CFOtech Canada - Technology news for CFOs & financial decision-makers
AI coding tools may raise enterprise software risk

Wed, 17th Jun 2026
Karen Joy Bacudo, Finance Editor

Software Improvement Group has published its State of Software 2026 report, which finds that AI coding tools can increase technical debt, security risk and operating costs in some enterprise software projects.

The study is based on analysis of more than 30,000 enterprise systems and more than 400 billion lines of code. It examines how AI-assisted coding and autonomous agents are changing software development as businesses expand their use of those tools.

Its central conclusion is that AI neither automatically improves software quality nor automatically harms it. Instead, it tends to magnify the engineering discipline and governance already in place within an organisation.

Companies with stronger controls over architecture, code quality and measurement can use AI to speed up delivery. Those with weaker oversight may accelerate technical debt and security exposure.

One case study cited in the research found that autonomous AI agents built a system in a week, but the project incurred between €10 million and €15 million in AI token fees. The resulting code was described as nearly unmaintainable.

The report also points to a pattern in which developers generate more code to satisfy AI-driven metrics, then spend more time and tokens revising or correcting that output. It says this can erode the productivity gains associated with AI-assisted development.

Security concerns

In SIG's testing, AI-generated code showed roughly twice the security risk violations of human-written code. More than half of the AI-generated code also contained vulnerabilities.

The wider benchmark paints a difficult picture for enterprise software quality even before AI enters the process. The report found that 71% of code has a low degree of security controls, while 86% falls below SIG's recommended maintainability rating.

Architecture was another area of concern. Half of the code assessed scored below SIG's recommended architecture rating, although the report found that stronger architecture reduces issue-resolution time by 30%.

Technical debt remains a significant financial issue. SIG estimated that reducing code-level technical debt can save €870,000 in developer time per system per year.

The findings also suggest a practical ceiling on AI coding gains in larger codebases. Once a codebase reaches 100,000 lines, productivity gains collapse because large language models cannot adequately comprehend complex software architecture, according to the report.

Token consumption is another factor affecting cost. AI token spending for a team of 50 developers now averages the equivalent of nearly one additional developer, while agentic coding tasks can consume up to 1,000 times more tokens than standard code chat or reasoning.

Broader benchmark

The study also assessed systems built specifically for AI use. It found that 72% of AI systems in production score below SIG's recommended build-quality rating.

The research also links software quality and security outcomes closely. Systems with lower code-level technical debt show up to 72% stronger security compliance, according to the report.

Luc Brandts, Chief Executive Officer at Software Improvement Group, said the results should not be read as a rejection of AI in software development.

"Nothing in this report is an argument against AI. The productivity gains are real, and the organisations that fail to embrace it risk falling behind those that learn to use it effectively. But you cannot manage what you do not measure, and you cannot sustain speed on a foundation you do not understand. When code generation outruns governance, technical debt accumulates faster, security exposure widens, and the systems a business depends on become harder to maintain and evolve," Brandts said.

The findings come as businesses move from using AI as a coding assistant to deploying tools that can write, test and merge code with less human involvement. That shift increases the importance of software governance, as speed in generation does not remove the need for maintainability, architecture control or security review.

AI-generated code currently accounts for 1.9% of enterprise production code in SIG's benchmark. Even at that level, the report suggests the financial and operational effects of weak controls can become material as organisations scale up their use of autonomous coding tools.

Across the benchmark, the message is that software quality problems already exist in many companies, and AI can intensify them rather than resolve them.