Appropriate Non-Use & Managed Use

Weight: 15%

Sources verified Dec 25, 2025⚠1 source changed

Why It Matters

The constraint is human review capacity, not AI capability. Opsera data shows regulated industries appropriately calibrate: insurance (50% acceptance), banking (55%), healthcare (60%) vs. startups (75%). High-stakes code requires calibrated processes—extra review time, expertise matching—not blanket prohibitions.

✓ Opsera: Regulated industries show appropriately lower acceptance rates: insurance 50%, banking 55%, healthcare 60% vs. startups 75% ⓘ

×

GitHub Copilot Adoption Trends: Insights from Real Data

Opsera

Provides industry-specific acceptance rate benchmarks that are critical for contextualizing AI adoption. The pattern is clear: regulated industries (healthcare, insurance, finance) show lower acceptance rates due to compliance requirements. This isn't a failure - it reflects appropriate caution. The 35%+ benchmark for 'good' acceptance rate is useful for organizations evaluating their own metrics.

Key Findings:

• Startups: 75% acceptance rate (highest)
• Technology: 70% acceptance rate
• Healthcare: 60% acceptance rate

Credibility: medium

View Source ↗

✓ Veracode: AI-generated code introduced security flaws in 45% of tests, requiring additional verification ⓘ

×

October 2025 Update: GenAI Code Security Report

Veracode

Primary source for AI code security statistics: 45% overall failure rate, 72% for Java specifically. The 'bigger models ≠ more secure code' finding is critical for model_routing - security scanning is needed regardless of model. Java's 72% rate makes it the riskiest language for AI-generated code.

Key Findings:

• AI-generated code introduced risky security flaws in 45% of tests
• Java was the riskiest language with 72% security failure rate
• XSS (CWE-80) defense failed in 86% of relevant code samples

Credibility: high

Referenced by:

Calibrated Trust Vibe Coding Calibrated AI Use Guardrails Quick Reference: AI Code Checklists Debug a Hallucinating AI When AI Gives Garbage Output: A Systematic Troubleshooting Guide Vibe Coding Failures: When 'Accept All' Goes Wrong Security Review Workflow: AI-Assisted Code Auditing

View Source ↗

✓ HHS OCR (Office for Civil Rights): Regulated environments like healthcare have specific compliance requirements for AI tool usage ⓘ

×

HIPAA Security Rule Notice of Proposed Rulemaking to Strengthen Cybersecurity for Electronic Protected Health Information

HHS OCR (Office for Civil Rights)

IMPORTANT: This is a PROPOSED rule (NPRM), not a finalized regulation. Published December 27, 2024 with 60-day comment period. While it addresses cybersecurity broadly (encryption, MFA, audits), it does not specifically address AI coding tools. The relevance to our survey is about the broader compliance environment healthcare organizations must consider when using AI tools that might touch ePHI.

Key Findings:

• PROPOSED rule (NPRM) - not yet finalized
• Major update to strengthen cybersecurity for ePHI
• Requires encryption of ePHI at rest and in transit

Credibility: high

View Source ↗

✓ Addy Osmani: Human verification is critical for AI-generated code - 'Copilot, Not Autopilot' principle ⓘ

×

The 'Trust, But Verify' Pattern For AI-Assisted Engineering

This article provides the conceptual framework for our trust_calibration dimension. The three principles (Blind Trust is Vulnerability, Copilot Not Autopilot, Human Accountability Remains) directly inform our survey questions. The emphasis on verification over speed aligns with METR findings. Practical guidance includes starting conservatively with AI on low-stakes tasks.

Key Findings:

• Blind trust in AI-generated code is a vulnerability
• AI tools function as 'Copilot, Not Autopilot'
• Human verification is the new development bottleneck

Credibility: high

Referenced by:

Calibrated AI Use When AI Gives Garbage Output: A Systematic Troubleshooting Guide Knowing When NOT to Ask AI: Preserving Core Skills Good vs Bad Context: A Side-by-Side Comparison Catching a Hallucination: Trust but Verify Security Review Workflow: AI-Assisted Code Auditing

View Source ↗

Learn More

• ConceptFramework for matching AI oversight levels to code stakes
• ConceptUnderstand failure modes and when AI assistance is inappropriate
• ConceptLearn protective patterns for high-risk contexts
• ConversationDevelop judgment for when to code manually

Assessment Questions (7)

Maximum possible score: 38 points

○ Q1 single choice 5 pts

Are there specific types of code where you deliberately avoid or limit Copilot use?

[1] No - I use it for everything

[3] Yes - a few specific scenarios

[4] Yes - I have clear criteria for when not to use it

[5] Yes - and I use specialized security tools for sensitive areas

Note: Updated for 2025: 'Managed use with specialized tools' scores higher than blanket avoidance

✓ Veracode: AI-generated code introduced security flaws in 45% of tests ⓘ

×

October 2025 Update: GenAI Code Security Report

Veracode

Primary source for AI code security statistics: 45% overall failure rate, 72% for Java specifically. The 'bigger models ≠ more secure code' finding is critical for model_routing - security scanning is needed regardless of model. Java's 72% rate makes it the riskiest language for AI-generated code.

Key Findings:

• AI-generated code introduced risky security flaws in 45% of tests
• Java was the riskiest language with 72% security failure rate
• XSS (CWE-80) defense failed in 86% of relevant code samples

Credibility: high

Referenced by:

Calibrated Trust Vibe Coding Calibrated AI Use Guardrails Quick Reference: AI Code Checklists Debug a Hallucinating AI When AI Gives Garbage Output: A Systematic Troubleshooting Guide Vibe Coding Failures: When 'Accept All' Goes Wrong Security Review Workflow: AI-Assisted Code Auditing

View Source ↗

✓ Google DORA: 39% of developers trust AI output only 'a little' or 'not at all' ⓘ

×

State of AI-Assisted Software Development 2025

Google DORA

The 2025 DORA report introduces the 'AI Capabilities Model' identifying seven practices that amplify AI benefits. The core insight is that AI is an 'amplifier' - it magnifies existing organizational strengths AND weaknesses. Key stats: 89% of orgs prioritizing AI, 76% of devs using daily, but 39% have low trust. The trust research is critical: developers who trust AI more are more productive, but trust must be earned through organizational support (policies, training time, addressing concerns). The 451% adoption increase from acceptable-use policies is remarkable - clarity enables adoption.

Key Findings:

• 89% of organizations prioritizing AI integration into applications
• 76% of technologists rely on AI for parts of their daily work
• 75% of developers report positive productivity impact from AI

Credibility: high

Referenced by:

Debug a Hallucinating AI Monthly Source Audit: Maintaining Content Accuracy

View Source ↗

○ Q2 multi select 8 pts

How does your team handle code review for high-stakes changes?

[2] Extra review time allocated for sensitive areas

[2] Reviewers have domain expertise for what they're reviewing

[2] Reviewers must demonstrate understanding, not just approve

[2] Security scanning runs on all changes (AI-generated or not)

[0] We treat all code the same regardless of stakes

Note: Process over prohibition: the bottleneck is human review capacity, not AI capability. An auth expert can use AI for auth code—with appropriate review depth.

✓ Addy Osmani: Human verification is the new development bottleneck ⓘ

×

The 'Trust, But Verify' Pattern For AI-Assisted Engineering

This article provides the conceptual framework for our trust_calibration dimension. The three principles (Blind Trust is Vulnerability, Copilot Not Autopilot, Human Accountability Remains) directly inform our survey questions. The emphasis on verification over speed aligns with METR findings. Practical guidance includes starting conservatively with AI on low-stakes tasks.

Key Findings:

• Blind trust in AI-generated code is a vulnerability
• AI tools function as 'Copilot, Not Autopilot'
• Human verification is the new development bottleneck

Credibility: high

Referenced by:

Calibrated AI Use When AI Gives Garbage Output: A Systematic Troubleshooting Guide Knowing When NOT to Ask AI: Preserving Core Skills Good vs Bad Context: A Side-by-Side Comparison Catching a Hallucination: Trust but Verify Security Review Workflow: AI-Assisted Code Auditing

View Source ↗

✓ The New Stack: 91% increase in PR review times—review capacity is the constraint ⓘ

×

Is AI Creating a New Code Review Bottleneck for Senior Engineers?

The New Stack

Documents the emerging 'AI Productivity Paradox': AI increases output but creates review bottlenecks. The 91% increase in PR review times despite 21% more tasks completed shows the shifting bottleneck problem. Critical for organizational integration dimension.

Key Findings:

• Teams with heavy AI use completed 21% more tasks but PR review times increased 91%
• 67% of developers spend more time debugging AI-generated code
• 68% note increased time spent on code reviews

Credibility: medium

Referenced by:

AI System Monitoring Compare Chat vs RAG vs Agent

View Source ↗

○ Q3 single choice 5 pts

If you work in healthcare or with PHI: Are you aware of the HIPAA implications?

[0] N/A - I don't work with healthcare data

[0] No - I didn't know there were specific regulations

[1] Vaguely - I know there might be compliance issues

[3] Yes - I never put actual PHI in prompts and use synthetic test data

[5] Yes - we have data handling policies for AI tools and review prompt logging practices

Note: The compliance concern is PHI in prompts, not code that handles PHI. GitHub doesn't sign BAAs for Copilot, so actual patient data in prompts creates exposure.

✓ Microsoft: GitHub doesn't sign BAAs for Copilot; compliance risk is PHI in prompts, not code logic ⓘ

×

Microsoft HIPAA/HITECH Compliance Documentation

Microsoft

GitHub doesn't sign BAAs for Copilot, meaning prompts containing actual PHI would create compliance exposure. However, the concern is data in prompts, not code logic - writing code that handles PHI (without embedding patient data in prompts) is generally safe. Note: Microsoft 365 Copilot (for Word/Excel/Teams) is a different product from GitHub Copilot (for code) and is not a substitute for code completion needs.

Key Findings:

• GitHub doesn't sign BAAs for Copilot products
• Microsoft 365 Copilot (Word/Excel/Teams AI, NOT code completion) can be BAA-covered
• Compliance concern is PHI in prompts/context, not code that handles PHI

Credibility: high

View Source ↗

○ Q4 single choice 5 pts

Do you work in a regulated industry, and if so, how mature is your AI compliance?

[0] Not in a regulated industry (financial, government, defense, healthcare, energy)

[0] Regulated industry - no AI-specific policies exist

[1] Regulated industry - general AI guidance but not regulation-specific

[3] Regulated industry - policies aligned to regulatory requirements

[5] Regulated industry - compliance-reviewed policies with regular audits

Note: Combines industry classification with policy maturity. Regulated industries (SOX, FedRAMP, HIPAA, EU AI Act, etc.) face heightened AI compliance requirements. EU AI Act enforcement begins 2025.

✓ European Union: EU AI Act creates specific requirements for high-risk AI applications ⓘ

×

Regulation (EU) 2024/1689 - Artificial Intelligence Act

European Union

The EU AI Act establishes a comprehensive risk-based regulatory framework for AI systems, classifying them into prohibited, high-risk, and general-risk categories with varying compliance requirements. Enforcement begins in 2025, with organizations using AI coding tools needing to assess whether their implementations fall under high-risk categories. This regulation sets global precedent for AI governance and directly impacts how development teams can deploy AI-assisted development tools.

Key Findings:

• Enforcement begins 2025
• Regulates AI systems by risk level
• Applies to AI coding tools used in EU

Credibility: high

View Source ↗

✓ European Parliament: EU AI Act enforcement begins 2025 ⓘ

×

AI Act Implementation Timeline

European Parliament

EU AI Act enforcement began in 2025 with prohibited practices and GPAI rules. Full application by 2026. Critical for appropriate_nonuse and legal_compliance dimensions.

Key Findings:

• EU AI Act entered into force August 1, 2024
• Prohibited AI practices effective February 2, 2025
• GPAI model obligations effective August 2, 2025

Credibility: high

View Source ↗

○ Q5 single choice 5 pts

Do you work on safety-critical systems where AI code errors could cause physical harm?

[0] No - not safety-critical

[0] Yes - I use AI tools normally

[2] Yes - I use AI but with extra verification

[4] Yes - I avoid AI for safety-critical components

[5] Yes - AI prohibited by policy for safety-critical code

Note: Safety-critical systems (automotive, medical devices, aviation) require highest verification or AI prohibition.

✓ Veracode: Security-critical code requires additional verification beyond AI generation ⓘ

×

October 2025 Update: GenAI Code Security Report

Veracode

Primary source for AI code security statistics: 45% overall failure rate, 72% for Java specifically. The 'bigger models ≠ more secure code' finding is critical for model_routing - security scanning is needed regardless of model. Java's 72% rate makes it the riskiest language for AI-generated code.

Key Findings:

• AI-generated code introduced risky security flaws in 45% of tests
• Java was the riskiest language with 72% security failure rate
• XSS (CWE-80) defense failed in 86% of relevant code samples

Credibility: high

Referenced by:

Calibrated Trust Vibe Coding Calibrated AI Use Guardrails Quick Reference: AI Code Checklists Debug a Hallucinating AI When AI Gives Garbage Output: A Systematic Troubleshooting Guide Vibe Coding Failures: When 'Accept All' Goes Wrong Security Review Workflow: AI-Assisted Code Auditing

View Source ↗

✓ European Union: High-risk AI systems have specific regulatory requirements ⓘ

×

Regulation (EU) 2024/1689 - Artificial Intelligence Act

European Union

The EU AI Act establishes a comprehensive risk-based regulatory framework for AI systems, classifying them into prohibited, high-risk, and general-risk categories with varying compliance requirements. Enforcement begins in 2025, with organizations using AI coding tools needing to assess whether their implementations fall under high-risk categories. This regulation sets global precedent for AI governance and directly impacts how development teams can deploy AI-assisted development tools.

Key Findings:

• Enforcement begins 2025
• Regulates AI systems by risk level
• Applies to AI coding tools used in EU

Credibility: high

View Source ↗

○ Q6 single choice 4 pts

How well do you understand Copilot's limitations for your specific tech stack and work?

[1] Not well - I'm not sure what it's bad at

[2] Somewhat - I know some general limitations

[3] Well - I know where it struggles in my context

[4] Very well - I could list specific failure patterns

✓ METR: Understanding AI limitations is key - developers perceived 20% speedup but measured 19% slowdown ⓘ

×

Measuring the Impact of Early-2025 AI on Experienced Open-Source Developer Productivity

METR

This is the most rigorous 2025 study on AI coding productivity. The RCT methodology (16 experienced developers, 246 tasks, $150/hr compensation) makes this highly credible. The 39-44 percentage point gap between perceived and actual productivity is the key insight for our trust_calibration dimension. This directly supports recommendations about not over-trusting AI suggestions and maintaining verification practices.

Key Findings:

• Experienced developers were 19% slower with AI
• Developers perceived 20% speedup (39-44 percentage point gap)
• Self-reported productivity may not reflect reality

Credibility: high

Referenced by:

Understanding AI Limitations Calibrated AI Use AI System Monitoring The AI Productivity Paradox Managing Review Fatigue: When AI Output Overwhelms Human Oversight When AI Gives Garbage Output: A Systematic Troubleshooting Guide Knowing When NOT to Ask AI: Preserving Core Skills Catching a Hallucination: Trust but Verify

View Source ↗

✓ Addy Osmani: Calibrated trust requires understanding model limitations ⓘ

×

The 'Trust, But Verify' Pattern For AI-Assisted Engineering

This article provides the conceptual framework for our trust_calibration dimension. The three principles (Blind Trust is Vulnerability, Copilot Not Autopilot, Human Accountability Remains) directly inform our survey questions. The emphasis on verification over speed aligns with METR findings. Practical guidance includes starting conservatively with AI on low-stakes tasks.

Key Findings:

• Blind trust in AI-generated code is a vulnerability
• AI tools function as 'Copilot, Not Autopilot'
• Human verification is the new development bottleneck

Credibility: high

Referenced by:

Calibrated AI Use When AI Gives Garbage Output: A Systematic Troubleshooting Guide Knowing When NOT to Ask AI: Preserving Core Skills Good vs Bad Context: A Side-by-Side Comparison Catching a Hallucination: Trust but Verify Security Review Workflow: AI-Assisted Code Auditing

View Source ↗

○ Q7 multi select 6 pts

How do you ensure your coding skills don't atrophy from AI reliance?

[1] I sometimes code without AI deliberately

[1] I deeply review AI code to learn from it

[1] I practice fundamentals separately (leetcode, learning, etc.)

[1] I make sure I can explain any AI code I use

[2] We have 'AI-free' practice sessions or days

[0] I don't actively think about this / not concerned

Note: Addy Osmani identifies skill atrophy as a real risk—but one that's preventable with deliberate practice.

✓ Addy Osmani: Skill surface shifts from 'write code' to 'verify and supervise AI code' ⓘ

×

AI Won't Kill Junior Devs - But Your Hiring Strategy Might

Addy Osmani reframes the junior developer AI debate from risk to opportunity. Key insight: AI accelerates careers for juniors who adapt by shifting from 'write code' to 'supervise AI code'. Teams with updated mentorship create accelerated apprenticeships. The real threat is hiring strategies, not AI itself.

Key Findings:

• AI is a career accelerant for juniors who adapt
• Skill surface shifts from 'write code' to 'verify and supervise AI code'
• Updated mentorship: coach on integrating AI without over-dependence

Credibility: high

Referenced by:

AI-Era Career Strategy

View Source ↗

✓ Addy Osmani: Blind trust in AI is a vulnerability; deliberate practice maintains skills ⓘ

×

The 'Trust, But Verify' Pattern For AI-Assisted Engineering

This article provides the conceptual framework for our trust_calibration dimension. The three principles (Blind Trust is Vulnerability, Copilot Not Autopilot, Human Accountability Remains) directly inform our survey questions. The emphasis on verification over speed aligns with METR findings. Practical guidance includes starting conservatively with AI on low-stakes tasks.

Key Findings:

• Blind trust in AI-generated code is a vulnerability
• AI tools function as 'Copilot, Not Autopilot'
• Human verification is the new development bottleneck

Credibility: high

Referenced by:

Calibrated AI Use When AI Gives Garbage Output: A Systematic Troubleshooting Guide Knowing When NOT to Ask AI: Preserving Core Skills Good vs Bad Context: A Side-by-Side Comparison Catching a Hallucination: Trust but Verify Security Review Workflow: AI-Assisted Code Auditing

View Source ↗

Practice Conversations (1)

Learn through simulated conversations that demonstrate key concepts.

intermediate 10 min

Knowing When NOT to Ask AI: Preserving Core Skills

You're a developer who could ask AI for help with a task, but you're wondering if you should

8 messages →