AI coding tools have allowed engineering teams to double their output, and 64% of organizations now use AI assistance to generate a majority of their code.
Within a year, that figure is expected to rise to 90%. This is great if you like fast timelines. But is it great for security?
The organizations downstream from these new AI-generated software solutions might pay the price for lightning-fast deployment cycles and speedy, lightweight dev processes.
Considering the detection tools most companies carry on hand (namely vulnerability management), they may not be prepared to handle what these teams are cranking out—and what might be the only kind of code to come by within the next twelve months.
AI Coding Agents Push Fast Deployments
AI coding agents like Claude Code are accelerating development and deployment cycles. So what?
Engineering teams aggressively using AI are significantly increasing pull request throughput and successfully pushing more routing coding tasks onto agentic agents.
When Accenture deployed GitHub Copilot, the results were nothing less than:
- 9% more pull requests per developer
- 11% higher merge rates
- 84% more successful builds (“while maintaining code quality”)
As a terminal-first agent, Claude Code can “clone repos, explore projects, modify files, run tests, and prepare pull requests autonomously,” according to Planetary Labour. A similar-but-different model, Cursor, is touted as “the closest to having an AI pair programmer that truly understands your project.”
All this is true. But something to keep in mind is that AI doesn’t just change development; it changes the attack surface.
The Cost of AI-Assistance
Faster delivery increases the risk of misconfiguration, identity sprawl, and CI/CD exposure.
While AI coding leads to faster generation out of the gates, it also produces higher bug rates, added rework burden, and a potential increase in technical debt. A lot of this is caused by lower-level analysts driving the AI-powered coding changes.
In analyzing developer activity in OSS projects following the introduction of GitHub Copilot, researchers found that “the added rework burden falls on the more experienced (core) developers, who review 6.5% more code after Copilot’s introduction, but show a 19% drop in their original code productivity.”
The concern is that ongoing AI-assisted development, if not already secure, will put a growing burden on a shrinking number of true coding experts.
Or, if those experts fail to check every piece of AI-assisted code at the door, what will likely happen is that these security concerns will fall directly on the customer.
Considering what most customers have to work with, this may be a problem.
Traditional Vulnerability Models Weren’t Built for Threats at AI Scale
More AI-assisted code may be synonymous with more vulnerabilities flowing into products and enterprise ecosystems. Most vulnerability management programs weren’t built to keep up.
Not only is it a “sheer volume” problem: VM may catch some flaws in coding, but it was never designed to comprehensively detect weaknesses across modern application code, especially AI-generated code.
Traditional vulnerability models weren’t designed for autonomous, AI-assisted workflows. Besides blatant software errors, they introduce risks like:
- Identity sprawl
- Untracked assets
- An expanded attack surface
And non-deterministic risks like those arising from no CVE, no signature, and no clear “patch.”
Traditional vulnerability management tools only tell you what’s broken when compared to a baseline. The problem with AI is that there is no baseline: you have to suss out threats from context.
- VM finds what’s wrong with an asset: AI creates problems between relationships.
- VM offers point-in-time fixes: but with autonomous AI, things are continually changing.
- VM gives you a list of vulnerabilities: AI creates so many that prioritization across all attack surface threats is needed (not just across all CVEs).
To tackle the security problems that AI and AI-assisted workflows create, teams can’t afford to look for one risk (vulns) in one area (assets). They need to widen their scope to include all security exposures, anywhere across the attack surface.
Why Continuous Exposure Management is the AI Era’s VM
New threats, new tools. AI-driven exposures add a different dimension to the security game, forcing organizations to get serious about finding all threats and fixing first ones first.
Because AI-driven workflows are always changing, threats can appear between scans. Because AI-generated code can slip through without the proper oversight, everything from third-party SaaS tools to identity platforms needs to be examined on a regular basis.
And because attackers are using complex architecture and workflows to their advantage, attack paths need to be continuously mapped and prioritized to shut down possible inroads before they’re ever exploited.
It’s a long way from “Patch Tuesday.”
How Exposure Management Reduces AI Risk
AI-powered exposure management solves these problems.
- It can spot AI-style errors, like over-privileged identities, privilege escalation paths, and credential exposure—where most AI risk typically lives.
- It can assess reduce 10,000 vulnerabilities down to the five exposures that actually matter, whether or not they’re CVEs.
- It can map potential attack paths across environments and update risk posture in changing environments.
And in relation to bad code, it can spot flaws pre-deployment. Tenable co-CEO Steve Vintz notes that “[AI] can spot flaws in the code patterns before they’re ever deployed…and when ingested by an authoritative Exposure Management platform, it helps to paint the full picture of where risk resides.”
AI coding agents (and all their counterparts) may be redefining cyber risk, but smart companies will let AI exposure management agents redefine cybersecurity—keeping the score at a nil-nil at least.