Skip to main content
CodeLint.Dev Dev Tools
AI Tools 11 min read By CodeLint.Dev Team

AI Writes a Third of the Code Now. The Data on What That's Actually Doing to Software

Somewhere in 2025, AI-assisted coding stopped being a productivity experiment and became the default way software gets written. Google reports over 30% of its new code is AI-generated. A quarter of Y Combinator's Winter 2025 batch shipped codebases that were ~95% AI-written. And yet the most rigorous study anyone has run found experienced developers were 19% slower with AI tools — while estimating they were 20% faster. This post is about that gap: what the repository-level data, the controlled experiments, and the security scans actually show, as opposed to what it feels like at the keyboard.

Try the tool
LLM Model Comparison
Compare coding models side by side →

Who's Writing the Code Now

The adoption numbers stopped being interesting because they stopped having anywhere to go. Stack Overflow's 2025 survey put AI tool usage at 84% of developers (using or planning to use). Google's DORA research measured 90% of developers using AI at work, with a median of about two hours a day spent working with it. GitHub Copilot passed 20 million users; Cursor went from niche to a reported $500M+ in annualized revenue faster than any developer tool in history.

The more telling numbers are about output share, not adoption:

  • Google disclosed in late 2024 that about a quarter of its new code was AI-generated, a figure executives have since put above 30%. This is a company with arguably the strictest code review culture in the industry.
  • Y Combinator's W25 batch: managing partner Jared Friedman said roughly a quarter of the startups had codebases that were about 95% AI-written. These are venture-funded companies shipping to production, not weekend prototypes.
  • Microsoft put its share at 20–30% of code in company repositories written by AI, per Satya Nadella in April 2025.

So the question in 2026 isn't whether AI writes production code. It demonstrably does, at enormous scale. The question is what that's doing to the software — and here the data gets a lot less comfortable than the marketing.

The 19% Problem: Measured Speed vs. Felt Speed

In July 2025, the research nonprofit METR published the first serious randomized controlled trial of AI coding tools on realistic work: 16 experienced open-source developers, 246 real tasks on large mature repositories they knew well, randomized into AI-allowed (mostly Cursor with Claude models) and AI-forbidden conditions, with screen recordings to verify behavior.

The result made everyone angry, which is usually a sign a study measured something real:

  • Developers took 19% longer to complete tasks when allowed to use AI.
  • Before the study, they predicted AI would make them 24% faster. After finishing — having actually been slowed down — they still estimated it had made them about 20% faster.
  • Economics and ML experts consulted beforehand predicted speedups of roughly 39% and 38% respectively. Everyone was wrong in the same direction.

The mechanism, visible in the screen recordings: developers spent less time actively coding and more time prompting, waiting on generations, and reviewing output — accepting under 44% of generations and then spending real time cleaning up the ones they did accept. On code you know deeply, describing the change to a model and auditing its attempt can genuinely cost more than typing the change yourself.

The study's authors were careful about scope, and you should be too: this was experienced developers on familiar, mature, high-standards codebases. Separate controlled experiments on greenfield or unfamiliar work — including a large Microsoft/Accenture field experiment with Copilot — found real speedups, typically in the 20–55% range on self-contained tasks. Both results can be true at once. The honest synthesis: AI assistance pays off roughly in proportion to how unfamiliar the territory is, and can go negative exactly where senior engineers spend most of their time — deep in systems they already understand. The perception gap is the dangerous part, because it means self-reported productivity gains (which is what most vendor studies and internal surveys measure) are systematically inflated.

What the Repositories Say: More Code, Less Reuse

Individual experiments aside, you can just look at what's happening to code at scale. GitClear analyzed hundreds of millions of changed lines across 2020–2024 — before-and-after the assistant era — and found the character of committed code shifting in a consistent direction:

  • Copy-paste is up. The frequency of duplicated code blocks (5+ lines) rose roughly 8x during 2024, and 2024 was the first year in the dataset's history that copy-pasted lines exceeded moved lines — meaning developers now duplicate code more often than they refactor it into shared abstractions.
  • Refactoring is down. "Moved" lines — the signature of consolidation work — fell by nearly 40% as a share of changes. Assistants are extremely good at writing new code and structurally biased against suggesting "delete these three near-duplicates and extract a function."
  • Churn is up. Lines reverted or substantially rewritten within two weeks of being committed climbed steadily — code is going in faster and sticking less.

DORA's delivery research tells the same story from the pipeline side: teams with higher AI adoption ship more throughput, but delivery instability rises alongside it — AI amplifies whatever engineering system it lands in. Strong review, testing, and deployment practices convert AI volume into shipped value; weak ones convert it into rework. None of this says AI code is bad. It says AI defaults to additive code, and codebases accumulate cost through addition. Somebody still has to do the subtracting, and the data says it's happening less.

The Security Bill Arrives Later

Security scans of AI-generated code produce the most consistent — and most consistently ignored — numbers in this whole area:

  • Veracode's 2025 GenAI Code Security report ran 80 curated coding tasks across 100+ models and found AI introduced OWASP Top 10-class vulnerabilities in about 45% of security-relevant tasks. Worse: that rate was essentially flat across model generations — newer, smarter models wrote more syntactically correct code, not safer code. Cross-site scripting and log injection were the standout failure classes (~86% and ~88% failure rates respectively).
  • Package hallucination is a real supply-chain vector. A 2025 USENIX Security study across 576,000 generated code samples found about 20% of package references pointed to libraries that don't exist, with open-source models hallucinating at ~4x the rate of commercial ones. Attackers now register those plausible-sounding names preloaded with malware — the technique has a name, slopsquatting, which tells you how established it is.
  • Secrets leak more. GitGuardian's 2025 data found repositories with Copilot enabled leaked secrets at a ~40% higher rate than the GitHub average — not because the AI invents credentials, but because generated boilerplate normalizes hardcoding them and volume overwhelms review.

The common thread: the vulnerability density of AI code isn't dramatically worse than median human code — but the volume is unprecedented and the review attention per line is collapsing. Security debt scales with lines shipped, and lines shipped is the one number going vertical.

What Teams Getting Real Gains Do Differently

Enough teams now demonstrably win with AI-heavy development that the differentiators are visible. They look boring, which is the point:

  • They keep diffs small and reviewable. The failure mode isn't AI writing bad code; it's AI writing 800-line pull requests that no human meaningfully reviews. Teams that cap generated changes at reviewable size preserve the one quality gate that catches the 45%-class issues.
  • They spend the saved time on tests, not more features. AI is genuinely excellent at writing tests — it's the highest-leverage, lowest-risk use of generation. Teams that convert AI speed into coverage get compounding returns; teams that convert it into feature velocity get GitClear's churn chart.
  • They lint and scan in the loop, not after. Static analysis, secret scanning, and dependency verification (does this package exist and is it the real one?) run on every generation, because review attention is the scarce resource now.
  • They route work honestly. Boilerplate, migrations, tests, unfamiliar APIs → AI-first. Core domain logic in a codebase a senior dev knows cold → the METR result says let them type. Matching the tool to the terrain is where the actual productivity lives — which is also why model choice per task matters more than a single house-standard model.
  • They measure completed, retained work. Not acceptance rate, not lines generated, not self-reported speed — those all inflate. Cycle time on merged work and churn within 30 days are the numbers that don't lie.

The 2026 situation, honestly stated: AI coding assistance is a permanent, massive shift with real but wildly uneven returns, a measurement problem that flatters it, and a quality-and-security bill that arrives on a lag. The teams treating it like any other powerful tool — with gates, measurement, and skepticism about their own perception — are the ones the data says come out ahead.

Frequently Asked Questions

Does AI actually make developers faster?
It depends heavily on the work. Controlled studies on greenfield or unfamiliar tasks show real speedups, commonly 20–55%. But METR's 2025 randomized trial — the most rigorous study to date — found experienced developers were 19% slower with AI on large codebases they knew well, while believing they were about 20% faster. The gains are real on unfamiliar territory and can be negative on deeply familiar code, and self-reported productivity systematically overstates the benefit.
How much production code is AI-generated in 2026?
At the large end: Google has said over 30% of its new code is AI-generated, and Microsoft has cited 20–30%. Among startups it can be far higher — about a quarter of Y Combinator's Winter 2025 batch reported codebases roughly 95% AI-written. Industry-wide, AI touches the majority of new code in some form, since ~90% of developers now use AI tools during their workday.
Is AI-generated code less secure?
Scans say it introduces OWASP Top 10-class vulnerabilities in roughly 45% of security-relevant tasks (Veracode 2025, across 100+ models), with XSS and log injection the worst categories — and the rate has not improved with newer models. The bigger issue is volume: vulnerability density is comparable to unreviewed human code, but AI produces far more code per unit of review attention, so absolute security debt grows unless scanning and review scale with generation.
What is slopsquatting?
A supply-chain attack that exploits package hallucination. LLMs regularly cite dependencies that don't exist — about 20% of package references in one 576,000-sample study. Attackers register those plausible-sounding package names on npm or PyPI with malicious payloads, so a developer who installs what the AI suggested gets compromised. Defense: verify every AI-suggested dependency exists, is actively maintained, and is the package you think it is before installing.
Why does AI-assisted code have more duplication?
Assistants generate code token-by-token in the context of the current file — they're structurally biased toward writing new code rather than discovering that three similar blocks elsewhere should be consolidated into one abstraction. GitClear's repository data shows duplicated blocks rose ~8x in 2024 while refactoring-style "moved code" fell nearly 40%. Left alone, AI-heavy codebases accumulate additive sprawl; scheduled human-led refactoring is the counterweight.
Which AI model is best for coding?
It changes quarterly, and the honest answer is task-dependent: frontier models lead on complex multi-file agentic work, while smaller fast models are often better value for completions, tests, and boilerplate. Routing by task beats standardizing on one model. Benchmarks like SWE-bench Verified are a useful starting filter — comparing current models' coding scores, context windows, and per-token pricing side by side is exactly what a model comparison tool is for.

Ready to try LLM Model Comparison?

Free, private, and runs entirely in your browser — no sign-up, no server, no data sent anywhere.

Open LLM Model Comparison