
const query = `SELECT * FROM users WHERE username = '${username}' AND password = '${password}'`;
db.query(query, (err, results) => {
if (results.length > 0) {
res.json({ success: true });
}
});
});
```
The AI might have learned patterns from outdated or insecure code in its training data and confidently reproduce them.
## Building Your Detection System
### The Three-Layer Verification Approach
Effective hallucination detection isn't about distrusting AI—it's about building systematic verification into your workflow.
**Layer 1: Immediate Red Flags**
Train yourself to spot instant warning signs:
- Unfamiliar method names or parameters
- Promises of "secure" or "optimized" code without visible implementation details
- Code that seems too simple for a complex requirement
- Missing error handling for operations that typically need it
- Hard-coded values where configuration should exist
**Layer 2: Rapid Testing**
Before integrating AI-generated code, create quick sanity checks:
```python
# AI generated a date formatting function
def format_date(date_string):
# ... AI-generated implementation ...
pass
# Quick sanity test before using it
test_cases = [
"2024-01-15",
"invalid-date",
None,
"",
"2024-13-45" # Invalid month/day
]
for test in test_cases:
try:
result = format_date(test)
print(f"Input: {test} -> Output: {result}")
except Exception as e:
print(f"Input: {test} -> Error: {e}")
```
This quick test would immediately reveal if the AI's implementation handles edge cases properly.
**Layer 3: Integration Validation**
Before committing, verify the code in context:
```javascript
// AI generated an authentication middleware
// Test it in your actual route structure
describe('Auth Middleware', () => {
it('should reject requests without tokens', async () => {
const response = await request(app)
.get('/protected')
.expect(401);
});
it('should accept valid tokens', async () => {
const token = generateValidToken();
const response = await request(app)
.get('/protected')
.set('Authorization', `Bearer ${token}`)
.expect(200);
});
it('should reject expired tokens', async () => {
const expiredToken = generateExpiredToken();
const response = await request(app)
.get('/protected')
.set('Authorization', `Bearer ${expiredToken}`)
.expect(401);
});
});
```
## Mitigation Strategies That Work
### Strategy 1: Constrained Prompting
Instead of broad requests, provide specific constraints that reduce hallucination opportunities:
**Vague prompt (hallucination-prone):**
```
"Create a function to fetch user data from the API"
```
**Constrained prompt (hallucination-resistant):**
```
"Create a function to fetch user data using our existing axios instance (imported as 'api').
The endpoint is /api/v1/users/:id. Return the user object or throw an error if status is not 200.
Use TypeScript with proper typing for the response."
```
By specifying exact dependencies, endpoints, and error handling requirements, you leave less room for the AI to invent details.
### Strategy 2: Incremental Generation with Validation
Break complex features into smaller pieces and validate each before proceeding:
```python
# Step 1: Generate just the database query
# Verify it works correctly
# Step 2: Add input validation
# Test with various inputs
# Step 3: Add error handling
# Verify errors are caught properly
# Step 4: Add logging
# Check logs are meaningful
# Step 5: Integrate everything
# Full integration tests
```
This approach catches hallucinations early, before they compound into larger problems.
### Strategy 3: Reference Implementation Pattern
When asking for unfamiliar functionality, first ask the AI to explain the standard approach:
```
You: "What's the standard way to implement rate limiting in Express.js?"
AI: [Explains express-rate-limit middleware]
You: "Now implement rate limiting for my /api/upload endpoint using
express-rate-limit with max 5 requests per minute per IP"
```
This two-step approach helps you verify the AI is using real, established patterns rather than inventing approaches.
### Strategy 4: Documentation Cross-Reference
Make documentation lookup a reflex action:
```javascript
// AI suggests this:
const result = await prisma.user.findUniqueOrThrow({
where: { email: userEmail }
});
// Before using it, verify in Prisma docs that:
// 1. findUniqueOrThrow exists (it does, in Prisma 4+)
// 2. The where clause syntax is correct (it is)
// 3. The error behavior matches your needs (check docs)
```
This habit takes seconds but prevents hours of debugging later.
## Real-World Hallucination Case Studies
### Case Study 1: The Authentication Bypass
An AI assistant generated this JWT verification code:
```javascript
// HALLUCINATED CODE - DO NOT USE
function verifyToken(token) {
try {
const decoded = jwt.decode(token);
if (decoded && decoded.userId) {
return decoded;
}
} catch (err) {
return null;
}
return null;
}
```
The developer integrated this without testing because it looked reasonable. The critical flaw? **jwt.decode() doesn't verify the signature**—it just decodes the JWT without validation. Anyone could create a valid-looking token.
**Correct implementation:**
```javascript
function verifyToken(token) {
try {
// jwt.verify() checks the signature
const decoded = jwt.verify(token, process.env.JWT_SECRET);
return decoded;
} catch (err) {
throw new Error('Invalid token');
}
}
```
**Lesson**: Any security-related code deserves extra scrutiny and testing with malicious inputs.
### Case Study 2: The Performance Killer
An AI generated this database query optimization:
```python
# HALLUCINATED "OPTIMIZATION"
def get_user_posts(user_id):
"""Optimized query to get user posts"""
all_posts = Post.objects.all() # Fetch ALL posts
user_posts = [p for p in all_posts if p.user_id == user_id] # Filter in Python
return user_posts
```
The AI labeled this as "optimized," but it's actually doing the opposite—fetching the entire posts table and filtering in application code instead of using the database's query capabilities.
**Lesson**: When AI claims optimization, benchmark before and after. Performance hallucinations often hide behind plausible-sounding explanations.
## Building Hallucination-Resistant Habits
### The "Explain Back" Technique
After receiving AI-generated code, prompt it to explain:
```
You: [AI generates 30 lines of code]
You: "Explain line by line what this code does and why each part is necessary"
AI: [Provides detailed explanation]
```
If the AI's explanation doesn't match your understanding or reveals assumptions you didn't make, you've caught a potential hallucination.
### The Simplification Test
If generated code seems complex, ask:
```
"Can this be simplified? What's the minimal version that accomplishes the core requirement?"
```
Often, hallucinated code includes unnecessary complexity from the AI combining multiple patterns it's seen. The simplification process reveals what's essential versus what's invented.
### The Alternative Approach
Request multiple implementations:
```
"Show me 3 different ways to implement this feature, with pros and cons of each"
```
Hallucinations are often inconsistent across alternatives. Real approaches will show logical trade-offs, while hallucinated ones will reveal contradictions.
## Integration with Your Security Workflow
Hallucination detection should integrate with your existing security practices:
```yaml
# Add to your code review checklist
ai_generated_code_review:
- [ ] Verified all method calls against official documentation
- [ ] Tested with edge cases and invalid inputs
- [ ] Security-sensitive code reviewed by human expert
- [ ] Dependencies are real and correctly versioned
- [ ] Error handling covers expected failure modes
- [ ] No hard-coded secrets or configuration
- [ ] Performance characteristics tested with realistic data
```
For critical paths, consider pairing AI generation with human review. As discussed in our [when-not-to-use-ai](/lessons/when-not-to-use-ai) lesson, some scenarios warrant manual implementation.
## Automated Detection Tools
While human vigilance is essential, automation can catch common hallucinations:
```javascript
// Pre-commit hook to catch suspicious patterns
const suspiciousPatterns = [
/password.*=.*['"].*['"]/i, // Hard-coded passwords
/api[_-]?key.*=.*['"].*['"]/i, // Hard-coded API keys
/eval\(/, // Dangerous eval usage
/exec\(/, // Dangerous exec usage
];
function scanForHallucinations(code) {
const issues = [];
suspiciousPatterns.forEach(pattern => {
if (pattern.test(code)) {
issues.push(`Suspicious pattern detected: ${pattern}`);
}
});
return issues;
}
```
Static analysis tools and linters catch some hallucinations automatically. Configure them strictly for AI-generated code sections.
## Moving Forward
Hallucination detection isn't about being paranoid—it's about being professional. The most effective vibe coders maintain a balanced skepticism: they leverage AI's power while verifying its output.
Remember these key principles:
1. **Trust, but verify**: AI is a powerful tool, not an infallible oracle
2. **Test immediately**: Quick validation catches problems while context is fresh
3. **Document uncertainties**: If something seems odd, investigate before moving on
4. **Build incrementally**: Small, verified pieces compound into reliable systems
5. **Learn patterns**: Each detected hallucination teaches you what to watch for
As you continue developing your vibe coding skills, you'll develop an intuition for when AI-generated code needs extra scrutiny. This intuition, combined with systematic verification, will help you avoid the [over-reliance](/lessons/over-reliance) trap while maximizing AI's benefits.
In our next lesson on [managing-tech-debt](/lessons/managing-tech-debt), we'll explore how to prevent AI-generated code from becoming a maintenance burden over time.