As AI coding assistants become part of the developer toolkit, application security is taking a major hit, according to application security testing vendor Checkmarx. The vendor surveyed 2,350 CISOs, AppSec managers and developers for an annual report and found a growing disconnect between developers' AI usage and security governance.
Nearly all of the developers surveyed — 96% — have AI tooling at their disposal but only 18% apply security continuously while coding. It’s a problem crying out for oversight that AI alone cannot provide.
“Just like the student cannot grade their own exam, AI alone cannot secure code — and, as the research shows, it adds risk,” Checkmarx CEO Sandeep Johri said in a release accompanying the report. “Organizations need security that combines deterministic precision with probabilistic reasoning to identify novel exploitable patterns, while closing the gap between finding a vulnerability and fixing it with better human-guided remediation.”
The findings underscore the need for third-party providers that can embed guardrails into development processes without slowing innovation, rather than for additional application security tools, Jonathan Kozimor, VP of channel Americas at Checkmarx, told Channel Dive.
“What we're seeing is a growing disconnect between how quickly AI is being adopted and how quickly security practices are evolving to keep pace,” Kozimor said.
Partners who can transition from product sellers to strategic operators have an opportunity to step in, according to Kozimor.
“Companies don’t need more tools and scanners as much as they need help making those tools work together,” he said. “That’s where partners can make a real impact — by helping organizations embed security into development processes, streamline workflows and ensure developers can address risks before code reaches production.”
The deeper AI-generated code gets into production environments, the higher the stakes.
Companies with 81% to 100% AI-generated production code are nearly three times as likely to ship software with known vulnerabilities as companies in the 1% to 20% range. Three-quarters of respondents acknowledged their organization had knowingly deployed vulnerable code.
The pace of change creates demand for workflow design, remediation, governance and software supply chain visibility services. It has also changed how application security is sold.
“Customers are increasingly looking for guidance on how to operationalize security, reduce complexity and improve outcomes,” Kozimor said. “The conversation is shifting from products to processes, from alerts to remediation, and from technology deployment to measurable business results.”
Kozimor said partners should embed security into the developer experience, advocating for partner-led workflow design, remediation guidance and tool integration.
“Developers are already working inside AI-powered environments, so security guidance needs to be available there as well,” he said. “If security only appears at the end of the development cycle, it becomes a bottleneck instead of an enabler.”
A race is on
As organizations prioritize efficiency gains, security leaders are in a bind. Most of the CISOs surveyed — 95% — said they felt pressure to suppress or delay compliance when business deadlines are at stake.
Partners can provide the right kind of leverage, according to Kozimor.
“The most effective partners help customers make informed decisions rather than simply saying yes or no,” he said. “That means providing visibility into risk, helping organizations understand the potential impact and creating clear remediation plans when issues can't be addressed immediately.”
Governance presents another opportunity for partners. Only 22% of organizations have formal governance policies in place, Checkmarx found. Consultants and IT services firms can guide policy definition, manage risk and support responsible AI use across the development lifecycle.
“A risk-based approach is critical,” Kozimor said. “Not every issue carries the same level of urgency and organizations need frameworks that allow them to prioritize effectively while maintaining accountability. When risks are documented, understood and tied to concrete remediation timelines, security becomes part of the business decision-making process rather than an obstacle to it.”
The goal, Kozimor added, is to help organizations move quickly without increasing risk.
Checkmarx has put the theory to the test in the public sector with Carahsoft, an IT services firm and reseller that serves federal, state and local governments.
The partnership gives Checkmarx a route into a highly regulated sector. The wider channel mandate extends well beyond government agencies. Checkmarx found that 93% of organizations acknowledged a recent breach linked to in-house applications, even as 73% described their security posture as advanced or highly mature.
“One of the most important findings from this year’s report is that the challenge isn’t a lack of awareness or a lack of technology,” Kozimor said. “The issue is turning that visibility into action.”
As AI accelerates software development, it also increases the speed at which vulnerabilities can be introduced, he noted. Because of that, organizations relying on manual processes and siloed teams will struggle to keep up.
“The partners who succeed will be the ones who help customers move faster while improving security outcomes,” Kozimor said. “That's a much more strategic conversation than simply deploying another security product.”