Skip to content

Data

AI Code Statistics 2026

Last updated: 2026-07-023 min read

The numbers behind AI coding, consolidated and sourced: 84% of developers use AI tools, 96% distrust the code and 48% consistently verify it; review time per PR is up 91%, two-week churn is drifting from ~3.1% toward 5.7%, and ~45% of AI-generated samples fail security tests. Every figure below carries its source and year. A living reference, updated as the research moves.

Contents

Adoption and the verification gap

FigureWhat it measuresSource & year
84%Developers using AI tools (up 14 pts from 2023)Stack Overflow survey, 2025
96%Developers who distrust AI-generated codeSonar, State of Code 2026
48%Developers who consistently verify AI codeSonar, State of Code 2026
38%Find AI code harder to review than a colleague'sSonar, State of Code 2026
Adoption and the verification gap - the two Sonar figures are the sector's most-cited numbers (sources per row; status: 2026).

The gap between 96% and 48% is the sector’s defining number, unpacked in the verification gap.

The review bottleneck

FigureWhat it measuresSource & year
+98%More merged PRs in high-AI teamsFaros AI telemetry, 2026
+91%Review time per PR, same teamsFaros AI telemetry, 2026
+441%Median time a PR spends in reviewDORA-cycle telemetry, 2025
+51%Larger pull requestsDORA-cycle telemetry, 2025
−19%Experienced devs slower with early-2025 AI (while feeling faster)METR RCT, 2025
Throughput and review load in high-AI-adoption teams - percentages, not universal wait-times; the direction is consistent across sources (Faros/DORA telemetry; METR RCT; 2025-2026).

The mechanics are in the review bottleneck; the METR result is the standing caution that perceived and real productivity diverge.

Code quality and churn

FigureWhat it measuresSource & year
~3.1% → 5.7%Two-week churn trend as AI assistance grewGitClear, 211M lines, 2025
~8xRise in duplicated code blocksGitClear, 2025
decliningShare of moved/refactored codeGitClear, 2025
Quality signals from GitClear's 211-million-line analysis - vendor-adjacent research, read as directional; churn is priced against the pre-AI baseline (2025).

What the churn numbers do and do not say is in AI code churn, and their euro translation in the cost calculation.

Security

FigureWhat it measuresSource & year
~45%AI-generated samples that fail security testsVeracode, 2025
86%Relevant samples failing to prevent XSS (CWE-80)Veracode, 2025
72% / 45% / 43% / 38%Failure rate: Java / C# / JavaScript / PythonVeracode, 2025
flatSecurity across model generations (functionality rose)Veracode, 2025
AI-code security from Veracode's evaluation of 100+ LLMs across four languages - the flat-across-generations finding is the load-bearing one (2025).

The classes and defenses are in security vulnerabilities in AI code.

Supply chain and secrets

FigureWhat it measuresSource & year
19.7%LLM-recommended packages that do not existUSENIX Security (Spracklen et al.), 2025
205,000+Unique hallucinated package names observedUSENIX Security, 2025
43%Hallucinated names repeating in all 10 rerunsUSENIX Security, 2025
28.65MNew hardcoded secrets on public GitHub in 2025GitGuardian, 2026
+81%Rise in AI-service secret leaks year over yearGitGuardian, 2026
~2xSecret-leak rate of AI-assisted vs human commitsGitGuardian, 2026
Supply-chain and secrets exposure - the USENIX study is academic; GitGuardian is vendor research (2025-2026).

These feed slopsquatting and what AI tools actually read.

What these numbers do not say

Three honest caveats. There is no robust industry figure for “what percentage of code is AI-generated” - the definitions and telemetry differ too much, so this page avoids that headline. Several key sources are vendor or vendor-adjacent (Sonar, Faros, GitClear, Veracode, GitGuardian); they are the best public data and carry an interest, so treat them as directional and prefer figures corroborated across independent signals - which most of the above are. And percentages describe direction and magnitude, not a universal multiplier: your codebase’s numbers come from measuring it, via the four metrics, not from ours.

Where Reality Graph fits

Reality Graph cites these numbers; it does not generate its own. There are deliberately no Reality Graph statistics on this page - the product is in private beta, and inventing product-performance figures would violate the same claim-safety rule the rest of the site follows. What Reality Graph does is let a team produce its own version of these numbers, from its own runs, via the evidence reports and metrics - measured, not borrowed.

This reference gives you

  • Every key AI-code figure with its source and year
  • Themed tables built for one-value citation
  • The independent-vs-vendor split, stated per source
  • A living page updated as the research moves

It does not give you

  • A robust 'X% of code is AI-generated' number - none exists
  • Any Reality Graph performance statistics
  • A universal multiplier for your codebase - measure it
  • Certainty from single vendor studies - direction over gospel

If these boundaries fit how your team wants to ship:

FAQ

How much code is AI-generated, and how many developers use AI tools?
As of the 2025 Stack Overflow survey, 84% of developers use AI tools - up 14 points from 2023. A single reliable figure for the share of code that is AI-generated does not exist across the industry (definitions and telemetry differ), which is why this page reports adoption and effect rather than a headline 'X% of code' number that no source robustly supports.
How long do AI pull requests wait, and how much has review slowed?
Faros AI telemetry across thousands of teams reports review time per PR up 91% in high-AI-adoption teams, while merged PR volume rose about 98% - and DORA-cycle telemetry put the median time a PR spends in review up 441% as AI volume grew (2025). There is no universal wait-time in hours; the percentages describe the direction and magnitude, which are consistent across sources.
What is the single most-cited AI code statistic?
Sonar's 2026 finding that 96% of developers distrust AI-generated code while only 48% consistently verify it - the 'verification gap'. It is widely cited because it captures the whole problem in two numbers: the awareness is nearly universal, the diligence is not, and the difference is behavioral rather than technical.
Are these statistics from independent research or vendors?
Both, and this page marks which. Independent or academic: the METR randomized trial, the USENIX Security 2025 slopsquatting study. Vendor or vendor-adjacent (reliable but with an interest): Sonar, Faros AI, GitClear, Veracode, GitGuardian. We treat vendor figures as directional evidence, note them as such, and prefer numbers corroborated across independent signals.
How current are these numbers?
This is a living reference: it consolidates the sourced figures used across the site and is updated when new research lands or a number ages, with the visible date bumped. Each figure carries its own year in the tables, so you can see at a glance whether a statistic is from 2025 or 2026 rather than trusting a single 'last updated' stamp.
Can I cite these figures?
Yes - cite the underlying source named in each row and its year, not this page. The tables are organized to make that easy: value, precise description, source and year in every row. Where a figure is a range or a trend, cite it as one; the biggest error in AI-code statistics is quoting a spread as a point.

Keep reading

Sources

Want to follow the beta, or test it when it opens?

Join early access