In the realm of software development, the integration of AI coding assistants has become almost ubiquitous, with a staggering 97% of software engineers and DevOps professionals utilizing these innovative tools. Despite this widespread adoption, a significant governance gap exists that prevents organizations from fully capitalizing on the productivity benefits promised by AI technologies. A recent independent survey conducted by UserEvidence on behalf of Black Duck surveyed 831 professionals in this field and provided troubling insights about the state of AI governance.
The survey revealed that while tools like GitHub Copilot and Claude Code dominate adoption—being employed by 83% and 63% of teams, respectively—only 30% of these organizations have established formal oversight policies. Such oversight is crucial to ensure that the integration of AI assistants enhances productivity rather than causing unexpected consequences downstream.
The potential productivity gains from AI coding assistants are notable. Developers report an average recovery of eight hours per week due to these tools, and an impressive 92% of responding teams affirm that AI assistants lead to faster and more productive releases. However, this apparent efficiency often comes with hidden complications. A significant majority, specifically nine out of ten teams, encounter challenges stemming from AI-generated code during various stages of their workflow. Notably, 52% of teams identify manual code reviews as bottlenecks, while 51% face issues during security testing. Additionally, 48% find themselves reworking the code generated by AI, and 41% are engaged in iterative prompting to elicit better responses from the AI.
As the utilization of AI expands, so do the security concerns associated with AI-generated code. Among teams experiencing a surge in AI-written code, 57% classify security testing and vulnerability remediation as their most pressing bottleneck. Alarming data from the survey indicates that nearly two-thirds of all teams harbor moderate to extreme fears regarding the introduction of security defects through AI assistants, and this concern climbs notably among the heaviest users of AI technologies. Diana Kelley, Chief Information Security Officer at Noma Security, emphasizes that faster code production does not mean safer code, as developers increasingly find their time consumed by the need to validate and secure AI outputs. Meanwhile, Nicole Carignan, a field CISO at Darktrace, underscores the risks posed by AI-generated code, such as vulnerabilities in authentication protocols, exposed secrets, overly permissive APIs, and opaque external dependencies that remain hidden in the generated code.
The disparity in outcomes between teams implementing formal governance structures and those that do not is clear. Among organizations that fully govern their AI use, 90% report major efficiency gains, against an overall average of 58% and only 44% among teams lacking comprehensive governance. Despite these evident advantages, approximately one-quarter of organizations have no defined AI coding policy at all. Interestingly, 68% of respondents prioritize the automated tracking of AI-generated code, yet many still rely on the outdated approach of manually flagging issues through comments in pull requests rather than adopting a consistent and systematic form of oversight.
Experts in the field advocate for treating AI-generated code as a supply-chain risk that necessitates dedicated controls. Ram Varadarajan, CEO of Acalvio, argues that governance, rather than the AI tools themselves, represents the primary barrier to realizing their full benefits. To mitigate risks, organizations are encouraged to establish policy frameworks, secure coding standards, and mandatory human reviews of AI-generated outputs. The survey also highlighted that 86% of teams believe an AI agent or model should play a role in vetting AI-produced code, while 56% desire a dedicated AI security agent for this purpose. However, a compelling 84% still prefer the inclusion of human oversight, either through pull requests or in-editor suggestions.
In conclusion, the data consistently demonstrates that operationalizing AI in a manner that includes proper governance and shared standards is essential. Without these crucial guardrails, the efficiency gains that AI coding assistants promise may inadvertently create additional burdens during stages such as quality assurance, DevOps processes, and application security. Ultimately, organizations must take decisive actions to close the governance gap if they wish to harness the full potential of AI in software development.