News

AI is rewriting the rules of application security—and most organizations aren’t ready

  • source: securityboulevard.com
  • published date: 2026-03-17 00:00:00 UTC

<div class="col-xs-12 col-sm-9 two2575Right"> <div class="aem-Grid aem-Grid--12 aem-Grid--default--12 "> <div class="richTextEditor aem-GridColumn aem-GridColumn--default--12"> <div class="container "> <section class="component-rtecomp"> <div class="component-rte"> <p>For more than a decade, software security has evolved gradually—new tooling here, a policy tweak there, incremental cultural shifts toward DevSecOps. But with the rise of Generative AI and large language models (LLMs), that era is over. Application security (AppSec) isn’t evolving anymore. It is being <b>fundamentally rewritten</b>.</p> <p>The <a href="https://www.blackduck.com/resources/analyst-reports/bsimm.html">BSIMM16 report</a> provides the clearest industrywide snapshot yet of how AI is reshaping software security—across development, testing, compliance, governance, and even organizational culture. The data-driven Building Security in Maturity Model (BSIMM) shows how leading organizations actually build and run their software security programs. Instead of prescribing best practices, it documents 128 real-world software security activities observed across more than 100 firms, giving teams a clear, evidence‑based way to benchmark their maturity and prioritize improvements—especially as AI, supply chain risk, and automation reshape AppSec.</p> <p>And the message is unmistakable: <b>AI is driving the most significant shift in AppSec since the move to cloud-native architectures.</b></p> <p>Organizations that embrace this shift will accelerate innovation and reduce risk. 
Those that don’t will find themselves facing vulnerabilities they can’t see, threats they don’t understand, and regulatory obligations they can’t meet.</p> </div> </section></div> </div> <div class="text aem-GridColumn aem-GridColumn--default--12"> <div class="background-component vert-pad-top-sm vert-pad-bottom-sm "> <div class="container "> <section class="component-textcomp text-align-left "> <div class="component-text"> </div> <hr class="separator"> </section> </div> </div> </div> <div class="anchor aem-GridColumn aem-GridColumn--default--12"> <div id="1" class="component-anchor"> <div class="aem-Grid aem-Grid--12 aem-Grid--default--12 "> </div> </div> </div> <div class="richTextEditor aem-GridColumn aem-GridColumn--default--12"> <div class="background-component vert-pad-bottom-xs "> <div class="container "> <section class="component-rtecomp"> <div class="component-rte"> <h2><span class="text-color-synopsys-purple">AI is now a first‑class attack surface</span></h2> <p>For years, developers relied on intuition, experience, and pattern recognition to make secure coding decisions. AI changes this dynamic entirely.</p> <p>BSIMM16 makes it clear that <b>LLM‑generated code is not secure by default</b>—even if it looks clean, idiomatic, and professional. It often omits crucial security controls or introduces subtle logic vulnerabilities that automated scanners weren’t designed to detect. This creates a paradox: AI accelerates development dramatically, but it also accelerates the introduction of hard‑to‑spot vulnerabilities. 
As a result, organizations are forced to expand their threat models to include</p> <ul> <li>Prompt injection and model manipulation attacks</li> <li>AI‑assisted malicious payload generation</li> <li>Abuse of LLM integrations and data flows</li> <li>New vulnerabilities introduced by both developers and AI</li> </ul> <p>The firms leading the way are already investing in <b>AI‑specific attack intelligence</b> and developing <b>technology‑specific attack patterns</b> that account for this new paradigm.</p> </div> </section></div> </div> </div> <div class="anchor aem-GridColumn aem-GridColumn--default--12"> <div id="2" class="component-anchor"> <div class="aem-Grid aem-Grid--12 aem-Grid--default--12 "> </div> </div> </div> <div class="richTextEditor aem-GridColumn aem-GridColumn--default--12"> <div class="background-component vert-pad-bottom-xs "> <div class="container "> <section class="component-rtecomp"> <div class="component-rte"> <h2><span class="text-color-synopsys-purple">Governance and compliance are being rebuilt for the AI era</span></h2> <p>AI isn’t just a technical disruption—it’s a governance disruption.</p> <p>Regulators around the world are raising expectations for software security, and AI‑driven development is accelerating that pressure. BSIMM16 shows significant growth in security activities that help organizations prove the trustworthiness of their development environments, including</p> <ul> <li>Protecting development endpoints</li> <li>Securing build and deployment toolchains</li> <li>Documenting software compliance</li> <li>Defining standards for adopting new technologies—especially AI</li> </ul> <p>The EU Cyber Resilience Act, U.S. 
government self‑attestation requirements, and similar initiatives worldwide are sending the same message: <b>If AI touches your software, you must be able to prove you built it securely.</b></p> <p>Organizations that treat AI as an “experiment” rather than a regulated software component risk falling behind—and falling out of compliance.</p> </div> </section></div> </div> </div> <div class="anchor aem-GridColumn aem-GridColumn--default--12"> <div id="3" class="component-anchor"> <div class="aem-Grid aem-Grid--12 aem-Grid--default--12 "> </div> </div> </div> <div class="richTextEditor aem-GridColumn aem-GridColumn--default--12"> <div class="background-component vert-pad-bottom-xs "> <div class="container "> <section class="component-rtecomp"> <div class="component-rte"> <h2><span class="text-color-synopsys-purple">Automation is no longer optional—it’s the backbone of AppSec</span></h2> <p>One of the strongest signals from BSIMM16 is the explosive growth in <b>automation across the software supply chain</b>.</p> <ul> <li>SBOM generation surged almost <b>30%</b></li> <li>Automated infrastructure security verification rose <b>over 50%</b></li> <li>Custom security rules for AI‑generated code increased notably</li> <li>Organizations scaled “governance‑as‑code” into CI/CD pipelines</li> </ul> <p>Why? Because manual review simply cannot keep pace with AI‑accelerated development velocity.</p> <p>AI writes code at machine speed. Security teams cannot defend it at human speed. 
The future of AppSec belongs to organizations that move from <i>manual enforcement</i> to <i>continuous, automated, verifiable controls</i>.</p> </div> </section></div> </div> </div> <div class="anchor aem-GridColumn aem-GridColumn--default--12"> <div class="component-anchor"> <div class="aem-Grid aem-Grid--12 aem-Grid--default--12 "> </div> </div> </div> <div class="richTextEditor aem-GridColumn aem-GridColumn--default--12"> <div class="background-component vert-pad-bottom-xs "> <div class="container "> <section class="component-rtecomp"> <div class="component-rte"> <h2><span class="text-color-synopsys-purple">Security training is becoming real‑time and embedded</span></h2> <p>BSIMM16 identifies a dramatic cultural shift in training: Traditional classroom education is giving way to <b>short‑form, context‑specific, just‑in‑time learning</b>—a shift driven largely by AI adoption.</p> <p>The activity “Provide expertise via open collaboration channels” grew <b>29%</b>, reflecting a move toward</p> <ul> <li>Instant access to SMEs</li> <li>Microlearning embedded in tools</li> <li>Training triggered by development behavior</li> </ul> <p>This mirrors how developers use AI: not through long lectures, but through <i>ambient, on‑demand guidance</i> that blends seamlessly into their workflow.</p> <p>Security knowledge must now move at the same speed as AI‑assisted coding.</p> </div> </section></div> </div> </div> <div class="anchor aem-GridColumn aem-GridColumn--default--12"> <div class="component-anchor"> <div class="aem-Grid aem-Grid--12 aem-Grid--default--12 "> </div> </div> </div> <div class="richTextEditor aem-GridColumn aem-GridColumn--default--12"> <div class="background-component vert-pad-bottom-xs "> <div class="container "> <section class="component-rtecomp"> <div class="component-rte"> <h2><span class="text-color-synopsys-purple">The most successful organizations are redesigning their AppSec programs around AI</span></h2> <p>Perhaps the most compelling insight from 
BSIMM16 is how leading organizations are restructuring their software security initiatives.</p> <ul> <li><b>They are merging governance and engineering into unified DevSecOps ecosystems.</b> Traditional siloed models can’t handle AI’s velocity.</li> <li><b>They are empowering security champions to scale expertise.</b> Ninety-six percent of the top BSIMM performers have active champions programs.</li> <li><b>They are re‑evaluating their entire software inventory—including AI agents, prompts, and training data.</b> AI components are now in scope as first‑class artifacts.</li> <li><b>They are implementing feedback loops and telemetry‑driven governance.</b> Security becomes an analytics discipline, not just a policy function.</li> <li><b>They are building secure‑by‑design AI patterns and integrating them early.</b> This includes approved design templates for AI/ML and LLM integrations.</li> </ul> <p>These organizations are not simply “adopting AI.” They are <b>transforming their security programs to enable AI safely and at scale</b>.</p> </div> </section></div> </div> </div> <div class="anchor aem-GridColumn aem-GridColumn--default--12"> <div class="component-anchor"> <div class="aem-Grid aem-Grid--12 aem-Grid--default--12 "> </div> </div> </div> <div class="richTextEditor aem-GridColumn aem-GridColumn--default--12"> <div class="background-component vert-pad-bottom-sm "> <div class="container "> <section class="component-rtecomp"> <div class="component-rte"> <h2><span class="text-color-synopsys-purple">The strategic imperative: AI‑ready security programs</span></h2> <p>AI adoption is not slowing down. Code generation is only the beginning. 
Soon AI will</p> <ul> <li>Generate architectures</li> <li>Orchestrate pipelines</li> <li>Detect and fix real‑time vulnerabilities</li> <li>Manage policy enforcement</li> <li>Participate in incident response</li> </ul> <p>The organizations that thrive will be those that build <b>AI‑ready software security programs</b> today that</p> <ul> <li>Anticipate new attack classes</li> <li>Automate aggressively</li> <li>Provide real‑time developer enablement</li> <li>Unify engineering and security</li> <li>Embed governance directly into CI/CD</li> <li>Treat AI as a regulated, auditable component</li> </ul> <p>The BSIMM16 data is unambiguous: <b>AI-driven development requires AI-driven security models.</b> Those that fail to adapt will be left defending systems built faster—and broken faster—than they can secure.</p> <p style="text-align: center;"><span class="component-button primary"><a href="https://www.blackduck.com/resources/analyst-reports/bsimm.html">Download the full report</a></span></p> </div> </section></div> </div> </div> </div> </div><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://www.blackduck.com/blog.html">Blog</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Chai Bhat">Chai Bhat</a>. Read the original post at: <a href="https://www.blackduck.com/blog/ai-application-security-bsimm16-insights.html">https://www.blackduck.com/blog/ai-application-security-bsimm16-insights.html</a> </p>