Bottom line: Companies know that AI-generated code contains critical security gaps, yet deploy it at scale, sometimes deliberately, without fixing them.
A Checkmarx report shows: approximately half of production code is generated by AI tools, yet companies are aware of security vulnerabilities and ship the code anyway – sometimes deliberately hoping that weaknesses go undetected.
According to a survey of 2,350 CISOs, AppSec managers and developers from 14 countries, the reality check is devastating: companies that have between 81 and 100 percent of their code generated by AI ship vulnerable software 3.4 times more frequently than organizations that keep AI usage below 20 percent. 70 percent of surveyed developers confirm that AI-generated code introduced security vulnerabilities in 2025.
Despite these findings, a “normalization of risk” has taken hold: 75 percent of companies deliberately deploy vulnerable software under pressure to achieve faster profits. About 30 percent even admit to shipping compromised software and hoping that the vulnerability is not discovered. More than a third leave known security defects unaddressed for over 90 days. Simultaneously, 93 percent of all surveyed organizations experienced at least one security breach through their own applications.
A central problem: the bottleneck is not in detecting vulnerabilities, but in the organizational decision to ignore them. AppSec teams are often limited to reactive incident response, while developers only consider security continuously in 18 percent of cases – despite being equipped with security tools. Developers are thus systematically placed in a situation where they must prioritize speed and delivery volume over security.
Also alarming is the overestimation of their own capabilities: companies that rate themselves as “highly mature” AI organizations ship particularly vulnerable software in 42 percent of cases, and their breach rates hardly differ from those of less mature competitors. Only 22 percent of organizations have established formal AI governance; manual code reviews still dominate as the standard for compliance checking. This creates a dangerous mismatch between the speed of software creation and the pace of governance controls.
Source: www.csoonline.com · Published June 10, 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.6.5.