Website builders need more than just AI

AI website builders can take you from zero to hero overnight. Then the morning after hits: micro-edits, layout regressions, usability fixes, security issues, prompt churn, and unhappy clients. The headache compounds as you scale your portfolio beyond one or two sites.

Lean too hard on generative tools and see idea diversity drop by an average of 40%, a 10× spike in monthly security findings, and two thirds (66%) of developers spending more time debugging AI-generated code.

The real question is how to use AI to ship faster without the side effects. But before we answer, and explain how Duda lets agencies keep zero to hero AI-powered velocity without the associated pains, let’s quickly review the main issues with AI-generated websites in 2025.

Should agencies rely on AI to build websites?

The short answer is “not by itself”. AI-generated websites are quick and easy to put together. They may even look good and work as expected when you first publish them, but day two is when things get complicated.

LLM hallucinations: AI can be very confident while dead wrong. Even the most advanced reasoning models can hallucinate facts, UX components, and useless code that may encumber performance.
Prompt churn & brittle outputs: Tweak a line in the hero and many AI builders re-generate entire sections, causing layout drift and even more reworks and manual fixes.
Accessibility and compliance blindspots: AI generated website code can cause many WCAG failures that require human intervention to correct since automated scan results don’t prove compliance. WebAIM’s 2025 report stresses that absence of detected errors does not indicate a page is accessible or conformant. Regulators have also pushed back on “one-click AI compliance” claims, culminating in a $1M FTC order against an overlay vendor.
Infosec risk: Vibe-coded websites are packed full of security vulnerabilities that can slip into production unnoticed, and turn into full-blown breaches across multiple client sites, as is evident by AI-accelerated builds leaking sensitive data.
Sameness at scale: AI is not a tool known for its originality. When you use the same tool to generate 100 sites with different prompts, you’ll still see a pattern of repetition. One study showed that while ChatGPT was briefly banned in Italy, the Instagram posts of restaurants became less similar, while engagement rose by ~3.5%.

So the full answer is that AI speeds delivery, but without governance it breeds rework, sameness, and risk.

Building websites with AI: How to accelerate delivery and keep control

How can you use AI in website building without drifting into mundane sameness or waking up to endless day-two reworks? Adopt an agency AI playbook, customize it to your specific needs and processes, and enforce it using streamlined workflows. To help you get started, here is a short list of best practices you can employ.

Define non-negotiables before you prompt

Before you guide an AI to generate anything, decide what “good” and what “ready” mean for every site you ship, and make those standards visible to the team and the client. For agencies shipping at scale, that means defining, in plain language, the minimum bar for things like accessibility, privacy/consent, basic security for data capture, performance expectations, and editorial quality. Framing these as release gates ensure quality is cohesive across pages and accounts.

Next, bake the requirements into your prompts and briefs, and seed prompt templates with the same constraints you’ll use in review. This steers AI to generate inside your standards rather than around them and reduces the “morning-after” edits that drain margin on AI-assisted builds.

Design from the outside in to avoid sameness

Design choices should not be left to the discretion of AI website builders. To ensure AI adherence to brand guidelines set by designers or the clients themselves, codify the brand.

Lock your tokens: Define typography scales, spacing, and color tokens with contrast rules (AA/AAA) up front so anything AI generates inherits readable, on-brand defaults. Keep a quick link to the WCAG success criteria and A11Y Project checklist in every brief you feed into the AI.
Pre-approve a trusted set of components: Design, create, and test patterns for common components like navigation, forms, cards, modals, hero, testimonial, pricing, and FAQ. Each pattern should include content slots, character-count guidance, and attach a description to each component or website section so the AI works with components it understands rather than invent ones from scratch.
Constrain, scope, and include art-direction variants: Mix pre-approved layout variants and use detailed, component-scoped prompts (token set, sizes, alignment) to combat sameness without sacrificing speed.

Employ AI for scaffolding but professionals for accuracy and voice

AI provides scaffolding, not move-in-ready sites. For digital marketing agencies, this means even more checks and balances to bring the human into the loop in the most effective way possible before sites are ready for visitors.

Define explicit review gates: Set review points throughout your AI workflows. For example, Gate 1 can check for hallucinations and verify claims and links, Gate 2 for accessibility assurance, and Gate 3 for brand voice and tone validation.
Let AI draft, not publish: Instead of filling pages with placeholder texts until the content department delivers, you can draft section copy, alt texts, microcopy and SEO metadata with AI. Then, hand the product over the human editors to tweak and refine. This reduces prompt churn and avoids layout drift from re-rolling whole sections for tiny edits.
Protect critical content: AI shouldn’t invent legal disclaimers, consent language, privacy policy text, pricing terms, or regulated claims. Draft those from approved templates and legal sources, and make sure the AI cannot make changes to these components and sections.

Ensure rollbacks and auditability

Website edits should not be made with fingers crossed. They should be attributable and reversible without adding extensive overhead.

Version every change: Keep named snapshots of the site so you can restore quickly if the AI messes anything up.
Maintain an audit trail: Regulated clients and internal QA operations need to have records of who changes what, when, and why - including AI-assisted actions.
Portfolio safety net: For multi-site updates (like AI-assisted policy text or CMP changes), stage in a sandbox, sample across site types, then roll out with the ability to auto-rollback if monitors detect issues.

Optimize for time-to-safe-launch

With your standards and guardrails in place, you can make AI a contributing factor to your team’s productivity. To measure the impact, set a new KPI - time to safe launch.

This KPI should measure the period of time passed from kickoff to first live page with CWV baseline met, critical-path a11y checks passed, consent/privacy configured, metadata/redirects set, and security headers/forms validated. Adjust the process where you uncover bottlenecks, and share your progress with stakeholders.

Duda’s approach: AI inside a governed platform

AI should accelerate work, not add more work. When AI generates code without oversight and guardrails, everyone has a bad time on day two. This is why Duda’s AI stack generates sites without writing code, but instead uses the same human-engineered components as the visual editor. So what you publish gets versioning, governance (granular permissions and roles), client-safe controls, and record-setting performance.

Leverage the speed of AI for quick mockups and first drafts, while your day-two edits are hangover-free with granular and reversible changes. In Duda, AI features aim to remove real bottlenecks in processes, helping agencies scale rapidly without sacrificing control and product quality.

So what does building websites with Duda’s AI stack look like for agencies?

Maintainability & TCO for agencies

Duda’s AI stack runs inside a governed editor and content system, so drafts land as human-maintained components (themes, widgets, collections, sections) without raw generated code.

AI speed with under the hood flexibility: With Duda, AI accelerates content and layout creation, but the output lands in familiar and structured interfaces you control: the Content Library, Flex section, page layout, SEO fields, and the text editor. When you do need custom functionality, Duda’s Widget Builder creates reusable widgets without sprinkling ad-hoc code through your sites.
Fearless iteration: Every change you or a client make to a website (publish, republish, site reset or “develop mode” entries) automatically triggers backups that you can preview and restore. This means you can safely experiment with AI-recommended changes to sites as they are all always reversible.
Roles, permissions, and guardrails: Limiting what AI can do is not enough. Duda lets you decide who can use AI at all (team or client) and you can lock critical components to prevent their editing by clients or the AI stack. This can be especially helpful if your clients want to use AI for content tweaks, but you want to keep structure and legal texts (like consent snippets) uneditable. Duda’s AI Copilot is permissioned and scoped, with appropriate warnings when actions make changes to live sites (even though all changes can be rolled back).
Multi-site orchestration and scalability: Scale portfolio ops with Partner/Content Library APIs, global theme controls, reusable sections, and Dynamic Collections/Pages so rebrands and bulk updates happen once, not hundreds of times.

Accessibility & compliance

AI website builders often lack the training to enforce accessibility, privacy, security, and system integrity on the websites they generate. Because Duda’s AI runs inside governed, human-engineered components (rather than free-form code), sites inherit predictable structure, semantics, and consent patterns that make compliance practical and scalable from day zero.

Accessible-by-design building blocks: Headings, labels/ARIA, focus order, keyboard paths, and alt-text fields are drawn from the same component system that powers every Duda site. This means that AI-generated sites on Duda are built from stable and compliant foundations, which translates into zero manual remediation of ad-hoc AI-generated issues.
Baked-in Web Content Accessibility Guidelines (WCAG) compliance: Common patterns (navigation, forms, dialogs, etc.) are engineered to meet WCAG standard targets, so all you need to do is ensure human review where automation falls short.
Hassle-free rebranding with contract-safe tokens: Color and typography tokens help preserve AA-level contrast when themes evolve, preventing regressions as you scale content and style variations across many client sites. The text color picker includes an AA/AAA contrast checker so teams can validate readable color combinations while they design.
Consent management you can standardize: Region-aware banners, preference management, and policy disclosures can be standardized across a portfolio, so you can comply with GDPR/CCPA-style standards without reinventing flows per site. You can use CMP apps from the Duda ecosystem (Termly, Usercentrics, Springtime, PieEye) to deploy region-aware banners, manage preferences, enable Google Consent Mode where needed, and retain records for compliance audits. In addition, EU-only hosting options and baked-in privacy features help regulated clients meet data-residency and consent expectations with ease.
Auditable and safe rollbacks: Duda’s platform automatically versions publishers, previews, and restores, so you have a verifiable and auditable trail for every change. This is especially important for internal QA and for clients in highly regulated sectors (like health and defense).
Operational transparency: Duda’s public status page includes uptime history and incident reporting that provides stakeholders with auditable service health data (which is important for client assurances and RFPs).

Security

AI scales delivery and cybersecurity risk at (nearly) the same speed. Moreover, vibe coding services have been shown time and again to be a risky place to store sensitive information. The safest way to ship fast is therefore to reduce the attack surface one layer above the AI by building it within a platform that enforces security controls and best-practices for you. Duda’s security posture focuses on infrastructure, identity management, and process transparency, so agencies get enterprise-grade protections without duct-taping plugins or pasting AI-generated code into production.

Hardened hosting & system protections: All Duda sites run on AWS with global CDN delivery, automated DDoS mitigation, strict access controls, and live system health reporting. This ensures that traffic volatility at the site of one client doesn’t impact performance across your portfolio.
Encryption & SSL by default: Duda uses HTTPS/TLS 1.2/1.3 for data in transit and AES-256 for data at rest, with automatic, no-cost SSL for every published site (including subdomains).
Secure SDLC & ongoing patching: Platform code is continuously scanned (SAST/DAST/SCA), pen-tested, and patched centrally, shrinking the window between new CVEs and remediation across Duda systems. This means zero manual upgrade per site acrobatics, and no need for third-party security website scans.
Granular identity management and least privilege enforcement: To protect user accounts from attackers, Duda supports MFA and SSO for accounts, as well as granular user permissions at the feature level, making sure that only the right people can make changes in the right places.
Vendor and integration governance: Sub-processors and marketplace apps undergo information-security and privacy review and documented APIs keep extensions predictable making the process far safer than unvetted, AI-invented code snippets (that can potentially lead to “slopsquatting” vulnerabilities).

Creativity with control

AI can accelerate, but agency creatives differentiate. To channel AI speed into distinct brand-specific outcomes, you need to govern creativity. With Duda’s AI stack, prompts generate output based on your brand tokens and bullet-proof component logic so your teams and clients can explore and play around without any danger of brand drift, or AI-produced sameness across your portfolio.

AI sites that inherit brand tokens: Site-level typography, color, spacing, and component rules apply to AI-generated website scaffolds from minute one. The result: rapid prototyping that still reads as your brand system, and not the AI model’s default style.
Section generation without layout drift: Duda’s “Create a Flex Section with AI” feature produces component-based sections (including content) directly in the editor, so teams can iterate structure and art direction without re-rolling code. So things like spacing and responsiveness are optimized and consistent, while design decisions remain distinctly human.
Discoverability and performance: Every site built on Duda is crawl-ready, logically structured with schemas and accessibility features enabled out of the box. When your teams are not chasing CWV scores, troubleshooting instance resource consumption, or trying to make sense of buggy AI-generated code, they are free to focus on the unique “human touch” they can bring to client sites and campaigns.
AI-generated human-tweaked copy: Just as critical as the website structure is the content. Duda’s AI Assistant provides an alternative to a blank page when building a site or a component, accelerating headlines, body copy, crawlable titles/meta, and alt text production at scale. Then, you can apply your style and polish the voice and nuance of the AI-generated copy.
Signature moments beyond stock UI: For website elements that define a brand, the AI-assisted Widget Builder helps you scaffold unique and customized components that behave like native widgets, match editor controls, and can be reused across accounts while maintaining distinctiveness without a single line of AI-generated code.

Tame AI for your agency needs with Duda

When it comes to building client sites at scale, the win isn’t squeezing another hour out of prompts. The real value is in making day-two edits safe, reversible, and cost effective. That’s exactly what a governed platform like Duda gives you: componentized layouts, versioning and rollback, permissioned controls, portfolio-level orchestration, and accessibility/privacy patterns that persist across accounts. On Duda, AI output is built from the same human-engineered components as the visual editor, so it inherits performance, compliance, and maintainability by default, and without vibe-coded surprises.

What this means for agencies:

Time-to-safe-launch drops while quality gates (a11y, consent, security hygiene) stay intact.
Day-two rework shrinks thanks to granular, reversible edits and locked critical elements.
Brand sameness is curbed by tokens and reusable patterns that stay cohesive, not identical.
ROI improves as multi-site updates, theming, and content ops scale smoothly.

Ready to see governed AI in practice? Explore Duda’s AI Stack and how it plugs directly into a versioned, permissioned editor. If you’d like a walkthrough tailored to your workflow (tokens, CMP setup, multi-site orchestration, rollback strategy), talk to us and we’ll map your current process to a faster, safer launch motion and a calmer, headache-free day two.

Core web vitals: What agencies need to know in 2026

By Shawn Davis • April 1, 2026

Core Web Vitals aren't new, Google introduced them in 2020 and made them a ranking factor in 2021. But the questions keep coming, because the metrics keep changing and the stakes keep rising. Reddit's SEO communities were still debating their impact as recently as January 2026, and for good reason: most agencies still don't have a clear, repeatable way to measure, diagnose, and fix them for clients. This guide cuts through the noise. Here's what Core Web Vitals actually measure, what good scores look like today, and how to improve them—without needing a dedicated performance engineer on every project. What Core Web Vitals measure Google evaluates three user experience signals to determine whether a page feels fast, stable, and responsive: Largest Contentful Paint (LCP) measures how long it takes for the biggest visible element on a page — usually a hero image or headline — to load. Google considers anything under 2.5 seconds good. Above 4 seconds is poor. Interaction to Next Paint (INP) replaced First Input Delay (FID) in March 2024. Where FID measures the delay before a user's first click is registered, INP tracks the full responsiveness of every interaction across the page session. A good INP score is under 200 milliseconds. Cumulative Layout Shift (CLS) measures visual stability — how much page elements unexpectedly move while content loads. A score below 0.1 is good. Higher scores signal that images, ads, or embeds are pushing content around after load, which frustrates users and tanks conversions. These three metrics are a subset of Google's broader Page Experience signals, which also include HTTPS, safe browsing, and mobile usability. Core Web Vitals are the ones you can most directly control and improve. Why your clients' scores may still be poor Core Web Vitals scores vary dramatically by platform, hosting, and how a site was built. Some of the most common culprits agencies encounter: Heavy above-the-fold content . A homepage with an autoplay video, a full-width image slider, and a chat widget loading simultaneously will fail LCP every time. The browser has to resolve all of those resources before it can paint the largest element. Unstable image dimensions . When an image loads without defined width and height attributes, the browser doesn't reserve space for it. It renders the surrounding text, then jumps it down when the image appears. That jump is CLS. Third-party scripts blocking the main thread . Analytics pixels, ad tags, and live chat tools run on the browser's main thread. When they stack up, every click and tap has to wait in line — driving INP scores up. A single slow third-party script can push an otherwise clean site into "needs improvement" territory. Too many web fonts . Each font family and weight is a separate network request. A page loading four font files before rendering any text will fail LCP, especially on mobile connections. Unoptimized images . JPEGs and PNGs served at full resolution, without compression or modern formats like WebP or AVIF, add unnecessary weight to every page load. How to measure them accurately There are two types of Core Web Vitals data you should be looking at for every client: Lab data comes from tools like Google PageSpeed Insights, Lighthouse, and WebPageTest. It simulates page loads in controlled conditions. Lab data is useful for diagnosing specific issues and testing fixes before you deploy them. Field data (also called Real User Monitoring, or RUM) comes from actual users visiting the site. Google collects this through the Chrome User Experience Report (CrUX) and surfaces it in Search Console and PageSpeed Insights. Field data is what Google actually uses as a ranking signal — and it often looks worse than lab data because it reflects real-world device and connection variability. If your client's site has enough traffic, you'll see field data in Search Console under Core Web Vitals. This is your baseline. Lab data helps you understand why the scores are what they are. For clients with low traffic who don't have enough field data to appear in CrUX, you'll be working primarily with lab scores. Set that expectation early so clients understand that improvements may not immediately show up in Search Console. Practical fixes that move the needle Fix LCP: get the hero image loading first The single most effective LCP improvement is adding fetchpriority="high" to the hero image tag. This tells the browser to prioritize that resource over everything else. If you're using a background CSS image for the hero, switch it to anelement — background images aren't discoverable by the browser's preload scanner. Also check whether your hosting serves images through a CDN with caching. Edge delivery dramatically reduces the time-to-first-byte, which feeds directly into LCP. Fix CLS: define dimensions for every media element Every image, video, and ad slot on the page needs explicit width and height attributes in the HTML. If you're using responsive CSS, you can still define the aspect ratio with aspect-ratio in CSS while leaving the actual size fluid. The key is giving the browser enough information to reserve space before the asset loads. Avoid inserting content above existing content after page load. This is common with cookie banners, sticky headers that change height, and dynamically loaded ad units. If you need to show these, anchor them to fixed positions so they don't push content around. Fix INP: reduce what's competing for the main thread Audit third-party scripts and defer or remove anything that isn't essential. Tools like WebPageTest's waterfall view or Chrome DevTools Performance panel show you exactly which scripts are blocking the main thread and for how long. Load chat widgets, analytics, and ad tags asynchronously and after the page's critical path has resolved. For most clients, moving non-essential scripts to load after the DOMContentLoaded event is a meaningful INP improvement with no visible impact on the user experience. For websites with heavy JavaScript — particularly those built on frameworks with large client-side bundles — consider breaking up long tasks into smaller chunks using the browser's Scheduler API or simply splitting components so the main thread isn't locked for more than 50 milliseconds at a stretch. What platforms handle automatically One of the practical advantages of building on a platform optimized for performance is that many of these fixes are applied by default. Duda, for example, automatically serves WebP images, lazy loads below-the-fold content, minifies CSS, and uses efficient cache policies for static assets. As of May 2025, 82% of sites built on Duda pass all three Core Web Vitals metrics — the highest recorded pass rate among major website platforms. That baseline matters when you're managing dozens or hundreds of client sites. It means you're starting each project close to or at a passing score, rather than diagnosing and patching a broken foundation. How much do Core Web Vitals actually affect rankings? Honestly, they're a tiebreaker — not a primary signal. Google has been clear that content quality and relevance still dominate ranking decisions. A well-optimized site with thin, irrelevant content won't outrank a content-rich competitor just because its CLS is 0.05. What Core Web Vitals do affect is the user experience that supports those rankings. Pages with poor LCP scores have measurably higher bounce rates. Sites with high CLS lose users mid-session. Those behavioral signals — time on page, return visits, conversions — are things search engines can observe and incorporate. The practical argument for fixing Core Web Vitals isn't just "because Google said so." It's that faster, more stable pages convert better. Every second of LCP improvement can reduce bounce rates by 15–20% depending on the industry and device mix. For client sites that monetize through leads or eCommerce, that's a revenue argument, not just an SEO argument. A repeatable process for agencies Audit every new site before launch. Run PageSpeed Insights and record LCP, INP, and CLS scores for both mobile and desktop. Flag anything in the "needs improvement" or "poor" range before the client sees the live site. Check Search Console monthly for existing clients. The Core Web Vitals report surfaces issues as they appear in field data. Catching a regression early — before it compounds — is significantly easier than explaining a traffic drop after the fact. Document what you've improved. Clients rarely see Core Web Vitals scores on their own. A monthly one-page performance summary showing before/after scores builds credibility and makes your technical work visible. Prioritize mobile. Google uses mobile-first indexing, and field data shows that mobile CWV scores are almost always worse than desktop. If you only have time to optimize one version, do mobile first. Core Web Vitals aren't a one-time fix. Platforms change, new scripts get added, campaigns bring in new widgets. Build the audit into your workflow and treat it like any other ongoing deliverable, and you'll stay ahead of the issues before they affect your clients' rankings. Duda's platform is built with Core Web Vitals performance in mind. Explore how it handles image optimization, script management, and site speed automatically — so your team spends less time debugging and more time building.

Why systems, not tools, are the future of vertical SaaS

By Ilana Brudo • March 31, 2026

Vertical SaaS must transition from tools to an AI-powered Vertical Operating System (vOS). Learn to leverage context, end tech sprawl, and maximize retention.

Maximizing SaaS growth with an API-driven website builder

By Shawn Davis • March 27, 2026

Automate client management, instant site generation, and data synchronization with an API-driven website builder to create a scalable growth engine for your SaaS platform.