The Problems of AI in Software Development
Artificial intelligence (AI) is becoming a common tool in software development. Currently, 86% of companies use AI in their software development life cycle (SDLC), and 93% plan to increase their AI investments. However, this widespread adoption often happens without clear internal policies or external regulations guiding the secure use of AI in coding.
Developers, facing constant deadlines and pressure to deliver, often turn to third-party AI tools without proper vetting or approval. This practice leads to what’s known as shadow AI—unmanaged AI usage that reduces enterprise visibility into development processes and increases security risks.
Take the example of DeepSeek, a free AI tool from China with over five million users. While not all are enterprise developers, such easy access encourages developers to prioritize speed and productivity over security. Unfortunately, tools like DeepSeek come with high failure rates in malware generation, jailbreaking, prompt injection attacks, hallucinations (false or fabricated information), supply chain risks, and toxicity.
Four Steps to Mitigate Risks from AI Coding Assistants
- Get ahead of regulatory pressures.
- Commit to risk management.
- Practice security-focused governance.
- Incorporate benchmarking and results tracking.
Research by BaxBench shows that no current large language model (LLM) is capable of generating deployment-ready code with high accuracy and security. Frequent reliance on AI can also dull critical thinking, fostering a “factory worker” mindset instead of a more deliberate approach that protects the product’s attack surface. Teams that think critically avoid blindly trusting AI outputs, but this approach is still rare in many organizations.
Challenges Increasing AI Risks in Software Development
- Outdated Models: Existing enterprise security frameworks can’t keep pace with the speed and complexity AI introduces.
- Knowledge Gaps: Developers often lack training in applying security best practices when using AI tools, including vetting LLM-assisted products.
- Shadow AI: Unapproved use of AI tools creates unknown risks. Security leaders need to move from shadow AI to a controlled Bring Your Own AI (BYOAI) environment.
- Lack of Regulation-Based Controls: Without clear policies or standards, developers may use various AI assistants, increasing vulnerabilities and backdoor exploits.
How CISOs Should Respond
Get Ahead of Regulatory Pressures
Don’t wait for government regulations. Collaborate with development and security teams now to apply defensive strategies for using LLMs and AI tools. This ensures you get the benefits of AI while maintaining security.
Commit to Risk Management
Developer risk management must be central. Invest in tools and continuous learning that promote safe coding, critical thinking, and adversarial awareness. This helps measure and reduce application security risks from the start of the SDLC.
Practice Security-Focused Governance
Not all developers prioritize security by default. Set clear policies and enforce them programmatically. Upskill developers with relevant training for the languages and frameworks they use. Modern software development, especially with AI assistants, requires updated security programs that include developer proficiency assessments as a prevention strategy.
Incorporate Benchmarking and Results Tracking
Benchmarking encourages a security-first mindset by setting clear standards. Track outcomes such as improved developer security skills and reduced vulnerabilities. For example, in finance, evaluate adherence to standards like PCI-DSS and GDPR compared to peers. Use these insights to focus training where it’s needed most, making improvements more targeted and effective.
Build Security Into the Workflow
Deadline pressure shouldn’t justify an insecure environment. CISOs and development leaders need to stress the importance of secure software and risk management. Security efforts can actually improve productivity by reducing rework and remediation time.
By sharing lessons and defining best practices, organizations can establish industry standards for safe AI use. This creates a framework where AI tools support teams within secure boundaries rather than causing uncontrolled risks.
For developers and security professionals seeking to improve their skills in AI and secure coding, exploring specialized training can be a key step. Resources like Complete AI Training offer courses designed to enhance knowledge in AI-assisted development and security.
Your membership also unlocks:
