← Blog

The state of AI code risk in 2026, the numbers

AI now writes a large share of new code, and the security data is catching up. A short, sourced look at what the 2025–2026 research says about AI code risk.

The debate about whether AI-written code is risky is mostly over; the data has arrived. Here is a short, sourced snapshot of where things stand in 2026.

AI writes a lot of the code now

By recent developer surveys, AI already writes close to half of all new code, and the share keeps climbing. The code ships either way, the open question is who checks it. That is the verification gap in one sentence.

The risk is measurable

A few numbers that show up repeatedly in 2025–2026 research:

  • ~10× more security findings in AI-assisted code compared to human-only baselines (Apiiro, 2025).
  • 45% of AI coding tasks introduced a security flaw in controlled testing (Veracode GenAI Code Security Report, 2025).
  • 1 in 5 organizations reported a serious incident linked to AI-generated code (Aikido Security, 2026).
  • +107% open-source vulnerabilities per codebase in a single year as AI ships dependencies faster than anyone reviews them (Black Duck OSSRA, 2026).

The pattern is consistent: AI raises velocity and raises vulnerability at the same time.

Where the new risk concentrates

It is not exotic. The data points at old problems reappearing where no human would put them:

  • Hallucinated and typosquatted packages, roughly one in five AI-suggested libraries can be fabricated, and attackers register the names.
  • Exposed secrets on reachable routes.
  • Tests that pass without proving anything, creating false confidence.
  • Runtime gaps in auth and rate limiting that only appear in production.

What it means in practice

If your team uses Copilot, Cursor, Claude Code, or Codex, the base rates above are not someone else’s problem, they are your default risk unless something independent is checking. The practical response is not to stop using AI; it is to add a verification layer that audits the code and the running app on a schedule and returns findings you can act on.

The first audit is free. See a sample report to see what the findings look like.

Sources: Apiiro (2025), Veracode GenAI Code Security Report (2025), Aikido Security (2026), Black Duck OSSRA (2026), Sonar Developer Survey (2026).