AI Coding Governance Gap: 97% Adoption, 30% Control (2026)
June 28, 2026
The most important number in software development right now is not a benchmark score — it is a gap. In 2026, AI coding assistants reached 97% adoption among enterprise development teams, yet fewer than one-third (30%) have full governance in place to track and control the code those tools produce.1 That distance between use and oversight has a name: the AI coding governance gap.
In one line: The AI coding governance gap is the widening distance between how many teams use AI coding tools (almost all of them) and how few formally govern them (less than a third) — and the data now ties that gap directly to security risk and lost ROI.1
TL;DR
- The gap: A June 2026 Black Duck study of 831 enterprise engineers found 97% use AI coding assistants, but only 30% have full governance over them.1
- The upside is real: 92% of teams report better productivity, 58% call it a major improvement, and developers reclaim about eight hours a week.1
- So is the risk: 64% of teams are moderately-to-extremely worried that AI assistants are introducing security defects — and the heaviest users are the most worried.1
- Shadow AI makes it worse: 64.5% of activity on personal AI accounts is actually work, much of it invisible to employers, per Harmonic Security.2
- It already costs money: Breaches at organizations with high levels of shadow AI cost about $670,000 more than at organizations with little or none, IBM found.3
- The fix pays for itself: Teams with full governance are 55% more likely to report a major efficiency gain — governance is an ROI multiplier, not a brake.1
What You'll Learn
- What the AI coding governance gap is and why it matters in 2026
- How fast AI coding adoption actually moved — and what it bought teams
- Why governance lagged so far behind, and where shadow AI fits in
- The concrete security risks of ungoverned AI-generated code
- Why governance correlates with more productivity, not less
- A practical checklist for closing the gap on your team
What is the AI coding governance gap?
The AI coding governance gap is the mismatch between adoption and oversight: nearly every engineering team now uses AI to write code, but most have no formal, automated system to track what that code is, where it came from, or whether it is safe.
Governance here means the practical controls around AI-assisted development — knowing which tools are approved, recording which code was AI-generated, scanning it for vulnerabilities and license problems, and holding it to the same review bar as human-written code. The gap is what opens up when adoption races ahead and those controls do not follow. Black Duck's data puts hard numbers on the gap: 97% adoption against 30% full governance is the central finding of its 2026 study.1,4
AI coding adoption in 2026: the 97% that changed software
Adoption is effectively universal. In a survey of 831 enterprise software engineers and DevOps professionals at organizations with 500+ employees, conducted in March 2026 with the independent research firm UserEvidence, Black Duck found that 97% of teams now use AI coding assistants.1 This is no longer an early-adopter story; it is the baseline.
The productivity case is what drove that speed. In the same study, 92% of development teams reported improved productivity and release velocity, and 58% called the improvement major. Developers reclaim an average of eight hours per week, and more than half of respondents (53%) said their total code volume has grown by over 25%.1 For coverage of how the tooling got this good this fast, see our look at AI assistance for coding, from autocomplete to autonomous pair programmers.
But more code, generated faster, by tools most teams do not formally track, is exactly the condition that creates risk. The same study that celebrates eight hours a week saved is the one warning about the governance gap.
The 30% problem: why governance lags
Here is the uncomfortable pairing from the Black Duck data. Two-thirds of developers (68%) say it is extremely important to have a clear, automated system for tracking AI-generated code and measuring its impact for debugging, security, and accountability. Yet fewer than one-third of teams (30%) actually have full governance in place.1 Developers know what is missing; the controls just have not been built.
Governance lags for structural reasons. AI coding tools entered organizations bottom-up — a developer installs an assistant in their IDE, productivity jumps, and the practice spreads before any policy catches it. Procurement, security review, and audit trails are slow; an autocomplete that saves an hour a day is instant. The result is a familiar pattern in technology: the capability arrives, the controls arrive later, and the gap in between is where the risk lives. The rise of "vibe coding" — describing intent in natural language and accepting large AI-written blocks wholesale — only widens that gap, because the human author may never have read the code line by line.
| Dimension | 2026 reality | Source |
|---|---|---|
| AI coding tool adoption | 97% of teams | Black Duck1 |
| Teams with full governance | 30% | Black Duck1 |
| Developers wanting automated AI-code tracking | 68% | Black Duck1 |
| Moderate-to-extreme security concern | 64% | Black Duck1 |
| Personal-AI-account use that is work-related | 64.5% | Harmonic2 |
| Breaches involving shadow AI | 20% | IBM3 |
| Extra cost when shadow AI is involved | +$670K | IBM3 |
Shadow AI: the governance gap's other half
The governance gap is not only about sanctioned tools used loosely — it is also about unsanctioned tools used invisibly. That is shadow AI: employees using AI tools, often on personal accounts, without IT approval or oversight.
The scale is larger than most leaders assume. Harmonic Security analyzed 1,935,247 classified AI-session minutes over a seven-week period ending April 2026 and found that 64.5% of all activity on personal and free-tier AI accounts is business use, not personal use.2 The line between "work AI" and "personal AI" simply does not match how people behave. Harmonic also found that 45.6% of personal (non-work) AI activity happens on enterprise-licensed plans the employer is already paying for, so the blurring runs both ways: work leaks onto unmanaged personal accounts, and personal use lands on the managed ones.2
For developers, shadow AI is the same governance gap wearing different clothes. A pasted snippet of proprietary code, a debugging session in a personal chatbot, an API key dropped into a free-tier tool — each is AI-assisted work happening outside any control. For the broader security picture, see our deep dive on defending against threats in the AI era.
The security risks of ungoverned AI-generated code
The worry is not hypothetical, and the people closest to the tools feel it most. Nearly two-thirds of development teams (64%) told Black Duck they are moderately-to-extremely concerned that AI coding assistants are introducing security defects or vulnerabilities. Tellingly, the most concerned developers are among the heaviest users: 51% of that highest-concern group rely on AI for most of their new development.1 Familiarity is breeding caution, not complacency.
The financial side is now measurable too. In IBM's 2025 Cost of a Data Breach report — researched by the Ponemon Institute — shadow AI was a factor in 20% of breaches, and organizations with high levels of shadow AI faced about $670,000 in additional breach cost compared with those that had little or none. (For context, the global average breach cost that year was $4.44 million.)3,5 Shadow-AI incidents were also more likely to expose customer data: 65% involved personally identifiable information, against a 53% global average.3 And the governance vacuum is widespread — 63% of breached organizations reported having no AI governance policy at all.3
Ungoverned AI code carries the obvious risks — injected vulnerabilities, license-tainted snippets, and untracked dependencies — but the deeper problem is accountability. If you cannot tell which code an AI wrote, you cannot review it differently, scan it specifically, or trace a defect back to its source.
Governance as an ROI multiplier, not a brake
The instinct is to treat governance as a tax on velocity. The 2026 data says the opposite. Black Duck found that teams with full governance in place are 55% more likely to report a major improvement in efficiency than teams without it.1 Governance is not the thing that slows AI down; it is the thing that lets you trust AI enough to lean on it harder.
The logic is straightforward. When you can see which code is AI-generated, scan it automatically, and prove it meets your bar, you can accept more of it with confidence — and ship faster. When you cannot, every AI contribution is a small act of faith that eventually demands manual re-checking, rework, or incident response. As Black Duck CEO Jason Schmitt put it, "speed without governance is a liability, not an advantage," and the teams winning with AI are "the ones building automated security and governance guardrails that scale alongside their development velocity."1 Governance is what converts raw AI speed into durable throughput.
How to close the AI coding governance gap
Closing the gap is less about restricting AI and more about making its output visible and accountable. A practical starting checklist:
- Inventory the tools. Identify every AI assistant in use, including personal-account and free-tier usage — that is where shadow AI hides.2
- Tag AI-generated code. Track which code came from AI so it can be reviewed and scanned distinctly; 68% of developers already want this.1
- Automate security scanning. Put AI-generated code through the same (or stricter) static analysis (SAST), software composition analysis (SCA), and dependency checks as human code, automatically in the pipeline rather than as a manual gate. Scanners catch known vulnerability patterns and known-bad or mis-licensed dependencies, not logic errors, so they complement review of AI output rather than replace it.
- Provide sanctioned tools. Much shadow AI exists because the approved path is slower than the personal one; give people a fast, governed option and the incentive to go around it shrinks.
- Set a clear policy. With 63% of breached organizations reporting no AI governance policy, even a basic written standard puts you ahead.3
- Measure, then expand. Treat governance as an enabler: instrument it, show it correlates with throughput, and use that to justify broader, more confident AI adoption.
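As an added example of the tagging and scanning steps in the checklist (not code from Black Duck or from this page), the following Python check treats a git commit trailer as the attribution record: it builds an inventory of which AI tools produced code, routes every file an AI-assisted commit touched to a stricter scan set, and fails the gate when an unapproved tool appears. The trailer name `AI-Assisted`, the tool names, the approved-tool list and the commit history are assumptions constructed for the example; the only git convention it relies on is that trailers are `Key: value` lines in the final paragraph of a commit message.

```python
"""Inventory and gate AI-assisted commits from git commit trailers.

Added example, not Black Duck's or the article's code. It assumes a
hypothetical team convention: any commit containing AI-generated code
carries a trailer `AI-Assisted: <tool>` in its final paragraph. The commit
data below is constructed so the check runs offline; in a pipeline it
would be built from `git log` over the merge range.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field

TRAILER_KEY = "AI-Assisted"   # assumed convention, not a git built-in
TRAILER_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$")


@dataclass
class Commit:
    sha: str
    message: str
    files: list[str]


@dataclass
class Report:
    tools: Counter = field(default_factory=Counter)              # tool -> commits
    ai_files: dict[str, set[str]] = field(default_factory=dict)  # file -> tools
    untagged: list[str] = field(default_factory=list)            # shas lacking trailer
    unapproved: list[tuple[str, str]] = field(default_factory=list)  # (sha, tool)


def parse_trailers(message: str) -> dict[str, list[str]]:
    """Return trailers from the last paragraph of a commit message.

    Strict reading of git's trailer convention: the final blank-line-separated
    block counts only if every line is `Token: value`. Keys are lowercased
    and repeated keys accumulate their values.
    """
    paragraphs = [p for p in message.strip().split("\n\n") if p.strip()]
    if len(paragraphs) < 2:        # subject only: no trailer block possible
        return {}
    trailers: dict[str, list[str]] = {}
    for line in paragraphs[-1].splitlines():
        m = TRAILER_RE.match(line.strip())
        if not m:
            return {}              # ordinary prose, not a trailer block
        trailers.setdefault(m.group(1).lower(), []).append(m.group(2).strip())
    return trailers


def build_report(commits: list[Commit], approved_tools: set[str]) -> Report:
    """Attribute each commit's files to the AI tools named in its trailer."""
    report = Report()
    approved = {t.lower() for t in approved_tools}
    for c in commits:
        tools = parse_trailers(c.message).get(TRAILER_KEY.lower(), [])
        if not tools:
            report.untagged.append(c.sha)
            continue
        for tool in tools:
            name = tool.lower()
            report.tools[name] += 1
            if name not in approved:
                report.unapproved.append((c.sha, tool))
            for f in c.files:
                report.ai_files.setdefault(f, set()).add(name)
    return report


def gate(report: Report, require_tag: bool = False) -> tuple[bool, list[str]]:
    """Return (passes, reasons). An unapproved tool always fails; an untagged
    commit fails only once the policy requires explicit attribution."""
    reasons = [f"{sha[:7]}: unapproved AI tool '{tool}'"
               for sha, tool in report.unapproved]
    if require_tag:
        reasons += [f"{sha[:7]}: no {TRAILER_KEY} trailer" for sha in report.untagged]
    return not reasons, reasons


def strict_scan_targets(report: Report) -> set[str]:
    """Files touched by AI-assisted commits, to be fed to the stricter
    SAST/SCA ruleset instead of the default one."""
    return set(report.ai_files)


# Constructed sample history (hypothetical shas, tools and paths).
SAMPLE_COMMITS = [
    Commit("a1b2c3d4",
           "Add JWT verification middleware\n\n"
           "Generated from a prompt, reviewed line by line.\n\n"
           "AI-Assisted: copilot\nSigned-off-by: Dev One <dev@example.com>",
           ["src/auth/jwt.py", "tests/test_jwt.py"]),
    Commit("e5f6a7b8", "Fix typo in README", ["README.md"]),
    Commit("c9d0e1f2", "Bulk-generate CRUD handlers\n\nAI-Assisted: freetier-chatbot",
           ["src/api/handlers.py"]),
    Commit("d3e4f5a6", "Refactor config loader\n\nAI-Assisted: copilot\nAI-Assisted: cursor",
           ["src/config.py"]),
]

if __name__ == "__main__":
    rep = build_report(SAMPLE_COMMITS, approved_tools={"copilot", "cursor"})
    ok, why = gate(rep)
    print("tools:", dict(rep.tools))
    print("untagged:", rep.untagged)
    print("strict-scan:", sorted(strict_scan_targets(rep)))
    print("gate:", "PASS" if ok else "FAIL", why)
```

The `require_tag` switch is how a team moves from inventory to enforcement once tagging is habitual; starting with it off surfaces untagged commits without blocking merges. The script only decides which files get the stricter ruleset; the scanners themselves run downstream on that set.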
Organizations standardizing AI agents across the enterprise are starting to formalize this with dedicated control planes — see our coverage of Microsoft's Agent 365 AI control plane for one example of where governance tooling is heading.
The Bottom Line
AI coding adoption is finished — 97% is as close to "everyone" as surveys get.1 The open question for 2026 is governance, and right now most teams are flying with the speed turned up and the instruments turned off. The same study that found developers saving eight hours a week found two-thirds of them worried about the security of what they are shipping, and only 30% with full controls in place.1 The encouraging part is that the fix is not a trade-off: governed teams are measurably more productive, not less.1 The gap between 97% and 30% is where the next wave of AI software risk — and the next wave of AI software advantage — will be decided.
Sources
1. Black Duck, "AI Coding Hits 97% Enterprise Adoption; New Black Duck Study Shows Governance Is the ROI Multiplier" (via PR Newswire, June 9, 2026). https://www.prnewswire.com/news-releases/ai-coding-hits-97-enterprise-adoption-new-black-duck-study-shows-governance-is-the-roi-multiplier-302794103.html
2. Harmonic Security, "Employees Use Their Personal AI Accounts for Work 64% of the Time, Potentially Invisible to Their Employers, Research Finds" (via Business Wire, May 20, 2026). https://www.businesswire.com/news/home/20260520319293/en/Employees-Use-Their-Personal-AI-Accounts-for-Work-64-of-the-Time-Potentially-Invisible-to-Their-Employers-Research-Finds
3. IBM, "Cost of a Data Breach Report 2025" (research conducted by Ponemon Institute, July 2025). https://www.ibm.com/reports/data-breach
4. Black Duck, "The State of AI-Powered Software Development" (analyst report landing page, 2026). https://www.blackduck.com/resources/analyst-reports/state-of-ai-powered-software-development.html
5. IBM Newsroom, "IBM Report: 13% of Organizations Reported Breaches of AI Models or Applications, 97% of Which Reported Lacking Proper AI Access Controls" (July 30, 2025). https://newsroom.ibm.com/2025-07-30-ibm-report-13-of-organizations-reported-breaches-of-ai-models-or-applications,-97-of-which-reported-lacking-proper-ai-access-controls