How organisations can preserve the speed of AI-assisted development without losing control of security, quality and compliance
Software development is entering a new phase. Developers increasingly use artificial intelligence not only to complete individual lines of code, but also to generate functions, integrations and entire application components.
This approach is often called vibe coding: developers define the idea, desired behaviour and high-level architecture, while AI handles much of the implementation.
The benefits are significant. Applications can be prototyped faster, smaller teams can deliver more, and people with limited programming experience can transform ideas into functional software. However, faster code generation does not automatically produce secure, maintainable or production-ready systems.
The central challenge is no longer whether AI can write code. It is whether organisations can understand, test and govern that code as quickly as it is generated.
The Vulnerability Conundrum
AI-generated code often looks more reliable than it actually is. It is typically well structured, professionally formatted and capable of passing basic functional tests. Yet functional code is not necessarily secure code.
Large-scale security evaluations suggest that approximately 45% of AI-generated code contains security weaknesses, compared with an estimated 25% to 30% baseline for human-written code. More advanced models have not consistently closed this gap.
The problem becomes more visible when security depends on context. AI performs relatively well against familiar risks such as SQL injection, but struggles with vulnerabilities requiring deeper data-flow understanding, including cross-site scripting and log injection.
An LLM may know that input should be sanitised. What it often lacks is a complete understanding of where the input originated, how it moved through the application and how another component will eventually interpret it.
This allows AI to generate syntactically correct code without understanding the full threat environment surrounding it.
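The log-injection case mentioned above, as an added example that is not part of the original article: the same logging call is correct or unsafe depending on how the log is later read. The function names, log format and sample username are assumptions made for the illustration.

```python
import io
import logging

def make_logger(stream):
    """Logger that writes one 'LEVEL message' record per line to stream."""
    logger = logging.getLogger(f"demo-{id(stream)}")
    logger.handlers.clear()
    logger.setLevel(logging.INFO)
    logger.propagate = False
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    return logger

def neutralise(value):
    """Escape backslashes and non-printable characters (CR, LF, ...) so the
    value cannot start a new record in a line-oriented log."""
    return "".join(
        ch if ch.isprintable() and ch != "\\"
        else ch.encode("unicode_escape").decode("ascii")
        for ch in value
    )

def log_failed_login_unsafe(logger, username):
    # Works for ordinary input, but ignores that the sink is a log file
    # that another component later parses line by line.
    logger.info("login failed for user=%s", username)

def log_failed_login_safe(logger, username):
    logger.info("login failed for user=%s", neutralise(username))

def records_seen_by_parser(log_fn, username):
    """Return the records a line-based log parser would read."""
    buf = io.StringIO()
    log_fn(make_logger(buf), username)
    return [line for line in buf.getvalue().splitlines() if line]

# Constructed input: a "username" that carries a forged second record.
FORGED = "alice\nINFO login succeeded for user=admin"

if __name__ == "__main__":
    print(records_seen_by_parser(log_failed_login_unsafe, FORGED))
    print(records_seen_by_parser(log_failed_login_safe, FORGED))
```

Both variants pass a functional test with an ordinary username; only a negative test with control characters in the input separates them.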
Professional-Looking Code and False Confidence
The polished appearance of AI-generated code can also create automation bias.
Developers may review poorly structured human-written code carefully because its weaknesses are visible. AI output, however, often appears clean and confident, encouraging reviewers to assume that the implementation has already been properly reasoned through.
Research on pull requests has found that AI-assisted contributions can contain more total issues, more security-specific weaknesses and significantly more readability problems than human-written contributions.
The work saved during initial implementation may therefore reappear later as additional code review, debugging, security testing and maintenance.
Productivity should not be measured by how much code AI generates. It should be measured by how much secure and maintainable software reaches production.

A Larger Attack Surface
AI coding tools are evolving from simple suggestion engines into autonomous agents. They can inspect repositories, modify files, install dependencies, execute commands and interact with development infrastructure.
This makes them more useful, but also expands the attack surface.
Malicious instructions can be hidden inside source-code comments, documentation, issue tickets or third-party libraries. An AI agent processing this material may interpret these instructions as legitimate context. This creates indirect prompt-injection risks that may lead to data exposure, unsafe code changes or unauthorised actions.
As coding assistants become capable of acting rather than merely suggesting, access control becomes critical. Agents should operate with limited permissions, isolated environments and human approval for high-impact actions.

Secrets and Dependency Risks
AI-assisted development also increases the risk of exposing API keys, credentials and access tokens.
In 2025, millions of new secrets were detected in public code repositories. AI-generated examples may include hardcoded credentials or encourage developers to place sensitive information directly inside configuration files.
Security controls should therefore operate before code reaches the central repository. Organisations need pre-commit secret detection, short-lived credentials, automated rotation and strict separation between development and production access.
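One way to implement the pre-commit check described above, as an added example that is not from the original article: it scans only the added lines of a staged unified diff (the text `git diff --cached` produces). The rule set, entropy threshold and sample diff are assumptions, and the key ID in the sample is AWS's documented example value.

```python
import math
import re
from collections import Counter

RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
]
# Generic "name = 'literal'" assignments; reported only if the literal looks random.
ASSIGNMENT = re.compile(
    r"(?i)\w*(?:password|passwd|secret|token|api_?key)\w*\s*[:=]\s*['\"]([^'\"]{12,})['\"]")

def shannon_entropy(text):
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())

def scan_staged_diff(diff_text, min_entropy=3.5):
    """Return (file, line_no, rule) for each suspicious added line in a unified diff."""
    findings, path, line_no = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[6:] if raw.startswith("+++ b/") else raw[4:]
        elif raw.startswith("@@"):
            # "@@ -a,b +c,d @@": c is the first line number in the new file.
            line_no = int(re.search(r"\+(\d+)", raw).group(1)) - 1
        elif raw.startswith("+"):
            line_no += 1
            added = raw[1:]
            for name, pattern in RULES:
                if pattern.search(added):
                    findings.append((path, line_no, name))
            m = ASSIGNMENT.search(added)
            if m and shannon_entropy(m.group(1)) >= min_entropy:
                findings.append((path, line_no, "high-entropy-assignment"))
        elif raw.startswith(" "):
            line_no += 1  # unchanged context line still advances the counter
    return findings

# Constructed sample of a staged change; all values are placeholders.
SAMPLE_DIFF = """\
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,2 +10,5 @@ DEBUG = False
 REGION = "eu-west-1"
+AWS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+db_password = os.environ["DB_PASSWORD"]
+API_TOKEN = "q9Zr4Lw2Xb7Tn5Vk8Hd3"
 TIMEOUT = 30
"""
```

A hook built on this would exit non-zero when `scan_staged_diff` returns any finding, which blocks the commit before the value reaches the central repository.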
Dependencies create another risk. AI tools sometimes recommend outdated, vulnerable or entirely fictional packages. Attackers can register these hallucinated package names on public registries and distribute malicious code through a technique known as hallucination squatting.
Every AI-recommended dependency should be verified, scanned and recorded in a software bill of materials. Autonomous package installation should require approval.
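A sketch of the dependency gate described above, as an added example that is not from the original article: each proposed requirement is checked against an approved inventory before anything is installed. The inventory contents, status strings and proposed list are hypothetical, and `example-hallucinated-pkg` is a made-up name.

```python
import re
from difflib import get_close_matches

# Hypothetical approved inventory (e.g. derived from the organisation's SBOM).
APPROVED = {
    "requests": {"2.32.3"},
    "cryptography": {"43.0.1"},
    "pyyaml": {"6.0.2"},
}
REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:==\s*([\w.]+))?\s*$")

def normalise(name):
    """PEP 503 name normalisation: lower-case, runs of -_. become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def review_requirements(text, approved=APPROVED):
    """Classify each requirement; anything not 'approved' needs human sign-off."""
    results = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = REQ_LINE.match(line)
        if not m:
            results[line] = "unparseable: review manually"
            continue
        name, version = normalise(m.group(1)), m.group(2)
        if name not in approved:
            # A near-miss on an approved name is a typical squatting pattern.
            near = get_close_matches(name, approved, n=1, cutoff=0.8)
            hint = f" (resembles approved '{near[0]}')" if near else ""
            results[name] = "unknown package: verify it exists and who publishes it" + hint
        elif version is None:
            results[name] = "unpinned: pin to an approved version"
        elif version not in approved[name]:
            results[name] = f"version {version} not in approved set"
        else:
            results[name] = "approved"
    return results

# Constructed input: a requirements list as an assistant might propose it.
PROPOSED = """\
requests==2.32.3
PyYAML            # no version given
cryptography==3.2
reqeusts==2.32.3
example-hallucinated-pkg==1.0.0
"""
```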
Faster Code, Greater Technical Debt
AI makes it inexpensive to create new code, but it does not always encourage developers to improve or reuse existing code.
Instead of identifying an existing abstraction, an AI assistant may generate another function that solves the same problem. Repeated across a large codebase, this behaviour creates duplicated logic, inconsistent validation and fragmented error handling.
This is not only technical debt. It is also security debt.
When a vulnerability is discovered in duplicated code, every version must be located and corrected. As the codebase becomes larger and more repetitive, it becomes harder for both developers and security tools to understand.
Ownership, Compliance and Accountability
AI-assisted development also changes how organisations should approach intellectual property and regulation.
Copyright protection generally requires meaningful human authorship. Businesses should therefore retain evidence of human contribution, including architecture decisions, requirements, Git history, reviews and substantive code modifications.
Generated code should also be scanned for open-source licence conflicts. AI output may reproduce or resemble code governed by restrictive licences, creating potential compliance risks.
Data protection is equally important. Prompts, source code and uploaded files may contain personal, financial or commercially sensitive information. Organisations must confirm that their AI service, deployment model and contractual terms support applicable requirements.
Under the EU AI Act, standard coding tools are not automatically considered high-risk. However, stricter obligations may apply when AI is used in employee evaluation, critical infrastructure or regulated products.
AI coding governance must therefore form part of the organisation’s broader AI and risk-management strategy.
Building Secure AI-Assisted Development
Traditional application security testing remains essential, but it must evolve. Higher volumes of generated code produce more findings, making manual review increasingly difficult.
Organisations need security controls throughout the development lifecycle:
| Development stage | Essential control |
|---|---|
| Planning | Version-controlled requirements and threat models |
| Coding | Secure templates, dependency policies and secret scanning |
| Pull requests | Human review, SAST, dependency and licence analysis |
| Testing | Negative testing, abuse cases and dynamic security testing |
| Deployment | Least privilege, signed artefacts and approval gates |
| Operations | Logging, monitoring and credential rotation |
Spec-driven development can provide the necessary foundation. Version-controlled files such as AGENTS.md, SECURITY.md and architecture decision records can define approved technologies, security boundaries and forbidden actions for both humans and AI agents.
Agents working in parallel should also use isolated branches, containers or Git worktrees. No agent should have unrestricted production access.

The Future Belongs to Governed Speed
AI-assisted development does not make software engineering less important. It changes where engineering value is created.
Developers will spend less time writing every implementation detail and more time defining requirements, setting boundaries, reviewing decisions and validating outcomes.
The organisations that succeed will not be those generating the most code. They will be those capable of transforming AI-generated output into secure, maintainable and trusted software.
AI provides speed. Disciplined engineering turns that speed into sustainable value.


