AI Coding Adoption Hits 97% but Governance Lags Behind


Nearly all software development teams have adopted AI coding assistants, but fewer than a third govern how the tools are used, and that gap is capping the productivity AI promises.

The figures come from an independent survey of 831 software engineers and DevOps professionals conducted by the research firm UserEvidence for Black Duck in March 2026. It found 97% actively using the tools but just 30% with a fully governed approach to oversight.

GitHub Copilot and Claude Code dominate, used by 83% and 63% of teams respectively, and most run more than one assistant.

On the upside, 92% of teams credit the assistants with faster, more productive releases, and on average the tools hand developers eight hours back each week.


Productivity Comes With a Catch

The gains come with a catch. Nine in 10 teams hit problems with AI-generated code somewhere in their workflow, a sign the tools often shift effort downstream rather than removing it.

Most of the friction lands after the code is written:

  • Manual code review, cited by 52% of teams

  • Security testing, at 51%

  • Reworking the generated code, 48%

  • Iterating on prompts, 41%

Meanwhile, among teams whose AI-written code has surged by more than half, 57% named security testing and vulnerability fixing as the worst bottleneck.

Diana Kelley, CISO at Noma Security, warned that “sooner code shouldn’t be the identical factor as safer code,” with developer time shifting toward validating and securing what AI produces.

Governed Teams Pull Ahead

The teams that formalize oversight see the biggest returns. Where AI use is fully governed, 90% report a major efficiency gain, against 58% overall and 44% of teams without full governance.

However, a quarter have no defined AI coding policy at all, and although 68% called automated monitoring of AI-generated code extremely important, many still flag it by hand in pull-request comments.

“AI coding assistants are not the problem; governance is,” said Ram Varadarajan, CEO of Acalvio, adding that AI-generated code must be treated as a new supply-chain risk fenced in by policy, secure-coding standards and human review.

Keeping a Human in the Loop

Security unease rises with use. Nearly two-thirds of teams (64%) said they are moderately or extremely concerned the assistants will introduce security defects, and the heaviest users are the most worried.

Despite this, many would welcome automated help: 86% think an AI agent or model should vet AI-written code, and 56% want a dedicated AI security agent. Even so, 84% want to keep a human in the loop through pull requests or in-editor suggestions.

“Safety groups have to deal with AI-assisted improvement as a part of the assault floor,” warned Nicole Carignan, field CISO at Darktrace, noting that generated code can hide weak authentication, exposed secrets or over-permissioned APIs and often pulls in opaque external dependencies.

In the report, Black Duck made the same case, arguing that the teams which learn to “operationalize AI” will come out ahead, and that guardrails and shared standards are what stop the efficiency gains leaking away as work shifts to QA, DevOps and AppSec.