Security teams buckle under delivery pressure

Corporate software teams are continuing to release code they know contains security flaws, as artificial intelligence accelerates development cycles and leaves chief information security officers struggling to enforce compliance against commercial deadlines.

A new Checkmarx application security report found that 75 per cent of organisations knowingly deploy vulnerable code at least some of the time, even as exploit windows shrink and attackers use automation to identify weaknesses faster. The findings point to a widening gap between the speed at which companies are building software and the controls needed to secure it before release.

The report, based on responses from 2,350 CISOs, application security managers and developers across 14 countries, found that 95 per cent of CISOs faced pressure to suppress or delay compliance-related security issues when business deadlines were at stake. The pressure is most acute in organisations where software delivery is tied directly to revenue targets, customer commitments and product launches.

The issue is no longer confined to poorly resourced technology teams. Large enterprises with mature security programmes are also struggling to balance risk management with speed. Nearly all developers surveyed said they had access to AI tools in their integrated development environments, yet only 18 per cent said security was being applied continuously while code was written. That means most flaws are still being detected after code has been created, when fixes are costlier, slower and more likely to be deferred.

The rise of AI-generated code has intensified the risk. Organisations where 81 to 100 per cent of production code is AI-generated were nearly three times more likely to ship software with known vulnerabilities than companies where AI accounts for only 1 to 20 per cent of production code. The finding challenges the assumption that AI-assisted development automatically improves productivity without creating new security liabilities.

The report also found that 93 per cent of organisations had experienced a breach linked to their own applications, despite 73 per cent describing their security posture as advanced or highly mature. That mismatch suggests that many companies are overestimating their readiness while underestimating the speed at which attackers can turn software flaws into operational disruption.

The share of organisations knowingly shipping vulnerable code has fallen from 81 per cent last year to 75 per cent, but the decline is modest when measured against the pace of change in software development. Formal AI governance policies have risen only from 18 per cent to 22 per cent, leaving more than three-quarters of organisations without structured rules for how AI tools are used to generate, review and deploy code.

Security leaders say the danger lies not only in vulnerabilities themselves, but in the normalisation of risk acceptance. For years, companies often relied on patch-later practices, assuming that flaws could be repaired before attackers found them. That model is becoming less viable as automated vulnerability discovery, open-source dependency scanning and AI-enabled reconnaissance reduce the time between disclosure, discovery and exploitation.

The pressure on CISOs reflects a broader governance problem inside companies. Security executives are often accountable for compliance failures and breaches, but product and engineering teams control release timelines. When revenue targets dominate boardroom discussions, security exceptions can become routine rather than exceptional. The result is a growing backlog of unresolved flaws, many of which remain buried inside applications, software supply chains and cloud-native infrastructure.

Developers are also being asked to shoulder more responsibility without always receiving the tools or training needed to manage it. AI coding assistants can generate functional code quickly, but they may also reproduce insecure patterns, introduce flawed dependencies or create components that developers do not fully understand. Without strong review processes, AI-generated output can move into production before security teams have a clear view of what has changed.

The findings underline the growing importance of application security in sectors such as finance, healthcare, retail, public services and critical infrastructure, where software flaws can expose sensitive data or disrupt essential operations. Ransomware groups and financially motivated attackers increasingly target third-party code, APIs, cloud workloads and open-source components, making application security a board-level concern rather than a narrow technical function.