
The trust gap in AI-generated code: why quality gates matter.


Sonar’s developer survey for 2026 reveals a striking tension. AI now accounts for 42% of committed code, with projections that this could reach 65% by 2027. At the same time, 96% of developers say they do not fully trust AI-generated code. The result is a trust gap that organisations cannot afford to ignore.

Volume without confidence

The growth in AI-generated code is not surprising. Coding assistants are fast, widely available and increasingly capable. They lower the barrier to producing working code and help developers move through boilerplate, unfamiliar APIs and repetitive tasks. For many teams, they have become the default way to write.

But volume is not the same as quality. Generated code can contain subtle bugs, security weaknesses, outdated patterns or dependencies that do not fit the codebase’s conventions. Developers know this, which explains the low trust score. The code is being accepted into repositories because it passes review, not because it is believed to be flawless.

Why trust matters for velocity

Low trust is not just a sentiment issue. It affects behaviour. Developers may spend extra time re-reading generated code, second-guessing suggestions or adding manual checks that slow the workflow. Teams may also become dependent on a small number of reviewers who are willing to scrutinise AI output carefully.

Over time, a codebase with a high proportion of unverified generated code becomes harder to change. Technical debt accumulates invisibly because the code looks modern and idiomatic while harbouring inconsistency or fragility. The short-term speed gain can become a long-term maintenance burden.

Closing the gap with quality gates

The answer is not to ban AI-generated code. It is to strengthen the quality gates through which it passes. Several practices help:

Require test coverage for generated changes. An AI-assisted change should arrive with tests, not excuses. If the developer cannot write a test for the generated code, that is a signal that the change is not well understood.

Run static analysis and security scanning automatically. Generated code should pass the same linters, type checkers and vulnerability scanners as human-written code. Ideally, these run before the developer is asked to review.

Enforce architectural consistency. Define and automate checks for coding standards, dependency rules and design patterns. An AI assistant does not know your architecture unless you make it explicit and enforceable.

Review for correctness, not just style. Human review of AI-generated code should focus on whether the change does what it claims, handles edge cases and integrates safely. Style comments are easy; correctness questions are what matter.

Measure and iterate. Track defect rates, review time and revert frequency for AI-assisted changes. Use the data to decide where AI helps and where it creates more work than it saves.
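As an added example that is not from Sonar or from this briefing, the following Python script automates two of the gates above, the test-for-every-change rule and a layered dependency rule, over a constructed change set; the `app/core` → `app/services` → `app/api` layering and the file layout are assumptions for illustration.

```python
"""Minimal merge gate for AI-assisted changes (added example, not Sonar's tooling).

Two of the practices above, run against a constructed change set:
  1. every changed source module must arrive with a changed test file;
  2. dependency rule: a module in a lower layer may not import a higher one.
"""
import ast
from pathlib import PurePosixPath

# Assumed layering, lowest first: core must not import services or api, etc.
LAYERS = ["core", "services", "api"]


def layer_of(path):
    """Return the layer name for app/<layer>/... paths, else None."""
    parts = PurePosixPath(path).parts
    if len(parts) > 1 and parts[0] == "app" and parts[1] in LAYERS:
        return parts[1]
    return None


def missing_tests(changed_files):
    """Changed source modules with no matching tests/test_<module>.py in the change."""
    tests = set()
    for f in changed_files:
        p = PurePosixPath(f)
        if p.parts[0] == "tests":
            tests.add(p.stem[5:] if p.stem.startswith("test_") else p.stem)
    sources = [f for f in changed_files if f.startswith("app/") and f.endswith(".py")]
    return [f for f in sources if PurePosixPath(f).stem not in tests]


def layer_violations(path, source):
    """(path, imported_module) pairs where a lower layer imports a higher layer."""
    own = layer_of(path)
    if own is None:
        return []
    found = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom) and node.module:
            names = [node.module]
        else:
            continue
        for name in names:
            parts = name.split(".")
            if len(parts) > 1 and parts[0] == "app" and parts[1] in LAYERS:
                if LAYERS.index(parts[1]) > LAYERS.index(own):
                    found.append((path, name))
    return found


# Constructed change set: a generated service reaches up into the api layer and has no test.
CHANGED = {
    "app/services/billing.py": "from app.core.money import Money\nimport app.api.routes\n",
    "app/core/money.py": "class Money:\n    pass\n",
    "tests/test_money.py": "def test_money():\n    pass\n",
}


def gate(changed):
    """Return the list of blocking problems; an empty list means the change may merge."""
    problems = [f"no test for {f}" for f in missing_tests(list(changed))]
    for path, src in changed.items():
        problems += [f"{p} imports {m} (lower layer importing higher)"
                     for p, m in layer_violations(path, src)]
    return problems


if __name__ == "__main__":
    for problem in gate(CHANGED):
        print("BLOCK:", problem)
```

In a real pipeline the change set would come from the diff of the pull request, and a non-empty result would fail the check before a human reviewer is asked to look.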

The bottom line

AI-generated code is here to stay and its share of commits will grow. The organisations that benefit will be those that treat it as code that needs verification, not code that is exempt from it. Closing the trust gap is not about rejecting AI; it is about making quality gates strong enough that trust becomes justified.
