AI-generated code is now the cause of one-in-five breaches – but developers and security leaders alike are convinced the technology will come good eventually
Most security leaders still think AI tools will eventually write secure, reliable code


AI coding tools are creating serious security risks in production, with one-in-five CISOs saying they've suffered major incidents because of AI-generated code.
AI coding tools now write 24% of production code – 21% in Europe and 29% in the US – according to a new report from Aikido. But it's risky, with 69% of security leaders, security engineers, and developers across Europe and the US revealing they'd found serious vulnerabilities in AI-written code.
US-based respondents were among the worst hit by AI-related flaws, with 43% of organizations reporting serious incidents, compared with just 20% in Europe.
This, the study noted, appears to be down to better prevention and oversight. For example, EU-based firms reported more “near misses” with AI-generated code than their US counterparts, potentially highlighting more robust testing practices.
Adding more tools to address the issue isn’t helping, Aikido found. Indeed, organizations with more security tools report more incidents, with more overhead and slower remediation.
Nearly two-thirds (64%) of those with just one or two tools had an incident; the figure was 90% for those with between six and nine tools.
All-in-one AI coding tools are helping bridge gaps
Notably, teams using tools designed for both developers and security teams were more than twice as likely to report zero incidents as those using tools made for only one specific group.
“Giving developers the right security tool that works with existing tools and workflows allows teams to implement security best practices and improve their posture,” commented Walid Mahmoud, DevSecOps lead at the UK Cabinet Office.
Teams using separate AppSec and CloudSec tools were 50% more likely to face incidents, and 93% of those with separate tools reported integration headaches such as duplicate alerts or inconsistent data.
The security blame game is heating up
The blame for incidents caused by AI code is now becoming a serious point of contention within enterprises, the report noted. For example, 53% of respondents blamed security teams for failing to address issues, while 45% blamed developers who failed to spot issues before pushing to production.
Meanwhile, 42% pointed toward whoever merged it. This blame game is expected to continue escalating, according to Aikido. Half of developers reckoned they’d be blamed if the AI code they wrote introduced a vulnerability, even more than the security team itself.
“There's clearly a lack of clarity among respondents over where accountability should sit for good risk management,” commented Andy Boura, CISO at Rothesay.
Despite concerns across the board, enterprises are expected to continue driving ahead with adoption of AI coding tools, the study noted. Nine-in-ten said they expect AI to take over penetration testing within the next five years, for example.
Meanwhile, 96% believe AI will write secure, reliable code at some point, with the biggest proportion (44%) thinking it will happen in the next three-to-five years.
Only 21% think this will be achieved without human oversight, however, underlining the importance of keeping humans in the loop.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.