The AI Agent Cost Crisis Nobody's Talking About

The $240B Blind Spot

Global spending on AI coding tools is projected to reach $240 billion by 2028 (Gartner, 2025). That number includes licenses, API costs, compute for local models, and the engineering time spent reviewing AI-generated output.

Here's what it doesn't include: any measurement of whether that spending produces better software.

Engineering leaders can tell you their AWS bill to the penny. They can tell you cost-per-deploy, cost-per-incident, cost-per-customer-acquired. But ask them what their AI coding tools actually cost per merged PR and you get silence.

The problem isn't that AI coding tools are bad. The problem is that nobody is measuring whether they're good — at the level of individual commits, PRs, and shipped features.

The METR Study: 19% Slower, Not Faster

In December 2025, METR (Model Evaluation & Threat Research) published the first randomized controlled trial of AI coding tools in real-world conditions. They studied 16 experienced open-source developers working on their own repositories — people who knew the codebase intimately.

The result: developers using AI tools took 19% longer to complete tasks. Not faster. Slower.

The twist: those same developers predicted they would be 20% faster. The gap between perceived and actual productivity was nearly 40 percentage points.

This doesn't mean AI tools are useless. It means the productivity equation is more complex than “add Copilot, ship faster.” Some tasks benefit enormously. Others don't. Without per-task measurement, you're flying blind.

45% of AI Code Has OWASP Vulnerabilities

Backslash Security analyzed thousands of AI-generated code snippets in 2025 and found that 45% contained at least one vulnerability from the OWASP Top 10 — SQL injection, broken authentication, cross-site scripting, insecure deserialization.

This isn't a theoretical risk. These are the same vulnerability classes that cause real breaches. And they're being introduced at scale by tools that generate code faster than humans can review it.

# AI-generated Express.js route (looks clean, right?)
app.get('/user/:id', async (req, res) => {
  const user = await db.query(
    `SELECT * FROM users WHERE id = ${req.params.id}`
  );
  res.json(user);
});

# SQL injection. Classic OWASP A03.
# AI generated it. Code review missed it.
# It shipped.

The cost of a vulnerability isn't just the fix. It's the incident response, the audit, the customer notification, the engineering hours diverted from feature work. IBM's 2025 Cost of a Data Breach report puts the average at $4.88 million per incident.

Every AI-generated commit that ships without a security scan is a liability on your balance sheet that nobody's accounting for.

The Real Cost of an AI-Assisted Commit

Let's break down what a single AI-assisted commit actually costs, beyond the license fee:

Only the first row shows up in your procurement budget. The rest are invisible until they aren't — when a sprint slows down because half the team is reviewing AI-generated PRs, or when a vulnerability hits production.

What Measurement Looks Like

The first step is knowing what's AI-generated and what isn't. That's what GitIntel does — it scans your git history and identifies AI-assisted commits through attribution markers, pattern analysis, and commit metadata.

$ gitintel scan --format table

Repository: acme-api
Commits scanned: 500
AI-assisted commits: 87 (17.4%)

Agent Breakdown:
  Claude Code      71 commits  (81.6%)  +12,450 lines
  Cursor           11 commits  (12.6%)   +1,820 lines
  Copilot           5 commits   (5.7%)     +340 lines

Top AI Contributors:
  sarah@acme.com   34 AI commits  (39.1%)
  james@acme.com   28 AI commits  (32.2%)
  priya@acme.com   25 AI commits  (28.7%)

Once you know the what, you can start asking the important questions:

• • Which AI-assisted PRs had the highest revert rate?
• • Which developers are most productive with AI tools vs. without?
• • Are AI-generated commits concentrated in test files, boilerplate, or core logic?
• • What's the review-time difference for AI vs. human-authored PRs?
• • How does AI code quality correlate with the prompting developer's experience level?

$ gitintel scan --format json | jq '.commits[] | select(.ai == true) | .files'

# See exactly which files have AI-generated code
# Filter by author, date range, or directory
# Export to your existing dashboards

This isn't about policing developers. It's about giving engineering leaders the same visibility into AI tool ROI that they already have for every other line item in their budget.

The Attribution Problem Is Getting Worse

Today, only one major AI coding tool consistently leaves attribution markers: Claude Code adds a Co-Authored-By trailer to every commit. Copilot, Cursor, Windsurf, and others leave no trace by default.

This means the percentage of AI-generated code in any repo is a floor estimate, not a ceiling. Our scan of 13 major open-source repos found 5.8% AI-assisted commits — but the true number could be 2-5x higher once you account for tools that don't self-identify.

As more tools enter the market — Google just made Gemini Code Assist free for individual developers, Cursor 2.0 now runs 8 parallel agents — the volume of unattributed AI code will only grow.

The EU AI Act takes effect in August 2026. It requires organizations to disclose AI-generated content in certain contexts. If you can't tell which commits are AI-generated today, you may have a compliance problem tomorrow.

What Engineering Leaders Should Do Now

The Bottom Line

AI coding tools are here to stay. Spending on them will only increase. But right now, most organizations are writing checks they can't audit — paying for productivity gains they haven't measured, while accumulating security debt they can't see.

The companies that win with AI coding tools won't be the ones that adopt the fastest. They'll be the ones that measure the smartest — tracking what AI generates, what it costs, and what actually ships.