{"id":103433,"date":"2025-08-31T10:42:00","date_gmt":"2025-08-31T08:42:00","guid":{"rendered":"https:\/\/staging.checkmarx.com\/?p=103433"},"modified":"2025-12-30T21:25:09","modified_gmt":"2025-12-30T19:25:09","slug":"the-cost-of-ai-velocity-5-actions-dev-leaders-must-take-to-secure-their-codebase-from-ai-vulnerabilities","status":"publish","type":"post","link":"https:\/\/checkmarx.com\/blog\/the-cost-of-ai-velocity-5-actions-dev-leaders-must-take-to-secure-their-codebase-from-ai-vulnerabilities\/","title":{"rendered":"The Cost of AI Velocity: 5 Actions Dev Leaders Must Take to Secure Their Codebase From AI Vulnerabilities"},"content":{"rendered":"<p>Here&#8217;s a hypothetical for you: You discover a developer on your team produces code where 40-50% contains exploitable vulnerabilities. How long before your CTO calls you up for a serious talk?<\/p>\n\n\n\n<p>AI-powered coding tools like GitHub Copilot and Cursor are transforming software development, enabling developers to generate code at unprecedented speeds. But they&#8217;re also generating code with exactly those vulnerability rates, and whether you like it or not, they\u2019re part of your team.<\/p>\n\n\n\n<p>Recent research underscores significant security risks in AI-generated code. 
A <a href=\"https:\/\/cset.georgetown.edu\/publication\/2024-annual-report\/\">Georgetown University Center for Security and Emerging Technology (CSET) report<\/a> (November 2024) found that 48% of AI-generated code snippets from five major large language models contained vulnerabilities flagged by ESBMC, a bounded model checker, highlighting the potential for malicious exploitation.<\/p>\n\n\n\n<p>Similarly, <a href=\"https:\/\/www.ibm.com\/reports\/data-breach\">IBM&#8217;s 2025 Cost of a Data Breach Report<\/a> found that, among organizations that reported an AI-related security incident, 97% lacked proper AI access controls.<\/p>\n\n\n\n<p>Checkmarx\u2019s own <a href=\"https:\/\/checkmarx.com\/report-future-of-appsec-2025\/\">Future of AppSec in the Age of AI<\/a>&nbsp;report corroborates these findings, showing a direct correlation between AI-generated code and a rise in almost all risk-related metrics:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>34% of organizations report that over 60% of their codebase is AI-generated, increasing exposure to vulnerabilities.<\/li>\n\n\n\n<li>81% knowingly ship vulnerable code to meet deadlines.<\/li>\n\n\n\n<li>Only 18% enforce governance policies for AI tool usage.<\/li>\n\n\n\n<li>20% detect unapproved AI tool use, constituting true Shadow AI.<\/li>\n\n\n\n<li>98% experienced at least one security breach in the past year.<\/li>\n<\/ul>\n\n\n\n<p>Even before AI entered the picture, security was already struggling to keep pace with accelerating development cycles. Now, with the volume and velocity of AI-generated code, today\u2019s AppSec structures aren\u2019t just lagging. 
They\u2019re fundamentally unprepared.<\/p>\n\n\n\n<p>With unvetted AI-generated code flooding production environments, dev leaders face a critical choice: continue the perilous trade-off between velocity and security, or take decisive action.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-1\">The AI Trifecta: The Three Forces Derailing Security in AI-Generated Development<\/h2>\n\n\n\n<p>As Heads of Development face mounting pressure to ship faster using AI-generated code, they&#8217;re also expected to maintain security, stability, and compliance. But three structural challenges are quietly undermining their ability to do both.<\/p>\n\n\n\n<p>These challenges\u2014velocity without security alignment, lack of AI governance, and under-integrated AppSec tooling\u2014form what we call <strong>the AI Trifecta<\/strong>: a convergence of forces that puts organizations on a collision course with risk. Addressing just one isn\u2019t enough. To create a sustainable balance between speed and security, all three must be tackled in parallel.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-2\">Speed-First Culture Breeds Structural Risk<\/h2>\n\n\n\n<p>The vulnerability rates in AI-generated code would be concerning enough on their own. But as Checkmarx&#8217;s report finds, they&#8217;re combined with an increasingly alarming reality: organizations aren&#8217;t just accidentally shipping vulnerable code\u2014they&#8217;re doing it knowingly, systematically, and at accelerating rates.<\/p>\n\n\n\n<p>As mentioned above, <strong>81% of organizations knowingly ship vulnerable code<\/strong>. 
Not because they want to, but because external <strong>pressures<\/strong> make it feel necessary, while developers\u2019 optimism bias leads teams to underestimate the real risk:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\n<strong>38% of organizations<\/strong> deploy vulnerable code to meet feature deadlines.<\/li>\n\n\n\n<li>\n<strong>33% of developers<\/strong> admit to hoping vulnerabilities &#8220;won&#8217;t be discovered&#8221;\u2014a sharp rise from <strong>15%<\/strong> in 2024.<\/li>\n<\/ul>\n\n\n\n<p>This reveals a systemic underlying problem. KPIs that prioritize feature delivery over security, compressed review timelines, and unrestricted AI tool access all incentivize dangerous shortcuts. When AI can generate code faster than security teams can review it, the pressure to &#8220;ship now, fix later&#8221; becomes overwhelming\u2014and eventually leads to &#8220;ship now, fix never, get breached eventually.&#8221;<\/p>\n\n\n\n<p>The result is mounting <strong>security debt<\/strong>: increased breach exposure, operational drag from emergency patches, and eroded customer trust. 
IBM&#8217;s 2025 Report mentioned above puts the average breach cost at <strong>$4.4 million<\/strong>, with vulnerabilities in custom code being a significant contributor.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-3\">The AI Governance Crisis: Development Without Guardrails<\/h2>\n\n\n\n<p>Checkmarx&#8217;s report also reveals a staggering governance gap that should alarm every development leader:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\n<strong>Only 18% of organizations<\/strong> have established approved AI tool lists<\/li>\n\n\n\n<li>\n<strong>20% detect unapproved AI tool use<\/strong>\u2014constituting true Shadow AI<\/li>\n\n\n\n<li>\n<strong>Only 18% enforce governance policies<\/strong> for AI tool usage<\/li>\n\n\n\n<li>\n<strong>82% lack comprehensive oversight<\/strong> of AI development tools<\/li>\n<\/ul>\n\n\n\n<p>IBM\u2019s report paints a slightly optimistic, yet still concerning picture, where \u201conly\u201d 63% of organizations lacked AI governance policies to manage AI or prevent the proliferation of shadow AI.<\/p>\n\n\n\n<p>This represents a fundamental breakdown in risk management. The majority of organizations have essentially handed over significant portions of their codebase to ungoverned AI systems, creating massive blind spots in security oversight.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">AppSec Tools Lag Behind Developer Velocity<\/h3>\n\n\n\n<p>Despite years of talk around DevSecOps, the reality on the ground tells a different story: most security tooling still isn&#8217;t keeping pace with the way modern development teams work.<\/p>\n\n\n\n<p>Key security practices\u2014like Dynamic Application Security Testing (DAST), Infrastructure-as-Code (IaC) scanning, and container security\u2014are adopted by fewer than 50% of organizations. And even when in use, they\u2019re often bolted on after the fact, rather than embedded into the daily development workflow.<\/p>\n\n\n\n<p>The result? 
Security becomes an external gate, not an integrated part of the build process. Tools that aren&#8217;t wired into IDEs, pull requests, or CI\/CD pipelines are easily ignored or deprioritized under delivery pressure.<\/p>\n\n\n\n<p>To secure AI-accelerated development, AppSec needs to live where the code lives\u2014in the hands of developers, in real time, as part of the flow. Without that, every \u201cshift-left\u201d promise is just a theory.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-4\">Five High-Impact Actions for Heads of Development<\/h2>\n\n\n\n<p>To navigate the AI-Gen Trifecta, Heads of Development must drive strategic change, align cross-functional teams, and overcome organizational resistance.<\/p>\n\n\n\n<p>The following five actions provide actionable, evidence-backed strategies to balance AI-driven productivity with robust security, tailored to the leadership challenges of managing teams, budgets, and stakeholders.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Redefine Success Metrics to Counter Speed-First Culture<\/h3>\n\n\n\n<p><br>Shift KPIs to prioritize security alongside velocity, addressing the speed-first culture\u2019s risks. 
Implement metrics like:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\n<strong>Fix rate by vulnerability severity:<\/strong> Ensure 90% resolution of high-severity issues pre-release, using CVSS for code vulnerabilities.<\/li>\n\n\n\n<li>\n<strong>AI-specific risk scores (AIVSS):<\/strong> Adopt the <a href=\"https:\/\/checkmarx.com\/ai-llm-tools-in-application-security\/cvss-was-built-for-code-not-ai-agents-now-aivss-closes-the-gap\/\">OWASP AIVSS framework<\/a> to quantify agentic AI risks (e.g., prompt injection, context poisoning), targeting a &lt;10% rate of high-risk AI behaviors in production code.<\/li>\n\n\n\n<li>\n<strong>Mean Time to Remediate (MTTR):<\/strong> Aim for under 48 hours for critical vulnerabilities, per NIST guidelines (NIST, 2024).<\/li>\n\n\n\n<li>\n<strong>Releases with unresolved vulnerabilities:<\/strong> Target &lt;5% to minimize risk exposure.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">2.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Enforce AI Tool Governance to Close the Governance Gap<\/h3>\n\n\n\n<p>To close the governance gap, Heads of Development must collaborate with AppSec teams and CISOs to design policies that secure AI usage without disrupting developer workflows. Implement:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\n<strong>Approved AI tool lists:<\/strong> Restrict usage to vetted platforms, ensuring integration with enterprise security policies (e.g., SSO, encryption). 
Conduct a 90-day audit to identify and phase out unapproved tools, reducing shadow AI risks.<\/li>\n\n\n\n<li>\n<strong>Prompt transparency and audit trails:<\/strong> Log AI-generated code and the prompts that produced it, incorporating OWASP AIVSS scores to assess behavioral risks (e.g., autonomy, tool misuse).<\/li>\n\n\n\n<li>\n<strong>Commit-time scanning:<\/strong> Deploy real-time vulnerability scanning in CI\/CD pipelines to catch AI-specific issues like prompt injection, with AIVSS-guided prioritization.<\/li>\n<\/ul>\n\n\n\n<p><strong>Collaboration Process:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\n<strong>Form a Governance Task Force:<\/strong> Create a cross-functional team with AppSec, CISOs, developers, and legal to define policies and address both technical and behavioral AI risks.<\/li>\n\n\n\n<li>\n<strong>Align on DORA Metrics:<\/strong> Work with CISOs to <a href=\"https:\/\/checkmarx.com\/blog\/tuning-appsec-to-boost-your-dora-metrics\/\">balance security with velocity and eliminate friction using DORA metrics<\/a> as a mutual guide.<\/li>\n\n\n\n<li>\n<strong>Invest in ongoing developer education around AI-assisted coding and emerging AppSec risks.<\/strong> Ensure your teams understand how AI-generated code can introduce new threat vectors, and provide training on secure usage practices, threat modeling, and mitigation techniques.<\/li>\n\n\n\n<li>\n<strong>Pilot and Iterate:<\/strong> Start with a pilot in a high-risk business unit, using AIVSS to score AI tool risks and refine policies. 
Scale after 90 days, incorporating developer feedback to minimize friction.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">3.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Drive Adoption of Unified, Developer-Native AppSec Platforms<\/h3>\n\n\n\n<p>Heads of Development must champion the adoption of a unified AppSec platform that lives in developers\u2019 IDEs, covers diverse risks (code, AI, infrastructure), and prioritizes alerts based on exploitability to avoid overwhelming teams:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<strong>Advocate for a Unified Platform:<\/strong> Push for <a href=\"https:\/\/checkmarx.com\/product\/application-security-platform\/\">unified platforms that integrate SAST, SCA, DAST, and IaC scanning into IDEs and CI\/CD pipelines.<\/a> These platforms correlate findings across code, open-source libraries, APIs, and cloud environments, making it easier to bridge the gap between development and application security.<\/li>\n\n\n\n<li>\n<strong>Prioritize Exploitability-Based Alerts:<\/strong> Ensure the platform prioritizes high-impact vulnerabilities based on contextualized exploitability.<\/li>\n\n\n\n<li>\n<strong>Collaborate with AppSec and CISOs:<\/strong> Form a cross-functional council with AppSec, CISOs, and developers to select a platform that aligns with organizational needs.<\/li>\n\n\n\n<li>\n<strong>Pilot and Scale:<\/strong> Start with a 60-day pilot in a high-velocity team, testing IDE-integrated tools and measuring DORA metric improvements (e.g., a 2x increase in Deployment Frequency). Scale to other teams after validating developer adoption. 
Address developer resistance by involving them in tool selection, customizing alerts to their workflows.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">\n<strong>4.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/strong>Champion Application Security Posture Management (ASPM) for Strategic Oversight<strong><\/strong>\n<\/h3>\n\n\n\n<p>ASPM tools provide unified visibility across custom code, open-source libraries, APIs, cloud environments, and AI-driven systems, addressing all three AI-Gen Trifecta risks (speed, governance, tooling).<\/p>\n\n\n\n<p>Heads of Development must champion <a href=\"https:\/\/checkmarx.com\/product\/aspm\/\">ASPM adoption<\/a> to reduce risk exposure, align security with business goals, and support developer velocity, leaving technical implementation to AppSec teams:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\n<strong>Advocate for ASPM Adoption:<\/strong> Push for ASPM platforms that integrate with IDEs (e.g., VS Code) and CI\/CD pipelines, correlating CVSS and AIVSS scores to prioritize exploitable vulnerabilities (e.g., AI agent autonomy, code-based SQL injection).<\/li>\n\n\n\n<li>\n<strong>Ensure Developer-Friendly Integration:<\/strong> Mandate that ASPM tools deliver real-time, actionable alerts within developer workflows, minimizing context switching and supporting DORA metrics like Lead Time for Changes.<\/li>\n\n\n\n<li>\n<strong>Lead Cross-Functional Alignment:<\/strong> Form a governance council with AppSec, CISOs, developers, and business leaders to define ASPM requirements, ensuring alignment with NIST AI RMF and organizational priorities.<\/li>\n\n\n\n<li>\n<strong>Pilot and Scale Strategically:<\/strong> Launch a 90-day ASPM pilot in a critical business unit, measuring reductions in breach risk and DORA metric improvements (e.g., 40% lower Change Failure Rate). 
Scale enterprise-wide after validating ROI.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">5.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Leverage Agentic AI for Scalable Security<\/h3>\n\n\n\n<p>According to a recent <a href=\"https:\/\/my.idc.com\/getdoc.jsp?containerId=lcUS53648225\">IDC report<\/a>, in response to the risks of AI-generated code there is a growing shift toward <strong>agentic<\/strong> AppSec: autonomous, role-specific agents that operate within the tools developers and AppSec teams already use.<\/p>\n\n\n\n<p>These agents are designed not to scan after the fact, but to prevent vulnerabilities in real time\u2014from code creation to policy enforcement to executive visibility.<\/p>\n\n\n\n<p>Agentic AI security tools built to integrate into the developer&#8217;s workflow, like <a href=\"https:\/\/checkmarx.com\/product\/checkmarx-one-assist\/\">Checkmarx One Developer Assist<\/a>, automate real-time detection, remediation, and policy enforcement at commit time.<\/p>\n\n\n\n<p>Agentic AI helps your developers maintain velocity while mitigating the risk that comes with AI-generated code, by:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<strong>Embedding Real-Time Vulnerability Detection in IDEs<\/strong>: The Developer Assist Agent integrates into IDEs to scan AI-generated code as it\u2019s written, identifying vulnerabilities like SQL injection or prompt injection within seconds without disrupting developer workflows.<\/li>\n\n\n\n<li>\n<strong>Providing Guided Remediation with Actionable Code Fixes<\/strong>: The agent uses generative AI to suggest tailored code snippets for fixing vulnerabilities directly in the IDE, with confidence scores (0\u2013100) indicating exploitability.<\/li>\n\n\n\n<li>\n<strong>Enabling Efficient, Customized Security Queries<\/strong>: AI Query Builder allows developers to create tailored security queries using natural language, scanning AI-generated code and open-source libraries for malicious packages and 
vulnerabilities.<\/li>\n\n\n\n<li>\n<strong>Enhancing Governance with Real-Time Code Validation<\/strong>: Agentic AI can enforce compliance with secure coding policies at commit time, narrowing the governance gap and shadow AI risks and supporting alignment with the NIST AI RMF.<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-5\">Speed Without Safety Is Unsustainable<\/h2>\n\n\n\n<p>Every data point cited above points to the same inflection point: <strong>AI-generated development isn\u2019t just outpacing security. It\u2019s running circles around it.<\/strong><\/p>\n\n\n\n<p>Heads of Development are no longer just responsible for delivering fast\u2014they\u2019re also responsible for delivering safely at scale. That means rethinking how and where security fits into their developers\u2019 workflow.<\/p>\n\n\n\n<p><strong>AI velocity comes with a bill. <\/strong>And it\u2019s up to development leaders to ensure that the bill isn\u2019t paid with breaches and erosion of trust.<\/p>","protected":false},"excerpt":{"rendered":"<p>AI-powered coding tools accelerate development but introduce alarming vulnerability rates. 
This blog reveals the 5 essential actions dev leaders must take to safeguard codebases against AI-driven security risks.<\/p>\n","protected":false},"author":143,"featured_media":103434,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":true,"footnotes":""},"categories":[1284,84],"tags":[1272,490,1300],"class_list":["post-103433","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ai-llm-tools-in-application-security","category-blog","tag-agentic-ai","tag-ai-security","tag-ai-generated-code"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.1.1 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Secure AI-Generated Code: 5 Actions for Dev Leaders<\/title>\n<meta name=\"description\" content=\"AI-generated code introduces major vulnerabilities. Learn 5 proven actions dev leaders must take to secure code and reduce breach risks\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/checkmarx.com\/blog\/the-cost-of-ai-velocity-5-actions-dev-leaders-must-take-to-secure-their-codebase-from-ai-vulnerabilities\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Secure AI-Generated Code: 5 Actions for Dev Leaders\" \/>\n<meta property=\"og:description\" content=\"AI-generated code introduces major vulnerabilities. 
Learn 5 proven actions dev leaders must take to secure code and reduce breach risks\" \/>\n<meta property=\"og:url\" content=\"https:\/\/checkmarx.com\/blog\/the-cost-of-ai-velocity-5-actions-dev-leaders-must-take-to-secure-their-codebase-from-ai-vulnerabilities\/\" \/>\n<meta property=\"og:site_name\" content=\"Checkmarx\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis\" \/>\n<meta property=\"article:published_time\" content=\"2025-08-31T08:42:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-12-30T19:25:09+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/08\/blog_the_costs_of_ai_speed-scaled.webp\" \/>\n\t<meta property=\"og:image:width\" content=\"2560\" \/>\n\t<meta property=\"og:image:height\" content=\"1279\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/webp\" \/>\n<meta name=\"author\" content=\"Eran Kinsbruner\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@checkmarx\" \/>\n<meta name=\"twitter:site\" content=\"@checkmarx\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Eran Kinsbruner\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/checkmarx.com\/blog\/the-cost-of-ai-velocity-5-actions-dev-leaders-must-take-to-secure-their-codebase-from-ai-vulnerabilities\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/checkmarx.com\/blog\/the-cost-of-ai-velocity-5-actions-dev-leaders-must-take-to-secure-their-codebase-from-ai-vulnerabilities\/\"},\"author\":{\"name\":\"Eran Kinsbruner\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/person\/0e5df47a6fb9c1bc0e0b31ef6cfd41fa\"},\"headline\":\"The Cost of AI Velocity: 5 Actions Dev Leaders Must Take to Secure Their Codebase From AI Vulnerabilities\",\"datePublished\":\"2025-08-31T08:42:00+00:00\",\"dateModified\":\"2025-12-30T19:25:09+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/checkmarx.com\/blog\/the-cost-of-ai-velocity-5-actions-dev-leaders-must-take-to-secure-their-codebase-from-ai-vulnerabilities\/\"},\"wordCount\":1962,\"publisher\":{\"@id\":\"https:\/\/checkmarx.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/blog\/the-cost-of-ai-velocity-5-actions-dev-leaders-must-take-to-secure-their-codebase-from-ai-vulnerabilities\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/08\/blog_the_costs_of_ai_speed-scaled.webp\",\"keywords\":[\"Agentic AI\",\"AI Security\",\"AI-Generated Code\"],\"articleSection\":[\"AI &amp; LLM Tools in Application Security\",\"Blog\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/checkmarx.com\/blog\/the-cost-of-ai-velocity-5-actions-dev-leaders-must-take-to-secure-their-codebase-from-ai-vulnerabilities\/\",\"url\":\"https:\/\/checkmarx.com\/blog\/the-cost-of-ai-velocity-5-actions-dev-leaders-must-take-to-secure-their-codebase-from-ai-vulnerabilities\/\",\"name\":\"Secure AI-Generated Code: 5 Actions for Dev 
Leaders\",\"isPartOf\":{\"@id\":\"https:\/\/checkmarx.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/checkmarx.com\/blog\/the-cost-of-ai-velocity-5-actions-dev-leaders-must-take-to-secure-their-codebase-from-ai-vulnerabilities\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/blog\/the-cost-of-ai-velocity-5-actions-dev-leaders-must-take-to-secure-their-codebase-from-ai-vulnerabilities\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/08\/blog_the_costs_of_ai_speed-scaled.webp\",\"datePublished\":\"2025-08-31T08:42:00+00:00\",\"dateModified\":\"2025-12-30T19:25:09+00:00\",\"description\":\"AI-generated code introduces major vulnerabilities. Learn 5 proven actions dev leaders must take to secure code and reduce breach risks\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/checkmarx.com\/blog\/the-cost-of-ai-velocity-5-actions-dev-leaders-must-take-to-secure-their-codebase-from-ai-vulnerabilities\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/blog\/the-cost-of-ai-velocity-5-actions-dev-leaders-must-take-to-secure-their-codebase-from-ai-vulnerabilities\/#primaryimage\",\"url\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/08\/blog_the_costs_of_ai_speed-scaled.webp\",\"contentUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/08\/blog_the_costs_of_ai_speed-scaled.webp\",\"width\":2560,\"height\":1279,\"caption\":\"AI Generated Code security for dev leaders Blog Cover image\"},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/checkmarx.com\/#website\",\"url\":\"https:\/\/checkmarx.com\/\",\"name\":\"Checkmarx\",\"description\":\"The world runs on code. 
We secure it.\",\"publisher\":{\"@id\":\"https:\/\/checkmarx.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/checkmarx.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/checkmarx.com\/#organization\",\"name\":\"Checkmarx\",\"url\":\"https:\/\/checkmarx.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg\",\"contentUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg\",\"width\":1,\"height\":1,\"caption\":\"Checkmarx\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis\",\"https:\/\/x.com\/checkmarx\",\"https:\/\/www.youtube.com\/user\/CheckmarxResearchLab\",\"https:\/\/www.linkedin.com\/company\/checkmarx\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/person\/0e5df47a6fb9c1bc0e0b31ef6cfd41fa\",\"name\":\"Eran Kinsbruner\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/05\/Eran-Kinsbruner-avatar-150x150.jpg\",\"contentUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/05\/Eran-Kinsbruner-avatar-150x150.jpg\",\"caption\":\"Eran Kinsbruner\"},\"description\":\"Enterprise Product Marketing Executive. Recognized thought leader, board advisor to stealth companies, researcher, inventor, and best-selling author of four books. 
Expertise in B2B SAAS, AI, observability, DevOps, and software quality.\",\"url\":\"https:\/\/checkmarx.com\/author\/erankinsbruner\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->"}