infosecurity-magazine.com web signal

UserEvidence: 97% Use AI Coding, Only 30% Governed


Key insights

  • Only 30% of teams have fully governed AI coding oversight, despite 97% of the 831 surveyed developers actively using AI assistants.
  • GitHub Copilot (83%) and Claude Code (63%) lead adoption, with most teams running multiple assistants simultaneously.
  • Full governance doubles efficiency outcomes: 90% of governed teams report major gains versus 44% of ungoverned teams.

Why this matters

The 97% adoption figure across 831 surveyed professionals means AI coding tools are no longer experimental — engineering teams are betting their delivery velocity on them at scale, making governance gaps an operational risk, not a future concern. The 64% expressing moderate to extreme concern about security defects from AI assistants signals that the most critical part of the stack, vulnerability review, is where oversight is most absent. The efficiency data makes the governance investment case concrete: the gap between 90% and 44% efficiency-gain rates for governed versus ungoverned teams turns compliance into a measurable performance differentiator.

Summary

A March 2026 UserEvidence survey of 831 developers found AI coding adoption at 97%, but only 30% of teams have a fully governed oversight process. GitHub Copilot leads at 83% of teams, Claude Code at 63%, with most running multiple tools at once. 92% credit assistants with faster releases; developers gain roughly eight hours weekly. Essentially, GitHub Copilot and Claude Code dominate an adoption curve that governance hasn't matched.

  • 90% of teams encounter problems with AI-generated code; manual code review (52%) and security testing (51%) lead the friction list.
  • Among heavy users, 57% flag security testing and vulnerability fixing as the worst bottleneck.
  • Fully governed teams see 90% report major efficiency gains versus 44% for ungoverned ones.

Security review is both the biggest pain point and the least-governed area across the survey.

Potential risks and opportunities

Risks

  • Teams where AI writes over 50% of code and governance lags face compounding vulnerability backlogs as the 57% security bottleneck worsens with each successive release cycle.
  • The 64% expressing moderate to extreme concern about AI security defects face audit and compliance exposure if AI-introduced vulnerabilities surface in regulated industries before oversight structures catch up.
  • GitHub Copilot and Claude Code face reputational pressure if the security testing bottleneck flagged by 57% of heavy users becomes linked to a notable breach traceable to AI-generated code.

Opportunities

  • AI code security vendors (Snyk, Semgrep, Endor Labs) are positioned to capture budget from the 70% of teams without full governance as security testing emerges as the top AI-code friction point.
  • Automated pull-request vetting tools stand to benefit directly: 86% of respondents welcome automated AI code vetting and 84% want humans retained in reviews, signaling strong demand for hybrid review workflows.
  • Vendors who can quantify governance ROI gain a measurable sales lever: the 90% versus 44% efficiency-gain gap between fully governed and ungoverned teams converts an abstract compliance pitch into a business case.

What we don't know yet

  • Which specific governance frameworks the 30% of fully governed teams use is not disclosed: whether formal policy, certification, or third-party tooling drove the result.
  • Whether the 57% security bottleneck among heavy users translates to measurable breach or vulnerability incident rates is not captured in the survey data.
  • How UserEvidence defines 'full governance' is not detailed, making it difficult to benchmark findings against NIST, OWASP, or other industry standards.