The AI Coding Paradox: 97% Adoption, 90% Bottlenecks, and a Governance Crisis

• Manual code review (52%) — reviewers are now processing a larger volume of AI-generated code than human-written code, and that volume is growing
• Security testing (51%) — AI-generated code introduces new vulnerability classes that weren't present in the hand-written equivalent, particularly around dependency injection, hardcoded secrets, and outdated library recommendations
• Reworking generated code (48%) — almost half of teams report spending significant time fixing, refactoring, or rewriting AI output before it can ship

This pattern has a name now: toil shift. Instead of eliminating work, AI is moving it from the creation phase to the verification, testing, and remediation phases . Black Duck's framing is blunt: "most organizations are producing AI-generated code faster than they can review, secure, or govern it" .

Governance: The Real ROI Multiplier

If there is one finding from the report that engineering leaders should act on, it's this: governance is the ROI multiplier . The difference between teams that govern AI usage and those that don't isn't marginal — it's the difference between capturing efficiency gains and watching them leak out the sides.

Black Duck found that organizations with full governance frameworks reported 90% major efficiency gains from AI coding tools. Teams without structured oversight? The figure drops to 44% .

Governance in this context doesn't mean bureaucracy. It means having defined policies for which tools are used, how AI-generated code is reviewed, what security gates must be passed, and who owns the output. It's the difference between "developers use whatever they want" and "developers use approved tools within a structured, auditable pipeline."

The Shadow AI Problem

Complicating governance is the rise of Shadow AI — developers using AI tools against or outside of company policy. Black Duck found that 18% of organizations report shadow AI as a significant unmanaged risk . When tools like Cursor, Windsurf, or Claude Code are adopted at the individual developer level without going through procurement or security review, the organization loses visibility into its attack surface .

Supply-Chain Risks: What AI-Generated Code Inherits

The supply-chain implications are where governance gaps become concrete vulnerabilities. Black Duck's work — including its related 2026 OSSRA report — surfaces three interconnected risks particular to AI coding assistants:

License laundering. AI assistants trained on open-source repositories can generate code snippets from copyleft sources without retaining original license information . The 2026 OSSRA report found that two-thirds of audited codebases contain license conflicts — the highest rate in the report's history . Organizations may be shipping code they don't have the right to use, without knowing it.

Dependency explosion. Open-source components per codebase rose 30% year-over-year, and average vulnerabilities per codebase surged by 107% . AI coding assistants accelerate this trend because they compose solutions faster and from wider training corpora — meaning each AI-generated function may pull in dependencies the developer didn't explicitly choose.

The compliance gap. Only 24% of organizations perform comprehensive IP, license, security, and quality evaluations of AI-generated code . That means three-quarters of organizations can't reliably answer the question: "What legal and security obligations did we just commit to?"

Developer Trust: Adoption Rises While Confidence Falls

The Black Duck findings don't exist in isolation. Multiple independent surveys published around the same period reinforce and extend the trust picture with granular data:

• Sonar's 2026 State of Code Developer Survey (1,100+ developers) found that 96% of developers do not fully trust the functional accuracy of AI-generated code . Yet only 48% always verify it before committing — meaning code that developers themselves distrust is regularly shipped to production .
• Stack Overflow's 2025 Developer Survey (49,009 respondents) showed trust in AI accuracy fell from 40% to 29% in one year. Active distrust rose to 46%, while positive favorability dropped from 72% to 60% .
• Harness's State of AI-Driven Software Releases 2026 (500 engineering leaders) found 57% still require human-in-the-loop review for every line of AI-generated code, and 29% spend more time on code review now than before adopting AI assistants .

The consensus across these surveys is remarkably consistent: developers cannot work without AI tools, but they cannot fully trust them either. The gap between generation and verification has become the new bottleneck.

Diana Kelley, CISO at Noma Security, captured the core tension: "Faster code is not the same thing as safer code" .

What Governance Actually Looks Like

Black Duck's prescription isn't abstract. The report points to a set of concrete measures that distinguish the 30% with full governance from the rest:

1. Structured AI governance frameworks — not informal guidelines, but documented, enforced policies covering tool approval, output review, and accountability
2. Pipeline-integrated review gates — moving away from manual security-testing-queue handoffs, which 46% of companies still use, toward automated quality and security checks that run on every AI-assisted commit
3. Continuous monitoring post-deployment — Black Duck notes that a "shift-left only strategy is no longer sufficient" because risk is introduced, discovered, and must be managed across the entire software development lifecycle
4. Rationalization of the security toolchain — over 71% of respondents reported tool sprawl as a major friction source, and consolidating onto fewer, better-integrated tools is a prerequisite for scaling AI safely

The Bottom Line

The Black Duck report doesn't argue against using AI coding assistants. It argues that using them without commensurate governance is self-defeating. When 97% of teams are generating code at unprecedented speed but only 30% have the oversight infrastructure to manage it, the industry is collectively writing checks it can't cash.

The correlation between governance and efficiency gains — 90% versus 44% — makes the business case unambiguous. Organizations that build the guardrails first will capture the productivity AI promises. Those that don't will discover, repeatedly, that time saved at the keyboard gets spent in the review queue.