Enterprises knowingly ship vulnerable AI-generated code even as exploit windows shrink to minutes, Checkmarx report finds

75% of enterprises knowingly ship vulnerable code, a new survey of 2,350 security leaders found. Nearly half of all production code is now AI-generated, and breach rates remain high even among organizations that rate their security as mature.

Published on: Jun 10, 2026
Enterprises Ship AI-Generated Code They Know Is Vulnerable

Nearly half of production code at enterprises is now AI-generated, yet security teams knowingly deploy vulnerable software at scale. A survey of 2,350 security leaders found that 75% of organizations ship code they know contains flaws, betting the vulnerabilities won't be discovered before users find them.

The risk calculation has changed. AI tools like Anthropic's Claude models can now discover and exploit security flaws in minutes instead of months, collapsing the window between vulnerability and working exploit.

The scale of the problem

Enterprises relying heavily on AI code generation face sharper consequences. Organizations where 81-100% of code is AI-built ship vulnerable code 3.4 times more often than those using AI for 20% or less of their codebase.

The damage is real. Seventy percent of developers said AI code generation created vulnerabilities in 2025. Nearly all enterprises surveyed (93%) experienced at least one security breach from in-house developed applications.

Yet the response has been passive. About 30% of respondents admitted they ship compromised code and hope no one finds the vulnerability. More than a third leave known vulnerabilities unfixed for 90 days or longer.

Why developers become the bottleneck

The organizational problem isn't detection; it's the human decision to ship anyway. Developers face intense pressure to deliver. Security tools often deliver low-value findings, unclear guidance, or feedback that arrives too late in the development cycle.

Only 18% of developers continuously secure code, despite nearly all having security tooling available. The systems aren't aligned to support them. Developers remain accountable for security outcomes even when workflows don't support secure development.

AppSec teams operate in reactive mode, dealing with tool sprawl and incident response rather than prevention. The result: developers are set up to fail.

Confidence masking poor practice

Many enterprises overestimate their security maturity. Among organizations that rate themselves as "highly mature" AI operations, 42% often ship the most vulnerable code. Their breach rates are barely distinguishable from less mature organizations.

Only 22% of organizations have formal AI governance. Most still rely on manual code reviews to ensure compliance. These processes were designed for slower software delivery and cannot keep pace with AI-scale development.

What needs to change

Security must move from checkpoint to workflow. Embed it directly into the IDE, pipelines, and AI-assisted development tools where code is actually written.

Reduce tool sprawl and define clear ownership of AI tools. Simplify security stacks to align responsibilities and ensure consistent use.

Move beyond manual triage. AI systems should prioritize, remediate, and resolve vulnerabilities without waiting for human approval at each step. Let AI fight AI in a system built to handle the speed of modern development.

Organizations need formal AI governance, developer training, and DevSecOps practices that treat risk as a priority over code volume. Progress depends on embedding security directly into the systems where development happens.
