CEO & Co-Founder at Gomboc AI .

We’re in the middle of a paradigm shift in software development. AI-driven tools like GitHub Copilot and ChatGPT have transformed coding from a specialized skill into something closer to conversational magic. Ask for an app, and it materializes. Need a database connector? It’s yours in seconds. But as someone who’s spent decades on the frontlines of cybersecurity—battling everything from nation-state actors to ransomware syndicates—I see a dangerous paradox emerging: The very AI tools accelerating innovation are also quietly undermining its security foundation.

This isn’t fearmongering; it’s a wake-up call. AI-generated code is expanding attack surfaces at a pace that outstrips our ability to secure them. If we don’t act now, we’ll be buried under a mountain of technical debt no security team can recover from.

AI’s value is undeniable. I’ve seen junior developers deliver production-grade code in hours and startups pivot at breakneck speeds. But speed without security guardrails is reckless. AI-generated code is built on vast—often unverified—open-source datasets and that inheritance comes with hidden vulnerabilities.

What keeps me up at night?

• Hallucinated backdoors: Code that seemingly works but introduces hidden authentication bypasses.

• Poisoned patterns: AI models reproducing insecure coding practices (e.g., disabling TLS for “simplicity”).

• Opaque accountability: If AI-generated code leaks sensitive data, who is responsible? The developer? The tool? The AI model’s creators?

Traditional security practices can’t keep up. You can’t review what you don’t fully understand, and you can’t patch vulnerabilities you don’t even know exist.

Why ‘Shift Left’ Isn’t Enough Anymore

For years, we’ve championed “shift left”—embedding security early in development. But AI-assisted coding operates at the speed of thought, rendering manual security reviews obsolete. Telling developers to “be more careful” is like asking a Formula 1 driver to check their brakes mid-lap.

Security must evolve from a phase in development to a layer in AI-driven coding pipelines.

Agentic AI: The Silent Guardian Developers Need

The solution isn’t just more security tools; it’s pairing generative AI with what I call agentic deterministic AI—AI that doesn’t just create but adapts and protects. These systems act as hyper-vigilant counterparts to AI coding assistants, offering:

  1. Real-time risk interception: Scanning AI-generated code for vulnerabilities the moment it’s written.

  2. Enforced security policies: Blocking deprecated libraries, insecure APIs and misconfigurations at the IDE level.

  3. Automated remediations: Rewriting dangerous code on the fly, like a security-aware spellcheck.

Imagine this: An AI coding assistant suggests an outdated encryption method. Before the developer even finishes typing, agentic AI replaces it with a secure alternative and explains why. Or say a ChatGPT-generated cloud configuration defaults to public access. An automated policy engine locks it down instantly, logging the fix for audit purposes.

This isn’t science fiction—it’s possible today. But it requires rethinking security as a native feature of AI coding tools, not an afterthought.

Building A Future Where Security Enables Innovation

Speed doesn’t have to come at the cost of security. Here’s how to strike the balance:

  1. Integrate security into AI pipelines: Demand transparency from AI-generated code tools. If they can’t explain their output, they don’t belong in your stack. Use AI models trained on secure coding standards to reduce risky recommendations.

  2. Automate security at every stage: Deploy static analysis tools that scan AI-generated code in real time, not just in CI/CD. Automate dependency checks to block AI-suggested packages with known exploits.

  3. Redefine developer incentives: Measure teams on “secure velocity”—features shipped minus vulnerabilities introduced. Recognize developers who flag AI-generated risks and make security a celebrated achievement.

  4. Prepare for adversarial AI: Assume attackers are already using AI to generate malicious code (e.g., social engineering through “helpful” suggestions). Conduct red-team exercises focused on AI-generated attack vectors.

Security Is The New Speed

In my two decades in cybersecurity, one truth remains: Shortcuts always lead to long-term pain. But with AI, the stakes are even higher. A single vulnerable line of AI-generated code, replicated across thousands of projects, could spark a supply chain crisis worse than Log4j.

This isn’t a call to abandon AI but to reinvent security for the AI era. By embedding deterministic security guardrails into generative coding workflows, we can turn developers into unstoppable creators and uncompromising security enforcers.

The future belongs to those who wield AI’s power responsibly. Let’s build it—one secure line of code at a time.

Originally published on Forbes Technology Council on 2025-04-14.