
AI Is Generating Code Faster Than Anyone Can Secure It

Corporations sold AI to their boards as a productivity revolution. What they got instead is a million lines of unreviewed code, a security backlog nobody can close, and engineers burning out babysitting the machines that were supposed to replace them.


The New York Times recently pulled back the curtain on what AI-assisted development actually looks like. One financial services firm deployed Cursor and watched coding output increase tenfold. The result wasn’t a leaner operation; it was a million lines of code waiting for human review. “The sheer amount of code being delivered, and the increase in vulnerabilities, is something they can’t keep up with,” said Joni Klippert, CEO of security startup StackHawk.


That’s not a productivity gain. That’s a risk transfer, from development to security, to compliance, and ultimately to your customers and regulators.


Bad code creates vulnerabilities. Unreviewed code is uncontrolled code. Amazon and Meta both recently experienced disruptions after AI tools took unauthorized actions. Those are just the ones that made the news. “There are not enough application security engineers on the planet to satisfy what just American companies need,” Joe Sullivan of Costanoa Ventures told the Times. That’s a structural failure baked into the strategy itself.


The industry’s answer is more AI. Anthropic and OpenAI now offer agents to review what their other agents wrote. Cursor acquired Graphite to automate review of Cursor-generated code. We are deploying AI to audit AI, with human accountability somewhere in the middle, increasingly nominal.


I’ve done IT risk assessments across financial services and critical infrastructure for thirty years. Organizations sprint toward efficiency gains without mapping the risk surface they’re creating. When something breaks, the board asks why no one saw it coming.


Someone saw it coming. They just weren’t in the room when the AI budget got approved.

 
 


 
 

Timcke Risk Management, LLC

660 Massachusetts Ave

6th Floor, Boston, MA 02118

 

© 2025 by Timcke Risk Management, LLC

 
