Nearly all software development teams have adopted AI coding assistants, but a critical governance gap is preventing organizations from realizing the full productivity benefits these tools promise. An independent survey of 831 software engineers and DevOps professionals conducted by UserEvidence for Black Duck in March 2026 found that 97% actively use AI coding tools, yet only 30% have implemented formal oversight policies. GitHub Copilot and Claude Code lead adoption, used by 83% and 63% of teams respectively, with most organizations running multiple assistants simultaneously.
The productivity gains are substantial but come with hidden costs. Teams report that AI assistants return an average of eight hours per week to developers, and 92% credit the tools with faster, more productive releases. However, nine in ten teams encounter problems with AI-generated code somewhere in their workflow, indicating that these tools often shift effort downstream rather than eliminating it entirely. The friction points occur primarily after code generation: 52% cite manual code review as a bottleneck, 51% point to security testing, 48% report reworking generated code, and 41% spend time iterating on prompts.
Security concerns escalate with increased usage. Among teams where AI-written code has grown by more than half, 57% identify security testing and vulnerability remediation as their worst bottleneck. Nearly two-thirds (64%) of all teams express moderate to extreme concern that AI assistants will introduce security defects, with the heaviest users showing the greatest worry. Diana Kelley, CISO at Noma Security, emphasized that faster code does not equal safer code, as developer time increasingly shifts toward validating and securing AI output. Nicole Carignan, field CISO at Darktrace, warned that AI-generated code can conceal weak authentication, exposed secrets, over-permissioned APIs, and opaque external dependencies.
Teams with formal governance structures demonstrate significantly better outcomes. Where AI use is fully governed, 90% report major efficiency gains, compared to 58% overall and just 44% among teams without full governance. Despite this clear advantage, a quarter of organizations have no defined AI coding policy whatsoever. While 68% consider automated tracking of AI-generated code extremely important, many still rely on manual flagging through pull-request comments rather than systematic oversight.
Security experts recommend treating AI-generated code as a supply-chain risk requiring dedicated controls. Ram Varadarajan, CEO of Acalvio, argues that governance, not the assistants themselves, now represents the primary challenge. Organizations should implement policy frameworks, secure coding standards, and mandatory human review. The survey found that 86% of teams believe an AI agent or model should vet AI-written code, and 56% want a dedicated AI security agent, though 84% still prefer keeping humans in the loop through pull requests or in-editor suggestions. Black Duck concludes that teams which operationalize AI with proper guardrails and shared standards will prevent efficiency gains from leaking into downstream QA, DevOps, and application security work.
Source: https://www.infosecurity-magazine.com/news/ai-coding-adoption-governance-lags/