45% of AI-generated code ships with a vulnerability — and developer trust in it just hit a new low
Veracode's 2026 testing found 45% of AI-generated code contains a security vulnerability, while separate developer survey data puts trust in AI-written code at just 29% — down from 40% the year before. Adoption is up; confidence is down.
3 July 2026
Two numbers from 2026’s security and developer-survey data don’t fit together comfortably, which is exactly why they’re worth reading side by side. Veracode’s testing across 80 coding tasks and 100+ LLMs found that 45% of AI-generated code contains a security vulnerability. Separately, developer trust in AI-generated code’s accuracy has dropped to 29%, down from 40% the year before, with the share who actively distrust AI output rising sharply. Sonar’s developer survey data puts AI-generated or AI-assisted code at 42% of everything being written.
Adoption and confidence are moving in opposite directions
That combination — more AI-written code shipping, less trust in it — isn’t a contradiction, it’s the honest state of the industry. Teams have adopted these tools because the productivity case is real: faster first drafts, less boilerplate, quicker iteration. But the same teams increasingly know, from direct experience, that AI output needs checking rather than trusting by default. Most developers now report refusing to merge AI-generated code without manual review — which is the correct response to a 45% vulnerability rate, not an overreaction to it.
Why this is the actual argument for process, not for avoiding AI tools
The wrong conclusion here is “don’t use AI coding tools.” The right one is “don’t use them without a review discipline built around them” — automated test gates, a second model or a human reviewing before merge, and someone accountable for what actually ships. Teams doing that get the speed benefit without inheriting the vulnerability rate. Teams that don’t are running exactly the risk this data describes.
So what
If you’re commissioning software, “do you use AI coding tools” is no longer the useful question — every serious development team does. The useful question is what review process sits between an AI agent’s output and production. Ask for specifics: test coverage requirements, who reviews AI-authored code, whether a second model or a human checks security-sensitive changes. That answer tells you more about the quality of what you’ll receive than the tool name ever will. More on how we build review discipline into AI-assisted delivery on the AI-assisted development page.