95% of CISOs Admit to Suppressing Security Findings

The Issue at Hand

Between late 2024 and early 2025, Checkmarx commissioned Censuswide to survey security and development leaders in organizations using AI code generation tools. The findings revealed a critical issue in application security operations: while AI-powered detection tools identified vulnerabilities at unprecedented rates, 95% of CISOs reported pressure to suppress or delay compliance-related security findings. Organizations with high AI code adoption (81-100% of production code) shipped vulnerable code at 3.4 times the rate of those with minimal AI adoption (1-20%).

This is not an isolated incident but evidence of a systemic failure affecting organizations across the industry.

Timeline of Events

Q4 2024: The survey was conducted among security leaders at organizations where AI-generated code constitutes a significant portion of production systems. At this time, 49% of production code across surveyed organizations was AI-generated.

Q1 2025: The results were published, showing that the gap between detection and remediation had widened despite increased investment in AI-powered security scanning tools. The data revealed significant perception gaps between CISOs, AppSec managers, and developers regarding vulnerability severity and remediation timelines.

Current State: Organizations continue deploying AI code generation at scale without adequate security review processes to handle the volume of findings these tools produce.

Failed or Missing Controls

The research highlighted failures in several control areas:

Vulnerability Management: Your team likely has a process for triaging and remediating findings from traditional SAST/DAST scans. However, AI-generated code has changed the baseline volume and ratio of true positives to noise. The 3.4x increase in vulnerable code shipments at high-AI-adoption organizations suggests these teams didn't scale their remediation capacity to match their new risk profile.

Code Review Gates: If 49% of your production code is AI-generated and you're shipping vulnerabilities at elevated rates, your pre-commit and pre-merge review processes aren't catching AI-introduced flaws. This indicates missing or inadequate security requirements in your CI/CD pipeline.

Risk Acceptance Authority: When 95% of CISOs report pressure to suppress findings, the organizational structure for security decision-making has failed. Someone with budget authority but insufficient security context is overriding technical risk assessments.

Developer Training: The perception gaps between roles indicate developers weren't equipped to evaluate AI-generated code for security implications. If your developers can't spot when an LLM introduces an SQL injection or hardcodes a credential, your secure coding training program needs updating.

Compliance Standards and Requirements

PCI DSS v4.0.1 Requirement 6.3.2 mandates that custom software be developed based on industry standards and incorporate information security throughout the software development lifecycle. If half your codebase is AI-generated and you're shipping vulnerabilities at 3x normal rates, you're not meeting this requirement.

OWASP ASVS v4.0.3 Section 1.2 (Authentication Architecture) and Section 5.1 (Input Validation) define verification requirements that apply regardless of code origin. Your verification process must catch these failures before deployment.

ISO/IEC 27001:2022 Control 8.25 (Secure Development Lifecycle) requires you to establish and apply rules for the secure development of software. If you've integrated AI code generation into your workflow without updating your SDL rules to account for AI-specific risks, you're not maintaining this control.

NIST 800-53 Rev 5 SA-11 (Developer Testing and Evaluation) requires security testing at multiple stages of the development cycle. The pressure to suppress findings suggests organizations are conducting the testing but failing to act on results.

Actionable Steps for Your Team

Treat AI-Generated Code as Untrusted Input: Implement mandatory security reviews for AI-generated functions, especially those handling authentication, authorization, or data validation.

Recalibrate Your Vulnerability SLAs: If you're shipping 3.4x more vulnerabilities, your existing remediation timelines are insufficient. Calculate your current mean time to remediate (MTTR) for critical findings and adjust accordingly.

Fix the Risk Acceptance Process: Document who has authority to accept security risks and under what conditions. Create a risk acceptance form that requires sign-off from both the CISO and the business owner, with explicit acknowledgment of compliance implications.

Instrument Your AI Code Generation: Tag AI-generated code in your repository to track vulnerability rates by source. Use this data to adjust your review processes and training.

Update Your SDL Documentation: Add explicit guidance on reviewing AI-generated code. Train your developers on common LLM failure modes: hardcoded secrets, missing input validation, broken access control.
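The two failure modes named above, hardcoded secrets and SQL built by string formatting, are both visible in a function's syntax tree before it is ever merged, which makes them a natural pre-merge gate for the "treat AI-generated code as untrusted input" step. The following checker is an added example, not code from the article or from Checkmarx; the secret-name pattern, the `execute`/`executemany` method names and the two sample functions are assumptions constructed for illustration.

```python
"""Minimal AST-based review gate for Python functions: flags two common LLM
failure modes named in the article, SQL built by string formatting and
hardcoded credentials. Added example with constructed samples."""
from __future__ import annotations
import ast
import re
from dataclasses import dataclass

# Variable names that suggest a secret when bound to a string literal (assumed list).
SECRET_NAME = re.compile(r"(password|passwd|secret|api_key|apikey|token)", re.I)
# DB-API cursor methods whose first argument is SQL text (assumed list).
SQL_METHODS = {"execute", "executemany"}


@dataclass
class Finding:
    line: int
    rule: str
    detail: str


def _is_dynamic_string(node: ast.AST) -> bool:
    """True if the expression builds a string at runtime from other values."""
    if isinstance(node, ast.JoinedStr):              # f"... {x} ..."
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                   # "..." + x  or  "..." % x
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"             # "...".format(x)
    return False


class _Reviewer(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: list[Finding] = []

    def visit_Call(self, node: ast.Call) -> None:
        # cursor.execute(<string built at runtime>, ...) -> injection-prone query
        if (isinstance(node.func, ast.Attribute)
                and node.func.attr in SQL_METHODS
                and node.args
                and _is_dynamic_string(node.args[0])):
            self.findings.append(Finding(node.lineno, "sql-string-build",
                                         "query built by string formatting; pass parameters instead"))
        self.generic_visit(node)

    def visit_Assign(self, node: ast.Assign) -> None:
        # password = "literal" -> credential committed to the repository
        if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
            for target in node.targets:
                if isinstance(target, ast.Name) and SECRET_NAME.search(target.id):
                    self.findings.append(Finding(node.lineno, "hardcoded-secret",
                                                 f"{target.id} is assigned a string literal"))
        self.generic_visit(node)


def review(source: str) -> list[Finding]:
    """Parse one source file and return its findings ordered by line."""
    reviewer = _Reviewer()
    reviewer.visit(ast.parse(source))
    return sorted(reviewer.findings, key=lambda f: f.line)


# Constructed sample: what an unreviewed generated function might look like.
GENERATED_SAMPLE = '''
import sqlite3
DB_PASSWORD = "hunter2"

def find_user(conn, username):
    cur = conn.cursor()
    cur.execute(f"SELECT * FROM users WHERE name = '{username}'")
    return cur.fetchall()
'''

# Constructed sample: the same function after review (parameterised query, secret from env).
REVIEWED_SAMPLE = '''
import os
import sqlite3
DB_PASSWORD = os.environ["DB_PASSWORD"]

def find_user(conn, username):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = ?", (username,))
    return cur.fetchall()
'''

if __name__ == "__main__":
    for label, src in (("generated", GENERATED_SAMPLE), ("reviewed", REVIEWED_SAMPLE)):
        findings = review(src)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  line {f.line}: {f.rule}: {f.detail}")
```

Run in CI, a non-empty result from `review()` on any file touched by a generated change is the signal to route that change to a human security reviewer rather than merge it; the checker is deliberately narrow so that its findings are cheap to act on, which is the point the article makes about the gap after detection.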

Measure the Gap Between Detection and Remediation: Track time from scan completion to fix deployment for each vulnerability severity level. Address process problems that prevent timely remediation.
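The three measurements asked for in the steps above, MTTR per severity level, findings past their SLA, and vulnerability rates by code source, can all be computed from the same finding records once each record carries a scan-completion time, a fix-deployment time and a source tag. The script below is an added example, not tooling from the article or from Checkmarx; the record layout, the `ai`/`human` tag values, the SLA days and the sample findings are assumptions constructed for illustration.

```python
"""Remediation metrics over scanner findings: MTTR per severity, findings past
SLA, and findings normalised by the share of code each source contributes.
Added example with a constructed sample; adapt the record layout to your scanner."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Finding:
    finding_id: str
    severity: str            # "critical" | "high" | "medium" | "low"
    source: str              # "ai" or "human", taken from a repository tag (assumed convention)
    detected: datetime       # scan completion time
    fixed: datetime | None   # fix deployment time, None while still open


# Remediation SLA per severity in days (assumed policy; replace with your own).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def mttr_by_severity(findings: list[Finding], unit: timedelta = timedelta(days=1)) -> dict[str, float]:
    """Mean detection-to-fix time per severity, over findings that have been fixed."""
    totals: dict[str, float] = defaultdict(float)
    counts: dict[str, int] = defaultdict(int)
    for f in findings:
        if f.fixed is not None:
            totals[f.severity] += (f.fixed - f.detected) / unit
            counts[f.severity] += 1
    return {sev: totals[sev] / counts[sev] for sev in counts}


def past_sla(findings: list[Finding], now: datetime, sla: dict[str, int] = SLA_DAYS) -> list[str]:
    """IDs of findings whose fix time (or age, if still open) exceeds the SLA."""
    late = []
    for f in findings:
        end = f.fixed or now
        if end - f.detected > timedelta(days=sla[f.severity]):
            late.append(f.finding_id)
    return late


def counts_by_source(findings: list[Finding]) -> dict[str, int]:
    """Raw number of findings attributed to each code source tag."""
    out: dict[str, int] = defaultdict(int)
    for f in findings:
        out[f.source] += 1
    return dict(out)


def findings_per_code_share(findings: list[Finding], code_share: dict[str, float]) -> dict[str, float]:
    """Findings divided by the fraction of the codebase each source contributes.

    Comparing the 'ai' and 'human' values gives the kind of ratio the survey
    reports (vulnerable shipments at high AI adoption vs. low adoption)."""
    return {src: n / code_share[src] for src, n in counts_by_source(findings).items()}


# Constructed sample of findings (not real scan data).
D = datetime
SAMPLE = [
    Finding("F-1", "critical", "ai",    D(2025, 1, 6), D(2025, 1, 10)),   # fixed in 4 days
    Finding("F-2", "critical", "ai",    D(2025, 1, 6), D(2025, 1, 20)),   # 14 days, past 7-day SLA
    Finding("F-3", "critical", "human", D(2025, 1, 8), D(2025, 1, 11)),   # 3 days
    Finding("F-4", "high",     "ai",    D(2025, 1, 8), None),             # still open
    Finding("F-5", "high",     "ai",    D(2025, 1, 9), D(2025, 1, 29)),   # 20 days
    Finding("F-6", "medium",   "human", D(2025, 1, 9), D(2025, 2, 8)),    # 30 days
]
NOW = D(2025, 2, 15)
# Assumed share of production code by source (the article's 49% figure for AI-generated code).
CODE_SHARE = {"ai": 0.49, "human": 0.51}

if __name__ == "__main__":
    print("MTTR (days) by severity:", mttr_by_severity(SAMPLE))
    print("Past SLA:", past_sla(SAMPLE, NOW))
    print("Findings by source:", counts_by_source(SAMPLE))
    print("Findings per unit of code share:", findings_per_code_share(SAMPLE, CODE_SHARE))
```

Open findings count against the SLA from the moment the scan completes, so `past_sla()` surfaces the backlog that a suppressed or delayed finding creates rather than only the slow fixes that eventually shipped.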

The detection tools are working. The problem is what happens after detection. Fix that, or stop deploying AI-generated code at scale.
