How to Manage Technical Debt: A Practitioner's Guide

Written by

OpenHands Team

Published on

Imagine that security scanning flagged 200 vulnerabilities across 47 repos. Every one of those CVEs sits in code someone on your team wrote under a deadline, layered on top of code an engineer who left two years ago wrote under a different deadline. These problems, known as technical debt, compound through thousands of small decisions until every change costs more than it should.

Research by McKinsey shows technical debt can reach 20–40% of a company's technology estate before depreciation, based on its survey of large-enterprise CIOs. Coding agents are becoming a scalable tool for retiring that debt. But if they're left to run without review, they could end up creating technical debt faster than any team of humans could.

What is technical debt?

Ward Cunningham coined the metaphor at OOPSLA in 1992. In his original metaphor:

"Shipping first time code is like going into debt. A little debt speeds development so long as it is paid back promptly with a rewrite... The danger occurs when the debt is not repaid. Every minute spent on not-quite-right code counts as interest on that debt."

Interest makes technical debt expensive when teams leave it unpaid. Cunningham later clarified the metaphor by drawing a distinction between sloppy code and code that reflects partial understanding: "I'm never in favor of writing code poorly, but I am in favor of writing code to reflect your current understanding of a problem even if that understanding is partial."

The debt is the gap between what you understood when you shipped and what you understand now. Debt shows up in different layers of a system:

  • Code debt: Duplicated logic, unclear variable names, violations of coding standards: problems in source code that hurt readability and make maintenance harder.

  • Architectural debt: Architectural choices tend to be the leading source of technical debt because they constrain every layer above them. For instance, a wrong call about data models can ripple into thousands of downstream decisions that are hard to reverse without a rewrite.

  • Infrastructure debt: Manual deployment steps, outdated servers, slow builds: anything that hinders automation and scalability.

  • Security debt: Vulnerabilities in dependencies and unpatched services. The SEI treats this as a consequence of architectural debt, but teams often track it on its own.

  • Process debt: Workflows that require heavy manual lifting, where legacy processes stall decisions and pull focus from the work that matters.

Martin Fowler's Technical Debt Quadrant sorts all of this along two axes: reckless vs. prudent, and deliberate vs. inadvertent. "We must ship now and deal with the consequences" is prudent and deliberate. "What's layering?" is reckless and inadvertent. Fowler's point: teams should distinguish prudent debt from reckless debt.

That distinction tells you which debt is acceptable. Prudent debt in code you rarely touch may never be worth paying down. Reckless debt in a high-traffic file compounds fast and demands attention. Some debt is a reasoned trade-off you make on purpose, while some is a mistake you did not know you were making. Managing it well means telling them apart.

How technical debt accumulates (and why teams often don't notice until it's expensive)

Teams often miss debt because it stays invisible until complexity crosses a threshold. Once a codebase crosses a low threshold of complexity, the debt comes due and gradually consumes developer productivity and software usability.

The usual culprits behind this are:

  • Unrealistic deadlines and "we'll clean it up later:" The cleanup rarely happens. Temporary bug fixes that pass the test and ship are among the biggest sources of permanent debt.

  • Skipped tests, undocumented APIs, copy-paste logic: Each shortcut compounds. Some teams also discover uneven ownership across services alongside uneven test coverage.

  • Legacy systems nobody wants to touch: As older-system experts leave, teams lose context, including institutional knowledge. New code gets layered on old code with unpredictable side effects.

  • Fragmented tooling: The 2025 Stack Overflow survey found most developers use six to 10 tools, and that AI complicates workflows more than it simplifies them.

  • AI-accelerated development: Ship faster and you accumulate debt faster. A QCon AI New York 2025 talk reported AI "provided a three-to-five times development velocity increase for about a month before an observed persistent technical debt accumulation."

Your team could miss all of this if you measure the wrong signals. Many teams track AI adoption and feature velocity but leave technical debt accumulation out of the dashboard entirely.

What are the real costs of unmanaged technical debt?

Unmanaged debt shows up in your engineering metrics, security posture, hiring pipeline, and bottom line. Here is where the bill comes due:

  • Developer productivity loss: A 2025 Chainguard survey found engineers spend just 16% of their week writing new code and building features, with the rest going to maintenance, tech debt, and overhead like dependency updates, vulnerability fixes, and test writing. Every bug fix turns into archaeology through code nobody has touched in months.

  • Security exposure: 2025 saw 48,185 CVEs published, a 20.6% jump over 2024 with roughly 130 new vulnerabilities a day. That volume turns vulnerability triage into a persistent backlog, while manual remediation often struggles to keep pace.

  • Hiring and onboarding drag: Documentation rots, ownership blurs, and new engineers spend weeks figuring out what the codebase does before they can contribute.

  • Business impact: Delayed features, degraded reliability, and slower response to the market. According to Gartner, fewer than 20% of software engineering leaders are "very effective" at managing technical debt, and 44% of companies name it a significant concern.

Well-positioned companies plan for this. Accenture's study of 1,500 companies found they set aside around 15% of their IT budgets for remediation.

There is a newer cost line too: agentic AI spend. Token consumption can vary with call frequency, prompt length, model tier, and caching behavior. Without visibility and attribution across your agent infrastructure, you have no way to know where token spend goes. That blind spot can hide agents using expensive models for tasks a cheaper one could cover, or obscure which workflows actually justify the cost.

Technical debt in the AI era: the problem gets harder before it gets easier

Coding agents complete engineering tasks end to end, which means they can accumulate debt end to end. GitClear's 2025 report analysis of 211 million changed lines found copy/pasted code rose from 8.3% of changes in 2020 to 12.3% in 2024, while moved or refactored code dropped from 24.1% to 9.5%. More copied code and less refactoring means more review and greater maintenance burden.

AI-generated code can look plausible while still requiring careful review for project-specific assumptions. A 2026 study of AI-authored commits across thousands of repositories found that code smells are the most common type of AI-introduced debt, at roughly 89% of the issues it flagged, and that developers tend to over-trust patches that look right. Unreviewed PRs can leave debt for the next engineer who inherits the code.

The 2025 DORA report calls AI the "great amplifier." Teams with strong foundations gain more, while teams with weak processes see more instability. This means AI can magnify change failures, rework, and longer cycle times if your underlying engineering system is already fragile.

Developers using local pair-programming tools can see a 20–30% productivity gain, but they are still working the way they did a decade ago, bounded by how much attention they can give. When agents run autonomously, that attention ceiling stops being the main limit, though it does not disappear. Autonomous agents still run into review capacity, flaky tests, model and tool errors, token budgets, and security constraints. What they expand is throughput on repeatable work, the dependency bumps, vulnerability fixes, and test writing that do not need a developer at the keyboard. The same throughput that creates debt can eliminate it, as long as agents run with reviewable PRs, scoped permissions, and clear human checkpoints.

How to identify and measure technical debt before prioritizing it

You cannot prioritize what you cannot see. A few methods surface the real picture:

  • Static analysis and linting: Static analysis tools track code smells, duplication, and cognitive complexity, and can produce a technical debt ratio that compares estimated remediation cost against total development cost.

  • Dependency audits: OWASP Dependency-Check cross-references your dependencies against the NIST CVE database. OWASP Top 10 A06 lists "Vulnerable and Outdated Components," with continuous inventory and CVE monitoring as the recommended practice.

  • Churn tracking: High-change files are usually the highest-debt files. Code that gets edited repeatedly tends to concentrate complexity, conflicting assumptions, and partial refactors, so a small set of hotspots ends up accounting for an outsized share of defects and rework.

  • Commit history and bug clusters: Combining commit frequency with complexity scores finds the code actively creating friction for your team. This pinpoints where debt is actually costing you time, so remediation effort goes to the files that will pay it back.

  • Agent-run codebase analysis: Use agents to summarize refactor candidates across the codebase, then review the ranked list before prioritizing. This surfaces debt that no single team owns and turns a manual audit into something you can run on every repo at once.

No single metric is sufficient. Google's internal study analyzed 117 proposed metrics and found none was a valid indicator on its own. Human judgment stays essential. When communicating the backlog to non-technical stakeholders, frame debt in business outcomes — delayed launches, slower incident response, higher hosting costs — so leadership can weigh remediation against feature work in the same terms.

Useful frameworks for prioritizing what technical debt to fix first

Once you can see the debt, the next problem is sequencing. A handful of frameworks give you a defensible way to decide what to tackle this sprint and what to defer:

  • The Technical Debt Quadrant: Fowler's Technical Debt Quadrant split tells you what to ignore and what to fix. Reckless debt in active code is the priority.

  • The interest rate model: Treat it as a ratio of ongoing cost to fix cost. For example, debt that burns roughly 8,000persprintinslowdownsandcostsabout8,000 per sprint in slowdowns and costs about 24,000 to fix has a three-sprint payback, so fix it now. Debt that costs 500persprintbut500 per sprint but 150,000 to fix has a 300-sprint payback and probably never earns that investment.

  • Impact × effort scoring: Plot business impact against effort to resolve and start with the quick wins: high impact, low effort. RICE scoring (Reach × Impact × Confidence ÷ Effort) works for debt the same way it works for features.

  • Fix it before you touch it: Clean up debt opportunistically in the code you are already touching for feature work, and hold high-churn files to a stricter bar. The interest compounds fastest in the code your team edits most.

  • Debt allocation inside agile workflows: Shopify's 25 percent rule gives engineers up to four hours a week to improve code they are already working in, with larger refactors treated as planned project work. Note the caveat: dedicated debt sprints often clash with delivering business value, so most teams fold debt work into regular sprints.

These frameworks turn prioritization from a gut call into a defensible trade-off you can explain to product and leadership. With the queue sorted, the remaining question is how to actually work through it every day without breaking delivery.

Technical debt management best practices

Manage debt continuously through the software development lifecycle. Treat debt management as part of the outer loop of engineering, not a side project. The teams who keep debt under control run remediation continuously alongside feature work — with the same telemetry, the same review process, and the same accountability — rather than scheduling cleanup sprints after the fact.

Make debt explicit in the backlog by giving it a ticket and a priority the way you would a feature. Do not hide debt work by folding it into regular backlog grooming; review, estimate, and track it with the same rigor you apply to product work.

A few concrete practices:

  • Write tests before you refactor: With a CI/CD pipeline in place, automated tests catch regressions so you can prove behavior still works. Without that safety net, every refactor risks shipping new bugs faster than it retires old debt.

  • Work in small, behavior-preserving diffs: Commit after each step. Frequent improvements beat large, disruptive refactoring projects.

  • Make debt visible to leadership with metrics: Track code complexity, churn rate, test coverage, incident rates, and mean time to repair (MTTR) alongside delivery metrics. Translate debt into money and time: "This frees up $60K in time" lands better than a technical explanation.

  • Define a policy for AI-generated code review: Require the same review standards for agent-opened PRs as human PRs, including test coverage and a named human approver before merge. Without that gate, agents can quietly add code smells and duplicated logic to the backlog at the same speed they ship features.

  • Set a budget allocation target: Use external benchmarks as a starting point, such as 15% of development cycles dedicated to debt reduction. Research suggests dedicating roughly 15–25% of team capacity to debt retirement

  • Build debt guardrails into CI/CD: Wire automated linting, security scanning, and complexity thresholds directly into your CI/CD pipeline so any PR that crosses the line gets blocked or flagged before merge. This shifts debt prevention left and keeps the backlog from quietly growing every time someone ships under deadline pressure.

One more requirement specific to the AI era: teams running agents at any scale need a control plane to manage spend and visibility. The first questions are the same ones teams ask about cloud spend: where is the money going, which workflows are worth it, and who approved this run? Without org-level and user-level budget enforcement, agentic spend runs unchecked and audit trails go dark.

The OpenHands Agent Control Plane provides this layer, tracking usage and spend at the organization, user, and conversation level through an LLM gateway with enforced budgets. Agent actions are logged and tied to the workflow and user that triggered them.

Download Agent Canvas CTA

How AI coding agents change the economics of paying down technical debt

Agents earn their value in the outer loop where the same throughput that accelerates shipping also automates remediation. This is the repetitive, schedulable work outside the inner loop of writing new features.

Define the workflow once, such as "scan this class of vulnerability, open a reviewable PR, and flag for human approval." Then run it on a cron schedule or in response to real events across every repo.

Agents can handle several debt categories end to end:

  • Dependency upgrades: With a human validation gate. Agent-generated dependency updates need validation because agents can reference non-existent dependencies or outdated packages, so review before merge is non-negotiable.

  • Vulnerability patching across repos: Agents open reviewable PRs as they go, with vulnerability patching workflows running across the fleet.

  • Test coverage gaps: One case study generated nearly 16,000 lines of reliable unit tests in hours rather than weeks under developer supervision, though agent-generated tests often need follow-up updates.

  • Documentation generation: Run agents against commit history and code to produce or refresh READMEs, API docs, and architecture notes. Outdated documentation is one of the most common forms of debt, and rotting docs slow every new hire and every cross-team handoff.

  • Refactoring duplicated logic: Point agents at duplicated patterns across files or services and have them propose unified abstractions in reviewable PRs. Copy-paste code is among the fastest-growing sources of debt in AI-assisted codebases, and consolidating it shrinks the surface area where bugs and inconsistencies hide.

Start agents on the mechanical, supplementary work: security scans, best-practice flags, identifying candidates in the debt backlog. Keep humans on the logic and architecture calls. As trust builds, agents can take on more of the core remediation work while developers move to spot-checking the output. The Cloud Security Alliance's Agentic Trust Framework defines explicit promotion criteria at each stage of autonomy expansion. This is a useful structure for regulated teams that need to document how much the agent can do on its own.

Automate technical debt remediation at scale with OpenHands

Your team has a debt backlog. The question is whether a developer kicks off each fix manually or an agent runs it across every repo while the team ships product work.

OpenHands is the platform for running those agents at scale. Automations are defined once and executed across hundreds of repositories in parallel, on a cron schedule or triggered by real events like a PR opening or an observability alert firing. Pre-built workflow templates cover the highest-frequency debt work: Fix Vulnerabilities, Review PRs, and Migrate Code.

Agent Canvas, OpenHands' local-first interface, connects to local, VM, and cloud backends from one workspace. This means the same interface that runs an agent on your laptop also connects to the fleet running overnight across your repos.

You can also bring your existing Claude Code or Codex subscription. Agent Canvas connects to those harnesses through the Agent Client Protocol, so you keep the model and workflow you already use and get the scheduling, parallel execution, and audit layer on top.

Talk to us about how to use OpenHands to run agents against your backlog with the control your organization requires.

Download for free CTA

Frequently asked questions about technical debt management

What is the difference between technical debt and bugs?

A bug causes visible behavioral failure, where the software produces wrong output now. Technical debt causes structural degradation that developers experience as friction before users see a failure.

Put another way, technical debt is the structural shortcut that produces or surrounds the failure, not the failure itself. Temporary bug fixes that never get cleaned up are a primary source of permanent debt. The patch suppresses the symptom, but the messy workaround, missing test, or unrefactored code path stays in the codebase and compounds with every future change.

How do you explain technical debt to non-technical stakeholders?

Frame it in business outcomes. Prioritize debt that is actively slowing the product changes leadership cares about most, then tie the cleanup directly to the delivery wins it unlocks, like faster launches, fewer incidents, and shorter cycle times. Translating debt into money and time ("this frees up $60,000 in engineering hours next quarter") lands with executives because it puts remediation on the same scoreboard as feature work.

How does AI-generated code affect technical debt?

It cuts both ways. The same throughput that lets agents close out long-standing remediation tickets in hours also lets them introduce subtle structural issues across many files before anyone reviews the output. Think inconsistent abstractions, plausible-looking but project-mismatched patterns, and untested edge cases.

Treat agent-authored PRs as production code with the same gates you would apply to a contractor: explicit review owners, coverage requirements, and automated checks that block merges when quality thresholds slip.

What is the difference between technical debt and legacy code?

Technical debt is a property: the accumulated cost of shortcuts, which can exist in any codebase, new or old. Legacy code is a category of codebase, old and often unsupported, that typically carries high technical debt. In practical terms, legacy code tends to carry substantial technical debt because original authors have moved on, the surrounding tooling and frameworks have aged out, and years of patches have layered shortcuts on top of shortcuts without anyone refactoring the foundation.

Async coding agents download CTA

About OpenHands

OpenHands is the open-source platform for building and running AI coding agents, with the interface, automations, and control layer needed to go from a single local agent to a system running across an entire organization. The mission is to make agent-based software development accessible, transparent, and controllable by default. That starts in the open. The core framework is open source, giving developers and platform teams full visibility into how agents execute work and interact with their systems. The project has over 78,000 GitHub stars, 9 million downloads, and contributions from hundreds of developers. OpenHands is used by engineers at large enterprises and fast-growing startups to build, run, and scale AI coding agents across real software engineering workflows. The long-term vision is to become the full stack AI coding agent platform for software engineering. Not just helping developers write code, but running meaningful parts of the software lifecycle.

Get useful insights in our blog

Insights and updates from the OpenHands team

Sign up for our newsletter for updates, events, and community insights.

By submitting your email you agree to our Privacy Policy