
Article Summary
While security awareness is at an all-time high, execution is not, and AI is widening the gap.
95 percent of CISOs are feeling pressure to suppress or delay compliance-related security issues.
Companies with 81-100 percent AI-generated production code are nearly three times more likely to ship software with known security vulnerabilities than companies with 1-20 percent AI code production.
Checkmarx recently unveiled their 2026 Future of Application Security Report, which offered some interesting insight on the impact of AI.
Nearly all developers write code with AI, but fewer than one in five secure it as they go, citing limited use of in-IDE (Integrated Development Environment) AppSec tooling and difficulty integrating security into existing CI/CD pipelines. Their CISOs face the same demands from the executive floor, with 95 percent feeling pressure to suppress or delay compliance-related security issues when business deadlines are at stake.
Additionally, 96 percent of developers acknowledged having AI tooling in their IDEs and nearly unanimously rated it as effective, yet only 18 percent say they apply security continuously as they write code. The data highlights the unsettling fact that companies with 81-100 percent AI-generated production code are nearly three times more likely to ship software with known security vulnerabilities than companies with 1-20 percent AI code production.
The deeper issue cuts across all usage levels: 75 percent of organizations knowingly deploy vulnerable code at some point, driven by deadlines, complexity, and the hope that flaws will not be discovered.
Hope is No Longer a Security Strategy
New frontier AI models are simultaneously exposing new attack surfaces and reducing time to exploit. The 2026 Future of Application Security Report highlights the best practices of leading organizations: they embed hybrid security into every layer, pairing deterministic ground truth with AI-augmented reasoning; they prioritize formal AI governance policies; and they use automation to turn remediation from a manual bottleneck into a defensive strength.
The data also shows the widening gap between the organizations that evolve with the threat landscape and those that still hope flaws won't be found by the latest AI model advances. Additional findings include:
- More than 80 percent of developers do not apply AppSec continuously as code is written, instead catching issues at defined stages after the code already exists, or worse, reactively once incidents surface. Flaws caught late are flaws that can be exploited.
- In a year, the amount of vulnerable code knowingly shipped decreased from 81 percent to 75 percent, while formal AI governance policies at companies increased from 18 percent to 22 percent. As exploit windows collapse from years to minutes, incremental change is simply not enough.
- 93 percent of organizations acknowledged a recent breach tied to their own applications, even as 73 percent describe their security posture as "advanced" or "highly mature". There is a distressing disconnect between security confidence and security reality.
- The 78 percent of organizations that lack formal AI governance policies are leaving the door open for shadow AI tools to proliferate and for exploitation of the unchecked code those tools quietly produce.
“This report points to a massive disconnect between the security crisis that organizations are facing and the incremental steps that they are taking to address it. A completely new model is required,” said Sandeep Johri, CEO of Checkmarx.
The full report is available for free at https://checkmarx.com/foa-report/.