Skip to content
Latchkey
Published June 2026

The State of Feature Flags 2026

How teams decouple deploy from release, test in production safely, and pay down the flag debt that quietly accumulates when nobody cleans up.

63%
of teams use feature flags to gate at least some releases
Latchkey analysis (modeled)
41%
of flags outlive their purpose and become stale flag debt
Latchkey analysis (modeled)
76%
of professional developers run CI/CD, the substrate flags ride on
Stack Overflow Developer Survey

Executive summary

Feature flags have crossed from a Big-Tech luxury into mainstream practice. The headline shift is conceptual, not technical: teams increasingly treat deploying code and releasing a feature as two separate events, so a merge no longer has to mean a customer-visible change. That decoupling is what lets a team ship continuously while still controlling exposure, and it is the single idea that reframes everything else in this report.

The same data shows the cost of getting it wrong. Flags are easy to add and hard to remove, so most codebases accumulate a long tail of stale toggles that complicate every conditional, slow every test matrix, and quietly raise the blast radius of the next change. The teams that win treat a flag as a temporary scaffold with an expiry date, not a permanent fork in the code, and they measure their flag inventory as carefully as they measure their test coverage.

Flags also depend on a fast, reliable pipeline underneath them. Testing in production, percentage rollouts, and dark launches only feel safe when the build that produced the artifact was deterministic and the runner that built it did not flake mid-run. A flag gating an artifact nobody actually validated is not risk control, it is theater. The reliability of the release layer is therefore inseparable from the reliability of the CI layer that feeds it.

This report quantifies the adoption curve by team size, the purposes teams actually put flags to, and the rate at which flag debt accumulates as toggles age. It then connects those release-side numbers back to the build layer, because the safety guarantees a flag appears to offer are only as strong as the pipeline that produced the code behind it.

The throughline for engineering leaders is that feature flags are a discipline, not a feature you buy. The targeting engine matters far less than the operating habits around it: an expiry date set at creation, a kill switch wired before the first rollout, and a deterministic build under every artifact. Teams that internalize this turn flags into a durable delivery advantage. Teams that do not turn them into a slowly compounding maintenance tax.

Feature flag adoption by org size
Solo / <5 eng29%5-20 eng48%20-100 eng67%100+ eng84%

Share of teams gating at least some releases behind flags, by engineering headcount (modeled). · Source: Latchkey analysis (modeled)

What teams use flags for
Gradual rollout / exposure control 38%
Kill switch / operational toggle 27%
A/B and experimentation 21%
Entitlement / plan gating 14%

Primary stated purpose of flags among teams that use them (modeled). · Source: Latchkey analysis (modeled)

Email me the report

The full report is right here on this page, free. Want the link in your inbox to read later or share, plus new Latchkey reports as they drop? Drop your email and we will send it over.

Sent! Check your inbox for the report link.

No spam. Unsubscribe anytime.

Decoupling deploy from release is the real unlock

The teams getting the most value from flags are not the ones with the fanciest targeting rules, they are the ones who stopped equating a merge with a release. Once a deploy is just shipping dormant code, the pressure to batch changes drops, pipelines run smaller and more often, and the scary part of delivery moves to a controlled toggle flip that any on-call engineer can reverse in seconds.

This reframing has a measurable effect on how teams work. When a merge no longer changes customer behavior, there is no longer a reason to hold a branch open until a feature is 'done'. Engineers integrate partial work behind an off flag, the trunk stays close to production, and the painful long-lived merge conflict largely disappears. The release becomes a separate, deliberate act rather than a side effect of whichever pull request happened to land last.

It also changes who owns risk. In a deploy-equals-release world, the riskiest moment is a deploy, which is owned by whoever is shipping. In a decoupled world, the riskiest moment is a toggle flip, which can be owned by a release manager, a product owner, or an automated rollout policy. The decision to expose a feature is separated from the mechanics of getting the code into production, and that separation is what lets teams ship continuously without continuously holding their breath.

Adoption tracks team size more than industry

Flag adoption rises steeply with engineering headcount. Very small teams often skip flags entirely, because with a handful of engineers a deploy and a release really can be the same event without much risk, and the overhead of a flagging system is hard to justify. As a team grows past twenty engineers the calculus flips: more people merging into the same trunk means more changes in flight at once, and the cost of an uncontrolled release climbs fast.

By the time an organization passes a hundred engineers, gating releases behind flags is close to universal. At that scale multiple teams ship into shared surfaces every day, and the only sane way to coordinate is to let everyone merge freely while controlling exposure centrally. The flag system becomes the coordination layer that lets independent teams move without stepping on each other.

The practical implication is that flags are a scaling tool, and the right time to adopt them is just before the pain arrives, not after. Teams that wait until an uncontrolled release causes an incident tend to bolt flags on reactively and inconsistently, which produces exactly the kind of sprawling, undocumented toggle inventory that the rest of this report warns about.

Testing in production is now a default, not a heresy

Percentage rollouts, internal-only audiences, and shadow traffic let teams validate behavior against real load that no staging environment reproduces. The idea that production is the only environment that tells the truth has moved from a controversial opinion to standard operating practice, because the alternative, a staging environment that perfectly mirrors production, has proven to be a fiction nobody can actually maintain.

The practice is only as safe as the rollback path, which is why a kill switch wired to a single flag has become standard alongside the rollout itself. The discipline is not 'expose carefully', it is 'expose carefully and be able to un-expose instantly'. A rollout without a tested kill switch is a one-way door, and teams that have been burned learn to wire the off switch before they ever turn anything on.

Done well, this turns the release into a series of small, reversible experiments rather than a single irreversible event. A feature goes to internal users, then to one percent, then to ten, with health metrics watched at each step and an automatic halt if anything regresses. The blast radius of a bad change is bounded by whatever percentage was exposed when the problem surfaced, not by the entire user base.

  • Internal-only and dogfood audiences catch the worst regressions before any external user sees them.
  • A kill switch wired to a single flag turns a bad rollout into a sub-minute recovery rather than a redeploy.
  • Percentage rollouts bound the blast radius of a defect to the slice exposed at the moment it surfaced.

Most flags exist for exposure control, not experimentation

There is a common misconception that feature flags are mostly about A/B testing. The data points the other way. The dominant use is plain exposure control: shipping code dark and turning it on gradually. Experimentation is a real and valuable use, but it is the minority case, and treating the whole flag system as an experimentation platform leads teams to over-invest in statistical machinery they rarely use.

Operational toggles and kill switches are the second large category, and they are arguably the highest-value flags a team carries. A kill switch on a risky integration or an expensive code path costs almost nothing to maintain and pays for itself the first time it prevents an incident from becoming an outage. These flags are infrastructure, not experiments, and the best teams treat them as permanent, documented controls rather than temporary scaffolds.

Entitlement and plan gating round out the picture. Here a flag is not temporary at all, it is a long-lived business rule about which customers can see which features. The important discipline is to keep these conceptually separate from release flags, because mixing 'is this feature finished' with 'is this customer entitled to it' in the same toggle is a reliable way to produce confusing, hard-to-remove flag logic.

Flag debt is the silent tax

A flag is trivial to add and politically awkward to remove, so most codebases carry a long tail of toggles that should have been deleted months ago. Each one adds a conditional, doubles a code path in test, and widens the surface where a stale branch can surprise you. The cost is invisible day to day and very real in aggregate, because it shows up as slower test suites, more confusing code, and the occasional production incident caused by a forgotten toggle in an unexpected state.

The accumulation curve is steep. A flag that is still live after thirty days is usually fine, it is mid-rollout. A flag still live after six months is almost always debt: the rollout finished, the feature is permanent, and nobody went back to remove the now-pointless conditional. The modeled share of flags surviving past their intended window roughly doubles between the ninety-day and one-hundred-eighty-day marks, which is exactly the region where a flag stops being a tool and starts being a liability.

Teams that set a removal date at creation and track it like any other ticket keep the tail short. The mechanism matters less than the commitment: a flag without an owner and an expiry is a flag that will outlive everyone's memory of why it existed. The most disciplined teams fail a build or raise an alert when a flag passes its expiry without being removed, which turns flag cleanup from a chore nobody volunteers for into a routine part of the workflow.

  • Every stale flag adds a conditional and doubles a path in the test matrix, slowing every run.
  • Flags surviving past six months are almost always permanent code wrapped in a pointless toggle.
  • An expiry date and owner set at creation, enforced by an alert, keeps the long tail from forming.
Flag debt accumulates with age
Under 30 days8%30-90 days23%90-180 days41%Over 180 days58%

Modeled share of flags still live past their intended removal window. · Source: Latchkey analysis (modeled)

Flags do not fix a flaky pipeline, they expose it

Controlled exposure assumes the artifact you are exposing is the one you tested. That assumption quietly breaks when the build is not deterministic. When a build flakes on a transient runner failure and a retry silently changes the inputs, the flag is now gating an artifact nobody actually validated, and the careful percentage rollout is rolling out an unknown.

This is the seam where the release layer and the build layer meet. A feature flag is a promise that exposure is controlled and reversible, but that promise rests on the artifact being exactly what the pipeline produced and tested. A flaky pipeline that re-runs jobs on fresh inputs, or that goes green only after a retry that masked a real problem, undermines the entire chain of custody from commit to customer.

Self-healing managed runners that recover transient failures in place keep the build deterministic, which is the precondition for trusting any rollout. By absorbing the network blips, registry timeouts, and resource kills that produce most spurious failures, and by recovering them without changing the inputs, they preserve the guarantee that the artifact behind a flag is the artifact that passed CI. The release discipline and the build discipline reinforce each other: neither is worth much without the other.

The maturity curve runs through cleanup discipline

Early adopters measure success by how many flags they can ship. Mature teams measure it by how few they carry. The shift from adding flags to retiring them on schedule is the clearest signal that an organization has moved from experimenting with the technique to operating it, and it correlates with smaller, faster, less risky pipelines overall.

The mature posture treats the flag inventory as a living system with a budget. New flags are welcome, but every new flag comes with an owner, a purpose, and an expiry, and the total count is watched as a health metric. When the inventory grows without bound, it is a signal that cleanup is not keeping pace with creation, the same way a growing list of failing tests signals that quality is slipping.

This discipline is what separates teams for whom flags are a durable advantage from teams for whom they are an accumulating burden. The targeting engine, the dashboard, and the SDK are commodities. The operating habits, expiry on creation, kill switch before rollout, deterministic build underneath, and routine retirement, are what actually determine whether a flag system makes delivery faster and safer or slowly grinds it down.

Recommendations

Treat every flag as temporary and set an expiry at creation

Require an owner and a removal date the moment a flag is created, and enforce it with an alert or a failing build when a flag passes its expiry without being removed. The single most effective control on flag debt is making retirement the default rather than an act of heroism nobody volunteers for.

Wire the kill switch before the first rollout

Never start a percentage rollout without a tested path to instantly revert it. A rollout without a kill switch is a one-way door. Make the off switch part of the rollout plan, and verify it works before any real user is exposed, so recovery is a sub-minute toggle flip rather than an emergency redeploy.

Separate release flags from entitlement flags

Keep "is this feature finished" distinct from "is this customer entitled to it". Release flags are temporary and should expire; entitlement flags are long-lived business rules. Mixing the two in one toggle produces confusing logic that is impossible to retire, because half of it is permanent and half of it should already be gone.

Make the build deterministic so the flag means something

A flag only controls exposure if the artifact behind it is exactly what CI tested. Use runners that recover transient failures in place rather than re-running jobs on changed inputs, so a green build always reflects the code you are about to roll out and the rollout is gating a known quantity.

Track the flag inventory as a health metric

Watch the total flag count and the age distribution the way you watch test coverage or pipeline duration. A steadily growing inventory means cleanup is losing to creation. Review the long tail on a regular cadence and retire anything past its window, so the system stays a tool rather than becoming an archaeology project.

Outlook

Expect feature flags to keep spreading down-market through 2026 and 2027 as the tooling commoditizes and the pattern becomes the assumed default for any team past a handful of engineers. The conceptual shift, deploy is not release, is durable because it solves a coordination problem that only gets worse as teams grow, and nothing on the horizon makes that problem go away.

The frontier is moving from adoption to operations. The teams that have run flags for years are increasingly focused on the unglamorous parts: retirement discipline, kill-switch hygiene, and keeping the inventory from sprawling. We expect more tooling to target the cleanup problem specifically, because the value of a flag system is now bounded less by how easily it adds flags and more by how reliably it sheds them.

The connection to the build layer will tighten. As more of the release decision moves behind flags, the integrity of the artifact behind each flag becomes load-bearing, and teams will increasingly demand deterministic, self-healing pipelines as a precondition for trusting their rollouts. The release story and the CI story are converging on the same requirement, that the thing you are exposing is provably the thing you tested.

Methodology

This report synthesizes publicly available industry data, including developer surveys and the DORA State of DevOps research, with Latchkey's own analysis of release and pipeline patterns observed across managed runner usage. Adoption, flag-purpose, and flag-debt figures are modeled estimates derived from typical team behavior and pipeline shapes, calibrated against the share of teams running CI/CD; they are not a primary survey. Where a figure is attributed to a named source it reflects that source. Figures labeled "modeled" are illustrative estimates derived from public pricing and typical pipeline shapes, not a primary survey; figures attributed to a named source reflect that source. Pricing reflects published rates at time of writing and should be verified against current provider pricing.

Sources

More Latchkey reports

See what you would save with Latchkey managed runners and self-healing. Start free →