Using AI to code? Watch your security debt
AI is speeding up shipping, but security isn't keeping pace. New research from Black Duck shows 81% of security pros say application security testing slows development and delivery. Nearly 60% of teams now deploy daily or more, yet 46% still run security as manual steps. That gap turns into security debt: issues that pile up release after release.
Speed is up. Security isn't.
AI has moved into mainstream development, with strong adoption reported in recent surveys, including the Stack Overflow Developer Survey. But trust lags, and security leaders worry about AI-generated code introducing flaws. At the same time, 71% say alerts are noise: false positives and duplicates from overlapping tools eat time and attention.
Black Duck's data shows the core issue: automation of security hasn't matched automation of delivery. Over 61% of organizations test less than 60% of their applications. If you don't see the risk, you can't fix it, and your backlog grows.
The automation gap fuels security debt
High-velocity pipelines without integrated, automated AppSec lead to blind spots. Debt then shows up in cycle time: Veracode reports the average time to fix vulnerabilities has increased 47% in five years, from 171 days (2020) to 252 days (2025). That's the cost of deferring security.
Industry leaders are calling for a shift away from reactive, tool-by-tool tactics. The direction is clear: consolidate, integrate, and automate security inside developer workflows so speed doesn't outpace visibility.
What teams can do now
- Integrate security into CI/CD: add SAST, SCA, secret scanning, container and IaC checks to pre-commit, PR, and build stages. Set policy gates by severity and exploitability, not just counts.
- Reduce tool sprawl: centralize findings in one platform, deduplicate, and normalize by CWE/CVE. Cut overlapping scanners that create duplicate noise.
- Automate triage and routing: auto-assign by code ownership, surface reachability/context, and suppress repeats. Track true-positive rate.
- Increase coverage: target 90%+ of apps and services, including APIs, third-party components, and infrastructure. Maintain an SBOM for every release.
- Shift left and right: threat model at design time, enforce secure defaults in templates, and add runtime protections and anomaly detection for APIs and services.
- Set clear AI guardrails: treat AI-generated code as untrusted until scanned, enforce license policies, track code provenance, and block secrets in prompts and outputs.
- Measure what matters: MTTR by severity, percent of apps tested per release, false-positive rate, and backlog burn-down. Review these in engineering leadership meetings like any other reliability KPI.
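An added example (not code from the article, Black Duck or any of the vendors named here) of the pipeline glue the list above describes: it merges findings from two overlapping scanners, deduplicates them by CWE plus location, gates the build on severity and reachability rather than raw counts, and computes MTTR by severity and true-positive rate. The finding format and the sample records are constructed for the example.

```python
"""Constructed example: dedupe scanner findings, gate by policy, report metrics."""
from collections import Counter

# Constructed findings as two overlapping SAST tools might emit them for one commit.
SCANNER_A = [
    {"tool": "sast-a", "cwe": "CWE-89", "file": "api/users.py", "line": 42, "severity": "high", "reachable": True},
    {"tool": "sast-a", "cwe": "CWE-79", "file": "web/views.py", "line": 10, "severity": "medium", "reachable": False},
]
SCANNER_B = [
    {"tool": "sast-b", "cwe": "CWE-89", "file": "api/users.py", "line": 42, "severity": "critical", "reachable": True},
    {"tool": "sast-b", "cwe": "CWE-798", "file": "config/settings.py", "line": 7, "severity": "high", "reachable": True},
]
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed triage history: (severity, days to fix, disposition after review).
CLOSED = [
    ("high", 30, "true_positive"), ("high", 50, "true_positive"),
    ("medium", 90, "false_positive"), ("critical", 5, "true_positive"),
]


def normalize(findings):
    """Collapse overlapping tools onto one record keyed by CWE + file + line."""
    merged = {}
    for f in findings:
        key = (f["cwe"], f["file"], f["line"])
        cur = merged.setdefault(key, {**f, "tools": set()})
        cur["tools"].add(f["tool"])  # remember every tool that reported it
        if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[cur["severity"]]:
            cur["severity"] = f["severity"]  # keep the highest severity assigned
    return merged


def gate(merged, min_severity="high"):
    """Return the findings that should block the build: reachable and at or above min_severity."""
    threshold = SEVERITY_RANK[min_severity]
    return [f for f in merged.values()
            if f["reachable"] and SEVERITY_RANK[f["severity"]] >= threshold]


def metrics(closed):
    """MTTR (days) per severity over true positives, plus the overall true-positive rate."""
    days, counts, true_positives = Counter(), Counter(), 0
    for severity, days_to_fix, disposition in closed:
        if disposition == "true_positive":
            true_positives += 1
            days[severity] += days_to_fix
            counts[severity] += 1
    mttr = {s: days[s] / counts[s] for s in counts}
    return mttr, true_positives / len(closed)
```

Wire `gate()` into the PR stage so a non-empty result fails the check, and feed `metrics()` from the tracker export so the numbers in the leadership review come from the same data the pipeline acts on.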
Voices from the field
Black Duck's CEO, Jason Schmitt, argues teams should move from reactive, tool-centric tactics to a platform approach that embeds security in developer workflows. That's how you get scale without stalling releases.
Mayur Upadhyaya, CEO at APIContext, notes that AI is both a productivity boost and an attack vector. He stresses better observability (baseline normal behavior and catch deviations in real time) plus simplification over adding more tools.
Bottom line
Faster releases without integrated security create debt you will pay later, with interest. Close the automation gap, simplify the stack, and make security part of how code ships, not an afterthought.
If your team is leveling up skills for safe, AI-assisted development, explore our AI Certification for Coding for structured, practical training.
Further reading: Stack Overflow Developer Survey 2024 and Veracode State of Software Security.