The Feeling is Real. The Speed is Not
Forty-one percent of all code written globally in 2024 was generated or suggested by AI. Eighty-four percent of developers now use AI coding tools.

In July 2025, a randomised controlled trial set out to measure what AI coding tools actually do to developer productivity. The developers tested were not novices — they were experienced open-source contributors working on codebases they knew well, using the tools that have driven AI adoption at scale: Cursor Pro with Claude 3.5 and 3.7 Sonnet. Before the experiment began, they predicted the tools would make them 24% faster. After completing the tasks, they still believed AI had made them 20% faster. The measured result was that they were 19% slower than developers who had worked without AI. The gap between what the tools felt like and what they produced was 39 to 44 percentage points.
This was not a finding about novices or edge cases. The Model Evaluation and Threat Research group, which conducted the trial, ran it on real issues in real codebases — the kind of work that makes up most professional software development. The minutes saved on initial code generation were consumed by reviewing, fixing, or discarding AI output that was close to correct but not correct enough. The feeling of speed was real. What it was measuring was not productivity.
That gap — between the experience of using AI coding tools and their measurable effect — is what makes the current moment unusual. The tools have been adopted at extraordinary speed, the productivity dashboards show dramatic improvements, and the downstream costs are accumulating in places the dashboards do not look.
What the numbers actually say
The scale of AI code generation adoption is not in doubt. GitHub Copilot reached 20 million users by July 2025 and had 4.7 million paid subscribers by January 2026 — a 75% year-on-year increase. It is deployed at 90% of Fortune 100 companies. By early 2026, 84% of developers reported using AI tools in their development process. GitClear’s analysis of 211 million changed lines of code found that approximately 41% of all code committed globally in 2025 was initially generated or suggested by AI.
By April 2026, Google’s CEO Sundar Pichai confirmed that 75% of all new code at Google is AI-generated — reviewed and approved by engineers before it ships, up from just over 25% in mid-2024.
The productivity data from vendor-run studies is compelling. GitHub’s study of 4,800 developers, conducted with Accenture, found task completion 55% faster with Copilot. Pull request time dropped from 9.6 days to 2.4 days. Successful builds increased 84%. Developers using AI daily merge approximately 60% more pull requests than light users. DX, a developer analytics platform tracking more than 135,000 developers, found that developers using AI tools regularly self-report saving an average of 3.6 hours per week.
These numbers are real. They are also, largely, measuring the things AI code generation is good at: boilerplate, test scaffolding, documentation, refactoring familiar patterns, completing obvious continuations of existing code. The 55% faster figure comes from a task involving JavaScript HTTP server code — a type of work that is highly amenable to AI suggestion, with clear patterns and extensive training data. The same gains do not generalise to all development work, and the vendor-run studies are not designed to measure the downstream costs.
Experienced developers using AI tools felt 20% faster. They were 19% slower. The 39-percentage-point gap between perception and measurement is the most important data point in software development in 2025.
A separate analysis by Faros AI, examining telemetry from more than 10,000 developers across 1,255 teams, found that AI adoption correlated with a 9% increase in bugs per developer. Individual output increased; the organisation’s code quality fell.
The security picture is starker. Veracode tested more than 100 large language models against 80 coding tasks specifically designed to carry a known security dimension — the kind of tasks where a wrong choice introduces a real vulnerability. In 45% of cases, the models chose the insecure path, introducing vulnerabilities from the OWASP Top 10; newer and larger models did not perform significantly better than their predecessors. CodeRabbit’s analysis of 470 real-world pull requests found that AI-generated code introduced 2.74 times more cross-site scripting vulnerabilities than human-written code, and 1.9 times more insecure direct object references. Aikido Security’s survey of 450 organisations found that one in five had experienced a serious cybersecurity incident caused by AI-generated code in 2025.
What the technology cannot see
This is not the first time the industry has tried to automate code production. In the 1980s and 1990s, Computer Aided Software Engineering — CASE — made the same promise: feed your models and specifications into a repository, generate the code. The output was usually unusable. Teams spent longer unpicking what the tools produced than they would have spent writing from scratch. The tools were not wrong about the mechanics of generation. They were wrong about what the hard part of software engineering actually is.
An AI coding assistant faces a version of the same problem at larger scale and higher speed. It has been trained on enormous quantities of code from public repositories. It has learned to predict what code is likely to follow given what has already been written. It is, in that sense, a very sophisticated pattern-completion engine. What it does not have is any understanding of the specific system it is generating code for — the business logic, the security requirements, and the architectural decisions that are specific to this system rather than to code in general.
SQL injection is one of the oldest and most well-documented security vulnerabilities in web development. It appears in the training data with high frequency, both as the vulnerability and as its correct prevention through parameterised queries. AI models should, in principle, know how to avoid it. They often do not. The reason is that the model is optimised to produce code that completes the task as stated — and the task as stated rarely includes ‘and also, make absolutely sure no user input can be injected into this query’. The model takes the shortest path to a passing result. Security requirements that are implied rather than explicit tend to be skipped.
AI Code Generation — The State of Play in 2026:
Adoption: 84% of developers use AI tools; 41% of all code globally was AI-generated (2024) |
GitHub Copilot: 20M users (Jul 2025); 4.7M paid subscribers (Jan 2026); 90% Fortune 500 |
Vendor productivity data: 55% faster on benchmark tasks; 3.6 hrs/week saved on average |
METR trial (Jul 2025): Experienced developers 19% slower — despite feeling 20% faster |
Security: 45% of AI code fails security tests (Veracode); 2.74× more XSS vulnerabilities (CodeRabbit) |
Quality: 4× more code duplication (GitClear); refactoring collapsed from 25% to <10% of changed code lines |
Faros AI (10,000+ developers): AI adoption linked to 9% more bugs at company level |
1 in 5 organisations experienced a security incident caused by AI-generated code (Aikido, 2025) |
YC W25 batch: 25% of startups had codebases 95% AI-generated — small teams, real revenue
GitClear’s longitudinal analysis of 211 million lines of code identified a more structural problem. The proportion of code that constitutes refactoring — the disciplined work of improving existing code’s structure without changing its behaviour — fell from 25% of all commits to under 10% as AI adoption increased. Simultaneously, code duplication increased fourfold. The pattern is consistent with what happens when code generation is optimised for volume and speed: new code is added rather than existing code improved, similar patterns are copy-pasted rather than abstracted, and the codebase becomes progressively harder to understand and change.
The term that circulated widely in 2025 was ‘vibe coding’, coined by Andrej Karpathy to describe the practice of accepting AI suggestions without reading the generated code carefully — programming by feel, copying error messages back to the AI until it works. As a personal approach to low-stakes projects, this is a reasonable efficiency trade. As a pattern spreading through professional development teams, it has measurable consequences. OX Security examined more than 300 repositories and identified ten recurring anti-patterns present in 70 to 100% of AI-generated code, including incomplete error handling, weak concurrency management, and inconsistent architectural decisions. These are not exotic failure modes — they are the standard failure modes of code written by someone who knows what the output should look like but does not fully understand the system it runs in.
The junior developer question is also changing in ways that are not straightforward. Demand for very junior developers — those whose primary value is writing boilerplate and implementing well-specified features — has softened as AI handles more of that work. Gartner has forecast that 80% of software engineers will need to upskill in AI by 2027. The role that remains, and that is if anything growing in value, is the developer who can specify problems precisely enough for AI to address them, review AI output critically enough to catch its characteristic failure modes, and design systems architecturally rather than producing code line by line. That is a different job description from the one most developers were hired to do five years ago.
Who benefits, and the costs they cannot see
The clearest beneficiaries of AI code generation are not the developers who were already most productive. They are the people who previously could not build software at all. In Y Combinator’s Winter 2025 batch, 25% of startups had codebases that were 95% AI-generated, with small teams — often fewer than ten people — shipping products with paying customers at a pace that would have been impossible two years earlier. A non-developer who can specify what they need in plain language, and who has enough domain expertise to evaluate whether the output works, can now produce functional software at a speed that was impossible without technical co-founders. The barrier that used to require a technical co-founder or a development team has dropped to domain expertise and the ability to specify what you need.
The costs tend to fall elsewhere. Production systems with AI-generated code are accumulating a backlog of maintainability problems, duplicated logic, and architectural inconsistencies that compound over time — what the industry has taken to calling a technical debt tsunami. Analysis by Codebridge describes a predictable pattern in AI-assisted projects without proper governance — what it calls the 18-month wall: velocity gains in months one to three are followed by a plateau, then a decline, and by 18 months the team can no longer fully understand their own system. The code shipped faster. The code that was shipped has become progressively harder to change.
The clearest beneficiaries of AI code generation are the people who previously could not build software at all. The costs — security vulnerabilities, technical debt, degraded maintainability — tend to fall on the teams who inherit the codebase.
The security consequences are not evenly distributed either. An organisation with a mature security engineering function — automated scanning in the continuous integration pipeline, mandatory human review for AI-generated code, developers trained to recognise the characteristic vulnerability patterns that AI produces — can capture the productivity benefit while managing the risk. An organisation without those controls, which describes many of the smaller and less well-resourced companies where AI code generation is growing fastest, is generating code with known vulnerability patterns at scale. The one-in-five cybersecurity incident rate from Aikido Security’s survey is not a future risk. It is a 2025 reality.
What ‘more productive’ actually means
There is a genuine productivity case for AI code generation. For handling tedious scaffolding, repetitive testing, and documentation that would otherwise be skipped, the tools do what they claim — they reduce the time spent on work that does not require judgement, and free the developer to focus on what requires care. The 55% faster result in GitHub’s study is real. The question is whether the developer who is 55% faster at writing the initial code is also better, faster, or more thoughtful at reviewing it.
Whether AI code generation expands what developers can do — building more complex systems, serving more users — or whether it primarily produces more code without proportional improvement in outcomes is not the same question. The technical debt and security findings suggest that ‘more code’ and ‘better software’ are not the same thing. An organisation that measures developer productivity by lines of code or pull requests merged will see dramatic improvements. An organisation that measures by system reliability, security record, and long-term maintainability will see a more complicated picture.
The question that most organisations are not yet asking is whether their approach to AI code generation matches the actual risk. The risk profile is not uniform. A SQL query generated by AI in a financial application has a different security consequence from a CSS class generated by AI in a marketing site. A snippet of authentication logic reviewed by a senior security engineer has a different risk profile from the same snippet reviewed by a junior developer under time pressure.
The organisations managing this well tend to share two things: automated scanning on AI-generated code before it reaches production, and a differentiated approach — more scrutiny where the risk is high, less where it is low. Most apply uniform policies, either permitting AI use broadly or restricting it broadly. Neither matches the actual risk profile.
What the productivity dashboard doesn’t show
The METR trial found experienced developers were 19% slower with AI tools while believing they were 20% faster. If you use AI coding tools, how confident are you that your sense of your own productivity is accurate? What would you need to measure to find out?
One in five organisations reported a security incident caused by AI-generated code in 2025. Does your organisation scan AI-generated code for security vulnerabilities before it reaches production? If not, what is the process that is supposed to prevent those vulnerabilities from being deployed?
AI tools handle the initial code generation faster, but the work of specifying problems precisely, reviewing output critically, and designing systems that remain comprehensible as they grow — these are becoming more important, not less. Is the way your organisation hires, trains, and develops software engineers keeping up with that shift?
Startups in Y Combinator’s 2025 batch were building products with 95% AI-generated codebases and reaching real revenue. What does it mean for the software industry that the barrier to building has dropped this dramatically — and for whom has it actually dropped?
The tools are installed. The feeling of acceleration has not gone away. What is accumulating alongside it — the vulnerabilities, the duplicated logic, the refactoring debt — does not appear in the metrics being used to justify the adoption.
Sources and further reading
1. METR — Measuring the Impact of Early-2025 AI on Experienced Open-Source Developer Productivity
Joel Becker, Nate Rush, Elizabeth Barnes, David Rein — Model Evaluation and Threat Research, 10 July 2025
metr.org/blog/2025-07-10-early-2025-ai-experienced-os-dev-study
The randomised controlled trial underlying the 19% slower / 20% faster perception gap. 16 experienced open-source developers, real issues from their own codebases, Cursor Pro with Claude 3.5 and 3.7 Sonnet.
2. Veracode — 2025 GenAI Code Security Report
Veracode, July 2025
veracode.com/resources/analyst-reports/2025-genai-code-security-report
100+ large language models tested against 80 coding tasks specifically designed to carry a known security dimension. 45% of cases: model chose the insecure path. Rate consistent across model generations.
3. CodeRabbit — State of AI vs Human Code Generation Report
CodeRabbit, December 2025
coderabbit.ai/whitepapers/state-of-AI-vs-human-code-generation-report
470 real-world pull requests (320 AI-co-authored, 150 human-only). AI code: 2.74× more cross-site scripting vulnerabilities, 1.91× more insecure direct object references, 1.7× more total issues.
4. Aikido Security — 2026 State of AI in Security & Development
Aikido Security, 2025
aikido.dev/state-of-ai-security-development-2026
Survey of 450 CISOs, security leaders, developers, and AppSec engineers across Europe and the US. 20% reported a serious security incident caused by AI-generated code.
5. GitClear — AI Copilot Code Quality: 2025 Data Suggests 4x Growth in Code Clones
GitClear, 2025
gitclear.com/ai_assistant_code_quality_2025_research
211 million changed lines of code analysed (2020–2024). Code duplication increased fourfold. Refactoring fell from approximately 25% of commits to under 10% as AI adoption increased.
6. Faros AI — The AI Productivity Paradox
Faros AI, 2025
faros.ai/ai-productivity-paradox
Telemetry from more than 10,000 developers across 1,255 teams. AI adoption correlated with a 9% increase in bugs per developer. Daily AI users merge approximately 60% more pull requests than light users.
7. DX — AI-Assisted Engineering: Q4 Impact Report 2025
DX (Developer Experience), 2025
getdx.com/blog/ai-assisted-engineering-q4-impact-report-2025
435 companies, 135,000+ developers, July–October 2025. Developers using AI tools regularly self-report saving an average of 3.6 hours per week. Note: self-reported perception, not independently measured.
8. GitHub / Accenture — GitHub Copilot Impact Study
GitHub and Accenture, 2024
github.blog/news-insights/research/survey-ai-wave-grows
4,800 developers. Task completion 55% faster with Copilot. Pull request time: 9.6 days → 2.4 days. Successful builds increased 84%. Note: benchmark task involving JavaScript HTTP server code — a domain highly amenable to AI suggestion.
9. GitHub Copilot user and subscriber figures
GitHub announcement, July 2025; Microsoft FY26 Q2 earnings call, 28 January 2026
dataconomy.com/2025/07/31/github-copilot-now-has-over-20-million-users
20 million total users by July 2025. 4.7 million paid subscribers by January 2026 — 75% year-on-year growth. Deployed at 90% of Fortune 100 companies.
10. Google — Sundar Pichai at Google Cloud Next 2026
Google, 22 April 2026
blog.google/innovation-and-ai/infrastructure-and-cloud/google-cloud/cloud-next-2026-sundar-pichai
75% of all new code at Google is AI-generated, reviewed and approved by engineers before it ships. Up from just over 25% in mid-2024.
11. Gartner — Generative AI Will Require 80% of Engineering Workforce to Upskill Through 2027
Gartner, 3 October 2024
gartner.com/en/newsroom/press-releases/2024-10-03-gartner-says-generative-AI-will-require-80-percent-of-engineering-workforce-to-upskill-through-2027
12. OX Security — State of AI-Generated Code Report
OX Security, October 2025
prnewswire.com/news-releases/ox-report-ai-generated-code-violates-engineering-best-practices-302592642.html
300+ open-source repositories analysed. Ten recurring anti-patterns present in 70–100% of AI-generated code, including incomplete error handling, weak concurrency management, and inconsistent architectural decisions.
13. Codebridge — The Hidden Costs of AI-Generated Software: Why It Works Isn’t Enough
Codebridge
codebridge.tech/articles/the-hidden-costs-of-ai-generated-software-why-it-works-isnt-enough
Analysis of the 18-month wall pattern in AI-assisted projects without proper governance: velocity gains in months one to three, followed by plateau and decline.
14. Garry Tan — Y Combinator W25 batch AI-generated code
Garry Tan, X, 4 March 2025
x.com/garrytan/status/1897303270311489931
*25% of YC Winter 2025 batch startups had codebases that were 95% LLM-generated.
You’re reading The Next Evolution by Neil Catton, articles that explore the human world and the intersection of technology, they try and ask difficult questions - not to scare - but to inform. If someone forwarded this to you, you can subscribe free at neilcatton.substack.com.
Neil Catton is the author of The Next Evolution, The Cognitive Crucible and The Shadow System - available on Amazon, and writes at the intersection of technology, ethics, and human purpose.


Really insightful piece, Neil. It highlights the tension between raw speed and deep capability. Right now, AI is a great co-pilot for flattening repetitive tasks in development and testing, but its progress is definitely a jagged edge rather than a smooth wave. You raise an important point that we should remember that we are in the era of augmented engineering, not automated replacement.
As an industry, we're seeing architecture and complex design lag behind the velocity of pure code generation. It makes the risk of developer skill atrophy very real. I love the idea of instituting deliberate "no-AI" or "human-only engineering" days. It’s a pragmatic way to keep engineering intuition sharp and ensure we don’t outsource the critical systems-thinking that AI can't replicate. Thanks for provoking some great reflection here!