Application security, AI/ML, DevSecOps

Code, control, and chaos: Rethinking security in the age of AI-driven development


Modern software development has outpaced traditional security models and created new risks that organizations are struggling to manage, agreed a group of CISOs and other top IT and security managers in a recent roundtable discussion.

That discussion, hosted by the CyberRisk Collaborative (CRC) and sponsored by AutoRABIT, followed the Chatham House Rule, so we're not at liberty to tell you who was at the meeting or what each participant specifically said. But the latest CRC report, "CI/CD Security, Developer Trust, and AI Code Risks," presents five takeaways from the conversation.

The full report is available to CyberRisk Collaborative members.

Today's biggest security challenges, the participants agreed, are not external threats, but internal misalignments, such as those between speed and control, developers and security teams, and legacy processes and modern workflows. Organizations are investing heavily in tools, yet still face persistent vulnerabilities rooted in fragmented systems, poor integration, and outdated expectations.

The first takeaway from the discussion is that security must evolve to match the speed and structure of modern software development. Traditional approaches that apply security as a checkpoint after code is written are no longer effective.

Instead, security must be embedded directly into developer workflows, such as by integrating tools like static and dynamic testing, software composition analysis, and secrets detection into CI/CD pipelines and developer environments.

The rise of AI-assisted coding introduces another layer of complexity, as stated in the second takeaway. While AI tools accelerate development, they also generate new risks, including insecure code patterns, outdated dependencies, and intellectual property concerns.

Organizations must resist the temptation to treat AI-generated code as inherently trustworthy. Accountability remains firmly with developers and their organizations, requiring rigorous validation, governance, and oversight. AI, in this sense, amplifies both productivity and risk, making strong guardrails essential.

Identity and access management also emerge as foundational challenges. The third takeaway from the report is that excessive permissions, orphaned accounts, and poorly governed service identities create a vast and often invisible attack surface.

In cloud and hybrid environments, identity has become the primary control plane, and poor identity hygiene, reflected in privilege creep or lack of visibility, can lead to systemic vulnerabilities. Addressing these shortfalls requires continuous enforcement of the principle of least privilege, the practice of just-in-time access, and ongoing entitlement reviews, supported by automation.

Another key insight, and the fourth takeaway from the CISO roundtable, is that developer behavior is often shaped less by intent and more by incentives. Developers typically prioritize speed and feature delivery because those are the metrics by which they are evaluated. Security, which can impede both metrics, is often deprioritized.

To change this dynamic, organizations must realign incentives by embedding security into performance metrics, providing continuous feedback, and fostering a culture in which secure coding is integral to success.

The report's fifth and final takeaway highlights a major disconnect between legacy audit models and modern development practices. Traditional compliance frameworks, designed for slower, linear release cycles, are ill-suited for today's rapid, iterative CI/CD environments. This results in inefficient dual processes and superficial compliance.

The solution: Automate compliance within pipelines, enabling real-time evidence collection and continuous assurance.

The overall discussion underscored that secure development is not merely a technical challenge, but also an organizational one. Success depends on aligning security, development, and governance into a unified operating model.

The organizations that embed security into workflows, enforce identity discipline, align incentives, and modernize compliance will be best positioned to innovate securely in an AI-driven future.

Paul Wagenseil

Paul Wagenseil is a custom content strategist for CyberRisk Alliance, leading creation of content developed from CRA research and aligned to the most critical topics of interest for the cybersecurity community. He previously held editor roles focused on the security market at Tom’s Guide, Laptop Magazine, TechNewsDaily.com and SecurityNewsDaily.com.
