The coding-agent category has spent two years in a strange state: technical readiness clearly outrunning commercial uptake. Demos that would have looked like science fiction in 2023 are now table stakes. Acceptance rates on autonomous PRs at well-instrumented shops sit comfortably above 50%. And yet the procurement cycle at large enterprises is running 9-12 months from initial pilot to organization-wide rollout. Why?

The four gates

Every coding-agent procurement we’ve tracked goes through the same four gates, in roughly the same order.

Security review. SOC 2 Type II is now table stakes, but the substantive question is data residency: where does code touched by the agent end up, and what does the vendor’s training data policy say about it. Vendors that can offer “your code never leaves your VPC” via a self-hosted model option clear this gate faster, even when the self-hosted version underperforms the API.

Cost model. This is where most pilots stall. Seat licensing maps cleanly to existing SaaS procurement but produces an immediate ROI question: 200 engineers × $40/month is real money, and the org-wide adoption rate to justify it has to clear maybe 60%. Usage-based pricing (per task, per merged PR) is more defensible on paper but harder to budget. The vendors winning enterprise deals in 2026 are offering hybrid models: a low seat floor plus a usage cap.

Integration depth. A coding agent that only works in the IDE is a productivity tool. A coding agent that also lives in CI, code review, and incident response is an organizational change. The latter is what the procurement committee is actually buying. Vendors who lead with the IDE demo and back into CI/CD almost always lose to vendors who arrive with all three integrated.

Governance. What does the agent see, what does it write, who reviews it, what gets logged. Large enterprises want an audit trail of every prompt, every tool call, every diff. Vendors that ship this as an afterthought stall here for months.

What the 9-12 month cycle tells you

The procurement timeline is not a sign of slow uptake. It’s a sign of category maturity. Compare to AppSec tools (12-18 months), data warehouses (9-15 months), or observability (6-12 months). Coding agents are landing inside normal enterprise software budgets, which is what should happen to a real category.

The implication: the next leg of the coding-agent market won’t be won by the model with the best benchmark or the IDE with the slickest UI. It’ll be won by whichever vendor builds the cleanest procurement story (security, cost model, integration depth, governance) across the four gates. The technical race converged faster than anyone expected. The commercial race is wide open.

What to watch

Three signals worth tracking over the next 6 months:

  • Usage-based pricing penetration. If the per-task billing model survives enterprise procurement, it changes the unit economics of the entire category and probably forces the GitHub Copilot incumbent to respond.
  • Self-hosted serving. The frontier labs are reluctant to enable air-gapped deployments because it cannibalizes API revenue. Whichever lab cracks first opens up the regulated-industry market (financial services, healthcare, defense).
  • Code-review integration. The IDE is the visible layer; the review layer is the leverage point. Watch for the vendor that wins GitHub Enterprise as an integration partner without becoming GitHub-dependent.

The category is no longer about whether the agents work. It’s about whether the procurement story holds together. Track that.
