Three-quarters. That’s the jaw-dropping number of organizations that admit to knowingly shipping code riddled with vulnerabilities. Two new studies dropped this week, and both paint a rather grim picture of our software supply chains, particularly with the accelerating capabilities of AI.
Checkmarx’s May 21st report is the source of that particular stat: 75% of companies either often or sometimes deploy code they’re aware is flawed. Yes, it’s a slight dip from last year’s 81%, but let’s be clear – that’s still an astronomical figure. Especially when you consider that increasingly sophisticated AI models are making it ridiculously easy for bad actors to find and exploit these weaknesses. We’re talking about a speed increase that beggars belief. What used to take nearly three years to exploit in 2018 might now take less than two days. And Checkmarx’s Zero team? They’re predicting exploit times to shrink to a single minute by 2028. A minute. Let that sink in.
Eran Kinsbruner, a VP at Checkmarx, points a finger directly at unvetted AI-generated code as a major culprit. He argued, and I’m paraphrasing here, that the problem isn’t about processes anymore; it’s a fundamental math issue. “AI-generated code is outpacing every manual remediation model in existence.” That’s not just a casual observation; it’s a red flag waving furiously over the entire software development lifecycle.
This isn’t an isolated chorus of concern, either. Verizon’s latest Data Breach Investigations Report (DBIR) chimed in, noting that vulnerability exploitation was responsible for nearly a third (31%) of all initial access points in data breaches over the past year, up from 20% the previous year. The report explicitly suggests that the adversarial use of AI could be behind this surge. It found that the median threat actor was using AI assistance across 15 different techniques, with some even dabbling in 40 or 50. This isn’t just about faster hacking; it’s about more sophisticated, AI-augmented hacking.
The UK’s AI Anxiety: A Mirror to Global Fears
Across the pond, a separate study from UK insurer QBE reveals similar anxieties. A full 75% of UK businesses are fretting about their vendors and suppliers incorporating AI into their operations. They’re already on high alert for supply chain incidents, with QBE reporting a rise in cyber events within the past 12 months – from 53% in 2025 to 59% in 2026. And here’s a particularly chilling detail: over a fifth (22%) of these businesses stated that “all or most” of the attacks they suffered in the last year involved a supplier. The concern is palpable, yet the action? Far less so. Despite these worries, a mere 28% of companies using AI have bothered to audit their third-party suppliers’ AI systems. And only 35% have a formal AI usage or governance policy in place. It’s a classic case of knowing the threat but failing to build the defenses.
Why Does This Matter So Much for Developers?
Look, for developers, this is more than just abstract corporate-level worry. This directly impacts the code they write, the tools they use, and the security posture of their projects. The pressure to deliver faster, often coupled with the allure of AI coding assistants, means that the temptation to overlook potential vulnerabilities is immense. If AI can generate code snippets faster than a human can vet them, where does that leave us? It leaves us with a software development pipeline that’s becoming a conveyor belt for risk. The historical parallel isn’t some obscure tech trend; it’s the sprawling, often insecure, component-based development of the late 90s and early 2000s, amplified by AI’s speed and scale. We’re not just talking about leaky APIs or old libraries anymore; we’re talking about entire codebases potentially compromised before they even hit production.
“The backlog isn’t a process problem anymore; it’s a math problem. AI-generated code is outpacing every manual remediation model in existence.”
The fact that organizations know they’re shipping vulnerable code is the most damning indictment. It suggests a conscious trade-off between speed and security, a gamble where the stakes keep getting higher. When exploit times shrink to minutes, that gamble becomes a ticking time bomb. We’re building our digital infrastructure on foundations that are knowingly weak, and AI is the accelerant turning small cracks into chasms.
It’s easy for companies to point fingers at AI or third-party vendors. But the core issue remains an organizational one: a failure to prioritize security throughout the development lifecycle. This isn’t a new problem, but AI has certainly turned up the heat. We’re entering an era where the sheer velocity of code creation, fueled by AI, could easily overwhelm our ability to secure it, leading to a potentially catastrophic rise in breaches and data compromises. It’s a daunting prospect, and one that demands a fundamental re-evaluation of how we build and deploy software.
Frequently Asked Questions
What does it mean to “knowingly ship vulnerable code”?
It means organizations are aware that the code they are deploying contains known security weaknesses or vulnerabilities, but they choose to release it anyway, often due to pressures like speed-to-market or resource constraints.
How is AI making it easier to exploit vulnerabilities?
AI can be used by threat actors to rapidly identify potential vulnerabilities, craft sophisticated exploit code, and automate the process of testing and launching attacks, drastically reducing the time it takes to find and weaponize weaknesses.
Will this trend lead to more data breaches?
Yes, the combination of knowingly shipping vulnerable code and the increased efficiency of AI-powered exploitation significantly elevates the risk of more frequent and severe data breaches.