New industry findings show 75% of organisations often or sometimes deploy code they already know contains security weaknesses, underscoring a persistent gap between software delivery targets and risk controls. The figure marks only a limited improvement from last year’s 81%, suggesting that boards and engineering leaders have yet to turn security policy into routine development practice.
The findings arrive at a time when AI-assisted coding is becoming embedded in software teams, procurement chains and cloud infrastructure. Developers are using code-generation tools to accelerate releases, automate testing and reduce repetitive work, but security teams say the same tools can multiply defects when outputs are not properly reviewed. AI-generated code can appear functional while carrying insecure defaults, weak authentication, unsafe dependencies or flawed handling of user inputs.
Checkmarx, which tracks application-security trends, said organisations face a sharper threat environment because the window between vulnerability disclosure and exploitation has narrowed dramatically. Weaknesses that once took months or years to weaponise can now be targeted in days, while automated scanning and AI-enabled reconnaissance allow attackers to move across public repositories, package registries and cloud services with greater speed.
Business pressure remains a central driver. Product teams face demands to release features faster, keep pace with competitors and integrate AI capabilities into customer-facing platforms. Security checks are often pushed late into the development cycle, where remediation becomes expensive and disruptive. Many companies accept known flaws on the assumption that patches can follow after deployment, but that trade-off is becoming harder to defend as attackers exploit exposed systems with little delay.
A separate cyber-risk survey of UK businesses found that 75% are concerned about risks arising from suppliers’ use of AI, while only 28% of firms using AI audit how third parties deploy the technology. The same research found AI adoption close to universal among surveyed companies, with a majority integrating it into operations, yet only about a third maintaining a formal governance policy.
That mismatch has elevated third-party software risk from a technical issue to a board-level concern. Companies increasingly depend on open-source packages, software-as-a-service vendors, managed IT providers and AI tools supplied by external platforms. A flaw in one supplier’s development pipeline can spread across customers through updates, integrations or shared credentials.
Software supply-chain attacks have already shown how quickly trusted components can become attack channels. Malicious packages uploaded to public repositories, compromised developer accounts and poisoned updates have affected widely used ecosystems. Attackers have also targeted continuous integration and delivery systems because these environments hold signing keys, tokens and privileged access needed to move from code repositories into production infrastructure.
AI adds another layer of exposure. Model downloads, plug-ins, developer extensions and agentic coding tools create new dependencies that may not be captured by traditional software inventories. Security teams are being asked to monitor not only source code and containers, but also prompts, model configurations, training data, generated code and autonomous agents that can act across internal systems.
Regulators and public agencies are taking a closer interest. Financial authorities in the UK have urged companies to address risks from advanced AI models, warning that these systems could amplify cyber threats if used maliciously. Critical sectors are under pressure to demonstrate resilience, maintain incident-response plans and scrutinise digital suppliers more closely.
The insurance market is also reassessing exposure. Cyber underwriters are asking tougher questions about AI governance, supplier audits, vulnerability management and secure software-development practices. Firms that cannot show clear controls may face higher premiums, exclusions or more demanding renewal conditions as insurers try to measure systemic loss risk across interconnected clients.
Security specialists argue that the answer is not to slow AI adoption, but to change how code is built and approved. Stronger controls include software bills of materials, automated dependency scanning, secrets detection, secure coding standards, mandatory peer review for AI-generated code and continuous monitoring of production systems. More mature organisations are embedding security checks directly into developer workflows rather than relying on separate reviews before release.
The challenge is cultural as much as technical. Developers may view security tools as blockers when they produce too many alerts or lack context. Security teams, meanwhile, struggle with backlogs that grow faster than human reviewers can handle. AI-based remediation tools are now being marketed as a way to prioritise defects and suggest fixes, but they also require oversight to prevent false confidence.