Almost every enterprise development team is now using AI coding assistants, but the same research that confirms that breakthrough adoption rate also reveals a security and governance crisis quietly building in the background.
That is the central finding of The State of AI-Powered Software Development, a report published this week by application security firm Black Duck, based on an independent survey of 831 software engineers and DevOps professionals conducted in March 2026 with research partner UserEvidence.
Ninety-seven percent of respondents are actively using AI coding assistants, and 92 percent say these tools have improved their productivity and release velocity. On the surface, that looks like a success story. Dig deeper, and a different picture emerges.
“AI doesn’t reduce overall workload — it moves work downstream, redistributing it to security testing, code review, and remediation.”
Security Testing Emerges as Top Bottleneck
Close to nine in ten respondents (90%) report encountering issues with AI-generated code that span the software development lifecycle. The four most cited bottlenecks are manual review (52%), security testing (51%), code rework (48%), and prompt iteration (41%).
The research is explicit: AI coding assistants do not reduce overall workload; they redistribute it. Developers produce more code faster, but that code then creates pressure further down the pipeline, particularly in security testing and QA. For teams with AI code volume growth exceeding 50%, security testing and vulnerability remediation have become the single biggest bottleneck, cited by 57% of that sub-group.
Security Concerns Grow With Usage
Nearly two-thirds of teams (64%) express moderate or extreme concern about AI coding assistants introducing security defects or vulnerabilities. Counterintuitively, the most security-anxious respondents are also among the heaviest AI users: 51% of those with extreme concerns use AI for the majority of their new development work, compared to 41% overall.
The report suggests this group’s caution may be productive. They were 12 percentage points more likely to see a major improvement from AI tools and 17 points more likely to rate AI-generated code quality as excellent, possibly because their vigilance drives more deliberate use and more thorough output review.
But at scale, vigilance is not a sustainable security strategy. As code volumes grow and release cycles compress, the report warns that manual security processes will fail to keep pace.
BY THE NUMBERS
92% of teams report improved productivity with AI coding tools
64% express concern about AI-introduced security defects
30% have full governance over AI coding tools
90% of teams hit by workflow bottlenecks from AI code
55% more likely to see major efficiency gains with full governance
The Governance Gap
The report’s most striking finding for security leaders is the scale of the governance deficit. Only 30% of teams have a fully governed approach to AI coding assistant adoption, which includes formal approval processes, centralised management, and active monitoring. A quarter of teams have no defined AI coding policies at all.
Yet governance is precisely the mechanism that unlocks AI’s potential for security and efficiency. Teams with full governance in place are 55% more likely to report a major improvement in efficiency (90% versus 58% overall). The inverse is equally stark: fewer than half of ungoverned teams (44%) report a major improvement.
Two-thirds of developers (68%) say an automated system for tracking AI-generated code is extremely important for debugging, security, and accountability. Only 40% currently use automated tagging or metadata to identify AI-generated code. A further 38% rely on manual developer comments in pull requests, a method the report notes is often miscategorised as governance even though it lacks the automated guardrails that actually improve security outcomes.
AI Security Agents: Wanted, But Carefully
When it comes to fixing the security testing bottleneck, respondents are open to AI-assisted solutions but insist on human oversight. Some 86% believe an AI agent or model should evaluate AI-generated code for security issues. More than half (56%) favour a dedicated AI security agent separate from the code-generation tool itself. A further 30% prefer the same AI model that wrote the code to review it.
However, full automation remains a minority preference. Just 16% want fully automated remediation, while 82% want either automated pull requests reviewed by a human, or real-time IDE suggestions that developers can accept or reject. Developers want AI to handle the heavy lifting but not the final call.
The Leadership Perception Gap
The research surfaces a notable disconnect between seniority levels. Three-quarters of C-suite respondents (74%) describe AI’s impact on productivity as a major improvement. Only 38% of technical contributors say the same. The gap likely reflects the fact that frontline developers carry the downstream burden of code review, rework, and security remediation, work that is often invisible to senior leadership when projects are assessed in aggregate.
Similarly, C-level respondents are 78% more likely to rate the quality of AI-generated code as excellent (48%), compared to just 8% of technical contributors. This disconnect has implications for how security budgets and tooling investments are justified internally.
What Security Teams Should Be Pushing For
The Black Duck report concludes with three operational imperatives for development organisations. First, automate and scale application security testing across the full CI/CD pipeline to handle the volume of AI-generated code without creating bottlenecks. Second, maintain comprehensive Software Bills of Materials (SBOMs) and automated vulnerability alerting to address supply chain risks and meet regulatory requirements such as the EU Cyber Resilience Act. Third, move beyond reactive security gates and embed AI-native, context-aware security agents directly into developer environments.
For security teams, the headline message is clear: the governance gap is not an abstract compliance concern. It is an active, measurable drag on the security posture of software organisations, and closing it is the single highest-leverage action available.