A global survey of 828 enterprise IT professionals conducted by the Futurum Group finds well over a third of respondents expect their organization to increase spending on software security testing (39%) and application programming interface (API) security (36%) over the next 12 to 18 months.
Overall, about 35% said they also plan to make some type of investment in application security, the survey finds.
Mitch Ashley, vice president and practice lead for software lifecycle engineering for the Futurum Group, said the survey results suggest more organizations are starting to appreciate how much the actual velocity at which software is successfully built and deployed now depends on how well security is encoded into workflows, APIs, and, ultimately, artificial intelligence (AI) agents.
In general, guardrails are replacing gates as security policies are becoming executable, enforced continuously by pipelines, platforms, and increasingly AI agents, said Ashley. The fastest teams will not be the ones that bypass security, but rather the ones that make it invisible by design, he added.
The payoff is fewer late-stage surprises, less rework, and more predictable delivery in AI-accelerated development environments, said Ashley.
The depth to which best DevSecOps practices are adopted still varies widely from one organization to the next. Unfortunately, the volume of code being generated in the age of AI only continues to increase exponentially, with much of that code containing known vulnerabilities that are not discovered, if at all, until just before the code is promoted into a staging server. A full 60% of respondents said their organization is now actively using AI to build and deploy software, the survey finds.
Hopefully, there will come a day soon when AI agents are able to identify and remediate vulnerabilities created by AI coding tools, but in the meantime many DevSecOps teams are simply being overwhelmed by the amount of code that needs to be scanned and remediated.
It’s not clear whether it might take a major application security incident that is directly attributable to code generated by an AI tool to motivate more organizations to apply best DevSecOps practices more consistently. Until then, however, DevSecOps teams should expect there will be more application security incidents in the months ahead that will require some type of patch to be rapidly built and deployed.
For now, application developers need to be cognizant of the vulnerabilities they might be inadvertently adding to a code base. If a vulnerability is discovered just before or, worse yet, after an application is deployed, the cost of resolving it is considerably higher. In fact, all the investments made in DevOps tools and platforms to accelerate deployment can be easily negated if the quality of the code being generated only serves to increase the amount of rework that needs to be done.
There is, at this point, no way that AI coding tools are going back in the proverbial bottle. The challenge and the opportunity now is to determine how best to ensure the quality of the code being generated at the very least meets, or hopefully exceeds, the quality of the code being generated by human developers without any help from AI.

