As Sandeep Johri, CEO of Checkmarx, shared during our recent Agentic AI Summit, AI coding assistants bring meaningful productivity gains, but they also increase concern. 

“AI coding assistants are really a double-edged sword,” he said. “On one hand, they drive 20, 30, even 40 percent productivity gains. On the other, they raise anxiety because now organizations have to make sure they’re not also multiplying their vulnerabilities.” 

To explore this reality in depth, Johri invited Katie Norton, Research Manager at IDC, to join the conversation.  

Norton leads IDC’s DevSecOps and supply chain security practice, where she tracks how enterprises are adapting their security strategies for this new AI-powered era of software development.  

Their discussion revealed what is working today and what is still evolving as organizations learn how to apply both AI coding assistants and autonomous AI application security agents in practical ways. 

AI Coding Assistants Are Everywhere, But Not Without Risk 

Norton opened with a striking data point: according to IDC, 91% of organizations are now using AI coding assistants in software development.  

That number highlights how quickly these tools have become standard in engineering workflows in mere years. 

The appeal is clear. Developers report productivity increases of up to 35%, thanks to faster code generation, reduced repetition, and a smoother path to meeting delivery deadlines, but that speed introduces a plethora of security concerns. 

“Much of the code these assistants are trained on comes from open-source repositories,” Norton explained.  

“While open source is essential, it also contains vulnerabilities and outdated practices. That means AI-generated code can include insecure patterns, unvetted dependencies, or even code with unclear provenance.” 

Higher Expectations, More Pressure, and the Role of Intelligent Support

The volume of code now being created adds pressure to AppSec teams. Productivity improvements come at a cost if they are not managed carefully. “If you say your team is coding 35% faster,” Norton said, “the business will start expecting that level of output”, which naturally leads to a potential decline in code scrutiny.  

That pressure does not only apply to developers. AppSec teams are now expected to secure code just as quickly. 

The problem here is that traditional security processes can’t keep pace with Gen AI. The more that gets built, the more security must validate. As Johri noted, the concern is not just about the speed itself, but the widening gap between development and security capacity. 

Ensuring the safety of this new flow of code requires intention. Norton summed it up clearly. “Securing AI-generated code requires more than trust. It demands the deliberate integration of controls, oversight, and continuous governance.” 

Agentic AI in AppSec Isn’t About Hype, But Help

Where AI coding assistants focus on creation, agentic AI in AppSec focuses on control: It introduces a layer of intelligent automation that supports application security efforts without slowing teams down.  

These agents close the gap that already existed between development speed and security, and broadened by the introduction of AI-gen code. They reduce manual burdens, detect risks as early as the code is typed in, and embed protection where they need to be most. 

“Agentic AI is still in the early days,” Norton shared. “But we’re seeing real promise. These agents can detect issues, enforce policies, and take predefined actions without waiting for humans.” 

Organizations are embedding agents directly into developer environments. From within the IDE, these agents interpret code as it’s written and scan results, surface contextual security recommendations, and even propose code fixes.  

Developers get immediate guidance without leaving their workspace. On the AppSec side, agents are already helping triage issues, remove duplicates, and in some cases, apply fixes automatically. 

However,  as Johri pointed out, “The goal is not just to detect faster. It is to reduce the gap between detection and remediation in a way that does not depend on hiring more people.” 

Agentic AI steps in to help both sides manage those expectations without compromising quality or safety. 

However, autonomous AppSec does not magically work on its own. Johri reminded us that “Technology only succeeds when it is aligned with people, process, and clear business outcomes.” 

How The Best Organizations Are Doing AppSec Differently 

Not every company is getting this right. The difference lies in strategy and clarity.  

IDC research found that 57% of CIOs consider clearly defined business use cases the top success factor for adopting AI agents. Without this clarity, these tools risk becoming fragmented experiments that introduce more complexity than value. 

“This is not just a tech decision,” Norton said. “These agents must tie directly to business outcomes and security priorities.” 

The most successful organizations share several things in common: 

• They define outcomes first. Whether it is filtering false positives, proposing secure code fixes, or automating triage, every use of agentic AI starts with a purpose. 

• They embed AI into daily workflows. These tools live where the work happens, inside developer environments and integrated into CI pipelines. 

• They establish visibility and control. Application security teams need transparency into how AI agents work in order to build trust. 

• They build culture to support the change. New technology cannot thrive without cultural readiness. Change management, ethical frameworks, and clear governance matter as much as the tech itself. 

As Norton put it, “Agentic AI offers a practical way to embed security. Not just by providing alerts, but by taking action.” 

Watch the Full Session

Smarter Action, Not More Alerts 

The most dangerous misconception about agentic AI is that it is just another feature bolted on to coding tools. It is much more than that. It is a necessary response to a fundamental shift in how software is built. Without it, organizations risk drowning in speed without safety. 

Those who treat Agentic AI AppSec as a strategic pillar are already seeing results. Orgs are closing the gap between detection and resolution, giving developers fast feedback and helping security teams focus on the highest value work. 

At Checkmarx, we are building our agentic AI strategy with this future in mind. As Johri said, “This is not about trends. It is about enabling our customers to build secure software at machine speed, with human oversight and business intent.” 

The future of application security will not be defined by how fast we build, but by how confidently we secure what we build. 

Missed the Agentic AI Summit? Watch the Full Sessions Now 

Watch exclusive conversations from the recent Checkmarx Agentic AI Summit, featuring industry leaders in AI, development, and AppSec. Gain fresh, actionable insights into the real-world opportunities and challenges of AI in Application Security. 

Companies striving for better scalability, efficiency, and agility need more robust security measures. However, with such commitment to DevSec and the inherent dangers in tinkering with existing system, how does this new approach ensure secure coding practices and security testing are integrated throughout the development lifecycle?

What is Platform Engineering?

Platform engineering focuses on creating tools and systems that make it easier for developers to do their job. Instead of worrying about setting up and managing complicated tech infrastructure, developers can focus on building new features and improving products. This streamlined approach is designed to manage the scale of developments and deployments, including within an Internal Development Platform (IDP).

Think of it as a natural progression of DevOps, with a stronger emphasis on simplifying the technical stuff behind the scenes. It ensures developers have ready-to-use, secure, and efficient environments to work in, so they can be more productive and spend less time on setup and maintenance.

The AppSec Opportunity for Platform Engineering

Platform engineering focuses on streamlining developer workflows by providing easy access to the tools they need to be productive.

While its primary goal isn’t security, platform engineering has a unique opportunity to bridge the gap between DevOps and security teams. By integrating top-notch security tools into the development platform, platform engineers can help ensure that security checks and automations are seamlessly embedded into the standard developer workflow. This proactive integration shifts security from being an afterthought to a natural part of the development process.

In this way, platform engineering can play a pivotal role in enabling DevSecOps, fostering collaboration between teams and creating a development environment that is not only efficient but also secure by design.

How Checkmarx Integrates Into Platform Engineering

Checkmarx, a leading AppSec platform, provides an automated and scalable way to identify vulnerabilities in code. It integrates seamlessly into the pipeline, making security a natural part of the workflow without slowing down the development process.

We help teams remain always ready to run with:

• Checkmarx One
  Utilizing the cloud-based Checkmarx One platform, developers can access a full suite of enterprise AppSec solutions in a unified manner, allowing them to secure applications from the first line of code to deployment in the cloud. By eliminating the need for multiple tools and fragmented workflows, teams now rapidly identify and remediate vulnerabilities 55% faster.

• Code to Cloud Protection
  While many approach cloud-native application security from an infrastructure, network, or workload perspective and then shift left, comprehensive security must start from the very first line of code. Our industry leading Checkmarx One platform offers all the capabilities you need to secure every stage of the SDLC, correlate security findings, and then prioritize remediation for developers to make the biggest business impact.

• #DevSecTrust
  The responsibility to secure applications is now shared between AppSec managers and developers. The trust between CISOs, development, and security teams – called #DevSecTrust – is critical if the enterprise is going to reduce the business risk of vulnerable applications successfully. Checkmarx meets developers where they are and helps improve the developer experience to build this #DevSecTrust.

• Secure Developer Platforms
  Platform engineering aims to provide standardized environments for developers. By embedding security into these environments through tools like Checkmarx, security becomes an inherent part of the platform. Developers using the platform are assured that security checks are built in, reducing the likelihood of deploying insecure code.

• Comprehensive Coverage Across Technologies
  In platform engineering, the tools and systems that developers use are constantly evolving, and the platforms themselves often span various technologies. Checkmarx’ ability to cover a wide range of programming languages, frameworks, and environments makes it an ideal solution for diverse platforms.

The Synergy of Platform Engineering and Security

It’s clear that security must be an active part of the development process and not an afterthought. By directly integrating security tools like Checkmarx One, organizations can ensure they are proactively addressing vulnerabilities while maintaining the speed and agility that platform engineering aims to achieve.

The synergy between platform engineering and security tools creates a development environment where security is embedded into the process, streamlined, and – eventually – automated. This proactive security approach not only reduces risk but also increases the efficiency of the development process, empowering development teams to deliver high-quality, secure software at scale.

Empowering Developers and Strengthening Security: The Future of Platform Engineering

Platform engineering isn’t just about making life easier for developers—it’s about transforming how teams collaborate, innovate, and build secure, scalable applications. By streamlining access to tools and integrating security into everyday workflows, platform engineers have the power to align DevOps and security teams in ways that were once siloed and inefficient.

This approach creates a seamless developer experience while embedding security as a fundamental part of the process, not an afterthought. As organizations continue to prioritize productivity and security, platform engineering stands at the forefront, poised to drive the evolution of DevSecOps and redefine how we build the future of technology.

If you’re ready to let your developers work, see the platform work by booking a demo.