COMMENTARY: Just two years ago, security teams could reasonably believe that with enough review cycles, disciplined testing, and structured remediation, they could bring software to a stable state. Not perfect, but sufficiently secure within the limits of available knowledge to sustain or move into production.

That stability has become harder to sustain – not because teams are less disciplined, but because the analytical tools examining their systems have become more capable.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts.]

In several vulnerability discovery categories, AI systems are already outperforming manual review. Automated fuzzing, static analysis, and pattern recognition across large dependency trees now identify misconfigurations and insecure components at a scale and depth that human teams cannot consistently replicate. In constrained environments, machine-driven discovery is not speculative: it’s operational reality.

Yet finding weaknesses faster does not automatically translate into reducing risk faster. Discovery is only the first step in a longer chain of decisions.

Exploitability is not a simple function of flawed code, or of vulnerabilities that attackers can chain together. It’s shaped by how applications connect to infrastructure, how identities are permissioned, where sensitive data flows, and which business processes depend on the affected systems. A vulnerability with a high technical severity score may pose limited practical risk in one organization, while a seemingly minor issue can become a high-impact event when coupled with privileged access or external exposure.

As AI models evolve, they expand the exploit search space itself. New generations identify vulnerability patterns that earlier systems did not recognize. They reason more effectively across interconnected systems and construct more complex attack chains.
It’s a subtle implication, but an important one: what appears secure under one analytical baseline may warrant reassessment under the next.

That dynamic becomes more visible in supply chain environments. Modern software depends heavily on open-source components and third-party services. When a weakness is discovered in a widely adopted dependency, the downstream impact spans organizations and can affect millions of users. We have already experienced the disruption a single library flaw can cause. As discovery accelerates, the interval between identification and ecosystem-wide awareness compresses, increasing the need for coordinated response.

In many organizations, the constraint is no longer the ability to detect vulnerabilities. It’s the ability to interpret, prioritize, and remediate them without creating operational friction. Findings accumulate. Ownership is often ambiguous. Risk scoring may vary across teams. Without shared context, faster discovery risks producing a faster-growing backlog.

Preparing for this environment doesn’t mean abandoning established practices. It means reexamining and rebalancing them.

Embedding AI-driven analysis earlier in development pipelines, infrastructure-as-code workflows, and identity configuration processes reduces remediation complexity. Issues addressed at creation are almost always cheaper and less disruptive than those discovered post-deployment.

Automation also has a role, but only if it’s governed properly. AI can assist with triage, correlation, and even initiating routine responses. But automation should operate within defined policy boundaries, with visibility into why decisions are made and how actions are executed. Explainability and auditability build trust, particularly as organizations increase their reliance on machine reasoning.

Context sharing also has a role to play. Application security, infrastructure, IAM, SOC, and compliance teams often operate from different data views.
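The kind of context-aware triage the column argues for, as an added illustrative example that is not Secure.com’s or SC Media’s code: it joins a scanner’s technical score with the infrastructure, IAM, data-flow and business views, keeps the reasons for audit, and lets automation act only inside a policy boundary. The weights, thresholds and sample findings are assumed values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    finding_id: str
    cvss_base: float  # scanner's technical severity, 0.0 to 10.0

@dataclass(frozen=True)
class AssetContext:
    internet_exposed: bool        # infrastructure view
    identity_privilege: str       # IAM view: "none", "user" or "admin"
    handles_sensitive_data: bool  # data-flow view
    business_critical: bool       # business-process dependency

PRIVILEGE_WEIGHT = {"none": 0.0, "user": 1.0, "admin": 2.5}  # assumed weights
AUTO_REMEDIATE_AT, TICKET_AT = 7.0, 4.0  # policy boundaries (assumed values)

def prioritize(f: Finding, ctx: AssetContext) -> tuple[float, list[str]]:
    """Adjust the technical score with context; return (priority, reasons)."""
    score, why = f.cvss_base, [f"base severity {f.cvss_base:.1f}"]
    if ctx.internet_exposed:
        score += 2.0; why.append("internet-exposed (+2.0)")
    else:
        score -= 3.0; why.append("internal-only, no external exposure (-3.0)")
    if w := PRIVILEGE_WEIGHT[ctx.identity_privilege]:
        score += w; why.append(f"{ctx.identity_privilege} privilege reachable (+{w})")
    if ctx.handles_sensitive_data:
        score += 1.5; why.append("sensitive data in scope (+1.5)")
    if ctx.business_critical:
        score += 1.0; why.append("business-critical dependency (+1.0)")
    return round(max(0.0, min(10.0, score)), 1), why

def decide_action(priority: float, ctx: AssetContext) -> str:
    """Automation acts only inside policy: critical systems always get a human."""
    if priority >= AUTO_REMEDIATE_AT:
        return "escalate_for_review" if ctx.business_critical else "auto_remediate"
    return "ticket_owner" if priority >= TICKET_AT else "backlog"

def triage(items: list[tuple[Finding, AssetContext]]) -> list[dict]:
    rows = []  # ranked highest priority first, each row carrying its reasons for audit
    for f, ctx in items:
        p, why = prioritize(f, ctx)
        rows.append({"id": f.finding_id, "priority": p, "action": decide_action(p, ctx), "reasons": why})
    return sorted(rows, key=lambda r: (-r["priority"], r["id"]))

SAMPLE = [  # constructed sample findings, not real scanner output
    (Finding("F-1", 9.1), AssetContext(False, "none", False, False)),  # high CVSS, isolated box
    (Finding("F-2", 4.3), AssetContext(True, "admin", True, True)),    # low CVSS, exposed + admin
    (Finding("F-3", 6.5), AssetContext(True, "user", False, False)),
]
```

Running `triage(SAMPLE)` ranks the "minor" F-2 above the high-CVSS F-1, and because F-2 sits on a business-critical system the policy routes it to human review rather than automated remediation.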
A more unified understanding of assets, relationships, and business impact allows risk decisions to become more consistent and less reactive.

Today, the question is no longer whether AI will continue to improve vulnerability discovery. It will, for both attackers and defenders. The relevant question right now: how can organizations ensure that increased visibility translates into coordinated action rather than growing complexity?

Security has always been iterative. AI simply accelerates the pace at which teams must reassess systems. In that environment, it’s better to think of “secure code” as a moment in time within a continuously evolving landscape. What ultimately matters isn’t whether discoveries are fast, but whether they are connected to execution in a way that keeps risk manageable as analytical capabilities expand.

Uzair Gadit, co-founder and CEO, Secure.com; founding partner, Disrupt.com
AI/ML, Application security, DevSecOps
What ‘Secure Code’ means in the AI world