New report reveals that organizations are generating up to 60% of code with AI coding assistants, despite the fact that 20% still forbid them
Checkmarx, the leader in agentic AI-powered application security, today released the results of its annual survey titled “Future of Application Security in the Era of AI,” offering a candid assessment of how AI‑accelerated development is reshaping the risk landscape and how to prepare for the year ahead. The study surveyed more than 1,500 CISOs, AppSec managers and developers across North America, Europe and Asia‑Pacific to understand how organizations are adapting to a world where software is increasingly written by machines.
The findings paint a stark picture: AI‑generated code is becoming mainstream, but governance is lagging. Half of respondents already use AI security code assistants and 34% admit that more than 60% of their code is AI‑generated. Yet only 18% have policies governing this use. The growing adoption of AI coding assistants is eroding developer ownership and expanding the attack surface.
The research also shows that business pressure is normalizing risky practices. More than 80% of organizations surveyed knowingly ship vulnerable code, and 98% experienced a breach stemming from vulnerable code in the past year, that’s a sharp rise from 91% in 2024. Within the next 12 to 18 months, nearly a third (32%) of respondents expect Application Programming Interface (API) breaches via shadow APIs or business logic attacks. Despite these realities, fewer than half of the respondents report deploying foundational security tools, such as using mature application security tools such as dynamic application security testing (DAST) or infrastructure‑as‑code scanning. While DevSecOps is widely discussed industry-wide, only half of organizations surveyed actively use core tools and just 51% of North American organizations report adopting DevSecOps.
“Fast-growing markets across APAC, the Middle East, and Africa often prioritize speed to capture opportunities,” said Nitin Dang, vice president of Asia Pacific, the Middle East and Africa. “Yet our research shows that under-utilization of essential application security practices, combined with the rush to deliver, often results in vulnerabilities making it to production.”
The report outlines six strategic imperatives for closing the application security readiness gap: move from awareness to action, embed “code‑to‑cloud” security, govern AI use in development, operationalize security tools, prepare for agentic AI in AppSec, and cultivate a culture of developer empowerment.
Dang added, “To scale securely, organizations must view security as a business enabler -embedding it early in the development process, giving developers the right tools and training, and fostering a culture where building secure software is part of delivering business value.”
The release of this report follows Checkmarx’s announcement of general availability of its Developer Assist agent, with extensions to top AI-native Integrated Development Environments (IDE) including Windsurf by Cognition, Cursor, and GitHub Copilot. This new agent—the first in a family of agentic-AI tools to enhance security for developers, AppSec leaders, and CISO’s alike—delivers real-time, context-aware issue identification and guidance to developers as they code for autonomous prevention.
Download the full “Future of Application Security in the Era of AI” report at Checkmarx website to learn how organizations can navigate the AI‑accelerated risk landscape and build secure‑by‑default development practices.
