By Lars Hegenberg | Senior Innovation Researcher
Last year we published a comprehensive guide to the already exciting AI-augmented coding space, including use cases throughout the entire Software Development Lifecycle (SDLC). Since then, adoption among enterprises has skyrocketed. It is one of the very few GenAI categories that has delivered clear, measurable ROI, and that is not by accident. Software engineering runs on logic, structure, and modular patterns, which is exactly where AI thrives. From automating syntax corrections to composing and combining code components, AI amplifies what developers already do well. Decades of publicly available code give the models a rich foundation to learn from, and any output can be empirically tested and refined.
But there is a catch. With the rapid adoption of code generation, the bottleneck has shifted. It is no longer the act of writing code; it is everything around it. Code is shipping to production at record speed, while internal processes and the rest of the SDLC have been left in the dust. Security and review teams are drowning, and we already have evidence of what happens when agents push code to production without guardrails:
Amazon's website and shopping app went down for nearly six hours recently due to an erroneous software code deployment, and AWS suffered a 13-hour interruption after an autonomous AI tool opted to delete and recreate environments. In a different example, a prompt injection attack resulted in OpenClaw being installed onto 4000 users’ machines.
Bottom line: AI didn't just speed up coding. It exposed the lack of speed throughout the rest of the delivery process. That's the opportunity.
Code Planning
When code generation tools first launched, developers used them in the simplest way possible. Ask the model for a snippet, paste it back into the editor, repeat.
Today, AI augmentation should start much earlier, before the first line of code is written. Modern planning tools translate a high-level idea into a detailed specification and, just as importantly, surface what they don’t know. Rather than guessing at ambiguous requirements, they return a structured list of clarifying questions: Which architectural decisions need to be made? Which API keys are required? Which edge cases have not been considered? The output is a living specification that guides downstream code generation and keeps human intent aligned with machine output as the project evolves.
This is AI graduating from autocomplete to collaborator. It is guiding design and architectural decisions, flagging constraints, and surfacing risks. To do that well, it needs a rich contextual understanding of company policies, project-specific instructions, third-party best practices, and technical documentation. Emerging solutions like Eraser and Traycer are tackling this directly, unlocking rapid architecture designs from text, code, or images and continuously syncing documentation to the codebase.
Code Generation
This use case has gotten the most attention over the past few years, and for good reason. AI tools provide context-aware completions and generate snippets from natural language descriptions. They speed up development, reduce repetitive work, and let developers focus on the high-impact logic. But not all "code generation" is the same. The approaches differ meaningfully.
-
Tab Completion & Editing: Inline code completion is now table stakes in modern development. Tools embedded in IDEs like Cursor, Windsurf, and VSCode anticipate what a developer is trying to do and complete lines or execute local edits without being explicitly asked. They run on compact, purpose-built models optimized for speed and precision.
-
Chat-based File Editing: A step up in scope, chat-based editing gives developers a conversational interface to work across larger surfaces of the codebase. Leveraging larger reasoning models with expansive context windows, these tools handle file creation, dependency management, and cross-file refactoring through natural language, accessible inside an IDE or through a web interface.
-
Background Agents: Further along the autonomy spectrum, background agents operate independently over extended periods, using automated tests to verify their own output and delivering work as a completed pull request. Solutions like Devin, Claude Code, and Cursor Background Agents have made this mode increasingly viable for real development tasks.
-
AI App Builders and Prototyping Tools:
Code Review and Security
Any efficiencies coming from Code Generation solutions will have to be paired with appropriate tooling downstream to avoid the risk of just shifting the bottleneck.
As such, instead of QA engineers manually writing test cases, agentic AI solutions can now generate, run, and evaluate tests across UI, API, and backend layers. Vendors like QA Wolf and Diffblue simulate real-world scenarios to keep testing reliable and continuous. Code review gets the same treatment. Without tooling, developers will be burdened with a lot of manual work: Context-switching between tabs, taking a day to get to a pull request, and drowning in a queue three times longer than before. Tools like Qodo and Greptile triage the noise, flagging code quality issues, standards violations, and bugs before a human ever sees the PR. That frees senior engineers to focus on the decisions that actually need judgment.
Security-focused solutions like Mobb Security or Corgea can scan for vulnerabilities and then automatically deliver fixes directly to developers’ workflows and repositories, thereby maintaining consistent hygiene at scale. Next to the code itself, it’s also important to consider the key entities that make up the broader development ecosystem and reduce the attack surface accordingly.
This includes:
-
Malicious MCP servers: Unvetted MCPs from public catalogs can inject code, exfiltrate credentials, or tamper with agent behavior.
-
Malicious AI rules: Shared rule files (e.g., .cursor/rules) can hide instructions, sometimes via invisible Unicode, that steer agents into inserting backdoors.
-
Local network exposure: Local MCP servers can bind to broader network interfaces, exposing capabilities and data to others on the same network.
-
Excessive MCP permissions: Overly broad access to filesystem, env variables, or APIs creates a wide blast radius.
-
AI-generated vulnerabilities: Without security guidance, AI tools produce vulnerable code, hallucinated dependencies, or replicated OSS flaws.
-
Prompt injection: Hidden instructions in READMEs, web content, or MCP responses can hijack agents into leaking credentials or running shell commands.
Mitigating these risks requires a shift from reactive scanning to proactive guardrails embedded across the developer environment. This is where emerging solutions like Backslash Security come in: vetting and inventorying MCP servers and AI rules before use, as well as enforcing least-privilege permissions and localhost-only bindings. Security should be baked directly into the prompt layer rather than relying on developers to ask for secure code, and agent behavior continuously monitored for drift or anomalies.
Closing the loop, AI-SRE solutions like Ciroos or Cleric pick up where pre-deployment security ends, autonomously investigating production incidents, surfacing root cause, and compressing mean time to resolution. As AI-generated code reaches production faster than ever, AI-SRE ensures operational reliability scales alongside development velocity, turning every incident into institutional memory the next time around.
The SDLC Requires a More Holistic Approach
Code Generation tools addressed the biggest bottleneck at the time of their launch - developers having to manually write code. The problem is the rest of the SDLC did not keep up, dampening overall productivity estimates.
Moving forward, organizations will have to take a more holistic approach, leaning into AI-augmented tools across the entire software delivery process. Emerging solutions like Factory.ai exemplify this shift. It operates as a coordinated team of role-scoped agents taking on planning, code, review, validation, and knowledge - orchestrated end-to-end from ticket to merged PR. The bet is purpose-built agents working in concert produce better outcomes across the SDLC than a single generalist trying to do everything. This directly targets cycle time rather than developer-seat productivity.
When evaluating investments, ROI of coding assistants should not be evaluated in isolation. The real question is end-to-end cycle time from ticket opened to code in production. If that number does not meaningfully improve over time, the gap is almost certainly downstream of coding. In that case, mapping exercises can identify where the queue time is accumulating in the pipeline and should rationalize which slice of this ecosystem to invest in first.
Measuring that impact, metrics also need to become more outcome-oriented instead of activity-based. This is where frameworks like APEX offer a practical template, organizing measurement around AI leverage, predictability, flow efficiency, and developer experience. This anchors AI’s impact to pull request-level activity, end-to-end cycle time, and developer sentiment rather than seat-license adoption.
Automating code generation was just the first step. Time for the rest of the SDLC to catch up!
If you’re curious to learn more or want to stay on top of the latest developments in Innovation, feel free to reach out to us at innovation@trace3.com.
Lars is a Senior Innovation Researcher on Trace3's Innovation Team, where he is focused on demystifying emerging trends & technologies across the enterprise IT space. By vetting innovative solutions, and combining insights from leading research and the world's most successful venture capital firms, Lars helps IT leaders navigate through an ever-changing technology landscape.