93% of Developers Use AI. Productivity Is Up 10%. Welcome to the 2026 AI Paradox

Three numbers from this week's data are doing the rounds in CTO Slack channels, and they do not fit comfortably together. First: 92.6% of developers use an AI coding assistant at least monthly, 82% daily or weekly, and 41% of all code shipped to production worldwide is now AI-generated. Second: in spite of that, average reported productivity gains are stuck around 10%, and a controlled METR study famously showed experienced open-source developers were 19% slower with AI than without. Third: AI-assisted code carries a 23.7% higher rate of security vulnerabilities than human-written code.

If you are running an engineering org, those three numbers describe a paradox: maximal adoption, modest aggregate gains, and rising downstream risk. The temptation is to declare the AI coding revolution oversold. That would be the wrong conclusion. The right conclusion is that the value is real — but it is leaking out of three specific holes, and you can plug all three this quarter.

1. The numbers in one paragraph

84% of developers using AI tools, 41% of code AI-generated, 26.9% of production code AI-authored (up from 22% one quarter ago). Self-reported productivity uplift: 10–30%, depending on which study you trust. Senior developer productivity in controlled trials: −19% in some tasks, +0% in many others, with significant variance. Meanwhile, 66% of developers say the biggest issue with AI is "not fully correct" output, and security vulnerability density in AI code is up 23.7%.

2. Why faster typing didn't translate to faster shipping

A coding agent finishes the diff faster. It does not finish the work faster. "The work" includes understanding the ticket, designing the change, getting through code review, passing CI, debugging the staging regression, getting it past your security scanner, and shipping it without a customer ticket. AI compresses one slice of that pipeline — the typing — by maybe 50%. The other slices are unchanged or worse. If the typing was already 20% of total cycle time, you get 10% saved. That is exactly the headline number. The arithmetic was always going to land here; we just refused to do it.

3. The hidden tax: a 23.7% rise in vulnerabilities

The security data is the most underreported part of the paradox. The same models that produce a clean controller method will also confidently emit string-concatenated SQL, missing CSRF tokens, weak password rules, and dependency on a package whose latest version was published yesterday by a freshly registered npm account. (See: this week's "Mini Shai-Hulud" SAP npm compromise, covered in this digest's security article.) AI-generated code is not less secure because the model is malicious; it is less secure because the average training-set example was less secure than your team's hand-rolled, code-reviewed equivalent. Average code is the new floor.

4. What actually moves the productivity needle

The teams getting more than 10% are doing four things. They give the agent a CLAUDE.md or equivalent project-specific context. They scope agents to a single layer (the test agent only writes tests; the migration agent only edits SQL migrations) instead of asking one agent to do everything. They run a security linter before the agent's diff is allowed into a branch — not after, not in code review. And they measure cycle time end-to-end, not "lines of code per developer per day," which is the metric most likely to make AI look amazing while you ship slower.

My take

The "AI is making us slower" narrative is wrong, and so is the "AI 10x'd my team" narrative. The honest read of May 2026 data is: AI is a 10–15% productivity boost, a 24% security regression, and a 100% change in how junior engineers learn. Net it out and the short-term ROI is real but modest, the medium-term security debt is genuine and growing, and the long-term skills picture is the part nobody is pricing yet. The companies that will look smartest in 18 months are the ones investing now in AI-aware code review, mandatory CLAUDE.md-style context, and a deliberate apprenticeship pipeline that prevents juniors from outsourcing their core skill to a model. The ones that just buy more Copilot seats and hope for the best are paying for productivity they will never see.