AI Coding Adoption Reaches 97%, Yet Governance Remains Behind

AI Coding Assistants: Productivity Gains Amid Governance Gaps

In recent years, nearly all software development teams have embraced AI coding assistants, with a striking 97% of developers actively utilizing these tools. However, despite the enthusiasm for AI integration, a concerning statistic has emerged: fewer than a third of these teams have established comprehensive governance strategies regarding the use of these tools. This disparity highlights a significant barrier that may be hindering the potential productivity improvements promised by AI technologies.

The insights come from a detailed survey conducted by the research firm UserEvidence for Black Duck in March 2026, which involved 831 software engineers and DevOps professionals. The findings reveal a paradoxical situation where the majority of development teams have adopted AI-driven coding assistants, yet only 30% claim to employ a fully governed approach to overseeing their usage.

The survey highlighted GitHub Copilot and Claude Code as the dominant coding assistants, with adoption rates among teams standing at 83% and 63% respectively. Many development teams have opted to use multiple AI assistants simultaneously, reflecting their growing reliance on these tools to aid in coding tasks.

One of the more encouraging bits of data is that 92% of teams believe that AI assistants contribute to quicker, more efficient releases. On average, developers report reclaiming approximately eight hours of their workweek, suggesting that AI tools are delivering on their promise of enhanced productivity.

Yet this productivity surge comes with complexities. Ninety percent of teams encountered issues with AI-generated code at various points in their workflows, indicating that these tools often transfer the workload downstream rather than eliminating it altogether. The identified friction points primarily occur after the code has been generated, in tasks including:

  • Manual code review: 52% of teams are still reliant on manual checks to ensure quality.
  • Security testing: 51% reported this to be another major concern, indicating potential vulnerabilities.
  • Reworking generated code: 48% found it necessary to modify the AI-created code.
  • Prompt iteration: 41% needed to continuously adjust their requests to improve output.

Among teams that have seen a dramatic increase in AI-generated code (over 50%), 57% highlighted security testing and the rectification of vulnerabilities as the most significant bottlenecks, underscoring a crucial gap in the assurance of software safety.

Diana Kelley, Chief Information Security Officer at Noma Security, voiced a pertinent warning when she stated, "Faster code is not the same thing as safer code." This highlights the shift in developer priorities, where more time is devoted to validating and securing AI-generated outputs rather than focusing on new development.

The survey findings further revealed a stark contrast between teams with and without formalized governance structures. Teams that enforce oversight of their AI usage are witnessing the most substantial efficiency gains. An impressive 90% of these governed teams reported major improvements in their workflows, in contrast to 58% of all teams and only 44% of those without governance measures in place. Alarmingly, a quarter of the surveyed teams do not have any defined AI coding policy.

Despite recognizing the importance of automated tracking of AI-generated code—68% of teams indicated it is extremely important—many still resort to manual flagging in pull-request comments. Ram Varadarajan, CEO of Acalvio, aptly summarized the situation by stating, "AI coding assistants are no longer the challenge; governance is." He stressed that AI-generated code should be perceived as a new supply-chain risk, necessitating policies, secure coding standards, and human reviews.

Concerns regarding security are escalating alongside the increasing use of AI tools. Nearly two-thirds of teams (64%) expressed moderate to extreme apprehensions that these assistants could introduce security defects, with the heaviest users displaying the most anxiety. In a future-directed approach, 86% of teams indicated a desire for automated mechanisms to vet AI-written code, and 56% expressed interest in employing a dedicated AI security agent. Nonetheless, a significant 84% affirmed the necessity of retaining human oversight through methods like pull requests or in-editor suggestions.

Nicole Carignan, field Chief Information Security Officer at Darktrace, cautioned that security teams must regard AI-assisted development as an integral part of their attack surface. She noted that generated code can conceal various risks, including weak authentication and over-permissioned APIs, and can integrate unknown external dependencies.

In summation, the report from Black Duck underscores that teams capable of effectively "operationalizing" AI will likely emerge as leaders in their field. Implementing proper guardrails and establishing shared standards will be crucial to ensuring that increased efficiency does not diminish as teams shift focus toward quality assurance, DevOps, and application security. Balancing the benefits of AI with a responsible governance framework may ultimately determine the success of coding assistants in driving productivity while maintaining security.
