AI-Generated Code Is Accelerating Faster Than Enterprise Security Practices
Artificial intelligence is fundamentally changing how software is built. Developers are generating code faster than ever, AI copilots are becoming part of daily workflows, and agentic development is beginning to automate larger portions of the software lifecycle.
This speed, however, is exposing a new security problem. 93% of organizations now use AI-generated code, yet only 12% consistently apply standard security controls. While AI is dramatically increasing developer productivity, it is also amplifying software supply chain risk as organizations struggle to secure AI-assisted development at machine scale.
In this episode of AppDevANGLE, I spoke with Brian Fox, Co-Founder and Chief Technology Officer at Sonatype, about how AI is reshaping software development, why traditional security practices are no longer sufficient, and what organizations must do to secure AI-generated software without slowing innovation.
Our conversation explored why AI security begins with better software supply chain management, how grounding models with real-time data improves security outcomes, and why AI-native development requires AI-native security.
AI Security Starts Long Before Code Is Generated
One of the most important themes from the discussion is that securing AI-generated code begins with securing the software components AI chooses to build upon.
Modern applications have relied on open-source software for years, with many codebases consisting of 80% to 90% third-party components. As AI assistants increasingly recommend frameworks, libraries, and dependencies automatically, poor dependency decisions can quickly scale across thousands of applications.
Fox explained that organizations must move beyond manual governance. “If it’s not written down, it’s not known,” Fox said. “Those types of processes need to be encoded in a way that AI can react to.”
Traditional development teams often relied on tribal knowledge or human code reviews to determine which open-source components were acceptable. AI systems cannot rely on informal processes. Security policies, licensing rules, vulnerability thresholds, and dependency standards must become machine-readable so AI agents can consistently enforce them.
The result is a shift from human-managed software supply chains to policy-driven automation.
AI Models Cannot Secure What They Cannot See
Another major challenge discussed is the inherent limitation of large language models themselves. Foundation models are trained on historical data. By definition, they have no awareness of vulnerabilities, dependency updates, malware, or software releases that occurred after their training cutoff.
Fox cautioned that relying solely on an LLM for dependency recommendations introduces significant risk. “Any given model has no information about new versions of dependencies, new vulnerabilities, or malware,” he explained.
Instead, organizations should ground AI models using real-time enterprise data. By connecting AI assistants to continuously updated vulnerability databases, software inventories, and policy engines through retrieval-augmented generation (RAG), Model Context Protocol (MCP), or similar approaches, organizations allow AI to reason using current information rather than outdated training data.
According to Fox, the improvement is dramatic. “It’s not about the model,” he said. “It’s about access to the real-time information.”
This fundamentally changes how enterprises should think about trustworthy AI. Model capability alone is no longer enough. Context freshness is becoming equally important.
Eliminating Hallucinations Introduced a New Security Risk
The conversation also explored an unexpected trend in AI development. Over the past year, frontier models have become significantly better at avoiding hallucinated software versions and nonexistent package recommendations.
At first glance, this appears to be progress. However, there is a surprising side effect. Rather than recommending incorrect versions that immediately fail during builds, newer models increasingly avoid making recommendations altogether.
Fox described this as moving from hallucination to hesitation. “What we found is they basically proportionately got to the point where they make no recommendation,” he said.
The consequence is more serious than simply generating an incorrect answer. “If you did the analysis and everything is fine,” Fox explained, “you might have significant vulnerabilities hiding right in plain sight.”
Unlike hallucinated dependencies, which fail immediately during compilation, false confidence allows vulnerable software to remain in production undetected. In many cases, that creates longer-lasting security exposure than obvious model mistakes.
The lesson is that reducing hallucinations does not automatically improve security outcomes.
AI Is Creating a New Form of Security Debt
As AI accelerates software creation, it also accelerates vulnerability accumulation. Developers are producing more applications, introducing more dependencies, and making architectural decisions faster than security teams can manually evaluate them. This creates what could be described as AI-driven vulnerability debt.
Fox argued that organizations should not attempt to solve this through larger models alone. Instead, enterprises should combine AI reasoning with continuously updated security intelligence.
“We found that when you do that, the output is dramatically better,” he said.
Grounded AI systems can evaluate dependency freshness, identify newly disclosed vulnerabilities, recommend safer package versions, and reason about software supply chains far more effectively than standalone models operating from static training data.
In this model, AI becomes an accelerator for security rather than an amplifier of technical debt.
AI-Native Development Requires AI-Native Security
Looking ahead, the discussion emphasized that AI-generated software will continue expanding across enterprise development organizations.
Forward-looking engineering teams are already writing substantially more code with AI assistance, whether through developer copilots or increasingly autonomous agents. Security must evolve accordingly.
“You are not going to be able to keep up,” Fox said, “without some kind of AI automation.”
The future is unlikely to involve replacing human security professionals. Instead, security teams will increasingly rely on AI to evaluate software supply chains, identify emerging threats, recommend remediations, and continuously monitor application risk at machine speed.
Just as developers now rely on AI to write code, security teams will increasingly depend on AI to defend it. The organizations that succeed will integrate AI throughout both software delivery and software security rather than treating them as separate initiatives.
Analyst Take
Enterprise software development is entering a phase where software supply chain security becomes inseparable from AI adoption.
For years, organizations focused primarily on securing developer-written code. Increasingly, developers are orchestrating AI systems that generate code, recommend dependencies, and automate development workflows. That changes the nature of software security.
The critical insight from this conversation is that model intelligence alone does not create trustworthy software. AI systems require access to current enterprise context, continuously updated vulnerability intelligence, and machine-readable governance policies that allow them to make informed decisions in real time.
Equally important, AI security cannot remain a manual process. As AI accelerates application delivery, organizations will need AI-powered security operating alongside AI-powered development. Otherwise, software supply chain risk will grow faster than security teams can respond.
The next generation of secure software development will be defined not simply by how quickly organizations generate code, but by how effectively they combine AI automation with real-time security intelligence and governance.

