


























Executives are asking engineering teams to accelerate AI adoption. Most engineering leaders, though, cannot answer a basic question: which AI coding assistants are actually in use across our repositories right now?
The gap is the lack of a reliable inventory. This article covers why visibility is the first governance challenge, what repository-level scanning reveals about real adoption patterns, and how to operationalize AI tool tracking without blocking the tools developers rely on.
In this article:
To gain visibility into AI tools used by engineering teams, you can combine quantitative tracking of AI-assisted coding with qualitative developer feedback. Unmonitored AI usage is common, so specialized analytics help track tool usage, security posture, and productivity impact. The challenge, though, is that most engineering leaders cannot answer a straightforward question: which AI coding assistants are active across our repositories right now?
The contradiction is that boards and executives are pushing teams to adopt AI to improve delivery speed. At the same time, leadership often lacks a reliable inventory of which tools developers actually use. The reporting gap widens as AI adoption accelerates.
The visibility problem is not about whether AI is being used, but rather about whether leadership has an auditable view of AI usage across the engineering organization.
Shadow AI in software development goes beyond employees using random chatbots. In engineering contexts, shadow AI includes a range of tools and artifacts that often bypass centralized IT or security visibility.
Here are common forms of shadow AI in development workflows:
AI coding tools have moved well beyond pilot programs. A significant share of developers now use AI assistants daily, and AI-assisted code represents a growing portion of code creation across organizations.
Several patterns are worth noting. Many developers access AI tools through personal accounts, including personal ChatGPT or Claude subscriptions. The average development team uses multiple AI tools simultaneously, often without centralized tracking. GitHub Copilot, ChatGPT, and Claude are common across development workflows, though adoption varies by team and project.
Exact figures depend on survey methodology, company size, and how "AI-assisted" is defined. The direction, however, is clear: AI use has moved beyond experimentation into everyday development practice.
Surveys and procurement data tell part of the story. Repository-level scanning tells another. When you analyze what is actually committed to codebases, a different picture emerges.
Recently, we scanned over 6,700 repositories across more than 800 organizations and detected 27 different coding assistants. Claude Code appeared most frequently by a wide margin, followed by Cursor and Microsoft Copilot. The long tail included Codex, Windsurf, Augment Code, JetBrains Junie, and more than 20 other tools.
On the surface, 27 assistants suggests tool sprawl. At the organization level, though, the average org showed traces of only two coding assistants. Most companies do not have chaos everywhere. They have limited but often unmeasured AI adoption.
The visibility problem is not only "too many tools." It is that leaders do not know which tools are present, where they appear, or how usage differs by repository.

Governance policies often live in places that do not observe actual developer behavior. Security questionnaires, procurement approvals, acceptable-use policies, SSO tool lists, and manual team self-reporting all capture intent. They rarely capture reality.
Here is where governance controls miss common engineering paths:
Even organizations with governance and security validation policies may still have developers using Cursor, Claude, and other tools in parallel. Developer adoption pressure is real: engineers choose tools that help them move faster.
Policies define intent. Inventories reveal reality.
AI-generated or AI-assisted code changes the scale and review model for engineering teams. More code can be produced faster. Review depth may decrease when reviewers assume generated code is correct. Similar patterns may be replicated across repositories quickly.
Security and quality risks include:
Inventory is not a substitute for SAST, SCA, secrets detection, or policy checks. It is the visibility layer that tells leaders where AI code governance applies.
There is also a procurement angle. If most developers already use a particular tool, it may be worth upgrading to an enterprise plan and managing it centrally rather than allowing fragmented personal usage.
Codacy's AI Inventory is a repository-level view of AI assets, tools, workflows, and signals found across codebases. It turns scattered repository evidence into a view engineering leaders can act on.
A useful inventory typically captures:
| Dimension | What it reveals |
|---|---|
| AI tools detected | Which coding assistants appear across repositories Copilot, Claude Code, Cursor, Windsurf) |
|
AI models called |
Which AI models and providers are referenced across repositories (GPT-4o, Claude Sonnet, Gemini, OpenAI SDK, Anthropic SDK, etc.) |
| Repository distribution | Where each tool appears and how usage varies |
| Configuration and workflow files | AI-related config, prompt templates, or agent definitions |
| Policy compliance status | Whether detected tools align with approved lists |
|
AI-related issues |
Security or quality findings in repositories with AI usage |
| Risk assessment summary | Aggregated view of exposure by repository or team |
The goal is to provide enough visibility that leaders can compare detected usage against policy and decide where enforcement applies.
Visibility without action is just reporting. The practical value of AI Inventory comes from connecting it to enforcement and decision-making.
A reasonable approach follows this sequence:
AI tool usage changes quickly. Inventory is not a one-time audit. It works best when continuous or regularly refreshed.
When executives or board members ask about AI adoption, vague answers erode confidence. Specific metrics convert adoption claims into evidence.
Useful leadership metrics include:
Metrics like these help leaders report adoption without relying only on surveys or procurement data. They create a bridge between AI enablement and risk management.

Several patterns undermine AI visibility efforts. Recognizing them early helps avoid wasted effort.
The goal is to create a managed adoption model where leaders know which tools are in use, understand where they appear, define acceptable use by risk level, enforce security and quality checks consistently, and produce evidence for leadership and compliance.
AI adoption has already reached everyday development workflows. The immediate leadership gap is visibility. Leaders cannot credibly report AI adoption or manage AI risk without knowing what is actually being used.
The practical path forward starts with AI inventory across repositories. Use it to align policy, enforcement, and reporting. Then connect it to existing code quality and security controls that already protect the delivery pipeline.
Codacy's AI Inventory provides a repository-level view of AI tools, workflows, and related artifacts, helping engineering leaders track usage, identify policy gaps, and improve visibility across development teams.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。