Two-thirds of commercial codebases now contain open-source license conflicts — the highest rate ever recorded, up 12 percentage points in a single year, according to Black Duck's 2026 OSSRA report, which audited 947 codebases across 17 industries. That jump correlates directly with rising AI coding agent adoption. The mechanism is license laundering: an AI model trained on GPL and copyleft repositories generates code snippets derived from that training data, strips the attribution metadata, and presents them as original output.
Why AI Coding Agents Create a License Blind Spot
AI coding agents do not perform license attribution. When a model suggests a function, it does not surface the license that governed the training code it was derived from. GitHub's internal research has acknowledged that roughly 1% of suggestions match training code exactly. At enterprise scale — across millions of daily suggestions — that is a material surface area for accidental license violations.
The legal ownership picture compounds the risk. The US Copyright Office ruled in January 2025 that AI-generated outputs are only eligible for copyright protection where a human author contributed sufficient expressive elements. The code your agent wrote may therefore be unprotected — no IP shield for your organization, but full exposure to the license terms of whatever the model derived it from. Research published in Future Internet (2026) identifies attribution traceability as the core compliance gap in AI-assisted development workflows.
Where Exposure Enters Your Pull Request
Most teams already run security scans on PRs. The governance gap is narrower than it appears: Black Duck's 2026 survey data found that 76% of organizations check AI-generated code for security risks, but only 54% evaluate it for IP and license obligations. Just 24% perform comprehensive checks covering IP, license, security, and quality together.
Three patterns create the most exposure:
Copyleft code in a proprietary repository: A GPL-licensed function included in closed-source commercial software triggers the copyleft obligation to disclose source code upon distribution. One codebase in Black Duck's audit contained 2,675 distinct license conflicts.
Permissive license without attribution: MIT and Apache 2.0 code requires attribution. AI agents omit this. Missing attribution clauses create audit failures and surface in M&A due diligence.
Incompatible license stacking: Two dependencies with incompatible licenses (GPL and Apache 2.0, for example) can render a codebase legally unshippable. AI agents have no awareness of license compatibility when they generate code that draws on multiple sources.
Three Steps to Add License Scanning to Your PR Workflow
Scan every AI-authored PR for license-bearing code patterns: Static composition analysis should run against changed files, not just the dependency manifest. New functions — not just new packages — can introduce license obligations. Make this a required check before merge, not an advisory warning.
Build a three-tier license policy: Define which licenses your organization approves without review (permissive: MIT, BSD, Apache 2.0), which require legal sign-off (weak copyleft: LGPL, MPL), and which are blocked in proprietary repositories (strong copyleft: GPL, AGPL). Encode this as an enforced PR gate — not a spreadsheet engineers consult after the fact.
Record AI agent provenance in your audit trail: For each PR where an AI coding agent was the primary author, log the tool name, model version, and timestamp. This does not resolve liability, but it creates the chain of custody your legal team needs to assess exposure and respond to challenges. Without it, a retroactive audit has nowhere to start.
License compliance in AI-assisted codebases is a governance problem — it requires enforcement at the point of merge, not a quarterly legal review. Re-entry.ai scores pull request risk, including IP and license signals, before code lands in your main branch. See how it works at re-entry.ai.