AI's Productivity Boom Creates a Looming Security Debt for Enterprises
- 90% of security leaders are concerned about risks from AI-generated code.
- 67% of organizations have widespread adoption of AI coding assistants.
- 45% of AI-written code contains security flaws.
Experts agree that while AI coding assistants significantly boost productivity, they introduce substantial security risks that current governance frameworks are ill-equipped to handle, creating a growing 'security debt' for enterprises.
PALO ALTO, CA – June 02, 2026 – A powerful new signal of business vulnerability is emerging from the very engine of corporate innovation: the software development lifecycle. New research reveals that while enterprises are rapidly embracing AI coding assistants to accelerate productivity, their security and governance practices are failing to keep pace. A study released today by API security firm Salt Security found that a staggering nine in ten security leaders are concerned about the risks introduced by AI-generated code, exposing a critical disconnect between speed and safety.
This growing tension represents more than a technical challenge; it's a strategic inflection point. As AI tools generate an ever-increasing percentage of enterprise software—approaching nearly half of all new code according to the report—organizations are inadvertently accumulating a new form of security debt, one that is automated, scalable, and largely invisible to traditional oversight.
The Widening Gap Between Velocity and Vulnerability
The adoption of AI coding assistants like GitHub Copilot and Gemini Code Assist has been swift and decisive. The Salt Security report, titled 'AI Coding Assistants and the New Security Challenge,' indicates that 67% of organizations now have widespread adoption across their development teams. This trend is corroborated by broader industry data, with some surveys showing that over 75% of developers now use AI tools in their workflow. The productivity gains are undeniable, allowing developers to focus on high-level logic while AI handles boilerplate implementation.
However, this velocity comes at a price. The research highlights a dangerous reliance on outdated security processes. A concerning 38% of organizations still depend primarily on manual code reviews to catch flaws in AI-generated code—a practice ill-suited for the sheer volume and speed of machine-driven development. This mismatch creates the conditions for what Salt Security calls "security drift," where vulnerabilities are introduced into codebases faster than security teams can identify and remediate them.
"AI coding assistants are fundamentally changing how software is built, but governance has not kept pace," said Roey Eliyahu, CEO and co-founder at Salt Security. "Most organizations recognise the risks, but many are still trying to manage AI-generated code using security processes designed for a pre-AI world. That approach does not scale."
This challenge is particularly acute in larger enterprises. The study found that organizations with more than 500 employees were significantly more likely to report struggles with enforcement consistency, developer overreliance on AI, and the complexity of governing AI use across distributed teams. The signal is clear: as AI adoption scales, so does the governance gap.
Decoding the 'Security Drift': New Risks in the Age of AI Code
The risks associated with AI-generated code are not merely theoretical. Industry analysis from firms like Veracode has found that as much as 45% of code written by AI contains security flaws. These vulnerabilities manifest in several critical ways. AI models, trained on vast datasets of public code, frequently reproduce insecure coding patterns that can lead to common exploits like SQL injection and cross-site scripting.
Beyond flawed patterns, AI assistants have been observed introducing other significant risks. One study noted a 40% rise in exposed secrets, such as API keys and credentials, hardcoded directly into AI-generated projects. Furthermore, these tools can suggest or "pin" outdated and vulnerable open-source libraries, leaving a hidden, ticking time bomb in an application's dependencies. This has already led to real-world incidents, including one where an AI-generated service inadvertently pulled in a vulnerable library that resulted in a cryptominer infection.
This new paradigm has also fostered a "false sense of confidence" among developers. One security leader noted they are "concerned about the questionable integrity of code produced with generative AI," a sentiment echoed by research showing that developers using AI assistance sometimes write less secure code while mistakenly believing it is safe. This automation bias, combined with the sheer speed of development, means that critical security checks are often overlooked. The result is a growing portfolio of applications built on a foundation of unvetted, machine-generated code.
Forging a New Governance Frontier
To close this widening security gap, forward-thinking organizations are beginning to treat AI coding assistants not just as developer tools, but as a critical new component of the software supply chain. This strategic shift requires moving beyond manual spot-checks toward a model of embedded, automated, and policy-driven governance.
The industry is responding with a new class of security solutions. Salt Security itself has launched 'Salt Code' to enforce policies within AI assistants. Competitors like Snyk and Checkmarx are also deploying AI-powered platforms. Snyk's Agent Fix autonomously generates and validates code fixes, while Checkmarx One Developer Assist provides real-time security guidance directly within AI-native IDEs. The common thread is a "shift left" approach, integrating static application security testing (SAST), software composition analysis (SCA), and secrets detection directly into the developer's workflow and the CI/CD pipeline.
This automated-first strategy does not eliminate human oversight but refines its role. By automating the detection of common vulnerabilities, security teams and senior developers can focus their expertise on complex architectural reviews and high-impact business logic, adopting a more effective "human-in-the-loop" posture. Empowering developers with both the tools to find flaws and the training to understand them is becoming the cornerstone of modern DevSecOps.
The Regulatory Horizon and Board-Level Imperative
The challenge of securing AI-generated code is quickly escalating from a technical issue to a board-level compliance concern. Regulators are taking notice, and frameworks like the EU AI Act are set to impose stringent new requirements on how AI-assisted software is developed, deployed, and governed. With its extraterritorial reach, the Act will apply to any company whose products are used in the EU, mandating risk management, data quality controls, and human oversight for high-risk AI systems.
Failure to comply carries the risk of substantial fines and, more critically, loss of market access. In the US, the NIST AI Risk Management Framework is similarly shaping expectations for transparency and accountability. For executives and board members, this means AI governance is no longer optional. It is an essential component of corporate risk management.
As organizations continue to harness AI for competitive advantage, their ability to manage its inherent risks will become a key differentiator. The momentum is undeniable, but sustainable growth will belong to those who can balance the velocity of innovation with the vigilance of robust, modern security governance.