TL;DR: AI coding assistants can speed up scaffolding and boilerplate, but multiple studies cited by Cerbos show that experienced developers often slow down, review burden rises, and insecure output can widen privilege escalation paths and expose secrets. The real issue is not typing speed but whether code quality, credential handling, and review gates can keep up with the pace of generation.
NHIMG editorial — based on content published by Cerbos: AI coding assistants expose the gap between speed and production safety
By the numbers:
- In July 2025, the METR randomized trial found experienced open source developers using AI tools were on average 19% slower.
- Only 16.3% of developers said AI made them more productive to a great extent in the 2025 Stack Overflow Developer Survey.
Questions worth separating out
Q: How should teams govern AI coding assistants in production software delivery?
A: Treat AI coding assistants as privileged workflow components, not neutral productivity aids.
Q: When do AI coding assistants create more risk than they reduce?
A: They create more risk when the organisation assumes faster drafting equals safer delivery.
Q: What do security teams get wrong about AI-generated code?
A: The common mistake is reviewing AI output only for obvious bugs and syntax errors.
Practitioner guidance
- Define assistant privilege boundaries: limit what coding assistants, plugins, and extensions can access in the developer environment.
- Require secret-safe development workflows: block API keys, tokens, and credentials from being pasted into prompts or shared with external AI systems.
- Tighten review for AI-generated privilege changes: route changes that affect roles, service accounts, or permission checks through deeper scrutiny than ordinary feature work.
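The second and third guidance points can be enforced mechanically rather than by policy alone. The script below is an added example written for this editorial; it is not code from Cerbos or NHIMG. It shows two small guardrails: a pre-send filter that redacts credential-shaped values from text before it goes to an assistant, and a pre-merge classifier that routes changes touching IAM, roles, service accounts or permission logic into a deeper review lane. The regex patterns, path markers, function names and sample inputs are all constructed for illustration and would need tuning to a real stack.

```python
"""Two guardrails for AI-assisted development (added example, not Cerbos'
or NHIMG's code):

  1. redact_secrets(text): scan text that is about to be sent to an AI
     assistant and redact credential-shaped values before it leaves the
     developer machine.
  2. classify_change(paths, diff_text): decide whether a change touching
     roles, service accounts or permission checks should be routed to a
     deeper "privilege-review" lane instead of ordinary feature review.

All patterns, path markers and sample inputs are constructed for
illustration; real vendor token formats and repo layouts vary.
"""
import re

# Credential-shaped patterns (constructed; tune to the secrets you issue).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    # key = 'value' style assignments; group 2 is the value that gets redacted.
    "generic_assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{16,})"
    ),
}

# Path fragments that mark authorization-sensitive files (constructed list).
PRIVILEGE_PATH_MARKERS = (
    "iam", "rbac", "auth", "policy", "policies", "roles",
    "permissions", "serviceaccount", "service-account",
)
# Words in a diff body that suggest a privilege change (constructed list).
PRIVILEGE_DIFF_KEYWORDS = re.compile(
    r"(?i)\b(role|grant|allow|admin|permission|service_?account)\b"
)


def redact_secrets(text):
    """Return (redacted_text, finding_names) for text bound for an assistant."""
    findings = []
    for name, pattern in SECRET_PATTERNS.items():
        def _replace(match, name=name):
            findings.append(name)
            if match.lastindex and match.lastindex >= 2:
                # Keep the key name so the prompt stays readable; redact only the value.
                prefix = match.group(0)[: match.start(2) - match.start(0)]
                return prefix + f"[REDACTED:{name}]"
            return f"[REDACTED:{name}]"
        text = pattern.sub(_replace, text)
    return text, findings


def classify_change(changed_paths, diff_text=""):
    """Return ("privilege-review" | "standard-review", reasons) for a change."""
    reasons = []
    for path in changed_paths:
        lowered = path.lower()
        if any(marker in lowered for marker in PRIVILEGE_PATH_MARKERS):
            reasons.append(f"path:{path}")
    keywords = sorted({m.group(1).lower() for m in PRIVILEGE_DIFF_KEYWORDS.finditer(diff_text)})
    reasons.extend(f"keyword:{kw}" for kw in keywords)
    lane = "privilege-review" if reasons else "standard-review"
    return lane, reasons


# Constructed sample: a prompt a developer might paste into an assistant.
SAMPLE_PROMPT = (
    "Fix the S3 upload. Config:\n"
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
    "api_key = 'sk_test_0123456789abcdef0123'\n"
    "def upload(path): return client.put(path)\n"
)

# Constructed sample: a change that edits IAM configuration alongside app code.
SAMPLE_PATHS = ["app/services/billing.py", "infra/iam/service-accounts.tf"]
SAMPLE_DIFF = (
    "+resource \"ci_deployer\" {\n"
    "+  role   = \"roles/owner\"\n"
    "+  member = \"serviceAccount:ci@example.invalid\"\n"
    "+}\n"
)

if __name__ == "__main__":
    cleaned, found = redact_secrets(SAMPLE_PROMPT)
    print("secret findings:", found)
    print(cleaned)
    print("review lane:", classify_change(SAMPLE_PATHS, SAMPLE_DIFF))
```

In practice the redaction step sits in whatever layer hands text to the assistant (an editor extension hook, a proxy, or a pre-commit style wrapper), and the classifier runs in CI so that a change flagged as privilege-review cannot merge on the ordinary approval count. Both checks deliberately over-flag: the cost of a false positive is one extra human look, while the cost of a miss is a leaked credential or an unreviewed permission change.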
What's in the full article
Cerbos' full blog post covers the operational detail this post intentionally leaves for the source:
- The specific study findings behind the productivity numbers, including the developer cohorts and task types used in the analysis.
- Examples of AI-generated code issues that create privilege escalation paths, secrets exposure, and review overhead.
- The article's discussion of assistant-driven attack surfaces across plugins, extensions, and cloud-connected developer workflows.
- The team's perspective on when AI coding help is useful for MVP work and when it becomes a net drag on production delivery.