Causal Mapping of the Risks of Using Generative AI in Software Development

Context Generative AI tools can enhance the productivity and effectiveness of software development. These tools are evolving rapidly, as are the associated risks. Therefore, software organizations adopting these tools need to understand their risks, why they occur, and how they evolve over time. Objective Previous research has highlighted risks related to using generative AI in software development; however, the underlying causes of these risks remain largely unexplored. To effectively manage these risks, we need to understand what causes them. Therefore, we examine the causal explanations behind the risks of using generative AI in software development organizations. Methods In a multi-case study of three Danish software organizations during the early stages of generative AI tool adoption, we interviewed software developers and managers within these organizations to uncover the causal explanations of risks associated with generative AI. We employed a causal mapping approach to understand and visualize the differences and similarities across software organizations’ causal explanations of risks. A year later, we returned to validate the risks and causal maps with representatives from each software organization. Results Our study shows that the software organizations exhibit circular reasoning regarding a perpetual uncertainty in the validity of AI-generated code, with the three risks: Mistrust of AI, Insufficient validation of AI output, and Insufficient/insecure AI output. They are also concerned about similar root risks, which solely cause other risks without being caused by any risks themselves, such as Lacking AI competencies. While they differed in emphasis on tail-end risks, which are understood as not causing any additional risks. Conclusion The causal mapping approach proved appropriate for showing similarities and differences in software organizations’ perceptions of risks and causal explanations related to the use of generative AI in software development. The same applies to visualizing how the emphasis on risks can change over time.