COMMENTARY: AI coding assistants have quickly transitioned from experimental, “nice to have” tools to a non-negotiable for developers.Case in point: Coinbase CEO Brian Armstrong recently ordered every engineer at the company to adopt AI coding assistants – and subsequently fired those who didn’t or wouldn't.[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]Similarly, Accenture CEO Julie Sweet announced the company would be “exiting” employees who can’t be upskilled in AI. But Armstrong and Sweet are far from alone when it comes to executives mandating AI. Box, Duolingo, Meta, and Shopify are all requiring employees to use AI in their daily workflows.Overall, this shift is a net win. AI coding assistants enhance productivity, empower devs to try new things, and ultimately accelerate deployment. However, the widespread adoption, and mandatory use, of these tools will increase companies’ attack surfaces by orders of magnitude.Think about it: AI coding assistants operate based on all of the existing code that exists, be it online or in a company’s code base, including the risks, security flaws, and/or architecture flaws that live in that code base. So, while AI coding assistants potentially deliver 10x productivity, they also increase an organization’s risk level 10x as they perpetuate the issues that already reside within its code.Despite the risks, these tools are here to stay, and they’re fundamentally changing how software gets written. Now’s the time for security practitioners and developers to come together to determine a new set of secure coding strategies.Here’s how security teams can safeguard code and empower devs to reap the benefits of AI coding assistants:By following these three steps, security teams and devs can join forces to ensure the huge volumes of new code generated are secure, and the existing vulnerabilities in their code base aren’t being multiplied. When teams put the right tools,, guardrails and processes into place, AI coding assistants can then function as trusted partners, not risk-proliferators.Karen Cohen, vice president, product management, ApiiroSC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
Communication comes first
Security pros play a pivotal role in ensuring that organization adopt AI in a safe and successful manner. By leading with clear, collaborative communication, they can position themselves as trusted partners to developers, helping teams move faster while avoiding unnecessary risks.The most effective security teams make it clear that they want developers to use AI coding assistants confidently and responsibly. By focusing on transparency, education, and enablement, not gatekeeping, they strengthen the partnership with R&D and ensure that security becomes a natural part of innovation rather than a roadblock.Because AI coding assistants generate exponentially more code than humans, governance remains a major challenge. Research shows that while AI-assisted developers produce significantly more commits, they package them into larger, more complex pull requests that are harder to review. In practice, this means 10x productivity can also translate into 10x more code to review. Furthermore, other studies show that developers – even those who follow secure coding practices – are more likely to use or approve insecure code suggested by AI assistants than the code they write themselves.In addition to managing this increased volume and complexity, developers must still consider privacy, compliance, security, localization, and performance – responsibilities that don’t disappear just because an AI assistant wrote the code. They need to prompt AI coding assistants with these requirements and then verify the outputs, ensuring that accelerated development doesn’t come at the expense of security or quality.It’s a lofty task best accomplished when broken down into three steps:- Take a Secure-by-Design approach: While it’s nothing new to integrate security best practices from the very beginning of the software development lifecycle (SDLC), it’s even more crucial in the age of AI coding assistants. For the best outcomes, developers should partner with a security champion to conduct a pre-development design review that considers security, privacy, compliance, and performance requirements. Have security conversations early, before code gets written. This will let AI coding assistants accelerate development without introducing new vulnerabilities or amplifying existing ones.
- Conduct a planning "conversation" with the AI agent: After collaborating with an application security (AppSec) professional on a design review, developers can take those insights and continue the conversation with their AI coding assistant. For example, when building or extending a service, they can ask targeted questions such as, “What organizational policies or compliance requirements should this feature follow?” or “Given the context of this system, which authentication framework makes the most sense?” Use a governance tool that understands their policies, standards, and architecture.
- Implement guardrails to support the coding process: After conducting planning with both a security practitioner and the AI coding assistant itself, start the actual coding process. It’s critical to have guardrails in place to make sure the AI agent creates secure code. A security AI assistant, whether it’s built into an integrated development environment (IDE) or in the pull request, gives devs fast feedback on the security implications of the changes they make. Additionally, devs can prompt AI agents to create small, incremental (versus large, sweeping) changes, just as they would instruct a junior developer learning to code.




