AI has fundamentally altered the landscape of software development, impacting both how code is produced and the speed at which products are delivered to users. A recent report by Cycode, titled The 2026 State of Product Security for the AI Era, highlights the pervasive influence of AI in development processes and the corresponding security challenges organizations face. The report surveyed 400 Chief Information Security Officers (CISOs), application security leaders, and DevSecOps managers across the United States and the United Kingdom.
Key findings reveal that all organizations involved in the survey are using AI-generated code, with an astounding 97 percent employing or piloting AI coding assistants. Despite the rapid adoption of these technologies, only 19 percent of organizations maintain complete visibility into how and where AI is utilized. This lack of oversight raises significant concerns as most security leaders report an increase in overall risk since integrating AI into their systems.
Interestingly, mid-sized companies are at the forefront of AI adoption, often relying on these tools to extend the capabilities of smaller teams. Approximately one in three organizations indicate that AI is responsible for producing a majority of their code, with a small fraction reporting that over 75 percent of their codebase originates from AI systems. This reliance on AI presents a dual-edged sword, as AI-generated code can introduce logic flaws or insecure patterns that could proliferate quickly.
Security Challenges in the Age of AI
The report identifies the phenomenon of “shadow AI” as a critical security risk. Employees frequently utilize unapproved AI tools, plugins, and protocols without proper oversight. These systems have the potential to process sensitive data while often circumventing necessary security reviews and procurement controls. More than half of the respondents acknowledged that AI tool usage and vulnerabilities within the software supply chain represent significant blind spots in their security strategies.
Each AI model or integration acts like a new, unverified supplier, which complicates the security landscape. Without clear visibility into the origins of code or data, organizations may struggle to maintain confidence in the integrity of their products. Researchers emphasize that securing the code itself is insufficient; organizations must also manage the systems and data pipelines that generate this code.
The report highlights that over half of the organizations lack centralized governance, relying instead on informal or fragmented approval processes. This situation creates gaps in oversight and accountability. In response, product security teams are beginning to assume governance and compliance roles to address these vulnerabilities. More than half are now tasked with managing regulatory responsibilities, and some are introducing AI bills of materials to document models, datasets, and dependencies. This initiative builds on the existing software bill of materials concept while focusing on transparency for AI components.
Balancing Innovation and Risk
While AI tools are delivering measurable benefits, such as enhanced developer productivity and a 72 percent improvement in time-to-market, they also contribute to increased risk. Approximately 65 percent of organizations report heightened security concerns stemming from their use of AI technologies. Business leaders are eager to harness the value of AI, often prioritizing speed over security controls. This presents a critical question for CISOs: how sustainable is this balance as vulnerabilities continue to rise alongside productivity gains?
After years of expanding their toolsets, security leaders are now shifting their focus toward consolidation. An impressive 97 percent of surveyed organizations plan to streamline their application security stacks within the next year. Almost half of product security teams gauge their success by their ability to minimize tool sprawl. Researchers advocate for convergence, not just consolidation, as the next logical step. By integrating application security testing, supply chain security, and application security posture management into a cohesive framework, teams can better identify and prioritize risks. This unified approach aligns the need for speed with the imperative of control, ultimately fostering a more secure software development environment.
In conclusion, AI is reshaping the software development landscape, offering both unprecedented opportunities and significant security challenges. As organizations navigate this evolving terrain, a balanced approach that prioritizes both innovation and risk management will be essential for long-term success.
