
Software is being built at record speed, but security is falling behind. In fact, recent research found that 81% of organisations knowingly shipped vulnerable code last year to meet the pressure for shorter production lifecycles.
The rise of generative AI is accelerating this trend. By helping developers churn out code faster, it also pushes insecure code into production before it can be properly reviewed. At the same time, AI tools are also enabling threat actors to find and exploit these vulnerabilities faster than ever.
The result is a widening gap. More vulnerable code means more flaws to patch after launch, more exposures for vulnerability management teams to track, and more opportunities for cyber attackers to strike. Organisations must be prepared to handle this new wave of riskier code.
And just as AI is contributing to the increase in vulnerabilities, it also has an important role in managing them through improving the automated vulnerability management processes that will help enterprises keep up.
How AI-driven development is fuelling a flood of vulnerable code
AI has rapidly transitioned from an experimental tool to a standard part of software development. Many developers have now deeply integrated AI tools into their processes, and in some cases, it’s involved in the majority of finished code.
AI tools are helping developers draft snippets, complete functions, or produce examples they can refine. This speeds delivery at a time when organisations face pressure to do more with fewer resources.
Yet while AI accelerates productivity, it also accelerates risk. The models behind these tools are trained on vast datasets that can include insecure coding patterns. Left unchecked, those flaws are replicated at scale.
While AI tools are progressing at an astounding rate, issues such as hallucinations are still common. In development, this can result in tools using non-existent dependencies and sources, creating code that is either non-functional or brittle and opaque.
And if AI starts taking on more responsibility for business-critical systems rather than supporting developers, the consequences will be far greater. Entirely new categories of vulnerabilities could emerge, giving attackers a fresh playground to exploit.
Vulnerable code means an explosion in CVEs
More insecure code in production inevitably translates into more vulnerabilities making it into live applications. Common Vulnerabilities and Exposures (CVEs) are already at an all-time high – more than 33,000 were recorded last year, amounting to nearly 100 new flaws every day. And that is only the visible portion.
Many flaws remain hidden until exploited, while others sit in review backlogs waiting for enrichment. With AI accelerating development, organisations should expect an even sharper rise in disclosures.
The scale is daunting. Security teams already struggle to process daily advisories, and the backlog keeps growing. Without smarter triage, the AI-driven surge of vulnerabilities will overwhelm existing practices – leaving attackers with plenty of opportunities to exploit the gaps.
Why traditional approaches can’t cope
As the volume of vulnerabilities has continued to increase, vulnerability management has often failed to keep pace. Many programmes were built for a slower era, assuming CVEs would appear at a steady pace and that patching cycles could keep up. Today’s environment looks very different.
Manual processes, siloed tools, and reactive workflows are no match for the speed and scale of modern development. Over-reliance on single feeds, such as the National Vulnerability Database (NVD), adds further risk, as delays in enrichment mean attackers can exploit flaws long before defenders have the full picture.
Team silos compound the problem. Different departments often work at cross-purposes, duplicating some activities, leaving gaps in others, and patching can be seen as disruptive rather than collaborative. In fast-moving environments, these cracks result in missed deadlines and unpatched systems. AI-driven development will only widen them.
Scaling vulnerability management for the AI era
If AI is accelerating the creation of vulnerabilities, defenders must accelerate their ability to manage them. That means modernising vulnerability management so it can keep pace with AI-driven development. Four priorities stand out:
1. Contextual prioritisation
Not every flaw deserves equal attention. Teams need to prioritise to take care of the most critical issues first, rather than trying to chase down everything. There are three key factors to consider: which asset is affected, how exposed it is, and whether there is evidence of active exploitation.
A medium-severity bug on a payments server may be far more dangerous than a critical flaw buried in a test environment. Context turns raw CVE lists into meaningful risk maps.
2. Unified visibility
Security data is often scattered across scanners, cloud platforms, and ticketing systems. Consolidating these feeds into a central inventory gives teams a single source of truth.
Without this, prioritisation is guesswork, and the flood of AI-generated flaws will overwhelm even capable teams. This is one of the areas where automation has a powerful role to play, automatically collating sources and applying context that helps with prioritisation.
3. Enriched intelligence
Sources such as the NVD have long been a mainstay of vulnerability management, with the recently launched European Vulnerability Database (EUVD) adding to the mix.
But waiting on third-party resources for full enrichment is no longer enough. Supplementing with other databases, proof-of-concept exploit data, and community signals ensures defenders are not blindsided by delays or blind spots. The richer the intelligence, the clearer the distinction between signal and noise.
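The first three priorities can be sketched together in a few lines. This is an added example, not code from the article: it merges two scanner feeds into one inventory, applies exploitation evidence, and ranks by asset context. The host names, placeholder CVE ids, weights and the treatment of hosts missing from the inventory are all assumptions made for illustration.

```python
# Constructed sample data: placeholder CVE ids, hypothetical hosts and weights.
ASSETS = {
    "payments-01": {"criticality": "high", "internet_facing": True},
    "test-env-07": {"criticality": "low", "internet_facing": False},
    "intranet-wiki": {"criticality": "medium", "internet_facing": False},
}
SCANNER_A = [
    {"asset": "payments-01", "cve": "CVE-0000-0001", "cvss": 5.4},  # medium
    {"asset": "test-env-07", "cve": "CVE-0000-0002", "cvss": 9.8},  # critical
]
SCANNER_B = [
    {"asset": "payments-01", "cve": "CVE-0000-0001", "cvss": 5.9},  # duplicate finding
    {"asset": "intranet-wiki", "cve": "CVE-0000-0003", "cvss": 7.5},
    {"asset": "unknown-host", "cve": "CVE-0000-0002", "cvss": 9.8},  # not in inventory
]
EXPLOITED = {"CVE-0000-0001"}  # stand-in for an exploitation-evidence feed
CRIT_WEIGHT = {"high": 1.5, "medium": 1.0, "low": 0.4}  # assumed weights

def consolidate(feeds):
    """Unified visibility: one record per (asset, cve), highest CVSS, all sources."""
    merged = {}
    for source, findings in feeds.items():
        for f in findings:
            rec = merged.setdefault((f["asset"], f["cve"]),
                {"asset": f["asset"], "cve": f["cve"], "cvss": 0.0, "sources": []})
            rec["cvss"] = max(rec["cvss"], f["cvss"])
            rec["sources"].append(source)
    return list(merged.values())

def risk_score(rec, assets, exploited):
    """Contextual priority from asset criticality, exposure and exploitation."""
    # Assumption: a host missing from the inventory is scored as worst case,
    # so inventory gaps rise to the top instead of silently dropping out.
    asset = assets.get(rec["asset"], {"criticality": "high", "internet_facing": True})
    score = rec["cvss"] * CRIT_WEIGHT[asset["criticality"]]
    score *= 1.3 if asset["internet_facing"] else 0.7
    score *= 2.0 if rec["cve"] in exploited else 1.0
    return round(score, 2)

def prioritise(records, assets, exploited):
    ranked = [dict(r, risk=risk_score(r, assets, exploited)) for r in records]
    return sorted(ranked, key=lambda r: r["risk"], reverse=True)

if __name__ == "__main__":
    feeds = {"scanner_a": SCANNER_A, "scanner_b": SCANNER_B}
    for r in prioritise(consolidate(feeds), ASSETS, EXPLOITED):
        print(f'{r["risk"]:>6}  {r["asset"]:<14} {r["cve"]}  cvss={r["cvss"]}')
```

With this sample data, the medium-severity finding on the payments server ranks first and the critical finding in the test environment ranks last.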
4. Collaboration and orchestration
Technology alone cannot solve the challenge. Security, operations, and development teams need a coordinated model. Central hubs – such as a vulnerability operations centre (VOC) – bring accountability, track progress, and escalate issues before they become breaches.
Framing vulnerabilities in business terms, such as downtime or regulatory fines, also helps secure executive buy-in and accelerates action.
By combining context, visibility, intelligence, and collaboration, organisations can bring order to the chaos. These strategies allow vulnerability management to scale with AI-driven development – ensuring speed does not come at the expense of security.
Resilience requires a new pace and discipline
AI is transforming how software is built, but it is also multiplying the risks that come with it. The same tools that boost productivity also unleash a surge of vulnerabilities, creating more CVEs to track and remediate than ever before.
Traditional patch-everything approaches are no match, and resilience in the AI era depends on scaling defences to match the new pace. A more automated approach to vulnerability management is critical to keeping up, and AI will play an increasingly important role in supporting these processes as technology advances.
With discipline and coordination, vulnerability management can evolve from firefighting to foresight – protecting innovation at the speed AI demands.



