A new report from Qodo puts some hard numbers behind something most developers already
feel: AI coding tools are moving faster than the systems built to catch their mistakes.
The report, based on a Censuswide survey of 500 U.S. IT engineers and engineering leaders
conducted in March 2026, doesn't read like a hit piece on AI. It reads like an honest look at
where enterprise engineering teams actually stand — and the picture is complicated.
The Numbers
Start with this: 89% of organizations surveyed have experienced at least one AI-related
production incident. Security vulnerabilities top the list at 53%, followed by broken code
and bugs at 44% each. One in four organizations has experienced a full production outage
caused by AI-generated code.
Those are not small numbers.
And yet 94% of developers say they're confident in the code AI tools produce. 63% describe
themselves as very confident.
Both things are true at the same time, and that's the point.
The Confidence-Scrutiny Paradox
Here's the part worth sitting with: 95% of developers say knowing that code is AI-generated
changes how closely they review it. Of those, 57% say their scrutiny increases significantly.
Nearly 40% scrutinize AI-generated code more heavily than code written by a human colleague.
And 45% change their entire review process when AI-generated code is involved — requiring
additional tests, benchmarks, or documentation before approving a merge.
So developers are confident in AI tools and reviewing AI output with extra suspicion. That's
not a contradiction. It's an accurate read of how these tools actually behave.
AI coding assistants are genuinely useful. They handle boilerplate reliably, speed up routine
implementation, and reduce cognitive overhead on the predictable stuff. But they also produce
code that looks correct and isn't. A model can hallucinate an API reference, misapply a
security pattern, or generate code that works in isolation and breaks in production. Developers
have learned this through experience, and they've adjusted accordingly.
The report calls this a "trust tax." You use the tool, you get the speed benefit, and you pay for
it with heightened alertness on every review.
The Review Burden
Here's where the productivity story gets messier. Across the full survey, the net time savings
from AI tools on manual review is roughly 17 minutes per week. That's not nothing, but it's
not the productivity leap the pitch decks promised.
More telling: 41% of developers are spending more time on manual review than before AI
tools existed. The code volume has increased. The human bandwidth to review it hasn't.
The report frames this as a throughput failure. We can generate code faster than we can
safely verify it. That's a structural problem, not a training problem or a tooling preference
problem.
The 501 to 1,000 employee bracket illustrates it most clearly. It's the only company size
group where the net effect is additional time spent — an average of 0.55 hours per week
more than before. These companies are large enough that AI adoption is widespread and code
volume is high, but they haven't yet built the review infrastructure to match that volume.
The Enterprise Paradox
The most counterintuitive finding in the report involves the largest organizations — those
with 10,000 or more employees. They report saving an average of 1.18 hours per week on
manual review. Sounds good. But they also have the highest production outage rate in the
survey at 40%, compared to a 25% average across the full population.
And they have the lowest adoption of automated gates — 68% — of any bracket above 50
employees.
That gap explains a lot. When you reduce manual review time without adding automated
verification to catch what manual review is no longer catching, you're not saving time. You're
moving risk downstream, where it surfaces as outages and vulnerabilities.
The 2,501 to 5,000 employee bracket shows what the alternative looks like. At 84% gate
adoption — the highest of any bracket — their outage rate sits at 27%, in line with the overall
average. Automated gates don't eliminate incidents, but the data suggests they meaningfully
reduce exposure.
What Reviewers Are Actually Catching
Developers know what to look for. The top frustrations in review are hallucinated logic and
subtle bugs (30%) and security vulnerabilities (23%). Those map directly onto the leading
incident types reported in production.
The rest of the list points to a consistent pattern: AI is good at syntax and weak on context.
Fifteen percent of reviewers say AI-generated code misses important business or domain
context. Thirteen percent cite inadequate error handling. Ten percent say the code ignores
existing architectural decisions the model simply didn't have access to.
Knowing what to look for isn't the same as having a scalable system for catching it. That's the
core problem.
What This Means for Your Team
The report's conclusion is straightforward: the organizations doing the best aren't the ones
using AI most aggressively. They're the ones that have built verification infrastructure to
match the pace of AI-generated output — automated gates that block code from merging if it
violates security, compliance, or quality policies.
Twenty-one percent of organizations still don't have that layer in place. For those teams,
reviewer bandwidth is the only backstop. And reviewer bandwidth doesn't scale.
AI is accelerating code generation. The constraint has shifted to verification. The teams that
recognize that and build accordingly are in a better position. The ones still measuring success
purely by lines of code shipped or hours saved in review are measuring the wrong things.
The full Qodo report is available here: https://www.qodo.ai/.