AI has become indispensable to software development. Ninety percent[i] of organizations report using AI coding assistants such as Copilot and Claude Code. Over 96% of organizations are using open source AI models to power core functions like data processing, computer vision, and process automation in the software they ship. And one-fifth of organizations prohibit AI tools but know their developers are using them anyway.

There’s no doubt that AI helps developers code faster. But AI coding tools just create code that mimics patterns observed in open source projects and other publicly available code. Traditionally, AI code generators are trained to prioritize functional code—security is often no more than a happy coincidence, and software license compliance is just a suggestion. So how can you get the best of AI without exposing your organization to the worst?

Ultimately, as with any DevSecOps initiative, you need the efforts of contributors from both development and security aligned in strategy to achieve defined goals. If dev seeks speed, it must come along with the security controls AppSec seeks and the IP protections sought by legal. That’s a lot of moving parts. What could go wrong?

[i] All statistics quoted in this blog post are from the 2024 Black Duck “Global State of DevSecOps” report.