Who's Writing the Code Now
The adoption numbers stopped being interesting because they stopped having anywhere to go. Stack Overflow's 2025 survey put AI tool usage at 84% of developers (using or planning to use). Google's DORA research measured 90% of developers using AI at work, with a median of about two hours a day spent working with it. GitHub Copilot passed 20 million users; Cursor went from niche to a reported $500M+ in annualized revenue faster than any developer tool in history.
The more telling numbers are about output share, not adoption:
- Google disclosed in late 2024 that about a quarter of its new code was AI-generated, a figure executives have since put above 30%. This is a company with arguably the strictest code review culture in the industry.
- Y Combinator's W25 batch: managing partner Jared Friedman said roughly a quarter of the startups had codebases that were about 95% AI-written. These are venture-funded companies shipping to production, not weekend prototypes.
- Microsoft put its share at 20–30% of code in company repositories written by AI, per Satya Nadella in April 2025.
So the question in 2026 isn't whether AI writes production code. It demonstrably does, at enormous scale. The question is what that's doing to the software — and here the data gets a lot less comfortable than the marketing.
The 19% Problem: Measured Speed vs. Felt Speed
In July 2025, the research nonprofit METR published the first serious randomized controlled trial of AI coding tools on realistic work: 16 experienced open-source developers, 246 real tasks on large mature repositories they knew well, randomized into AI-allowed (mostly Cursor with Claude models) and AI-forbidden conditions, with screen recordings to verify behavior.
The result made everyone angry, which is usually a sign a study measured something real:
- Developers took 19% longer to complete tasks when allowed to use AI.
- Before the study, they predicted AI would make them 24% faster. After finishing — having actually been slowed down — they still estimated it had made them about 20% faster.
- Economics and ML experts consulted beforehand predicted speedups of roughly 39% and 38% respectively. Everyone was wrong in the same direction.
The mechanism, visible in the screen recordings: developers spent less time actively coding and more time prompting, waiting on generations, and reviewing output — accepting under 44% of generations and then spending real time cleaning up the ones they did accept. On code you know deeply, describing the change to a model and auditing its attempt can genuinely cost more than typing the change yourself.
The study's authors were careful about scope, and you should be too: this was experienced developers on familiar, mature, high-standards codebases. Separate controlled experiments on greenfield or unfamiliar work — including a large Microsoft/Accenture field experiment with Copilot — found real speedups, typically in the 20–55% range on self-contained tasks. Both results can be true at once. The honest synthesis: AI assistance pays off roughly in proportion to how unfamiliar the territory is, and can go negative exactly where senior engineers spend most of their time — deep in systems they already understand. The perception gap is the dangerous part, because it means self-reported productivity gains (which is what most vendor studies and internal surveys measure) are systematically inflated.
What the Repositories Say: More Code, Less Reuse
Individual experiments aside, you can just look at what's happening to code at scale. GitClear analyzed hundreds of millions of changed lines across 2020–2024 — before-and-after the assistant era — and found the character of committed code shifting in a consistent direction:
- Copy-paste is up. The frequency of duplicated code blocks (5+ lines) rose roughly 8x during 2024, and 2024 was the first year in the dataset's history that copy-pasted lines exceeded moved lines — meaning developers now duplicate code more often than they refactor it into shared abstractions.
- Refactoring is down. "Moved" lines — the signature of consolidation work — fell by nearly 40% as a share of changes. Assistants are extremely good at writing new code and structurally biased against suggesting "delete these three near-duplicates and extract a function."
- Churn is up. Lines reverted or substantially rewritten within two weeks of being committed climbed steadily — code is going in faster and sticking less.
DORA's delivery research tells the same story from the pipeline side: teams with higher AI adoption ship more throughput, but delivery instability rises alongside it — AI amplifies whatever engineering system it lands in. Strong review, testing, and deployment practices convert AI volume into shipped value; weak ones convert it into rework. None of this says AI code is bad. It says AI defaults to additive code, and codebases accumulate cost through addition. Somebody still has to do the subtracting, and the data says it's happening less.
The Security Bill Arrives Later
Security scans of AI-generated code produce the most consistent — and most consistently ignored — numbers in this whole area:
- Veracode's 2025 GenAI Code Security report ran 80 curated coding tasks across 100+ models and found AI introduced OWASP Top 10-class vulnerabilities in about 45% of security-relevant tasks. Worse: that rate was essentially flat across model generations — newer, smarter models wrote more syntactically correct code, not safer code. Cross-site scripting and log injection were the standout failure classes (~86% and ~88% failure rates respectively).
- Package hallucination is a real supply-chain vector. A 2025 USENIX Security study across 576,000 generated code samples found about 20% of package references pointed to libraries that don't exist, with open-source models hallucinating at ~4x the rate of commercial ones. Attackers now register those plausible-sounding names preloaded with malware — the technique has a name, slopsquatting, which tells you how established it is.
- Secrets leak more. GitGuardian's 2025 data found repositories with Copilot enabled leaked secrets at a ~40% higher rate than the GitHub average — not because the AI invents credentials, but because generated boilerplate normalizes hardcoding them and volume overwhelms review.
The common thread: the vulnerability density of AI code isn't dramatically worse than median human code — but the volume is unprecedented and the review attention per line is collapsing. Security debt scales with lines shipped, and lines shipped is the one number going vertical.
What Teams Getting Real Gains Do Differently
Enough teams now demonstrably win with AI-heavy development that the differentiators are visible. They look boring, which is the point:
- They keep diffs small and reviewable. The failure mode isn't AI writing bad code; it's AI writing 800-line pull requests that no human meaningfully reviews. Teams that cap generated changes at reviewable size preserve the one quality gate that catches the 45%-class issues.
- They spend the saved time on tests, not more features. AI is genuinely excellent at writing tests — it's the highest-leverage, lowest-risk use of generation. Teams that convert AI speed into coverage get compounding returns; teams that convert it into feature velocity get GitClear's churn chart.
- They lint and scan in the loop, not after. Static analysis, secret scanning, and dependency verification (does this package exist and is it the real one?) run on every generation, because review attention is the scarce resource now.
- They route work honestly. Boilerplate, migrations, tests, unfamiliar APIs → AI-first. Core domain logic in a codebase a senior dev knows cold → the METR result says let them type. Matching the tool to the terrain is where the actual productivity lives — which is also why model choice per task matters more than a single house-standard model.
- They measure completed, retained work. Not acceptance rate, not lines generated, not self-reported speed — those all inflate. Cycle time on merged work and churn within 30 days are the numbers that don't lie.
The 2026 situation, honestly stated: AI coding assistance is a permanent, massive shift with real but wildly uneven returns, a measurement problem that flatters it, and a quality-and-security bill that arrives on a lag. The teams treating it like any other powerful tool — with gates, measurement, and skepticism about their own perception — are the ones the data says come out ahead.