AI-assisted coding has crossed the line from experimental to essential. According to new research from Black Duck, nearly every organization now relies on AI tools to generate software code.
This creates a significant problem: security practices haven’t evolved at the same pace. While 95% of teams use AI-generated code, fewer than 25% apply comprehensive intellectual property, licensing, security, and quality checks to that output. This growing disconnect creates a new class of software supply chain risk that traditional AppSec programs can’t manage.
Commenting on the report, Saumitra Das—Vice President of Engineering at Qualys—said, “By 2030, 95% of code is expected to be AI-generated. Even now, in 2025, it is reported to be around 30% at large enterprises and close to 90-95% at small startups. The key word to keep in mind is generated. This is more code being generated than humans can reasonably even review for correctness, functionality, readability, and security issues.”
As the Black Duck report shows, organizations with strong software development fundamentals—dependency tracking, software bill-of-materials (SBOM) validation, automation, and compliance maturity—position themselves far better to manage this risk. Others essentially fly blind as they introduce AI-generated components into production, without visibility or accountability.
“Organizations should assume that AI-generated code expands their software supply chain risk, not just their development speed,” said Jason Soroko, a Senior Fellow at Sectigo. “Black Duck’s survey shows only 24% apply comprehensive IP, license, security, and quality evaluations to that output. This leaves large blind spots in provenance, obligations, and exploitable flaws.”
AI Coding Now the Default, Not the Exception
There is an uncomfortable reality behind the widespread use of AI-generated code in software development teams. As release cycles accelerate and developers embed AI across their workflows, securing software supply chains is no longer just a matter of open-source hygiene. It also means adapting security models for a world in which machines increasingly write the code, faster than humans can reasonably review it.
By shifting from simple code suggestions to embedding full automation for testing, debugging, deployment, and real-time monitoring, AI tools have quietly moved from developer experimentation to core production workflows. The shift has occurred as the need for speed and convenience has outpaced governance.
This essentially transforms developers into supervisors who need to validate and orchestrate AI outputs for faster, more efficient, and higher-quality software delivery. Developers must turn their focus to strategic value rather than manual coding.
The Security Gap Nobody Designed For
Traditional application security programs assume that humans write the code, following predictable development cycles and manual review processes.
This assumption is challenged by the rise of AI-generated code, which introduces new security blind spots and opaque risks into the software supply chain. This occurs primarily through a lack of transparency and explainability. Using traditional security tools, human developers find it difficult to identify hidden vulnerabilities, insecure dependencies, and potential backdoors.
That’s unfortunate because failure to apply full intellectual property (IP), licensing, security, and quality checks to software code can lead to significant risks. In the legal and financial realms, this can include IP infringement lawsuits, software license non-compliance, and contractual breaches. In addition, inadequate checks may expose internal IP by allowing competitors to copy functionality or use proprietary algorithms.
In the security arena, skipping security checks leaves software exposed to vulnerabilities like SQL injection, cross-site scripting, and buffer overflows. Cybercriminals may exploit vulnerabilities, leading to data breaches, unauthorized access to sensitive user data, and potential ransomware attacks. There’s also the consideration that data breaches resulting from security lapses can cause significant reputational harm and lead to hefty fines for privacy violations.
Developers are also likely to experience headaches from insufficient quality checks, which increase the likelihood of bugs, performance issues, and system crashes. Poor quality code is also difficult to maintain, debug, and update, leading to higher maintenance costs and slower development cycles. Then there’s the issue of user dissatisfaction since unreliable software leads to a poor user experience.
Dependency Management: The First Line of Defense
The Black Duck report notes that organizations highly effective at tracking and managing open-source dependencies are significantly more prepared (85%) to secure open-source software compared to the overall average (57%).
This is key because visibility into coding dependencies correlates strongly with application readiness. Visibility allows development teams to proactively manage vulnerabilities, compliance requirements, and performance issues before they impact deployment or production.
Dependency tracking also indicates an organization’s overall security maturity in managing software supply chain risks. Organizations that track dependencies typically also deploy automated security processes (e.g., vulnerability detection and patching) and licensing enforcement policies.
Gaining visibility into complex interdependencies indicates a shift from reactive, manual security to proactive, integrated AppSec practices. Better tracking leads to better control, faster response, and reduced risk.
Automation: The Difference Between Detection and Response
The operational cost of slow vulnerability responses within rapid software release environments includes data breaches, productivity losses due to unplanned work, team burnout, and regulatory fines. The cost of fixing vulnerabilities increases dramatically the later they are addressed in the development lifecycle.
Continuous automated monitoring addresses this by providing real-time, 24/7 visibility, which enables immediate detection of rapidly evolving threats and faster response. Periodic scanning, by contrast, provides only point-in-time snapshots, creating gaps between scans in which threats can hide.
Automation also dramatically improves remediation rates for cyber threats—primarily through machine-speed response. This approach eliminates the delays and errors inherent in manual processes and reduces the time a threat is present before being neutralized—often containing incidents in minutes or seconds.
SBOM: Paperwork or Practical Security Tool?
While an SBOM shows the list of components used in a software application, the more crucial aspect is to verify that the list is accurate, complete, and trustworthy. Collecting the list alone does not equal security; continuous validation is required.
By consistently validating SBOMs, software teams can transform third-party risk by providing supply chain visibility that generates several key benefits:
- Proactive vulnerability detection
- License compliance
- Continuous monitoring
- Vendor transparency
These capabilities illustrate why an SBOM matters even more for AI-generated code. AI introduces hidden, complex dependencies (models, data, generated snippets) that create unknowns, increasing supply chain risk, legal and licensing ambiguity, and vulnerability surface area. All of this requires a detailed SBOM to track provenance and bias and to ensure compliance and security.
Compliance Maturity as a Security Accelerator, Not a Burden
It is counterintuitive that more security controls lead to faster cyber risk remediation. While additional controls increase complexity and often slow down detection, they also provide more data and enforcement points. When optimized, controls can automate and expedite the response and recovery phases of remediation.
Finding the right balance between regulatory complexity and operational effectiveness lies in integrating compliance into daily operations through technology, unified GRC frameworks, and a strong AppSec culture. Using automation for monitoring, risk assessments, and cross-functional collaboration makes compliance inherent to efficient processes and creates synergy—where staying compliant drives better, more streamlined operations, ensures agility, and builds stakeholder trust.
Compliance frameworks can also tame AI risks by providing a structured, systematic methodology to identify, assess, mitigate, and monitor potential issues across the AI lifecycle. This ensures systems operate within legal, ethical, and secure boundaries and transforms management from a reactive, ad-hoc process to a proactive, continuous system of governance.
Rethinking Software Supply Chain Security in the AI World
AI-generated code introduces novel vulnerabilities and obfuscates traditional risk assessment methods. It also moves the source of potential flaws from human error and known outdated components to the AI model's training data. This demands new assumptions about software supply chain security.
To shift from reactive AppSec to proactive supply chain governance, software teams must gain deep visibility via SBOMs, embed security into CI/CD pipelines with policy-as-code, automate context-aware risk assessment, and foster developer ownership. With these capabilities, software teams can focus on continuous monitoring and risk mitigation before code is deployed.
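As an added example of what continuous SBOM validation (from the SBOM section above) and a policy-as-code gate in a CI/CD pipeline look like in practice, the following Python script is not code from the Black Duck report or from any vendor quoted in this article. It reconciles a constructed CycloneDX-style SBOM against a constructed requirements-style lockfile, flags components that are missing from the SBOM, listed but not installed, mismatched in version, lacking a declared license or a SHA-256 hash, or carrying a denied license, and returns a pass/fail decision a pipeline step could act on. The package names, versions, hash values, and the denied-license list are all assumptions made for the example.

```python
"""Reconcile a CycloneDX-style SBOM with a lockfile and apply a simple policy.

Added example; the SBOM, lockfile and policy below are constructed for
illustration and do not describe any real project.
"""
import json
import re

# Constructed CycloneDX-style SBOM (JSON) for a hypothetical service.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "requests", "version": "2.32.3",
     "licenses": [{"license": {"id": "Apache-2.0"}}],
     "hashes": [{"alg": "SHA-256", "content": "aa" }]},
    {"type": "library", "name": "pyyaml", "version": "6.0.1",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "leftover-helper", "version": "0.3.0",
     "licenses": [{"license": {"id": "AGPL-3.0-only"}}],
     "hashes": [{"alg": "SHA-256", "content": "bb"}]},
    {"type": "library", "name": "urllib3", "version": "2.2.2"}
  ]
}
"""

# Constructed requirements-style lockfile for the same hypothetical service.
LOCKFILE = """
requests==2.32.3
pyyaml==6.0.2
urllib3==2.2.2
cryptography==43.0.1
"""

# Assumed organizational policy: licenses that may not ship in this product.
DENIED_LICENSES = {"AGPL-3.0-only", "GPL-3.0-only", "SSPL-1.0"}

# Finding kinds that fail the pipeline gate; the rest are warnings only.
BLOCKING = {"missing_component", "unlisted_component", "version_mismatch", "denied_license"}


def _norm(name):
    """Normalize package names so 'PyYAML' and 'pyyaml' compare equal."""
    return name.lower().replace("_", "-")


def parse_lockfile(text):
    """Return {name: version} from 'name==version' lines; comments and blanks skipped."""
    pinned = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.fullmatch(r"([A-Za-z0-9_.\-]+)==([^\s;]+)", line)
        if m:
            pinned[_norm(m.group(1))] = m.group(2)
    return pinned


def parse_sbom(text):
    """Return {name: {version, licenses, hashes}} from a CycloneDX-style JSON document."""
    comps = {}
    for c in json.loads(text).get("components", []):
        licenses = []
        for entry in c.get("licenses", []):
            lic = entry.get("license")
            if lic:
                licenses.append(lic.get("id") or lic.get("name"))
        hashes = {h["alg"]: h["content"] for h in c.get("hashes", [])}
        comps[_norm(c["name"])] = {"version": c.get("version"),
                                   "licenses": licenses, "hashes": hashes}
    return comps


def validate_sbom(sbom, lock, denied):
    """Return (kind, component, detail) findings for completeness, accuracy and policy."""
    findings = []
    for name, ver in lock.items():
        if name not in sbom:
            findings.append(("missing_component", name, f"{ver} installed but absent from SBOM"))
        elif sbom[name]["version"] != ver:
            findings.append(("version_mismatch", name,
                             f"SBOM says {sbom[name]['version']}, lockfile says {ver}"))
    for name, c in sbom.items():
        if name not in lock:
            findings.append(("unlisted_component", name, "in SBOM but not in lockfile"))
        if not c["licenses"]:
            findings.append(("missing_license", name, "no license declared"))
        for lic in c["licenses"]:
            if lic in denied:
                findings.append(("denied_license", name, lic))
        if "SHA-256" not in c["hashes"]:
            findings.append(("missing_hash", name, "no SHA-256; provenance cannot be verified"))
    return findings


def policy_passes(findings):
    """True when no blocking finding is present; warnings alone do not fail the gate."""
    return not any(kind in BLOCKING for kind, _, _ in findings)


if __name__ == "__main__":
    results = validate_sbom(parse_sbom(SBOM_JSON), parse_lockfile(LOCKFILE), DENIED_LICENSES)
    for kind, component, detail in results:
        print(f"{'BLOCK' if kind in BLOCKING else 'WARN ':5} {kind:20} {component:16} {detail}")
    print("gate:", "PASS" if policy_passes(results) else "FAIL")
```

Run against the constructed inputs, the gate fails: `cryptography` is installed but undocumented, `pyyaml` is documented at the wrong version, and `leftover-helper` is an SBOM entry that nothing installs and carries a denied license. The missing-hash and missing-license findings are surfaced as warnings so the same script can be run on every build without blocking on gaps a team has not yet closed; promoting them to `BLOCKING` is a one-line policy change.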
And as AI adoption accelerates, cybersecurity leaders must prioritize securing AI pipeline data and models by implementing robust AI governance and risk policies. Leaders should also adopt defensive AI tools, such as enhancing data security posture management and encryption—all while balancing risk management with innovation.