Majority of Organizations Ship Vulnerable Code, Study Finds

As AI-generated code becomes more mainstream, a new study by Checkmarx reveals that 81% of organizations knowingly ship vulnerable code.

According to a study of 1,500 CISOs, AppSec managers and developers, half of respondents already use AI security code assistants, and 34% admitted that more than 60% of their code is AI-generated.

This is despite the fact that AI-generated code frequently contains known vulnerability patterns unless it is explicitly reviewed or scanned.

The findings are part of a Checkmarx study titled "Future of Application Security in the Era of AI", published on 14 August 2025.

The study surveyed professionals from Europe, North America and Asia-Pacific. Regionally, 32% of European respondents said their organization often deploys code with known vulnerabilities, compared with 24% of those in North America.

The findings highlighted that 98% of respondents experienced a breach stemming from vulnerable code in the past year, a sharp rise from 91% in 2024.

Checkmarx noted that the growing adoption of AI coding assistants is eroding developer ownership and expanding the attack surface.

Within the next 12 to 18 months, 32% of respondents expect Application Programming Interface (API) breaches via shadow APIs or business logic attacks.

Code Development Lacks Security Governance

Fewer than half of respondents reported deploying foundational application security tooling such as dynamic application security testing (DAST) or infrastructure-as-code (IaC) scanning.

Meanwhile, only half of the organizations surveyed actively use core DevSecOps tools, and just 51% of North American organizations report having adopted DevSecOps.

“The velocity of AI‑assisted development means security can no longer be a bolt‑on practice. It has to be embedded from code to cloud,” said Eran Kinsbruner, vice president of portfolio marketing at Checkmarx.

“Our research shows that developers are already letting AI write much of their code, yet most organizations lack governance around these tools. Combine that with the fact that 81% knowingly ship vulnerable code and you have a perfect storm. It’s only a matter of time before a crisis is at hand.”

To overcome the issues identified in the report, Checkmarx encourages organizations to operationalize security tooling that focuses on prevention.

The application security firm also noted that policies for AI usage need to be established. Currently, governance is lagging in this area despite AI-generated code becoming mainstream.

The report also suggests that agentic AI can be used to analyze and fix issues automatically in real time.

“AI generated code will continue to proliferate; secure software will be the competitive differentiator in the coming years,” Kinsbruner said.

The release of this report follows Checkmarx's announcement of the general availability of its Developer Assist agent, with extensions for leading AI-native integrated development environments (IDEs), including Windsurf by Cognition, Cursor and GitHub Copilot.