AI coding tools have moved from experiment to routine software work faster than many company policies can handle. A global study from cloud security firm Checkmarx found a sharp mismatch between official rules and what development teams are actually doing.
The headline finding is simple: 99% of development teams use AI coding tools, while 15% of surveyed companies have explicitly prohibited them. That gap matters because it shows that banning code AI does not necessarily stop its use inside development departments.
What the Checkmarx study found
The study describes a software workplace where generative AI is already deeply embedded. Nearly all development teams are using AI coding tools, including in organizations where those tools are not allowed by policy.
This creates a practical challenge for companies. If developers keep using AI despite restrictions, leaders may have less visibility into which tools are being used, what code is being generated, and how that code is reviewed before it enters a software environment.
The study also points to a governance gap. Only 29% of companies have established any form of governance for generative AI tools. In 70% of cases, there is no central strategy, and purchasing decisions are made on an ad-hoc basis by individual departments.
That means the issue is not only whether AI coding tools are allowed. It is also whether companies have clear ownership, consistent rules, and a shared process for deciding how generative AI should be used in application development.
Why bans are hard to enforce
The Checkmarx findings suggest that formal restrictions can fail when they do not match day-to-day developer behavior. A company may ban AI coding tools, but developers may still see them as useful enough to keep using them.
That leaves security and technology leaders with a difficult problem. If a tool is used openly, it can be governed, reviewed, and integrated into existing software processes. If it is used quietly, the organization may have less ability to understand the risks or shape safe practices.
The source article also notes that Microsoft's Work Trend Index recently reported similar findings. It showed that many employees use their own AI tools when none are provided, and often do not discuss that use. According to the article, that silence makes it harder to integrate generative AI systematically into business processes.
For development teams, the same dynamic can become especially important because code is not just a productivity artifact. It becomes part of products, services, and internal systems. When AI-generated code enters that pipeline without a clear policy, the company still owns the result.
Security worries are already widespread
The study found that 80% of respondents are worried about potential threats from developers using AI. It also found that 60% express concern about AI issues such as hallucinations.
Those concerns are directly tied to software quality and application security. If AI produces code that looks useful but contains mistakes, the burden of detection falls back on the development and security process. The more AI-generated code enters that process, the more pressure those review systems may face.
"The responses of these global CISOs expose the reality that developers are using AI for application development even though it can’t reliably create secure code, which means that security teams are being hit with a flood of new, vulnerable code to manage," said Kobi Tzruya, chief product officer at Checkmarx.
That statement captures the central tension in the study. Developers are adopting AI coding tools because they can help with application development, but security teams are concerned that the output may increase the amount of vulnerable code they need to manage.
Companies still see potential in code AI
The findings are not simply a rejection of AI in software development. Despite the security concerns, there is still strong interest in what AI coding tools could do inside development workflows.
According to the study, 47% of respondents were open to allowing AI to make unsupervised code changes. Only 6% said they would not trust AI with security measures in their software environment.
Those two findings show that many organizations are not trying to avoid AI altogether. Instead, they appear to be caught between optimism about AI's usefulness and concern about how to control its risks.
That makes governance the core issue. The study's numbers show that AI coding tools are already being used widely, but policies, purchasing decisions, and security practices are not always keeping up.
The real question is control
The most important lesson from the Checkmarx study is that code AI adoption is not waiting for perfect rules. Developers are already using these tools at scale, and some are doing so even where companies have banned them.
For organizations, the choice is becoming less about whether AI coding tools exist in the workplace and more about whether their use is visible, governed, and connected to security review. A ban may state a position, but the study suggests it may not describe reality inside development teams.
That reality creates a clear management problem. Companies need to understand how AI coding tools are entering software workflows, who is making purchasing decisions, and how AI-generated code is checked before it creates risk.
The Checkmarx study points to a future where generative AI in application development is normal, but unevenly governed. The companies that close that gap may have a better chance of capturing the benefits of AI coding tools without leaving security teams to handle the consequences alone.