The rapid adoption of AI coding assistants is creating a new governance challenge for enterprise security teams, according to research released by Salt Security, which found that nine in ten security leaders are concerned about the security risks associated with AI-generated code. The research, “AI Coding Assistants and the New Security Challenge”, surveyed 100 IT security leaders across the UK and US and highlights the growing tension between software development speed and security oversight.
According to the study, 67% of organisations now report widespread adoption of AI coding assistants across development teams, reflecting how deeply AI has become embedded in modern software engineering practices. However, governance frameworks have struggled to keep pace. While organisations increasingly rely on AI to accelerate development, 38% still depend primarily on manual reviews to assess AI-generated code, a process many security leaders believe is becoming unsustainable.
Among respondents, 29% identified insecure coding patterns as the biggest risk introduced by AI assistants, while 15% cited concerns about generated code failing to align with internal security policies.
The findings mirror wider industry concerns about the quality and security of machine-generated software. According to figures cited by Salt Security, AI coding assistants now generate nearly half of all code written on platforms such as GitHub, while independent research has found that a significant proportion of AI-generated code contains known vulnerabilities.
“AI coding assistants are fundamentally changing how software is built, but governance has not kept pace,” said Roey Eliyahu, CEO and co-founder of Salt Security.
“Most organisations recognise the risks, but many are still trying to manage AI-generated code using security processes designed for a pre-AI world. That approach does not scale. Security leaders need visibility, consistency and embedded governance across the AI-assisted development lifecycle before code volumes become unmanageable.”
The research also revealed that larger enterprises face greater operational complexity as AI adoption grows. Organisations with more than 500 employees were significantly more likely to report challenges around governance consistency, developer overreliance on AI-generated outputs and policy enforcement across distributed development teams.
The findings coincide with the launch of Salt Code, a new addition to the company’s Agentic Security Platform designed to enforce security policies directly within AI coding assistants such as Claude Code, GitHub Copilot, Cursor, Gemini CLI and Codex. Salt Code is designed to move security controls earlier in the software development lifecycle. Rather than relying solely on traditional security testing tools after code has been written, Salt Code applies organisational security policies during code generation itself.
At the heart of the platform is Salt’s Posture Governance Engine, which allows organisations to define security and compliance requirements once and enforce them consistently across code creation, deployment and runtime environments. The platform includes pre-built policy packs covering frameworks such as the OWASP API Top 10, MCP Security Top 10, LLM Security Top 10 and OpenAPI/Swagger compliance.
According to Salt Security, the approach is intended to address what it describes as “security drift”, or the gradual divergence between organisational policies and actual development practices that can occur as AI-generated code volumes increase.
“AI is writing code faster than organisations can govern it, whether that AI is Claude, Gemini, Copilot, or the next tool a developer downloads tomorrow,” Eliyahu said.
“For the first time, security policy travels with the code itself, from the first prompt through every stage of the pipeline and into runtime. Organisations no longer have to choose between the speed AI enables and the security their business requires.”
Industry analysts have argued that governance will become increasingly important as AI-generated code forms a growing share of enterprise software. Salt’s research suggests that organisations are already recognising the challenge, with security leaders expressing concerns that manual review processes are struggling to scale alongside AI-assisted development.
“I regularly point organisations toward Salt because the full Agentic Security Graph is genuinely differentiating. Salt Code is the piece that ties it together,” said Christopher M. Steffen, CISSP, CISA, CCZ, VP of Research, Information Security, Risk and Compliance Management, Enterprise Management Associates. “With code-level context layered onto runtime behaviour, Salt is building a multi-dimensional defence for agentic systems rather than another single-point tool. That is the direction this market needs to move.”
The company is encouraging organisations to focus on improving visibility into AI-generated code, reducing dependence on manual review, standardising secure development practices and treating AI coding assistants as part of the wider software supply chain.
As enterprises continue to embrace AI-assisted development, the findings suggest that the next phase of adoption may be defined less by productivity gains and more by how effectively organisations can govern and secure the code these systems produce.

