AI-generated code risks reach security, legal, and compliance teams

Most engineering organizations write code with AI, and a good number of them keep that code away from customers. A Flux survey of engineering leaders and practitioners found that nearly half run AI-generated code in production. Almost every company in the sample uses AI somewhere in development, with under 5% reporting no plans to adopt it within a year.

Where teams trust AI

Teams reach for AI on repetitive work first. It writes documentation, fills out unit tests, and handles simple functions, the kind of tasks where a mistake stays small and easy to catch. Adoption thins out as the stakes rise.

On speed, the technology delivers close to what people hoped for. Two-thirds of current users report higher productivity, and a similar share report faster prototyping. Error reduction is the one promise that comes up short. Almost half of non-adopters expected AI to cut errors, and only about a third of current users see that happening.

Safeguards pile up before code ships

Ted Julian, CEO and founder of Flux, said the distance between writing AI code and shipping it has a pattern underneath. Teams add safeguards in overlapping layers, and no single purchase flips a team from cautious to live.

“The absence of a single unlocking safeguard is itself a finding: teams with substantial tooling in place still choose not to ship,” Julian told Help Net Security.

Teams that keep AI code out of production invest more heavily up front. They are far less likely to have bought nothing, and they show higher adoption of code quality analysis, software composition analysis, and training tied to coding assistants. Production teams lead in one area, automated code review.

The survey stopped short of asking what would tip a hesitant team into deployment. “We can’t identify a specific threshold or combination of tools that moves a team from hesitant to deployed,” Julian said. The same limit applies to reasons for waiting, which the questionnaire did not record by company size or industry.

Review load and visibility gaps

The catch is review. Code review already eats a large slice of the workweek for most developers, and roughly one in ten spend more than 40% of their time on it. More AI-generated code means more to read, and the code often looks different from what reviewers are used to, which slows them down.

People disagree on whether AI makes things buggier. About a third say it creates more issues, about a third say fewer, and the rest see no real change.

Visibility is where the strain shows. Most leaders say they can keep up with what changes week to week, but close to a third admit they cannot. The changes that hide best are the ones that hurt most when they slip by: security tweaks, dependency shifts, and performance hits. Those are the kinds of changes that turn into expensive incidents.

The junior developer question

The most common downside has little to do with bugs. Just over 40% of organizations point to lost learning opportunities for junior developers. The rate holds steady regardless of how widely a company spreads AI. Companies that use AI on a few teams, half their teams, or every team report the problem in a similar range, with no upward trend.

Company size tells a sharper story. Organizations with fewer than 50 developers report the impact at 31%, and every larger band sits between 44% and 46%. “Above the 50-developer mark, company size makes little difference,” Julian said.

Julian said the path for raising junior engineers is still forming. “Managing agents is a new skill they can learn to be productive team members,” he said, and added that “context about the organization, the market, etc. will be critical to success, even in a highly automated environment.” What stays uncertain, in his words, is “which traditional senior dev skills will remain crucial in the new world order for engineering and thus must be passed on to develop juniors into seniors.”

Spending on safeguards

Companies are opening their wallets to deal with this. Close to half have bought code quality analysis tools, and large minorities have added automated review, static and interactive security testing, and software composition analysis. Most of these categories barely existed a couple of years ago.

The way people work is changing too. More than 80% of organizations adjusted their development and release processes for AI-generated code, with most of those changes on the minor side. New policies on AI use are the most common move, followed by required training and stronger code reviews.

There is a pattern underneath all of this. Nearly two-thirds of respondents think AI could beat humans at code review in at least some respects, and 76% would value a tool that lowers the risk of AI-generated code. Companies are betting that more AI can clean up the problems AI created, and they are spending to find out.
