Companies Knowingly Ship Vulnerable AI Code
Checkmarx report reveals 30% of organizations accept the risk of AI-generated code being exploited, as pressure for speed and ROI normalizes insecurity.
June 13, 2026 · 4 min read
TL;DR: A Checkmarx report shows that 75% of companies knowingly deploy AI-generated code containing vulnerabilities, and 30% ship it hoping the flaws won't be discovered. Pressure for speed and ROI normalizes risk, while AI-powered attack tools reduce exploitation time from months to minutes.
What happened?
A report from application security firm Checkmarx, based on a survey of 2,350 CISOs, application security managers, and developers across 14 countries, reveals that companies are deploying AI-generated code at an accelerated pace, despite being aware of the vulnerabilities it introduces. According to the study, nearly half of the code in production today is AI-generated, and 70% of developers reported that AI created vulnerabilities in 2025. Alarmingly, 30% of respondents admitted to shipping code they knew to be vulnerable, hoping the vulnerability would not be discovered. This behavior is not new to the industry: during the Log4j crisis in 2021, many companies also opted for partial patches or ignored critical vulnerabilities due to delivery pressure. However, the current scale is unprecedented: generative AI accelerates the production of defective code, and its combination with automated attack tools multiplies the risk.
Why is this important?
This phenomenon represents a radical shift in the cybersecurity landscape. Tools like Anthropic's Mythos can find and exploit vulnerabilities in minutes, while human security teams take months. The Checkmarx report notes that Mythos-like models “collapse the window between a vulnerability existing and a functional exploit being available, from months to minutes.” The combination of insecure AI-generated code and AI-powered attack capabilities creates a dangerously narrow exposure window. The report indicates that companies relying more heavily on AI (81-100% of their code) ship vulnerable code 3.4 times more often than those using it conservatively (20% or less). Additionally, 93% of organizations suffered at least one security breach directly related to internally developed applications. For context, in 2023, 82% of breaches involved web applications according to Verizon, but now AI amplifies both the generation and exploitation of flaws.
Consequences for businesses and users
The normalization of risk has profound implications. Development teams are pressured to deliver quickly, and security becomes an afterthought. The report indicates that developers continuously secure their code only 18% of the time, despite having security tools available. As a result, more than a third of organizations leave half of their known vulnerabilities unpatched for 90 days or more. This echoes the “patch fatigue” phenomenon observed after the WannaCry attack in 2017, when many organizations failed to apply critical updates. But now the volume is larger: according to Checkmarx, most companies report that at least half of their codebase consists of open-source components, adding supply chain risk. For end users, this means an increased risk of data breaches, ransomware, and other incidents. For businesses, consequences include reputational damage, regulatory fines (such as GDPR fines of up to 4% of global revenue), and remediation costs that, according to IBM, averaged $4.88 million per breach in 2024.
What should readers know?
The bottleneck is not detection, but the human decision to ship insecure code. Security leaders must implement “security by design” policies, integrate static and dynamic analysis tools into the CI/CD pipeline, and foster a culture where speed does not trump security. Developers, in turn, need continuous training and tools that provide early, actionable feedback. The industry must move toward AI models that include security guarantees from training onward, as proposed by the “AI red teaming” approach already used by companies like Microsoft and Google. Additionally, regulators are starting to act: the EU AI Act requires risk assessments for high-impact AI systems, and the NIS2 cybersecurity directive reinforces corporate responsibility.
“Developers are set up to fail,” the Checkmarx report states. “They face significant pressure to deliver and are forced to choose quantity and speed over security.”
The era of agentic AI demands an urgent rethinking of software development practices. Ignoring the problem is not a sustainable option. As the report warns, companies relying on traditional security tools “cannot survive this reality.” The window to act is closing: according to Gartner, by 2027, 60% of applications will include AI-generated code, and attackers are already leveraging the same technology to automate their attacks. The question is not whether a breach will occur, but when and how severe it will be.