New research from offensive security firm Pentest-Tools.com has quantified a growing disconnect between the speed at which AI tools are generating code and the ability of security teams to validate it before it reaches production, with significant implications for enterprise risk and compliance.
The survey, conducted in March 2026 with 241 confirmed AI coding tool users across the UK, Europe, and the US, found that just 9% of developers believe vulnerability testing keeps full pace with their development speed. More than half (51%) reported finding security vulnerabilities in AI-assisted code after it had already been deployed.
The validation window is shrinking
AI coding tools are now embedded infrastructure rather than an experimental add-on. Three-quarters of respondents (76%) use them ‘always’ or ‘usually’, and 82% work in organisations that actively encourage or mandate their use. The challenge, the research makes clear, is not the tools themselves, but the growing gap between how quickly code is being written and how rigorously it is being checked.
Thirty percent of respondents said they do not have sufficient time to thoroughly review AI-generated code before deployment. A further 34% acknowledged that development speed has caused code to ship before vulnerabilities were fully explored.
“I get exhausted from reviewing so much AI-generated code and let some code through that causes bugs after deployment.” – Survey respondent
The nature of vulnerabilities is shifting
Qualitative responses in the survey pointed to a change in the character of vulnerabilities emerging from AI-assisted development, not just their frequency. Practitioners consistently reported fewer obvious syntax errors, but a rise in subtler, harder-to-catch issues – the kind that pass a fast review.
Recurring patterns included:
- Weak authentication checks copied from AI-suggested patterns
- Insecure defaults and unsafe input handling
- Logic flaws and architectural misconfigurations that individual code components pass review, but fail when combined
- Vulnerabilities that compound across multiple pull requests rather than appearing as discrete issues
One respondent summarised the shift: “It’s moved vulnerabilities from obvious bugs to harder-to-spot review failures.”
Traditional static analysis tools are poorly suited to catching this class of issue. The report notes that such flaws often only surface when code is running, when systems interact, or when an attacker reaches the deployed application — not at the point of code inspection.
Compliance implications
The report draws a direct line between the validation gap and audit readiness. Under frameworks including SOC 2, ISO 27001, PCI DSS, DORA, and HIPAA, organisations are expected to produce evidence that a vulnerability existed, was remediated, and that testing was repeatable. A passing CI build or raw scanner output does not satisfy those requirements.
When code ships before validation is complete, as 34% of respondents acknowledged happens, the documentation trail required for audit weakens. The report argues that evidence capture needs to become a routine output of the testing process, not a separate audit-preparation exercise.
What better-performing teams are doing differently
The survey identified a cohort of practitioners reporting stable or improving security conditions. Their common practices included:
- Treating AI-generated code as untrusted by default, reviewed with the same scrutiny applied to third-party dependencies
- Moving security validation closer to the merge boundary, with automated scans gated to pull requests rather than running post-deployment
- Using AI tooling to conduct a first-pass review of AI-generated code, surfacing likely issues before human review
- Restricting AI code generation to lower-risk areas of the codebase, keeping authentication flows, payment paths, and data access under stricter human authorship
The full report, ‘The Shrinking Validation Window’, is available here.
