Organisations are racing ahead with AI coding tools, generating software at a pace that outstrips their ability to control, trace, and govern the resulting code, according to a global survey conducted for GitLab.

The survey, which included responses from 1,528 DevSecOps professionals and technology buyers across six countries, highlights both the benefits and challenges of integrating AI into software development.

The report states that 91% of surveyed organisations use at least two AI coding tools, with 54% deploying three or more. Seventy-eight per cent have observed that developers write and commit code more quickly since using AI in their workflows.

Sixty per cent said that the return on investment from AI coding tools has exceeded expectations, and 73% reported improvements in overall code quality.

Nearly four in five respondents noted that individual developer productivity has improved through AI assistance. However, the overall software delivery process has not accelerated at the same pace, a discrepancy described in the study as the “AI Paradox”.

Long-term risks and oversight gaps are highlighted through concerns over AI-generated code maintainability and technical debt. Seventy-three per cent expressed concern about future maintainability of AI-generated code, and 82% said these tools risk creating new technical debt that organisations are not currently prepared to manage.

GitLab chief product and marketing officer Manav Khurana said: “AI coding tools have delivered on their promise of speed. But the events of the past few months, including supply chain attacks, reliability issues, and regulators tightening expectations around AI traceability and provenance, are making clear that speed without control is a liability, not an advantage.

“The teams thinking ahead are already asking the harder question: can we actually control all the code we’re generating? The organisations that will ship trusted software faster are the ones building the foundations of accountability with context, traceability, and governance baked into the platform, not just bolted on after the fact.”

According to 85% of respondents, the main bottleneck has shifted from writing code to reviewing and validating code outputs. Governing what happens to AI-generated code after it is created is seen as the biggest challenge by 84%.

Issues of traceability persist. The study found 43% of organisations cannot reliably distinguish AI-generated code from human-authored code in their codebases.

Only 28% reported that their software development lifecycle tools are fully integrated with shared data and workflows. Barriers to control include fragmented toolchains (40%) and systems lacking the ability to track code origin (39%).

Incident response remains complex. While 87% of leaders believed their teams could identify within 24 hours whether AI-generated code was responsible for a production incident, in practice 34% of organisations that handled such incidents in the past year were unable to make this determination.

Governance challenges are widespread. Ninety-two per cent reported facing some form of difficulty governing AI-generated code, while 80% said their adoption of AI tools outpaced the development of governance policies.

Accumulation of AI code is recognised as a significant risk by 83% of respondents, with 44% ranking it as a top technology risk.

Plans for investment in governance are strong, with 91% of organisations intending to invest in AI code governance tools in the next year and 98% having already allocated, or planning to allocate, budget for such solutions.

According to the survey, the industry focus is moving from increasing the speed of code generation to ensuring oversight and accountability for AI-generated outputs.

The report defines “AI accountability” as the organisational and technical capacity to answer where a line of AI-generated code came from, what its intended purpose was, and who is responsible for it once deployed.

The findings indicate that most organisations cannot reliably answer these questions for their current codebase. As the survey notes, 85% believe the next stage for AI in software development will centre on code governance and validation.

Earlier this year, Kyndryl unveiled a capability to aid enterprises in managing agentic AI workflows in complex, regulated environments. The “policy as code” feature allows embedding organisational rules, compliance, and controls into machine-readable policies, which then govern AI agents’ actions within enterprise systems.