Sign in Subscribe
DevSecOps

AI Code Generation: Superpower or Security Blindfold?

Jean-Paul Lizotte

2 min read
AI Code Generation: Superpower or Security Blindfold?

 At JPSoftWorks, we like to say: “Speed without security is just chaos with better sneakers.”

The rise of AI-powered code assistants has been breathtaking. A third of organizations already generate most of their code through AI, yet fewer than one-in-five have actual policies for how to use these tools. That’s like building a skyscraper with a jetpack: impressive to watch, terrifying for those inside.


The numbers are stark:

  • 98% of organizations experienced code-related breaches this past year (up from 91%).
  • Over 80% knowingly shipped vulnerable code to production.
  • In North America, only 51% of orgs say they’ve adopted DevSecOps practices at all. (It's less in the Montreal metropolitan area: 30%).*

It isn’t hard to see the problem. AI is turbocharging our pipelines, but without security guardrails, it’s pouring fuel onto already smoldering vulnerabilities.

Where AI Meets SecDevOps (and Stumbles)

AI assistants can suggest code that “works,” but rarely code that works securely. Input validation? Dependency hygiene? Secure defaults? Often left out. And when developers trust the machine too much, we get what we call “vibe-driven coding.” It compiles, it runs, it even looks elegant, until someone discovers it also opens a backdoor.

The JPSoftWorks Take:

From our perch, the fix isn’t to throw away AI. It’s to govern it.

  • Tag & Track AI-generated code: Know what came from the bot, and treat it with extra suspicion.
  • Shift-Left Security: Plug SAST, DAST, IaC scans right into your CI/CD pipelinebefore code hits prod.
  • Human Review is Non-Negotiable: An AI can’t be accountable. Your devs can. Put human reviews in the pipeline as well.
  • Secure Prompting: Teach teams to request security-aware outputs (“with input validation,” “using parameterized queries”).
  • Policy, Policy, Policy: No more Wild West AI. Organizations need to set boundaries on how assistants are used.

Closing Thought

AI is the intern who types really, really fast. It doesn’t know your compliance frameworks, it doesn’t care about your threat model, and it has no sense of shame when it hands you vulnerable code. That’s your job.

Don't wait until your shop become the source of a breach. Let’s use the jetpack, but with a parachute, a helmet, and a solid flight plan.

Links:
AI Code Generation Creates Blind Spots in DevSecOps

* While there’s no Montréal-specific DevSecOps adoption data, North American benchmarks help. Only ~22% of organizations have a formal DevSecOps strategy, and around 36% currently develop using DevSecOps pipelines. Applied to Montréal’s ~7,000 software/IT firms, this suggests 1,500–2,500 firms (or 20–35%) are actual DevSecOps adopters. A 30% adoption rate is a rational midpoint—realistic, grounded, and based on reported behaviors.