
AI-generated code leaves businesses open to supply chain risk

Companies that now depend on AI-generated code will find that these new coding processes can inject more risk into their supply chains.

Black Duck research found that 95% of organizations rely on AI tools to generate code, yet only 24% apply comprehensive IP, license, security, and quality evaluations to that AI-generated code.

The result: companies are leaving the software supply chain increasingly vulnerable in ways traditional AppSec programs were never designed to handle.

"We're in a new era of rapid software innovation, fueled by AI, but these findings reveal a critical challenge: security isn't keeping pace," said Jason Schmitt, CEO at Black Duck. "It's imperative that organizations prioritize robust security frameworks, with a sharp focus on AI-generated code and meticulous dependency management, to build truly resilient software supply chains."

Other findings from the Black Duck report include:

  • Dependency management drives readiness: 85% of teams with strong dependency tracking report being highly prepared to secure open source, vs. 57% of respondents overall.
  • Automation speeds remediation: Organizations with automatic continuous monitoring fix critical vulnerabilities within a day 60% of the time, compared with 45% across all respondents.
  • SBOM validation sharpens third-party security: When organizations validate supplier SBOMs, 63% said they are highly prepared to evaluate third-party software and 59% remediate critical issues within a day.
  • Compliance maturity matters: Using at least three compliance controls boosts one-day remediation rates to 49%, rising to 54% with four or more, even as 35% cite regulatory complexity as a top challenge.

“Organizations should assume that AI-generated code expands their software supply chain risk, not just their development speed,” said Jason Soroko, a senior fellow at Sectigo. “This leaves large blind spots in provenance, obligations, and exploitable flaws. AI can also amplify dependency sprawl and introduce opaque third-party components that traditional AppSec programs were not built to inventory or govern at rapid-release cadence. The result is a widening gap where shipping gets easier while accountability and assurance get harder.”

Security teams can close the gap by treating AI output like third-party software and enforcing the same controls by default inside the developer workflow, Soroko said. Start with dependency management because organizations that track and manage open source dependencies well report far higher preparedness, he continued, then harden the pipeline with automatic continuous monitoring to accelerate remediation.

Teams should make SBOM validation "non-optional" for suppliers because teams that always validate supplier SBOMs report stronger third-party readiness, Soroko added.

Saumitra Das, vice president of engineering at Qualys, said analysts expect that 95% of code will be AI-generated by 2030. It's reported that about 30% of code at large enterprises is generated by AI, while it's close to 90% to 95% at small startups in 2025.

"It’s important to understand that we are generating more code than humans can reasonably review for correctness, functionality, readability, and security issues," said Das. "As a result, we now have code review companies coming up that use AI models to review code, because humans cannot scale."

Because of the sheer volume of code being generated and the lack of people who can reasonably understand it, Das said we will need new architectures for dealing with the kind of issues discussed in the report, such as:

  • Diverse AI models: We'll need AI models that are diverse in their training datasets to review the generated code.
  • More Model Context Protocol (MCP) automation: The industry needs automation via MCP that can take any code being compiled and send it to vendor A for security reviews, understand the findings, and use vendor B to automate the patching. Even if we find issues with large generated codebases, we will need agentic workflows to fix them with minimal human intervention.
  • QA evolution: QA processes will need to evolve to better test various scenarios with AI-generated harnesses and test cases.
  • Better guarantees on training data: It’s harder to understand if the AI-generated code violates a license. A model could have learned coding practices or libraries from a repository with license A and used that “knowledge” to generate code that now taints a user's codebase with that license, without them realizing. We will need better guarantees from AI model providers on what code they have used to train their data. This is similar to how image generation models must avoid generating copyrighted characters.
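The SBOM validation Soroko calls for and the license-taint problem Das raises can be checked mechanically before a build ships. The following is example code added here, not from Black Duck, Sectigo or Qualys; the CycloneDX-style SBOM is constructed, and the license allowlist and the required fields (version, purl, hashes) are assumptions standing in for a company's own policy.

```python
"""Validate a supplier or AI-assisted build SBOM against a simple policy.
Added example, not vendor code; sample SBOM and policy are constructed."""
import json

# Constructed CycloneDX-style SBOM: one clean component, one with a
# copyleft license and no provenance, one with almost no metadata.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}],
         "hashes": [{"alg": "SHA-256", "content": "0" * 64}]},
        {"type": "library", "name": "leftover-helper", "version": "0.1.0",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"type": "library", "name": "mystery", "version": ""},
    ],
})

# Assumed policy: licenses a hypothetical company accepts in shipped code.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}


def component_licenses(component):
    """Return declared license ids/names; 'UNKNOWN' when none is declared."""
    ids = []
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        ids.append(lic.get("id") or lic.get("name") or "UNKNOWN")
    return ids or ["UNKNOWN"]


def validate_sbom(sbom_json, allowed=ALLOWED_LICENSES):
    """Return (component, problem) findings; an empty list means pass."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        name = comp.get("name", "<unnamed>")
        if not comp.get("version"):
            findings.append((name, "missing version"))
        if not comp.get("purl"):
            findings.append((name, "missing purl (no provenance)"))
        if not comp.get("hashes"):
            findings.append((name, "missing hashes (integrity unverifiable)"))
        for lic in component_licenses(comp):
            if lic not in allowed:
                findings.append((name, f"license {lic} not on allowlist"))
    return findings
```

Wiring `validate_sbom` into CI so a non-empty result fails the build is what makes validation "non-optional" in practice.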
