Research · VC & Analyst Reports
Research sweep · deep · 2025 – present
AI Dark Code — Organisational Accountability and Control
AI-generated and agent-produced code ("dark code") in enterprise settings, June 2025–April 2026: organisational accountability structures, failure and adaptation of established management frameworks, technical and governance controls, observability and discoverability of agent logic, and documented outcomes from early enterprise adoption.
- financial
- frontier
- academic
- vc
- substack
Synthesised 2026-04-13
Narrative
The dominant story from VC and analyst coverage across June 2025 to April 2026 is a collision between accelerating enterprise adoption of AI-generated and agent-produced code and a governance apparatus that has not kept pace. a16z's June 2025 CIO survey established the baseline: agentic workflows are now production realities, but 'quality assurance of agents is not super easy' and every prompt is tuned for a specific model, creating deep lock-in and accountability ambiguity. By November 2025, McKinsey's State of AI, drawing on 1,993 respondents, confirmed that only 23% of enterprises were scaling any agentic system and that 51% had experienced AI incidents; governance and human-in-the-loop accountability were the explicit separators between high performers and the rest. Bain's Technology Report 2025 reinforced the accountability-distribution problem: while central platform teams own the core infrastructure, domain teams must own agent assembly, testing, and monitoring, yet most organisations lack the observability and lineage infrastructure to make this work.

Forrester moved first on governance: its August 2025 AEGIS framework, the analyst community's first purpose-built governance model for agentic AI, introduced 'least agency' (versus least privilege), 'continuous assurance', and 'explainable outcomes' as core principles, and explicitly named 'obscured causal provenance' and the near-impossibility of post-incident forensics as the defining dark-code problem. Gartner's December 2025 prediction report then issued the sharpest quantitative warning: prompt-to-app approaches will increase software defects by 2,500% by 2028, driven by 'context-deficient' AI code that is syntactically correct but architecturally naive, producing bugs far more expensive to fix than conventional errors.
By early 2026, the analyst consensus had crystallised around several hard numbers and structural predictions. Gartner's January 2026 zero-trust data governance prediction (50% of organisations adopting zero-trust postures for AI-generated data by 2028) and its February 2026 AI governance market sizing ($492M in 2026 spend, $1B+ by 2030) framed the commercial opportunity. Microsoft's February 2026 Cyber Pulse report provided the most direct empirical anchor for the dark-code thesis: first-party telemetry confirmed that more than 80% of Fortune 500 companies are actively running AI agents built with low-code/no-code tools, substantially outside formal engineering review channels. CB Insights identified AI agent observability and evaluation tooling as the fastest-growing cybersecurity sub-segment and an M&A battleground for 2026, with the agent security and risk management market leading on Mosaic score momentum. KPMG's Q4 2025 AI Pulse survey quantified investment intent: half of enterprise leaders plan to allocate $10–50M specifically for data lineage, model governance, and agentic architecture hardening.

The VC prediction landscape (a16z, Bessemer, Sequoia, aggregated by multiple synthesis pieces) converged on 'code clean-up agents' and 'agent operations' as the two organisational responses to the 2025 AI coding boom's technical-debt hangover. Bessemer's Lindsey Li named the clean-up category explicitly, and multiple analysts predict 'agent operations' will become a formal enterprise function analogous to DevOps, complete with audit logs, rollback controls, and human override as non-negotiable production requirements.
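To make the 'agent operations' controls concrete, a minimal sketch of the three mechanisms the VC consensus treats as table stakes (append-only audit logs, rollback, and a human-override gate) might look as follows. This is an illustrative assumption, not any vendor's API: the class, method names, and file format are hypothetical.

```python
import json
import time
import uuid


class HumanOverrideRequired(Exception):
    """Raised when an agent action needs explicit human approval."""


class AgentOps:
    """Hypothetical 'agent operations' wrapper: every action is recorded
    in an append-only JSON Lines audit log, reversible actions register a
    rollback hook, and high-risk actions are blocked pending human approval.
    All names here are illustrative sketches, not a real library."""

    def __init__(self, audit_path="agent_audit.jsonl"):
        self.audit_path = audit_path
        self._undo = []  # stack of (action_id, rollback_fn)

    def _log(self, record):
        # Append one immutable audit record per event.
        record.update({"ts": time.time(), "id": str(uuid.uuid4())})
        with open(self.audit_path, "a") as f:
            f.write(json.dumps(record) + "\n")
        return record["id"]

    def execute(self, action, args, run, rollback=None,
                high_risk=False, approved=False):
        # Human-override gate: high-risk actions stop here unless approved.
        if high_risk and not approved:
            self._log({"action": action, "args": args, "status": "blocked"})
            raise HumanOverrideRequired(action)
        action_id = self._log({"action": action, "args": args,
                               "status": "executed"})
        if rollback is not None:
            self._undo.append((action_id, rollback))
        return run(**args)

    def rollback_last(self):
        # Undo the most recent reversible action and audit the rollback too.
        action_id, fn = self._undo.pop()
        fn()
        self._log({"action": "rollback", "target": action_id,
                   "status": "executed"})
```

The design choice the analysts emphasise is that the log is written before and independently of the action's outcome, so post-incident forensics does not depend on the agent's own (possibly obscured) reasoning trace.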
Sources
| ID | Title | Outlet | Date | Significance |
|---|---|---|---|---|
| v1 | How 100 Enterprise CIOs Are Building and Buying Gen AI in 2025 | Andreessen Horowitz (a16z) | 2025-06 | Surveying 100 CIOs across 15 industries, a16z identifies the rise of agentic workflows as straining model-switching flexibility and introduces the concept of 'quality assurance of agents' as a new, non-trivial engineering burden replacing traditional QA. |
| v2 | The State of AI in 2025: Agents, Innovation, and Transformation | McKinsey & Company (QuantumBlack) | 2025-11 | Drawing on 1,993 respondents across 105 countries, McKinsey finds only 23% of enterprises are scaling agentic AI and 51% report AI incidents, framing governance and human-in-the-loop accountability as the separating factor between AI high performers and laggards. |
| v3 | Building the Foundation for Agentic AI (Technology Report 2025) | Bain & Company | 2025 | Bain argues that distributed accountability for agent assembly, testing, and monitoring must be built into enterprise domain teams from inception, and that observability, security, governance, and controls must be embedded — not bolted on — as a prerequisite for safe agentic scale. |
| v4 | Introducing Forrester's AEGIS Framework: Agentic AI Enterprise Guardrails for Information Security | Forrester Research | 2025-08 | Forrester's landmark AEGIS framework introduces 'least agency' as the agentic analogue to least privilege, and codifies six governance domains specifically designed for autonomous AI — marking the first major analyst framework to replace infrastructure-centric security controls with intent-centric ones for agent-generated artefacts. |
| v5 | Gartner Predicts 2026: AI Potential and Risks Emerge in Software Engineering Technologies | Gartner | 2025-12 | Gartner's December 2025 prediction report warns that prompt-to-app citizen development will increase software defects by 2,500% by 2028, identifying 'context-deficient' AI code — syntactically correct but architecturally naive — as a new defect class invisible to traditional testing. |
| v6 | Gartner Predicts by 2028, 50% of Organizations Will Adopt Zero-Trust Data Governance as Unverified AI-Generated Data Grows | Gartner | 2026-01 | Gartner frames AI-generated data proliferation — including code — as a model-collapse and compliance risk requiring zero-trust data governance postures, with 84% of CIOs planning to increase GenAI funding in 2026 despite these risks. |
| v7 | Global AI Regulations Fuel Billion-Dollar Market for AI Governance Platforms | Gartner | 2026-02 | Gartner quantifies that organisations using AI governance platforms are 3.4× more likely to achieve high governance effectiveness, and projects the AI governance market to reach $492M in 2026 and surpass $1B by 2030, driven by regulatory fragmentation. |
| v8 | Gartner Predicts AI Regulatory Violations Will Result in a 30% Increase in Legal Disputes for Tech Companies by 2028 | Gartner | 2025-10 | A Gartner survey of 360 IT leaders finds that over 70% cite regulatory compliance as a top-three challenge for GenAI deployment, while only 23% are confident in their organisation's ability to manage security and governance — directly quantifying the accountability gap around AI-produced artefacts. |
| v9 | Why CIOs Must Integrate Governance into Enterprise AI | Gartner (via CIO Dive) | 2025 | Gartner VP Analyst Sumit Agarwal explicitly argues that traditional AI governance built on periodic audits and static policies cannot manage nondeterministic agentic architectures, calling for governance mechanisms embedded directly into AI architecture. |
| v10 | 5 AI Agent Predictions for 2026 | CB Insights | 2026-03 | CB Insights identifies AI agent observability and evaluation tooling as an M&A battleground for 2026, drawing on its Market Index of 1,600+ tech markets and Q4'25 enterprise survey to map where governance gaps are driving the most urgent investment. |
| v11 | The AI Agent Tech Stack | CB Insights | 2025-10 | CB Insights maps the maturing AI agent stack and identifies the AI agent security and risk management market as the fastest-growing cybersecurity segment, with observability, evaluation, and governance applications seeing accelerating early-stage funding and acquisitions. |
| v12 | AI 100: The Most Promising Artificial Intelligence Startups of 2025 | CB Insights | 2025-07 | The CB Insights AI 100 explicitly identifies AI observability and governance as critical enterprise infrastructure gaps, spotlighting startups building monitoring, benchmarking, and compliance tooling as filling voids left by traditional application security approaches. |
| v13 | What's Next for AI Agents? 4 Trends to Watch in 2025 | CB Insights | 2025-07 | A CB Insights quarterly survey finds 63% of enterprises place high importance on AI agents for the next 12 months, while reliability, security, and implementation talent top the barriers — framing the observability and governance gaps as the central adoption bottleneck. |
| v14 | The AI Agent Market Map: March 2025 Edition | CB Insights | 2025-03 | CB Insights maps the growing market for agent evaluation and observability tools, including automated testing (Haize Labs) and performance tracking (Langfuse), establishing a vendor taxonomy for the discoverability and inspectability layer missing from most enterprise deployments. |
| v15 | Introducing AEGIS — The Guardrails That CISOs Need for the Agentic Enterprise (blog) | Forrester Research | 2025-09 | Forrester VP Jeff Pollard articulates that agentic AI introduces 'obscured causal provenance, making post-incident forensics nearly impossible' — directly naming the dark-code discoverability problem and positioning AEGIS as the governance response. |
| v16 | Gartner Market Guide for AI Trust, Risk and Security Management (AI TRiSM), February 2025 | Gartner | 2025-02 | Gartner's AI TRiSM Market Guide — summarised in context alongside Forrester AEGIS — establishes that runtime guardrails and AI red teaming are now central to enterprise AI security strategy, acknowledging traditional controls struggle when agents act autonomously post-deployment. |
| v17 | 2026 AI Predictions: The Year of the 'Agent Employee' | VC Cafe (synthesis of Sequoia, a16z, Bessemer, Greylock, Insight, Radical Ventures, Sapphire et al.) | 2026-01 | Aggregates 2026 predictions from Sequoia, a16z, Bessemer, and others, with Bessemer's Lindsey Li naming 'code clean-up agents' as a major 2026 category to address the technical debt accumulating from 2025's AI coding boom — directly identifying the dark-code maintenance problem. |
| v18 | The Full 2026 VC AI Predictions (a16z, Bessemer, Khosla, Menlo et al.) | The AI Opportunities (synthesis of VC predictions) | 2026-01 | Synthesises VC consensus that AI-generated code shipped in 2024–2025 is creating a 'technical-debt hangover' with inconsistency and absent ownership, predicting 'agent operations' will become a formal enterprise function akin to DevOps — with audit logs and human override as table-stakes for production. |
| v19 | AI at Scale: How 2025 Set the Stage for Agent-Driven Enterprise Reinvention in 2026 (KPMG Q4 AI Pulse Survey) | KPMG | 2026-01 | KPMG's Q4 2025 enterprise survey finds 65% of leaders cite agentic complexity as the top barrier for two consecutive quarters; half plan $10–50M investments specifically for data lineage, model governance, and agentic architecture hardening, with 60% restricting agent access without human oversight. |
| v20 | 80% of Fortune 500 Use Active AI Agents: Observability, Governance, and Security Shape the New Frontier | Microsoft Security (Cyber Pulse report) | 2026-02 | Microsoft telemetry confirms that more than 80% of Fortune 500 companies are running active AI agents built with low-code/no-code tools, many created outside formal engineering channels — validating the dark-code hypothesis and identifying the visibility gap as the primary business risk. |
| v21 | Agentic AI Transformation: Bain Technology Report 2025 Guide | Bain & Company | 2025 | Bain's Technology Report 2025 analysis finds 78% of IT leaders expect agentic AI to replace or augment ERP functions within three years, while governance and accountability frameworks remain the primary gap, with communication protocol standards (MCP, A2A) arriving too fast for enterprise governance to match. |
| v22 | Gartner Market Guide for AI Governance Platforms (2025) | Gartner | 2025 | Gartner confirms AI governance platforms (AIGPs) are now essential enterprise infrastructure, identifying 'Shadow AI' and distributed oversight of AI-generated artefacts as the core unsolved governance problems, and predicting 'death by AI' legal claims will double by 2029 without risk guardrails. |
| v23 | AI Agent Adoption 2026: What the Data Shows (Gartner, IDC synthesis) | Joget (synthesis of Gartner, Forrester, IDC, Deloitte data) | 2026-03 | Synthesises Gartner's prediction that over 40% of agentic AI projects will fail by 2027 due to insufficient controls, and surfaces Forrester and Gartner consensus that 2026 is the breakthrough year for multi-agent systems — making governance the decisive capability separating survivors from failures. |
| v24 | Securing AI-Generated Code in Enterprise Applications: The New Frontier for AppSec Teams | Security Boulevard | 2025-11 | Practitioner analysis argues traditional SAST/DAST are inadequate for AI-generated code's 'AI-style vulnerabilities', proposing that fuzz testing, runtime instrumentation, and AI-specific tooling are the minimum bar — with approval processes and license reviews required to establish traceability. |
| v25 | Forrester Predicts 75% of Tech Decision-Makers Will Face Moderate-to-Severe Tech Debt by 2026 / AI Generated Code Technical Debt Management | BuildMVPFast (citing Forrester, Gartner, DORA, Stack Overflow, Sonar) | 2026-03 | Aggregates cross-industry data showing 41% of committed code is now AI-assisted, incidents per pull request increased 23.5% alongside a 20% rise in throughput, and Forrester's prediction that 75% of tech decision-makers will face severe AI-induced technical debt — quantifying the dark-code governance failure at scale. |