AI-assisted developers introduce security findings at ten times the rate of their non-AI peers, yet 81% of security leaders admit they have no clear view of where AI-generated code lives in their systems. That gap is not a perception problem. It is an attack surface problem, and it is growing faster than most DevSecOps programs can absorb.
The shift from AI assistants to autonomous coding agents accelerates both sides of the equation. Agents that browse repositories, install dependencies, open pull requests, and invoke CI/CD pipelines expand what "AI-generated code" actually means, and expose new vectors that traditional application security tooling was never designed to detect.
A New Scale of Risk
Veracode's 2025 GenAI Code Security Report, which analyzed code generated by more than 100 large language models across 80 curated coding tasks, found that AI-generated code introduced risky security flaws in 45% of tests. Java fared worst with a 72% failure rate. Python, C#, and JavaScript ranged from 38% to 45%. Security performance remained flat regardless of model size or training sophistication: models improved at writing functional code, not secure code.
The compounding factor is velocity. AI-assisted developers produce commits at three to four times the rate of their peers, but introduce security findings at ten times the rate. More code, faster, at a near-constant flaw rate creates a debt that accumulates faster than remediation cycles can clear it.
The Cloud Security Alliance identified 56 CVEs directly attributable to AI-generated code in the first three months of 2026 alone, compared to 18 cases across the preceding seven months. That acceleration is not linear.
The Five Dimensions of the AI Coding Agent Attack Surface
Understanding the attack surface requires mapping it. AI coding agents do not just generate code; they browse documentation, install dependencies, create files, query APIs, and commit to repositories. Each capability is a potential entry point.
1. Insecure Code Generation at Scale
Veracode's analysis found that cross-site scripting (CWE-80) evaded AI-generated defenses in 86% of relevant test cases, while log injection (CWE-117) appeared in 88% of samples. SQL injection still appeared in 20% of cases despite being one of the most extensively documented vulnerability classes. These are not edge cases; they are OWASP Top 10 staples that have been well understood for over a decade.
The mean number of open-source vulnerabilities per codebase doubled in a single year, reaching an average of 581 per application. Traditional code review workflows, calibrated for human commit velocity, are not built for this volume.
2. Hallucinated Dependencies and Slopsquatting
Research consistently shows that nearly 20% of packages recommended by large language models do not exist in any public registry. Threat actors have responded by registering the names those models tend to hallucinate, a technique called slopsquatting. Forty-three percent of hallucinated packages appear repeatedly across queries, making them predictable targets that can be registered in advance.
Aikido Intel's telemetry illustrates the adversarial response at scale: the platform currently identifies up to 100,000 malicious packages daily across open-source registries, up from roughly 20,000 per day a year earlier. When an agent installs a hallucinated package that an attacker has pre-registered, the compromise enters the codebase through a trusted workflow: the developer sees the agent executing its task, not a supply chain intrusion.
3. Prompt Injection in Agentic Workflows
Autonomous coding agents read from many sources: issue trackers, pull request descriptions, README files, code comments, and external documentation. Any of these inputs can carry adversarial instructions. If an agent receives a prompt injection payload embedded in a repository README or an open issue, it does not evaluate the instruction for legitimacy; it processes and executes it.
Seventy-three percent of AI systems assessed in 2026 security audits showed exposure to prompt injection vulnerabilities, with attacks achieving success rates between 50% and 84% across common deployments. For agents with write access to repositories and deployment pipelines, a successful injection is not a data leak; it is code execution under the agent's full credential scope.
4. Supply Chain Poisoning via Agentic Behavior
AI coding agents can be steered toward malicious code through carefully crafted repositories. When an agent searching for implementation references encounters an attractive but compromised package, it may incorporate it without flagging the provenance to the developer. The developer accepts the change because the agent performed its expected function.
Sixty-five percent of organizations surveyed in 2025 reported experiencing a software supply chain attack in the past year. The introduction of autonomous agents that browse and incorporate external code extends that attack surface into every repository the agent can reach, without any of the human judgment that might otherwise catch a suspicious dependency.
5. Identity and Permission Abuse
Autonomous agents operate with credentials. They authenticate to source control, package registries, CI/CD systems, and cloud APIs. An agent with legitimate permissions that receives a malicious instruction does not resist; it executes with whatever privileges it holds. An agent that can merge pull requests, trigger deployments, or write to production infrastructure is a privileged identity, not a service account.
Gartner projects that more than 80% of enterprises will have deployed some form of autonomous AI agents in production by the end of 2026. Most organizations have not extended their identity governance programs to cover non-human agents at that scale, leaving a category of high-privilege actor entirely outside standard access review processes.
The research dataset AgenticFlict, which catalogues merge conflicts in AI coding agent pull requests across GitHub at scale, provides an empirical foundation for understanding how autonomously generated changes interact with human-authored code in shared repositories, and reveals that coordination failures are not rare edge cases but a structural feature of agentic workflows operating without governance guardrails.
The Visibility Gap That Compounds Everything
Ninety-seven percent of organizations are using or piloting AI coding assistants, but only 24% conduct comprehensive security evaluations of the code those tools produce. Only 24% of enterprises have a dedicated AI security governance team. The adoption curve has far outpaced the governance curve.
The result: 76% of organizations expose their software supply chain to risk through their AI coding practices, not by deliberate choice but because no policy governed what the agent was permitted to do or integrate. The AI Sec Watch Dataset on Zenodo, which aggregates threat intelligence from 36 sources including NVD, CISA KEV, and GitHub Advisory, tracks the expanding inventory of AI and LLM-specific CVEs and provides the most current view of where AI-introduced vulnerabilities are being catalogued across the industry.
What makes the visibility gap structural rather than operational is that AI-generated code does not self-identify. Unless teams instrument specifically for it, there is no marker in the codebase distinguishing human-authored lines from agent-generated ones. Audit trails, attribution, and provenance (the foundations of any incident response investigation) are absent by default.
What DevSecOps Must Change
Three adjustments have the highest return against this expanded attack surface.
Shift Dependency Verification Left
Agents should not install packages without policy-controlled validation. Software composition analysis must run before installation, not after commit. Hallucinated package names should be caught at the point the agent attempts to resolve them, not discovered in a post-merge scan after the dependency has been committed to the codebase.
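One way to build the pre-install gate described here, which also addresses the hallucinated-package and slopsquatting risk covered earlier, as an added example that is not the article's or any vendor's code. The registry snapshot, allowlist, thresholds and date are constructed; a real deployment would query an SCA feed or registry API instead.

```python
# Pre-install dependency gate for an AI coding agent (constructed sample data throughout).
from dataclasses import dataclass
from datetime import date

# Constructed registry snapshot: name -> (first published, weekly downloads)
REGISTRY = {
    "requests":  (date(2011, 2, 14), 200_000_000),
    "pyyaml":    (date(2006, 5, 18), 150_000_000),
    "httpx":     (date(2019, 4, 1), 50_000_000),   # established but not yet approved
    "requets":   (date(2026, 3, 2), 40),           # typosquat registered days ago
    "fastjsonx": (date(2026, 2, 27), 12),          # hallucinated name, now squatted
}
ALLOWLIST = {"requests", "pyyaml"}   # packages already approved by policy
MIN_AGE_DAYS, MIN_DOWNLOADS = 90, 1_000
TODAY = date(2026, 3, 10)            # fixed so the example is deterministic

@dataclass
class Verdict:
    status: str   # "allow", "deny" or "review"
    reason: str

def edit_distance(a, b):
    """Levenshtein distance, used to catch names one or two typos from an approved package."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_dependency(name):
    """Policy evaluated when the agent tries to resolve a package, before anything is installed."""
    name = name.lower()
    if name in ALLOWLIST:
        return Verdict("allow", "allowlisted")
    for known in sorted(ALLOWLIST):           # typosquat / slopsquat check first
        if edit_distance(name, known) <= 2:
            return Verdict("deny", f"name within 2 edits of approved package '{known}'")
    meta = REGISTRY.get(name)
    if meta is None:
        return Verdict("deny", "not in registry: likely hallucinated name")
    published, downloads = meta
    if (TODAY - published).days < MIN_AGE_DAYS:
        return Verdict("deny", f"published {(TODAY - published).days} days ago, below minimum age")
    if downloads < MIN_DOWNLOADS:
        return Verdict("deny", "download count below policy minimum")
    return Verdict("review", "exists and looks established, but is not approved: needs human review")
```

The gate is meant to sit at the agent's package-resolution hook, so an unresolvable or freshly registered name is refused before it reaches a lockfile or a commit.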
Treat Agentic Inputs as Untrusted
Every external source an agent reads (issues, pull requests, documentation, external repositories) should be treated as a potential injection vector. Input sanitization and isolation between agent read contexts and write capabilities are not optional in environments where agents hold write access to production systems.
Extend Identity Governance to Non-Human Agents
Agent credentials need the same lifecycle management, least-privilege scoping, and audit logging as human identities. Token rotation, permission reviews, and session termination policies that exist for human engineers must be applied to the agents that increasingly act alongside them.
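A minimal enforcement point that combines the two preceding adjustments (read/write isolation for untrusted inputs, and scoped, expiring, audited agent credentials), added here as an example that is not the article's or any vendor's code. Source names, scopes, the agent id and the timestamps are constructed.

```python
# Capability gate for an agent's actions: least-privilege credential, taint from the
# untrusted read context, and an audit record for every decision (constructed sample data).
from datetime import datetime, timedelta, timezone

TRUSTED_SOURCES = {"operator-chat"}   # instructions the human operator actually typed
WRITE_ACTIONS = {"merge_pr", "deploy", "install_package", "push_branch"}
NOW = datetime(2026, 3, 10, 12, 0, tzinfo=timezone.utc)
LATER = NOW + timedelta(hours=1)      # a point after the 30-minute credential below has expired
AUDIT_LOG = []                        # in-memory stand-in for a real append-only audit sink

class AgentCredential:
    """Least-privilege token issued to one agent run: explicit scopes, short TTL."""
    def __init__(self, agent_id, scopes, ttl_minutes, issued_at=NOW):
        self.agent_id = agent_id
        self.scopes = frozenset(scopes)
        self.expires_at = issued_at + timedelta(minutes=ttl_minutes)

    def valid_for(self, action, at):
        return at < self.expires_at and action in self.scopes

def authorize(cred, action, target, context_sources, at=NOW):
    """Return "allow", "deny" or "needs_human_approval" for one requested action.
    Reading untrusted content is fine; a write action whose context includes any
    untrusted source (issue, README, PR body) is held for a human, so an injected
    instruction cannot turn directly into a merge, deploy or install."""
    sources = set(context_sources)
    if not cred.valid_for(action, at):
        decision, reason = "deny", "credential expired or action outside its scopes"
    elif action in WRITE_ACTIONS and not sources <= TRUSTED_SOURCES:
        tainted = sorted(sources - TRUSTED_SOURCES)
        decision, reason = "needs_human_approval", f"untrusted context: {tainted}"
    else:
        decision, reason = "allow", "in scope; context limited to trusted sources"
    AUDIT_LOG.append({                # every decision leaves evidence, allowed or not
        "ts": at.isoformat(), "agent": cred.agent_id, "action": action,
        "target": target, "sources": sorted(sources),
        "decision": decision, "reason": reason,
    })
    return decision

if __name__ == "__main__":
    cred = AgentCredential("agent-7", {"read_repo", "open_pr", "install_package"}, ttl_minutes=30)
    authorize(cred, "read_repo", "org/app", {"operator-chat", "github-issue#42"})
    authorize(cred, "install_package", "fastjsonx", {"github-issue#42"})
    authorize(cred, "merge_pr", "org/app#9", {"operator-chat"})          # merge_pr never granted
    authorize(cred, "install_package", "requests", {"operator-chat"}, at=LATER)
    for entry in AUDIT_LOG:
        print(entry["decision"], entry["action"], entry["target"], entry["reason"])
```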
The Governance Layer DevSecOps Is Missing
Tooling solves point problems. The attack surface described in this article spans code generation, dependency resolution, input processing, identity, and audit. No single scanner covers all of it. What links these controls is governance: a defined policy for what AI coding agents are permitted to do, where they can operate, what they can install, and what evidence they must leave behind.
Eighty-one percent of security leaders currently lack visibility into where AI-generated code lives in their systems. Organizations that want to close the gap need to define what governed AI code development looks like, and instrument for it, before the next supply chain event makes the definition for them. Until that happens, every deployment from an AI-assisted pipeline carries an unknown risk profile.
Governance tooling built specifically for AI coding workflows can provide the audit trail, policy enforcement, and integration coverage that traditional security tooling was not designed to deliver. re-entry.ai is built for exactly this: bringing policy enforcement and observability to the AI coding agent workflows that existing tools cannot see.