IT Brief US - Technology news for CIOs & IT decision-makers
GitLab warns of AI code governance gap in new report

Tue, 23rd Jun 2026
Sean Mitchell, Publisher

GitLab has released its 2026 AI Accountability Report, based on a survey of 1,528 developers and technology buyers across six countries.

The findings point to a widening gap between the rapid uptake of AI coding tools and the controls organisations use to track, review and govern the code they produce.

According to the report, 91% of organisations now have at least two AI coding tools in active use, while 54% have three or more. At the same time, 78% of respondents said developers are writing and committing code faster since adopting AI tools, and 60% said returns from AI coding have exceeded expectations.

That speed has not removed friction elsewhere in the software process. While 79% of respondents said AI has improved individual developer productivity, the overall software delivery process has not advanced at the same rate.

Control gaps

A central theme in the research is the difficulty many organisations face in identifying and managing AI-generated code once it enters production. The report found that 84% of respondents agreed the biggest challenge with AI-generated code is governing what happens to it after it is created.

It also found that 82% believe AI-generated code risks creating a new form of technical debt that their organisation is not prepared to manage. Separately, 73% said they are concerned about the maintainability of AI-generated code in their codebase.

Traceability remains a weak point. Only 28% of respondents said their software development lifecycle tools are fully integrated with shared data and workflows, suggesting many teams still rely on fragmented systems to track code origins and ownership.

The top structural barriers were difficulty distinguishing AI-generated code from human-written code, cited by 43% of respondents, fragmented toolchains at 40%, and systems that do not track code origin at 39%.

The survey also highlighted a gap between confidence and operational reality during incidents. While 87% of respondents said they were confident their team could determine within 24 hours whether AI-generated code had contributed to a production incident, 34% of organisations that experienced an incident in the past year said they could not actually make that determination.

Governance lag

Governance emerged as another concern. The report found that 80% of respondents said their organisation adopted AI tools faster than it developed policies to govern them, while 92% reported some form of governance challenge linked to AI-generated code.

For many organisations, that concern has moved from theory to risk management. Some 83% of respondents identified the accumulation of AI-generated code as a risk that needs to be managed now, and 44% described it as a top technology risk.

That appears to be driving planned spending. The report found that 91% of respondents are likely to invest in AI code governance tools over the next 12 months, while 98% have already allocated or expect to allocate budget for that area.

The findings suggest the debate around AI coding is shifting. Rather than focusing only on code generation speed, organisations are increasingly assessing whether they can verify where code came from, what it was intended to do and who is responsible for it after deployment.

Another result underlined that shift. The survey found that 85% of respondents agree AI has moved the main bottleneck from writing code to reviewing and validating it, suggesting development teams may now be producing output faster than their existing assurance processes can handle.

There were also signs that respondents expect the market to move in that direction. According to the report, 85% agreed that the next phase of AI in software will focus less on generating code and more on governing it.

The research was conducted by The Harris Poll and covered respondents in North America, Europe and Asia-Pacific. It surveyed both developers and technology buyers, reflecting views from technical users as well as people involved in software purchasing and oversight.

GitLab framed AI accountability around three practical questions for any line of AI-generated code: where it came from, what it was meant to do and who is responsible for it once it is in production. The results suggest many organisations still struggle to answer those questions consistently across their software environments.

Manav Khurana, Chief Product and Marketing Officer at GitLab, commented on the findings:

"AI coding tools have delivered on their promise of speed. But the events of the past few months, including supply chain attacks, reliability issues, and regulators tightening expectations around AI traceability and provenance, are making clear that speed without control is a liability, not an advantage. The teams thinking ahead are already asking the harder question: can we actually control all the code we're generating? The organisations that will ship trusted software faster are the ones building the foundations of accountability with context, traceability, and governance baked into the platform, not just bolted on after the fact."