In the theater of modern enterprise software development, the deployment of AI coding assistants has been heralded as the ultimate victory for sheer engineering volume. Organizations can now generate massive blocks of functional logic in seconds, effectively neutralizing the old "blank page" problem.
But a sobering independent market study from Black Duck and research partner UserEvidence delivers a sharp reality check to the C-suite.
The report, titled "The State of AI-Powered Software Development," surveys 831 software engineers and DevOps professionals to reveal a profound structural paradox: while AI adoption has fundamentally solved the code production bottleneck, it has simultaneously broken the code review pipeline.
As developers flood repositories with automated code, organizations face a critical inflection point. The report's core thesis is clear: organizations need governance to unlock AI's true potential. Without it, the eight hours developers save each week are swallowed by the manual work of downstream testing, review and rework.
The baseline metrics of the report initially paint a picture of an engineering utopia. Mass adoption is a reality, with 97% of software teams actively utilizing AI coding tools like GitHub Copilot (83%) and Claude Code (63%).
Furthermore, 92% of teams report notable boosts in productivity and release velocity, with AI assistants handing developers back an average of eight hours per week—a full day of work reclaimed.
But this speed is a double-edged sword. Generating lines of code is trivial; verifying its security, logic, and architectural fit is not. Software code is inherently a liability: stuffing a repository with machine-generated lines expands the enterprise attack surface and triggers intense pull-request fatigue.
As a result, 90% of teams encounter workflow trade-offs and bottlenecks. AI has not eliminated overall engineering effort; it has merely redistributed it further down the Software Development Lifecycle (SDLC).
When a pipeline lacks clear, automated guardrails, the surge in code volume lands directly on Application Security (AppSec) and Quality Assurance (QA) checkpoints. This is why Black Duck argues that real AI maturity means moving from loose adoption policies to formal governance enforced by deterministic, automated controls.
"Our research found that 92% of teams see improved productivity and velocity in code development—yet 90% still hit significant bottlenecks further down the SDLC," said Shandra Gemmiti, Sr. Director of Cross-Portfolio Solutions at Black Duck. "Teams have become very good at accelerating code generation but haven't invested in what comes after it. Manual code reviews, security testing, and issue remediation are all falling behind, creating a dangerous imbalance between how fast code is produced and how safely it can be shipped."
Gemmiti added, "The data also shows that governance is a force multiplier for AI ROI, not a constraint. The 30% of teams that have implemented fully governed approaches to AI-assisted development are 55% more likely to see major efficiency gains—proving that guardrails accelerate outcomes rather than slow them down."
"This governance gap becomes existential when you factor in what models like Claude Mythos signal about the threat landscape," Gemmiti continued. "When AI can autonomously discover and exploit vulnerabilities at machine speed, the window teams have to identify and fix issues doesn't just shrink—it effectively disappears. What was a workflow bottleneck before Mythos becomes a structural vulnerability flood that existing security infrastructure was never built to absorb."
"The only viable response is to match this AI-driven attack speed with an AI-assisted defense," Gemmiti said. "Teams will need to use AI to augment their existing application security programs to enable security to handle the increase in code volume, velocity, and vulnerabilities. Those that don't adapt application security to meet this moment will be exposed in ways their current tools and processes have no answer for."
Currently, fewer than a third of teams (30%) operate under a fully governed approach: formally approved, centrally managed and actively monitored. Most of the rest settle for informal guidelines or rely entirely on developers to document AI usage manually in their pull requests.
However, organizations that close this gap see a marked performance difference: teams with full AI governance are 55% more likely to report a major improvement in operational efficiency, with 90% of fully governed teams reporting such gains against 44% of their ungoverned peers.
Thoughtful governance turns pipelines from a series of stop-and-go friction points into continuous force multipliers. By setting explicit, automated rules for how AI-generated code is ingested, tagged and vetted, teams gain the structural confidence to ship software safely without every change stalling in ad hoc manual review.
What this means for leadership versus cybersecurity teams
The report exposes an alarming alignment gap between corporate executives and the technical contributors holding the defensive line.
- The C-suite blind spot: Senior leadership removed from day-to-day repository work tends to view AI code quality through rose-tinted glasses. C-level executives are 78% more likely to rate AI code quality as "excellent" than the respondent base as a whole (48% versus 27%). By contrast, only 8% of technical contributors and 9% of first-line managers share that assessment. Executives see rapid feature releases; developers see the invisible debt of rework and prompt patching.
- The cyber team's burden: Security teams are left to manage the resulting risk. Sixty-four percent of development teams express serious concern about AI introducing security defects and vulnerabilities into production. The concern grows with heavier use: among practitioners who rely on AI for the majority of their coding, the share citing vulnerability remediation as an urgent priority rises to 57%.
To survive this influx, developers and security teams are looking to fight automation with automation. Eighty-six percent believe a dedicated AI security agent should evaluate AI-generated code. However, they refuse to yield ultimate control to an autonomous entity: 84% mandate keeping a human in the loop via structured pull requests or real-time IDE suggestions. Developers want machine-speed security inputs, but they insist on retaining final decision-making authority.
The operational realities detailed in Black Duck's research carry direct, real-world consequences for the general public and end-consumers.
For the consumer, the immediate benefit of a fully-governed, AI-accelerated pipeline is the rapid delivery of digital value. Bug fixes, localized user experience improvements, and highly-anticipated new application features can be conceptualized, coded, and deployed in days rather than quarters. Boilerplate code and technical scaffolding are handled instantly by machines, letting human engineers dedicate more focus to complex system design and user experience prototyping.
The downside for the public is severe if organizations prioritize developer velocity over automated governance. If thousands of lines of unverified AI code flow directly into revenue-generating, consumer-facing applications, the likelihood of subtle logic vulnerabilities reaching production rises sharply.
For the average consumer, this translates to a heightened risk of data exposure, privacy violations, and software supply chain compromises. If an organization fails to track the exact structure and origin of its AI-assisted components, identifying and patching an active zero-day vulnerability takes significantly longer—leaving public data exposed to threat actors for extended windows.
Tactical directives for modern AppSec and DevSecOps teams
To safely scale engineering velocity without completely drowning the security organization, corporate leadership must execute three core imperatives.
- Enforce automated AI metadata tagging: Stop relying on manual developer comments in pull requests to track AI-generated code. Implement automated tagging in the IDE and repository, with signed provenance metadata, so that the origin and extent of machine-generated code blocks can be established immediately and downstream investigation windows shrink.
- Orchestrate concurrent CI/CD security testing: AppSec controls must run across the entire release pipeline rather than as a late gate. Automate project onboarding and run Static Application Security Testing (SAST), Software Composition Analysis (SCA) and Dynamic Application Security Testing (DAST) in parallel so that testing keeps pace with machine-speed code volumes without becoming the bottleneck.
- Transition to dynamic Software Bills of Materials (SBOMs): To manage supply chain risk and meet emerging regulations such as the EU Cyber Resilience Act (CRA), maintain automated, continuously updated SBOMs for all code created or ingested, including AI-assisted components. Pair them with vulnerability intelligence so that newly disclosed issues can be located and remediated quickly in deployed systems.
We asked experts from cybersecurity solution providers for their thoughts on the survey's results.
Ram Varadarajan, CEO at Acalvio, said:
- "The key takeaway from the Black Duck research is that AI coding assistants are no longer the challenge; governance is. Organizations that pair AI adoption with clear policies, security guardrails, and human oversight are far more likely to realize productivity gains without increasing technical debt and security risk."
- "Unfortunately, this is our new reality. Organizations should treat AI-generated code as a new software supply chain risk. So, implement governance frameworks, AI-specific secure coding standards, automated security testing, and mandatory human review processes to ensure AI accelerates development without compromising software quality or security."
Nicole Carignan, SVP of Security & AI Strategy and Field CISO at Darktrace, said:
- "For organizations, the main concern is insecure code moving faster than review. AI coding tools can help with structure, documentation, and basic checks, but they do not make software secure by default. Generated code may include weak authentication, exposed secrets, over-permissioned APIs, or unsafe dependency usage that a non-expert may not recognize. There is also emerging risk in the tools themselves: hallucinated logic, unsafe or unintended function calls, and even the possibility of malicious or compromised tools being introduced into development workflows."
- "Security teams need to treat AI-assisted development as part of the attack surface. That means visibility not only into the code being produced, but into the tools, functions, and integrations that code relies on. Organizations should understand which internal and external tools are being invoked, how functions interact, and what trust relationships are being created. Graph analysis of tool and function calls, across both internal systems and external services, becomes essential to identify unexpected paths, privilege escalation, or unsafe data flows."
- "External dependencies deserve particular scrutiny. AI-generated code often pulls in libraries, APIs, or services automatically, sometimes with little transparency to the person building the application. Human analysis of these dependencies is still required to understand ownership, maintenance, security posture, and long-term risk. AI can assist with this process with cyber-AI models that can help identify vulnerabilities, insecure patterns, and known weaknesses in generated code, but it should augment, not replace, expert judgment."
- "Used responsibly, AI coding tools can help developers and non-developers work faster. However, organizations need clear security by design architecture: secure code review, dependency and composition analysis, secrets detection, API security, access controls, data classification, and testing before production. That includes AI-assisted code review and red-team testing to probe how generated code behaves under real-world attack scenarios, followed by mandatory human review before anything reaches production."
Black Duck's 2026 data confirm that simply buying an AI coding assistant no longer provides a competitive edge. The ultimate winners in the digital landscape will be the organizations that understand how to operationalize that volume through ruthless, automated governance. By balancing machine-speed code creation with human-in-the-loop, context-aware AI security agents, enterprise teams can finally capture the true return on their AI investments without turning their software pipelines into an open backdoor.

