Enterprises are shipping AI-generated code despite inherent security vulnerabilities
AI-generated code is now part of almost every large enterprise’s production environment. According to Checkmarx’s global survey of 2,350 CISOs, AppSec managers, and developers across 14 countries, nearly half of all active production code today is created by AI. That speed and efficiency come with risk that too many companies are ignoring. The same report confirmed that 93% of enterprises have suffered at least one security breach linked to in-house developed apps. Even more concerning, companies that rely on AI for 81–100% of their code ship vulnerable code 3.4 times more often than those that use it far less.
The deeper problem is human decision-making. Many teams knowingly release vulnerable software, hoping issues won’t be discovered before the next product update. Roughly three-quarters of enterprises admit to deploying code with known vulnerabilities, while 30% openly acknowledge shipping compromised code under pressure to deliver faster returns.
For executive leaders, this is a governance and accountability challenge. AI allows for unmatched velocity, but speed without security creates future liabilities. Breaches lead to more than financial loss: they erode trust and disrupt growth. Success here starts with leadership discipline: aligning innovation targets with clear security thresholds. Structuring incentives to value secure delivery over pure velocity is the sustainable path forward. Leaders who master this balance will dominate the next decade of digital transformation.
Developers face systemic constraints that favor rapid code delivery over robust security
Developers are trapped by design. The Checkmarx report shows that even though nearly all developers have access to security tools, code is continuously secured only 18% of the time. This gap isn’t because developers don’t care about security. It’s because they’re under constant pressure from leadership and market demands to push features out quickly. Fast iteration and high release frequency have become the standard, often leaving security measures lagging behind delivery priorities.
Security, in many organizations, still sits apart from development. Teams work in silos, and security feedback often arrives too late to be actionable. The result: delayed fixes, reactive firefighting, and an ongoing cycle where the same vulnerabilities recur. Developers face additional friction from tool sprawl: too many disconnected systems that provide unclear guidance or overwhelming noise, slowing action rather than enabling it.
Executives should treat this as a structural problem. The smartest move is to embed security directly into the development workflow, at the point where code is written, tested, and deployed. Bringing security closer to real-time operations means developers no longer need to trade off speed for protection. It also means that leadership must invest in automation that ensures consistent, continuous protection without adding friction. This approach aligns accountability, improves outcomes, and allows teams to innovate with confidence.
Speed is valuable, but secure speed wins. As AI-driven development accelerates, integrating security from the start must become as natural as writing the first line of code.
Overconfidence and outdated governance models exacerbate the risk of deploying insecure AI-generated software
A growing number of enterprises overestimate their readiness for the AI-driven future. According to Checkmarx’s research, 42% of organizations that describe themselves as “highly mature” in AI still ship the most vulnerable code. Their breach rates are nearly identical to companies with far less developed AI capabilities. This pattern shows that self-confidence in AI maturity doesn’t equal security competence. Only 22% of surveyed organizations have formal governance frameworks specifically designed to oversee AI-generated development.
The problem is structural. Most enterprises continue to govern AI development using compliance frameworks built for a slower, human-paced era of coding. Manual code reviews and periodic audits cannot keep up with the velocity of AI code production. Human teams simply can’t evaluate the millions of lines of code being generated and deployed each week. This mismatch creates a governance lag, a space where vulnerabilities persist unnoticed or unaddressed.
For executives, the takeaway is clear. Traditional compliance approaches no longer protect against high-speed, high-volume AI development cycles. Leadership must evolve governance to match the new pace of creation. This means real-time oversight mechanisms supported by automated threat detection, continuous validation, and AI-specific compliance standards. Overconfidence blinds an organization to its weak points; structured governance exposes and manages them. Enterprises that recognize this now can build security into their growth trajectory rather than bolting it on afterward.
The evolution of agentic AI models significantly accelerates the exploitation of vulnerabilities
The threat landscape has changed dramatically with the emergence of agentic AI models capable of independent analysis and action. Anthropic’s Mythos and Project Glasswing systems represent this next generation. Mythos has demonstrated the ability to identify and exploit vulnerabilities within minutes, an acceleration that renders traditional security practices obsolete. Project Glasswing uncovered thousands of previously unknown flaws across major operating systems and browsers, highlighting the unprecedented pace at which these systems can operate.
Checkmarx’s report makes it clear: “Mythos-class models collapse the window between a vulnerability existing and a working exploit being available from months to minutes.” This speed is the real game-changer. Human teams still operate on investigation and review cycles measured in days or weeks. In contrast, these AI systems run continuous scanning and exploitation within seconds, leaving enterprises exposed long before their defenses can adapt.
For leadership, this demands a new defensive posture. Security must become proactive and adaptive. Organizations can no longer depend solely on human-controlled review processes or static toolsets. Executive priorities should shift toward intelligent, automated security architectures that detect and respond in real time. AI tools must be part of the defense ecosystem.
Anthropic’s contribution underscores a powerful truth: the same intelligence that introduces risk can also be harnessed to contain it. The enterprises that will maintain resilience in the coming years are those that integrate AI not only into how they build but also into how they defend. They will be positioned to limit exposure, respond faster, and lead confidently in a landscape where vulnerability cycles no longer favor human reaction time.
Integrating automated, AI-native security measures into development workflows is urgently needed
Security can no longer exist as a separate function within the software lifecycle. The Checkmarx report emphasizes that the next step for enterprises is to embed security directly into development environments, within the integrated development environment (IDE), the pipeline, and AI-assisted workflows. This integration ensures that security checks, risk prioritization, and vulnerability remediation occur during design and development, not after deployment. The report specifically stresses the necessity of systems that allow risks to be “prioritized, remediated, and resolved, all within the systems that they operate in.”
This model calls for automation at every stage of the process. Human gatekeeping (reviews, sign-offs, and manual triage) cannot keep up with the scale and frequency of modern code generation. Automated systems that assess, flag, and resolve security risks instantly can transform how organizations manage their threat surface. By removing friction between development and security, enterprises can remove delays, improve accountability, and strengthen risk response. The model’s success depends on efficient orchestration between tools, teams, and intelligence systems, the three components that define how modern software operations should function.
For C-suite leaders, this should be treated as a central business initiative, not a back-end technical priority. Integrating AI-native security ensures that governance, compliance, and performance align under one architecture. It requires investment in platform unification to reduce tool fragmentation, which continues to drain productivity and clarity across large technology teams. Executives should define tool ownership frameworks and deploy automated oversight systems capable of responding faster than human teams can react.
The opportunity is clear: when security becomes a built-in process rather than a delayed review, the entire enterprise becomes more resilient and agile. With AI development cycles expanding and external threats accelerating, automating security at the source is the only sustainable path forward. For organizations serious about long-term competitiveness, embedding AI-driven intelligence into every layer of workflow is foundational.
Key takeaways for leaders
- AI code is accelerating faster than enterprise security discipline: Most enterprises are deploying AI-generated code knowing it’s insecure. Leaders should recalibrate incentives to prioritize secure delivery over speed, as unchecked risk is now a strategic liability.
- Developer limits are a structural problem: Developers are pressured to release fast without proper support. Executives should integrate real-time security into workflows so protection scales naturally with output.
- Confidence without governance is exposing enterprises to risk: Nearly half of “mature” AI adopters deliver weak code due to outdated oversight. Leadership must modernize governance and embed AI-specific compliance mechanisms that evolve at the same speed as development.
- AI threats move at machine speed while defenses remain human-paced: Agentic AI models like Anthropic’s Mythos and Project Glasswing exploit vulnerabilities in minutes. Decision-makers must invest in adaptive, automated defenses capable of monitoring and responding in real time.
- Security must be embedded, automated, and continuous: Manual triage and fragmented tools cannot keep up with AI-scale coding. Executives should unite development and security systems under automated, AI-native architectures that detect, prioritize, and resolve risks as code is built.