A study released on June 9, 2026, by Black Duck, a software security firm, reveals something business leaders should pay close attention to. AI coding tools have achieved near-total adoption in enterprise software teams, but the governance infrastructure needed to manage them safely is almost completely absent.
The research, conducted in partnership with UserEvidence, surveyed 831 enterprise software engineers and DevOps professionals at organizations with 500 or more employees. The results paint a picture of a technology adoption wave that has outrun the safety measures designed to keep it productive.
The Adoption Numbers Are Remarkable
A full 97% of respondents said their teams use AI coding tools. The leading platforms are GitHub Copilot (used by 83% of respondents) and Claude Code (63% adoption), with most teams running more than one assistant simultaneously.
The productivity gains are real. Nine in ten development teams (92%) report improved productivity and faster release cycles, with 58% describing the improvement as major. Developers reclaim an average of eight hours per week. More than half (53%) have grown their total code volume by over 25%.
These are not marginal improvements. For any organisation that ships software, from internal tools and client-facing apps to analytics platforms and automation workflows, AI coding tools have become a genuine competitive lever.
The Governance Gap Is the Real Story
Here is where the numbers take a sharp turn.
Despite 97% adoption, only 30% of teams have full governance in place for their AI coding tools. That means seven out of ten enterprise development teams are using productivity-boosting AI tools without a complete formal framework for oversight, risk management, or accountability.
The consequences are already showing up. Nearly two-thirds of respondents (64%) expressed moderate or extreme concern that AI coding tools are introducing security vulnerabilities into their codebases. And nearly 90% said their teams encounter issues with AI-generated code, with bottlenecks appearing in manual review (52%), security testing (51%), and code rework (48%).
So the promise of eight hours reclaimed per week is being partially consumed by fixing problems the tools themselves created.
Why Governance Is the ROI Multiplier
Black Duck’s finding that governance is the ROI multiplier is worth taking seriously. Teams with strong governance frameworks are better placed to capture productivity gains without the rework cycles that eat them back.
This mirrors a pattern seen across enterprise AI adoption broadly. The tools arrive fast, the results look impressive in pilots, and then production reality surfaces the gaps. Code review processes that assumed human authors. Security scanning that was not built for AI-generated output volumes. Legal and IP questions about training data. Version control workflows that were not designed for 25% higher code throughput.
None of these are blockers. But they do require deliberate attention before they become incidents.
What This Means for Business
For business leaders, the key takeaway is this: if your development team is in the 97% but not the 30%, you likely have a gap between the productivity you are claiming from AI coding tools and the actual net productivity after rework, security remediation, and manual review overhead.
The businesses that will extract the most value from AI coding adoption in the next 12 months are those that treat governance as part of the implementation plan, not an afterthought.
That means establishing clear policies around which tools are approved, what code review checkpoints remain mandatory, how security scanning is adapted for AI-generated output, and who owns accountability when AI-generated code causes a production issue.
For organisations that are not sure where to start, that governance gap is exactly where strategic AI advisory adds value. Building the operating model around the tools, not just the tools themselves, is the work that separates teams capturing real gains from teams that are merely busy.
At Enterprise DNA, working with business leaders to close exactly this kind of gap (the space between “we deployed AI” and “AI is reliably delivering ROI”) is a core part of what the Omni Advisory practice is designed to address. If your team is in the 97% but struggling to get into the 30%, that is a solvable problem.
Source
Black Duck / PR Newswire