
More code, more flaws: scaling vulnerability management for the AI era

By Sylvain Cortes, VP Strategy, Hackuity

Software is being built at record speed, but security is falling behind. In fact, recent research found that 81% of organisations knowingly shipped vulnerable code last year to meet the pressure for shorter production lifecycles.

The rise of generative AI is accelerating this trend. By helping developers churn out code faster, it also pushes insecure code into production before it can be properly reviewed. At the same time, AI tools are also enabling threat actors to find and exploit these vulnerabilities faster than ever.

The result is a widening gap. More vulnerable code means more flaws to patch after launch, more exposures for vulnerability management teams to track, and more opportunities for cyber attackers to strike. Organisations must be prepared to handle this new wave of riskier code.

And just as AI is contributing to the increase in vulnerabilities, it also has an important role in managing them, by improving the automated vulnerability management processes that will help enterprises keep up.

How AI-driven development is fuelling a flood of vulnerable code

AI has rapidly transitioned from an experimental tool to a standard part of software development. Many developers have now deeply integrated AI tools into their processes, and in some cases, it’s involved in the majority of finished code.

AI tools are helping developers draft snippets, complete functions, or produce examples they can refine. This speeds delivery at a time when organisations face pressure to do more with fewer resources.

Yet while AI accelerates productivity, it also accelerates risk. The models behind these tools are trained on vast datasets that can include insecure coding patterns. Left unchecked, those flaws are replicated at scale.

While AI tools are progressing at an astounding rate, issues such as hallucinations are still common. In development, this can result in tools using non-existent dependencies and sources, creating code that is either non-functional or brittle and opaque.

And if AI starts taking on more responsibility for business-critical systems rather than supporting developers, the consequences will be far greater. Entirely new categories of vulnerabilities could emerge, giving attackers a fresh playground to exploit.

Vulnerable code means an explosion in CVEs

More insecure code in production inevitably translates into more vulnerabilities making it into live applications. Common Vulnerabilities and Exposures (CVEs) are already at an all-time high – more than 33,000 were recorded last year, amounting to nearly 100 new flaws every day. And that is only the visible portion.

Many flaws remain hidden until exploited, while others sit in review backlogs waiting for enrichment. With AI accelerating development, organisations should expect an even sharper rise in disclosures.

The scale is daunting. Security teams already struggle to process daily advisories, and the backlog keeps growing. Without smarter triage, the AI-driven surge of vulnerabilities will overwhelm existing practices – leaving attackers with plenty of opportunities to exploit the gaps.

Why traditional approaches can’t cope

As the volume of vulnerabilities has continued to increase, vulnerability management has often failed to keep pace. Many programmes were built for a slower era, assuming CVEs would appear at a steady pace and that patching cycles could keep up. Today’s environment looks very different.

Manual processes, siloed tools, and reactive workflows are no match for the speed and scale of modern development. Over-reliance on single feeds, such as the National Vulnerability Database (NVD), adds further risk, as delays in enrichment mean attackers can exploit flaws long before defenders have the full picture.

Team silos compound the problem. Different departments often work at cross-purposes, duplicating some activities, leaving gaps in others, and patching can be seen as disruptive rather than collaborative. In fast-moving environments, these cracks result in missed deadlines and unpatched systems. AI-driven development will only widen them.

Scaling vulnerability management for the AI era

If AI is accelerating the creation of vulnerabilities, defenders must accelerate their ability to manage them. That means modernising vulnerability management so it can keep pace with AI-driven development. Four priorities stand out:

1. Contextual prioritisation

Not every flaw deserves equal attention. Teams need to prioritise to take care of the most critical issues first, rather than trying to chase down everything. There are three key factors to consider: which asset is affected, how exposed it is, and whether there is evidence of active exploitation.

A medium-severity bug on a payments server may be far more dangerous than a critical flaw buried in a test environment. Context turns raw CVE lists into meaningful risk maps.

2. Unified visibility

Security data is often scattered across scanners, cloud platforms, and ticketing systems. Consolidating these feeds into a central inventory gives teams a single source of truth.

Without this, prioritisation is guesswork, and the flood of AI-generated flaws will overwhelm even capable teams. This is one of the areas where automation has a powerful role to play, automatically collating sources and applying context that helps with prioritisation.

3. Enriched intelligence

Sources such as the NVD have long been a mainstay of vulnerability management, with the recently launched European Vulnerability Database (EUVD) adding to the mix.

But waiting on third-party resources for full enrichment is no longer enough. Supplementing with other databases, proof-of-concept exploit data, and community signals ensures defenders are not blindsided by delays or blind spots. The richer the intelligence, the clearer the distinction between signal and noise.

4. Collaboration and orchestration

Technology alone cannot solve the challenge. Security, operations, and development teams need a coordinated model. Central hubs – such as a vulnerability operations centre (VOC) – bring accountability, track progress, and escalate issues before they become breaches.

Framing vulnerabilities in business terms, such as downtime or regulatory fines, also helps secure executive buy-in and accelerates action.

By combining context, visibility, intelligence, and collaboration, organisations can bring order to the chaos. These strategies allow vulnerability management to scale with AI-driven development – ensuring speed does not come at the expense of security.
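The first three priorities can be sketched together in code. This is an added example, not code from the author or Hackuity: it merges two constructed scanner feeds into one inventory, enriches them with a constructed exploited-CVE set, and ranks findings by asset context. The asset names, placeholder CVE IDs and weights are all assumptions chosen for illustration.

```python
# Constructed sample data: two scanner feeds with placeholder CVE IDs.
SCANNER_A = [
    {"asset": "pay-api-01", "cve": "CVE-0000-0001", "cvss": 5.4},
    {"asset": "test-db-07", "cve": "CVE-0000-0002", "cvss": 9.8},
]
SCANNER_B = [
    {"asset": "pay-api-01", "cve": "CVE-0000-0001", "cvss": 5.4},  # duplicate
    {"asset": "intranet-wiki", "cve": "CVE-0000-0003", "cvss": 7.5},
]
# Constructed asset inventory: business criticality (1-5) and exposure.
ASSETS = {
    "pay-api-01": {"criticality": 5, "internet_facing": True},
    "test-db-07": {"criticality": 1, "internet_facing": False},
    "intranet-wiki": {"criticality": 2, "internet_facing": False},
}
# Constructed enrichment: CVEs with evidence of active exploitation.
EXPLOITED = {"CVE-0000-0001"}
# Assets missing from the inventory are scored pessimistically.
UNKNOWN_ASSET = {"criticality": 3, "internet_facing": True}

def consolidate(*feeds):
    """Unified visibility: merge feeds, one record per (asset, cve)."""
    merged = {}
    for feed in feeds:
        for finding in feed:
            key = (finding["asset"], finding["cve"])
            prev = merged.get(key)
            # Keep the highest reported severity if scanners disagree.
            if prev is None or finding["cvss"] > prev["cvss"]:
                merged[key] = dict(finding)
    return list(merged.values())

def risk_score(finding, assets, exploited):
    """Contextual score; the weights are illustrative, not a standard."""
    ctx = assets.get(finding["asset"], UNKNOWN_ASSET)
    score = finding["cvss"] * ctx["criticality"] / 5   # which asset
    if ctx["internet_facing"]:
        score *= 1.5                                   # how exposed
    if finding["cve"] in exploited:
        score *= 2                                     # active exploitation
    return round(score, 2)

def prioritise(feeds, assets, exploited):
    """Return deduplicated findings, highest contextual risk first."""
    findings = consolidate(*feeds)
    for finding in findings:
        finding["risk"] = risk_score(finding, assets, exploited)
    return sorted(findings, key=lambda f: f["risk"], reverse=True)
```

With this sample data the medium-severity finding on the payments server ranks first and the CVSS 9.8 finding on the test database ranks last.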

Resilience requires a new pace and discipline

AI is transforming how software is built, but it is also multiplying the risks that come with it. The same tools that boost productivity also unleash a surge of vulnerabilities, creating more CVEs to track and remediate than ever before.

Traditional patch-everything approaches are no match, and resilience in the AI era depends on scaling defences to match the new pace. A more automated approach to vulnerability management is critical to keeping up, and AI will play an increasingly important role in supporting these processes as technology advances.

With discipline and coordination, vulnerability management can evolve from firefighting to foresight – protecting innovation at the speed AI demands.
