
PRESS RELEASE

Will AI Fix Our Code Security Problems?

Analyst(s): Mitch Ashley
Publication Date: November 25, 2025

AI is accelerating development, yet the security of AI-generated code remains unresolved. The past year delivered a wave of releases and acquisitions across the security ecosystem, but concerns about the trustworthiness of AI-generated code continue to rise.

Key Points:

  • Futurum Research data shows that over 60% of organizations are concerned that AI-generated code may introduce new vulnerabilities.
  • 53% have already found at least one critical or high-severity flaw in AI-generated code in the past twelve months.
  • Vendors across the industry are building early AI-driven analysis, remediation, and orchestration capabilities that begin to shift security to the point where code is created.

Overview:

Concerns over AI-generated code containing security vulnerabilities continue to grow. Futurum Research’s DevOps and Application Development 2025 data shows that over 60% of organizations are concerned that code generated by AI tools may introduce new vulnerabilities or security flaws. Our data also shows that 53% of organizations have found at least one critical or high-severity vulnerability in code generated by AI assistants in the past 12 months.

This pressure has pushed major vendors to accelerate innovation. DeepMind, OpenAI, and Anthropic introduced models and utilities designed to inspect, reason about, and remediate insecure code. GitHub, Cycode, Tenable, and ArmorCode expanded AI-assisted fix generation anchored to vulnerability context. Harness, Invicti, Checkmarx, and Rapid7 added new analysis engines and guidance layers built to connect exploitability, remediation, and business risk.

These efforts represent early attempts to stabilize a rapidly growing problem. Five patterns define how vendors are approaching AI-driven code security:

  • AI assists in securing code
  • Deeper code analysis
  • Collaborative planning between humans and AI
  • Integration into DevSecOps pipelines
  • Orchestration and workflow automation

These approaches move security work closer to where code is created. Early AI agents test and propose fixes as developers write code. Reasoning engines read entire codebases to determine why issues matter. Remediation planning is becoming a continuous task shared by humans and AI. Pipelines are now running security checks and fixes automatically. Orchestration systems link scanners, prioritization logic, and remediation workflows. Each pattern represents incremental progress, yet none eliminates the underlying risk.

Evidence reinforces the need for caution. A 2025 IEEE study examining iterative AI code generation found that security degraded across multiple rounds. Across four prompting strategies and forty rounds of improvement on four hundred samples, critical vulnerabilities increased by more than 37% after only five iterations. This reflects a core principle: quality and security must be controlled at the point of origin, where code is expressed.

Secure Software Origin adapts lean manufacturing’s idea of quality at the source to modern software creation. Without integrated controls, dependency validation, and policy enforcement, organizations cannot rely on developer judgment to ensure AI output is secure. Verification must keep pace with the volume of AI-generated code entering daily workflows.

Progress is coming. New models trained to produce fewer vulnerabilities are expected in 2026, along with early orchestration of AI agents that remediate issues before code reaches developers. These advances will not eliminate code security risks, but they help shift the work from correcting insecure output to generating higher-quality code at creation.

The full report is available via subscription to Futurum Intelligence’s Software Lifecycle Engineering IQ service.

Futurum clients can read more about it in the Futurum Intelligence Platform, and non-clients can learn more here: Software Lifecycle Engineering Practice.

About the Futurum Software Lifecycle Engineering Practice

The Futurum Software Lifecycle Engineering Practice provides actionable, objective insights for market leaders and their teams so they can respond to emerging opportunities and innovate. Public access to our coverage can be seen here. Follow news and updates from the Futurum Practice on LinkedIn and X. Visit the Futurum Newsroom for more information and insights.

Author Information

Mitch Ashley

Mitch Ashley is VP and Practice Lead of Software Lifecycle Engineering for The Futurum Group. Mitch has over 30 years of experience as an entrepreneur, industry analyst, product development leader, and IT leader, with expertise in software engineering, cybersecurity, DevOps, DevSecOps, cloud, and AI. As an entrepreneur, CTO, CIO, and head of engineering, Mitch led the creation of award-winning cybersecurity products used in the private and public sectors, including the U.S. Department of Defense and all military branches. Mitch also led managed PKI services for the broadband, Wi-Fi, IoT, energy management, and 5G industries, product certification test labs, an online SaaS (93m transactions annually), the development of video-on-demand and Internet cable services, and a national broadband network.

Mitch shares his experiences as an analyst, keynote and conference speaker, panelist, host, moderator, and expert interviewer discussing CIO/CTO leadership, product and software development, DevOps, DevSecOps, containerization, container orchestration, AI/ML/GenAI, platform engineering, SRE, and cybersecurity. He publishes his research on futurumgroup.com and TechstrongResearch.com/resources. He hosts multiple award-winning video and podcast series, including DevOps Unbound, CISO Talk, and Techstrong Gang.
