
AI-generated code brings supply chain risk to enterprises
A recent study shows that 95% of organizations use AI-generated code, but only 24% conduct a comprehensive evaluation of it, leaving their software supply chains exposed to risks that traditional security measures cannot address.
AI-generated code leaves businesses open to supply chain risk

Companies that now depend on AI-generated code will find that these new coding processes can inject more risk into their supply chains.
Black Duck research found that 95% of organizations rely on AI tools to generate code, yet only 24% apply comprehensive IP, license, security, and quality evaluations to that AI-generated code.
The result: companies are leaving the software supply chain increasingly vulnerable in ways traditional AppSec programs were never designed to handle.
"We're in a new era of rapid software innovation, fueled by AI, but these findings reveal a critical challenge: security isn't keeping pace," said Jason Schmitt, CEO at Black Duck. "It's imperative that organizations prioritize robust security frameworks, with a sharp focus on AI-generated code and meticulous dependency management, to build truly resilient software supply chains."
Other findings from the Black Duck report include:
“Organizations should assume that AI-generated code expands their software supply chain risk, not just their development speed,” said Jason Soroko, a senior fellow at Sectigo. “This leaves large blind spots in provenance, obligations, and exploitable flaws. AI can also amplify dependency sprawl and introduce opaque third-party components that traditional AppSec programs were not built to inventory or govern at rapid-release cadence. The result is a widening gap where shipping gets easier while accountability and assurance get harder.”
Security teams can close the gap by treating AI output like third-party software and enforcing the same controls by default inside the developer workflow, Soroko said. Start with dependency management because organizations that track and manage open source dependencies well report far higher preparedness, he continued, then harden the pipeline with automatic continuous monitoring to accelerate remediation.
Teams should make SBOM validation "non-optional" for suppliers because teams that always validate supplier SBOMs report stronger third-party readiness, Soroko added.
Saumitra Das, vice president of engineering at Qualys, said analysts expect that 95% of code will be AI-generated by 2030. It's reported that about 30% of code at large enterprises is generated by AI, while it's close to 90% to 95% at small startups in 2025.
"It’s important to understand that we are generating more code than humans can reasonably review for correctness, functionality, readability, and security issues," said Das. "As a result, we now have code review companies coming up that use AI models to review code, because humans cannot scale."
Because of the sheer volume of code being generated and the lack of people who can reasonably understand it, Das said we will need new architectures for dealing with the kind of issues discussed in the report, such as: