Data
AI Code Statistics 2026
Last updated: 2026-07-023 min read
The numbers behind AI coding, consolidated and sourced: 84% of developers use AI tools, 96% distrust the code and 48% consistently verify it; review time per PR is up 91%, two-week churn is drifting from ~3.1% toward 5.7%, and ~45% of AI-generated samples fail security tests. Every figure below carries its source and year. A living reference, updated as the research moves.
Contents
Adoption and the verification gap
| Figure | What it measures | Source & year |
|---|---|---|
| 84% | Developers using AI tools (up 14 pts from 2023) | Stack Overflow survey, 2025 |
| 96% | Developers who distrust AI-generated code | Sonar, State of Code 2026 |
| 48% | Developers who consistently verify AI code | Sonar, State of Code 2026 |
| 38% | Find AI code harder to review than a colleague's | Sonar, State of Code 2026 |
The gap between 96% and 48% is the sector’s defining number, unpacked in the verification gap.
The review bottleneck
| Figure | What it measures | Source & year |
|---|---|---|
| +98% | More merged PRs in high-AI teams | Faros AI telemetry, 2026 |
| +91% | Review time per PR, same teams | Faros AI telemetry, 2026 |
| +441% | Median time a PR spends in review | DORA-cycle telemetry, 2025 |
| +51% | Larger pull requests | DORA-cycle telemetry, 2025 |
| −19% | Experienced devs slower with early-2025 AI (while feeling faster) | METR RCT, 2025 |
The mechanics are in the review bottleneck; the METR result is the standing caution that perceived and real productivity diverge.
Code quality and churn
| Figure | What it measures | Source & year |
|---|---|---|
| ~3.1% → 5.7% | Two-week churn trend as AI assistance grew | GitClear, 211M lines, 2025 |
| ~8x | Rise in duplicated code blocks | GitClear, 2025 |
| declining | Share of moved/refactored code | GitClear, 2025 |
What the churn numbers do and do not say is in AI code churn, and their euro translation in the cost calculation.
Security
| Figure | What it measures | Source & year |
|---|---|---|
| ~45% | AI-generated samples that fail security tests | Veracode, 2025 |
| 86% | Relevant samples failing to prevent XSS (CWE-80) | Veracode, 2025 |
| 72% / 45% / 43% / 38% | Failure rate: Java / C# / JavaScript / Python | Veracode, 2025 |
| flat | Security across model generations (functionality rose) | Veracode, 2025 |
The classes and defenses are in security vulnerabilities in AI code.
Supply chain and secrets
| Figure | What it measures | Source & year |
|---|---|---|
| 19.7% | LLM-recommended packages that do not exist | USENIX Security (Spracklen et al.), 2025 |
| 205,000+ | Unique hallucinated package names observed | USENIX Security, 2025 |
| 43% | Hallucinated names repeating in all 10 reruns | USENIX Security, 2025 |
| 28.65M | New hardcoded secrets on public GitHub in 2025 | GitGuardian, 2026 |
| +81% | Rise in AI-service secret leaks year over year | GitGuardian, 2026 |
| ~2x | Secret-leak rate of AI-assisted vs human commits | GitGuardian, 2026 |
These feed slopsquatting and what AI tools actually read.
What these numbers do not say
Three honest caveats. There is no robust industry figure for “what percentage of code is AI-generated” - the definitions and telemetry differ too much, so this page avoids that headline. Several key sources are vendor or vendor-adjacent (Sonar, Faros, GitClear, Veracode, GitGuardian); they are the best public data and carry an interest, so treat them as directional and prefer figures corroborated across independent signals - which most of the above are. And percentages describe direction and magnitude, not a universal multiplier: your codebase’s numbers come from measuring it, via the four metrics, not from ours.
Where Reality Graph fits
Reality Graph cites these numbers; it does not generate its own. There are deliberately no Reality Graph statistics on this page - the product is in private beta, and inventing product-performance figures would violate the same claim-safety rule the rest of the site follows. What Reality Graph does is let a team produce its own version of these numbers, from its own runs, via the evidence reports and metrics - measured, not borrowed.
This reference gives you
- Every key AI-code figure with its source and year
- Themed tables built for one-value citation
- The independent-vs-vendor split, stated per source
- A living page updated as the research moves
It does not give you
- A robust 'X% of code is AI-generated' number - none exists
- Any Reality Graph performance statistics
- A universal multiplier for your codebase - measure it
- Certainty from single vendor studies - direction over gospel
If these boundaries fit how your team wants to ship:
FAQ
- How much code is AI-generated, and how many developers use AI tools?
- As of the 2025 Stack Overflow survey, 84% of developers use AI tools - up 14 points from 2023. A single reliable figure for the share of code that is AI-generated does not exist across the industry (definitions and telemetry differ), which is why this page reports adoption and effect rather than a headline 'X% of code' number that no source robustly supports.
- How long do AI pull requests wait, and how much has review slowed?
- Faros AI telemetry across thousands of teams reports review time per PR up 91% in high-AI-adoption teams, while merged PR volume rose about 98% - and DORA-cycle telemetry put the median time a PR spends in review up 441% as AI volume grew (2025). There is no universal wait-time in hours; the percentages describe the direction and magnitude, which are consistent across sources.
- What is the single most-cited AI code statistic?
- Sonar's 2026 finding that 96% of developers distrust AI-generated code while only 48% consistently verify it - the 'verification gap'. It is widely cited because it captures the whole problem in two numbers: the awareness is nearly universal, the diligence is not, and the difference is behavioral rather than technical.
- Are these statistics from independent research or vendors?
- Both, and this page marks which. Independent or academic: the METR randomized trial, the USENIX Security 2025 slopsquatting study. Vendor or vendor-adjacent (reliable but with an interest): Sonar, Faros AI, GitClear, Veracode, GitGuardian. We treat vendor figures as directional evidence, note them as such, and prefer numbers corroborated across independent signals.
- How current are these numbers?
- This is a living reference: it consolidates the sourced figures used across the site and is updated when new research lands or a number ages, with the visible date bumped. Each figure carries its own year in the tables, so you can see at a glance whether a statistic is from 2025 or 2026 rather than trusting a single 'last updated' stamp.
- Can I cite these figures?
- Yes - cite the underlying source named in each row and its year, not this page. The tables are organized to make that easy: value, precise description, source and year in every row. Where a figure is a range or a trend, cite it as one; the biggest error in AI-code statistics is quoting a spread as a point.
Keep reading
Sources
- Sonar – State of Code: 96% distrust, 48% verify, 38% find AI code harder to review (2026)
- Faros AI – DORA-cycle telemetry: +98% merged PRs, +91% review time/PR, +441% time-in-review, +51% PR size (2025-2026)
- GitClear – AI Copilot Code Quality: churn ~3.1%→5.7%, duplication up ~8x across 211M lines (2025)
- Veracode – GenAI Code Security Report: 45% fail, XSS 86%, Java 72%, flat across model generations (2025)
- Spracklen et al. – package hallucination study: 19.7%, 205k names, 43% persistent (USENIX Security 2025)
- GitGuardian – State of Secrets Sprawl 2026: 28.65M new secrets, AI leaks +81%, ~2x leak rate (2026)
- METR – RCT: experienced developers 19% slower with early-2025 AI while feeling faster (2025)
- Stack Overflow Developer Survey: 84% AI-tool adoption (2025)