"97% of teams are actively using AI coding assistants, but just 30% have a fully governed approach to oversight."
That summary, drawn from an independent survey of 831 software engineers and DevOps professionals conducted by UserEvidence for Black Duck in March 2026, captures a sharp mismatch: adoption of AI coding tools is nearly universal, yet formal controls and oversight lag behind, and the gap is already shaping where work gets done and where risk accumulates.
Near-universal adoption, concentrated toolset
The survey found 97% of teams actively using AI coding assistants. Usage is concentrated around a few products: GitHub Copilot is used by 83% of teams and Claude Code by 63%, and most teams run more than one assistant. Those figures show the tools are now a standard part of many development toolchains even as governance remains uneven.
Measured gains — eight hours a week and faster releases
Teams reported tangible productivity returns. Ninety-two percent credited the assistants with faster, more productive releases, and respondents said the tools hand developers back an average of eight hours each week. Those are meaningful efficiency signals, and they explain why near-universal adoption has taken hold so quickly.
Downstream friction: code review, security testing and rework
The gains come with a catch: nine in ten teams encountered problems with AI-generated code somewhere in their workflow. Most of the friction lands after code is written — manual code review was cited by 52% of teams, security testing by 51%, reworking generated code by 48%, and iterating on prompts by 41%.
Where teams reported that AI-written code had surged by more than half, 57% named security testing and vulnerability fixing as the worst bottleneck. As Diana Kelley, CISO at Noma Security, put it: "faster code is not the same thing as safer code," warning that developer time is shifting toward validating and securing what AI produces.
Governed teams pull ahead — and many teams lack basic policies
Formal governance appears to deliver outsized returns. Where AI use is fully governed, 90% of teams reported a major efficiency gain — compared with 58% overall and 44% among teams without full governance. Yet a quarter of respondents said they have no defined AI coding policy at all.
Automated tracking of AI-generated code was flagged as extremely important by 68% of teams, but implementation is inconsistent: many teams still mark AI-produced work by hand in pull-request comments. Ram Varadarajan, CEO of Acalvio, framed the shift bluntly: "AI coding assistants are no longer the challenge; governance is," adding that AI-generated code should be treated as a new supply-chain risk and fenced in by policy, secure-coding standards and human review.
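One way to replace hand-written "this was AI-generated" pull-request comments with something a pipeline can enforce is to record AI assistance as a git trailer and check it in CI. The script below is an added illustration, not Black Duck's tooling or anything from the survey: it assumes a team convention of an `AI-Assisted:` trailer naming the tool (or `no`) and a `Reviewed-by:` trailer for human sign-off, parses a constructed log in the record/field-separator layout that `git log --format='%H%x1f%an%x1f%B%x1e'` would produce, and flags commits that are undeclared or AI-assisted without an independent reviewer. The commit hashes, authors and messages are invented sample data.

```python
"""Audit AI-assisted commits via git trailers (illustrative, not the survey's tooling).

Assumed team convention:
  AI-Assisted: <tool name> | no        declared on every commit
  Reviewed-by: Name <email>            human sign-off, must not be the author
"""
import re
from dataclasses import dataclass, field

# "Key: value" lines in the contiguous block at the end of a commit message
TRAILER_RE = re.compile(r"^([A-Za-z-]+):\s*(.+)$")

# Constructed sample: git log --format='%H%x1f%an%x1f%B%x1e' (hashes/authors invented)
SAMPLE_LOG = (
    "a1b2c3d\x1fDana Li\x1fAdd rate limiter to login endpoint\n\n"
    "Generated initial implementation with Copilot.\n\n"
    "AI-Assisted: GitHub Copilot\nReviewed-by: Sam Ortiz <sam@example.com>\n\x1e"
    "e4f5a6b\x1fSam Ortiz\x1fRefactor token parser\n\n"
    "AI-Assisted: Claude Code\nReviewed-by: Sam Ortiz <sam@example.com>\n\x1e"
    "c7d8e9f\x1fDana Li\x1fBump dependency versions\n\nAI-Assisted: no\n\x1e"
    "0a1b2c3\x1fPriya N\x1fFix typo in README\n\x1e"
)


@dataclass
class Commit:
    sha: str
    author: str
    subject: str
    trailers: dict = field(default_factory=dict)  # lower-cased key -> [values]


def parse_commit(sha: str, author: str, message: str) -> Commit:
    """Split a commit message into subject and trailer block (git's own heuristic)."""
    lines = [ln.rstrip() for ln in message.strip().splitlines()]
    subject = lines[0] if lines else ""
    i = len(lines)
    # Walk backwards over trailing "Key: value" lines; the subject is never a trailer.
    while i > 1 and TRAILER_RE.match(lines[i - 1]):
        i -= 1
    trailers: dict = {}
    for line in lines[i:]:
        key, value = TRAILER_RE.match(line).groups()
        trailers.setdefault(key.lower(), []).append(value.strip())
    return Commit(sha, author, subject, trailers)


def parse_log(text: str) -> list:
    """Parse records separated by \\x1e with fields separated by \\x1f."""
    commits = []
    for record in text.split("\x1e"):
        if not record.strip():
            continue
        sha, author, message = record.split("\x1f", 2)
        commits.append(parse_commit(sha, author, message))
    return commits


def ai_declared(commit: Commit):
    """Return the declared tool name, 'no' if declared human-written, or None if undeclared."""
    values = commit.trailers.get("ai-assisted")
    if not values:
        return None
    return "no" if values[0].lower() in ("no", "none", "false") else values[0]


def audit(commits: list, require_declaration: bool = True) -> list:
    """Return (sha, reason) for commits that violate the assumed policy."""
    findings = []
    for c in commits:
        tool = ai_declared(c)
        if tool is None:
            if require_declaration:
                findings.append((c.sha, "no AI-Assisted trailer; provenance unknown"))
            continue
        if tool == "no":
            continue
        # AI-assisted code needs a human reviewer other than the author (no self-approval).
        independent = [r for r in c.trailers.get("reviewed-by", [])
                       if c.author.lower() not in r.lower()]
        if not independent:
            findings.append((c.sha, f"AI-assisted ({tool}) without an independent human reviewer"))
    return findings


def ai_share(commits: list) -> float:
    """Fraction of commits declared as AI-assisted; feeds the 'how much is AI-written' metric."""
    if not commits:
        return 0.0
    assisted = sum(1 for c in commits if ai_declared(c) not in (None, "no"))
    return assisted / len(commits)


if __name__ == "__main__":
    commits = parse_log(SAMPLE_LOG)
    print(f"AI-assisted share: {ai_share(commits):.0%}")
    for sha, reason in audit(commits):
        print(f"{sha}: {reason}")
```

Run as a CI step over the commits in a pull request, the script gives the review queue a machine-readable view of which changes need the extra security testing the survey respondents describe, and the `ai_share` figure tracks the growth in AI-written code that the survey ties to the worst bottlenecks. The trailer convention and the self-approval rule are assumptions for this example; a real deployment would pin them in the team's policy.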
What security teams, engineering leaders, developers and DevOps will watch
- Technologists and security teams: Security unease is widespread — 64% said they are moderately or extremely concerned that assistants will introduce security defects, and the heaviest users are the most worried. Most respondents want automated help: 86% think an AI agent or model should vet AI-written code, 56% want a dedicated AI security agent, and 84% want to retain a human in the loop through pull requests or in-editor suggestions. Nicole Carignan, field CISO at Darktrace, warned that generated code can hide weak authentication, exposed secrets or over-permissioned APIs and often pulls in opaque external dependencies.
- Engineering leaders and procurement: The data give a clear operational lever: teams that formalize oversight report larger efficiency gains. With a quarter of organizations lacking any AI coding policy and many teams resorting to manual flagging, leaders will need to decide whether to invest in automated tracking, policy, and secure-coding standards to capture the productivity upside without increasing downstream cost.
- Developers and DevOps: Developers are already reclaiming time — eight hours a week on average — but that time is being diverted in many cases to review, rework and security testing. Black Duck argues teams that learn to "operationalize AI" — through guardrails and shared standards — will avoid seeing efficiency gains leak away into QA, DevOps and AppSec.
The numbers point to a clear inflection: AI coding assistants have moved from novelty to near-universal tool, but the real test is governance. With 97% adoption and only 30% of teams fully governed, the firms that embed automated tracking, secure-coding standards and human review into their workflows are already reporting far better results — 90% major efficiency gains — while those that do not risk moving effort downstream into review and remediation. Will teams turn those recovered eight hours per developer into stronger guardrails or let the work shift into QA and security? The survey leaves that choice squarely in the hands of engineering and security leaders.