When AI writes the code: governing coding agents in UK business
What changed
In early June 2026, Anthropic published an analysis arguing that AI is starting to help build AI. The company disclosed that, as of May 2026, more than 80% of the code merged into its own codebase was written by Claude, up from low single figures before its Claude Code tool launched in February 2025, and that a typical engineer was merging roughly eight times as much code per day in the second quarter of 2026 as in 2024. Its central observation is that coding agents can now run code themselves and delegate hours of work to other agents. Anthropic is careful to say the field is not yet at full recursive self-improvement, where systems design their successors without people, and that such an outcome is not inevitable. But it warns that as systems get closer to building their own successors, the ways we secure them, monitor them and shape their behaviour all grow more important.
Why it matters for UK business
Strip away the frontier-lab framing and there is a concrete fact underneath it that already affects UK firms: coding agents are now mainstream in how software gets built. The same class of tool Anthropic uses internally, Claude Code, and competitors such as OpenAI's Codex and GitHub Copilot, are in the hands of UK SMEs and scaleups today. Increasingly these are not autocomplete; they are agents that execute commands, edit files, install dependencies and, in newer versions, hand sub-tasks to other agents.
That capability is genuinely useful and genuinely risky in the same breath. An agent that can run code can also run the wrong command, expose a secret, install a vulnerable package or push a change no human has read. The risk is not science fiction about machines taking over; it is the ordinary software risk of an actor with broad permissions and no judgement about consequences, operating faster than a person can supervise. We see the unmanaged version of this directly: applications built quickly with AI coding tools that work in a demo and then fail, or leak data, in production.
The lesson from Anthropic's own numbers is not that you should let an agent run free because it writes most of the code. It is that the firms getting value from coding agents are the ones that have put controls around them.
What to do, and what not to do
Do:
- Sandbox what agents can execute. Give a coding agent its own isolated environment, not standing access to production systems, customer data or payment rails.
- Scope permissions to least privilege. Grant the narrowest credentials the task needs, time-limited where possible, rather than a broad token that is convenient today and dangerous later.
- Keep a human approval gate on consequential actions. Code review, deployment, and anything that touches live data, money or customer-facing systems should require a person to sign off, not just the agent's own confidence.
- Log and retain what agents do. An audit trail of commands run and changes made is what lets you investigate when something goes wrong, and it is increasingly expected in regulated work.
Do not:
- Hand an agent broad, standing credentials to save time. Convenience here is the single most common cause of the expensive incident later.
- Ship code no human has read because the AI wrote it. Authorship by a model is not a substitute for review; if anything it raises the bar, because the failure modes are less familiar.
- Let an agentic proof of concept reach production without a security review. Speed of build is exactly why the engineering check matters more, not less.
- Mistake the model's fluency for correctness. A confident, well-formatted answer can still be wrong, insecure or subtly out of scope.
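One way to combine the approval gate and the audit trail from the lists above, as an added example that is not code from Anthropic or The AI Consultancy. The command lists, the secret-file hints and the names decide, gate and AuditLog are assumptions for illustration; sandboxing and credential scoping still have to be enforced by the environment the agent runs in.

```python
import hashlib, json, shlex

# Assumed policy for illustration; anything not listed is denied by default.
AUTO_ALLOW = {("ls",), ("cat",), ("pytest",), ("git", "status"), ("git", "diff")}
NEEDS_APPROVAL = {("git", "push"), ("terraform", "apply"), ("npm", "publish")}
SECRET_HINTS = (".env", "id_rsa", "credentials")

def decide(command, approver=None):
    """Return 'allow', 'needs_approval' or 'deny' for one agent-proposed command."""
    try:
        argv = shlex.split(command)
    except ValueError:
        return "deny"                      # unbalanced quotes: refuse rather than guess
    if not argv or any(ch in command for ch in ";|&`$><"):
        return "deny"                      # no chaining, substitution or redirection
    if any(hint in arg for arg in argv for hint in SECRET_HINTS):
        return "deny"                      # never let the agent read secret material
    head = (tuple(argv[:1]), tuple(argv[:2]))
    if any(h in NEEDS_APPROVAL for h in head):
        return "allow" if approver else "needs_approval"
    return "allow" if any(h in AUTO_ALLOW for h in head) else "deny"

class AuditLog:
    """Append-only log; each record carries the hash of the previous one."""
    def __init__(self):
        self.records = []

    def append(self, agent, command, decision, approver=None):
        prev = self.records[-1]["hash"] if self.records else "0" * 64
        body = {"agent": agent, "command": command, "decision": decision,
                "approver": approver, "prev": prev}
        body["hash"] = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.records.append(body)
        return body

    def verify(self):
        prev = "0" * 64
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if rec["prev"] != prev or rec["hash"] != digest:
                return False               # record edited, removed or reordered
            prev = rec["hash"]
        return True

def gate(log, agent, command, approver=None):
    decision = decide(command, approver)
    log.append(agent, command, decision, approver)   # denied requests are logged too
    return decision
```

In practice the log would also carry a timestamp and be written to storage the agent's own credentials cannot modify.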
Where The AI Consultancy fits
Putting practical guardrails around coding agents, the sandboxing, permissions, review gates and logging above, is part of how we scope AI-assisted build work and is the core of our Production Clinic, which reviews applications built with AI tools before they go live. If your team has adopted coding agents and you want them governed without losing the speed that made them worth adopting, that is a defined piece of work. Our guides to agentic AI for UK businesses and to the security risks in AI-generated applications go into more depth.
Figures on Anthropic's internal code authorship and engineering throughput are from Anthropic's published analysis of recursive self-improvement, as at June 2026, and are the company's own. The capability and risk assessments in this briefing are The AI Consultancy's interpretation and are not specific to any one tool.
Frequently asked questions
- Are AI coding agents safe to use in a business?
- Yes, when they are governed. The main risk is operational, not science fiction: an agent that can run code can also run the wrong command, expose a secret or ship a change no one has reviewed. Firms use coding agents safely by sandboxing what the agent can execute, granting least-privilege permissions, keeping a human approval gate on anything that touches live data, money or customers, and logging what the agent does.
- Does Anthropic say AI is replacing software engineers?
- No. Anthropic reported that Claude wrote more than 80% of the code merged into its own codebase as of May 2026, but the work is directed and reviewed by engineers. Its analysis frames coding agents as accelerating engineering rather than removing the need for human judgement, review and accountability.