
Three-Quarters of Companies Aware They Ship Vulnerable Code, According to Checkmarx


In a troubling revelation, recent studies have shown that three-quarters of organizations acknowledge shipping vulnerable code, a challenge that is only exacerbated by the rising risks associated with artificial intelligence (AI) in supply chains. Findings from Checkmarx, published on May 21, indicate that 75% of organizations either frequently or occasionally deploy code they are aware is insecure. Although this figure marks a decrease from last year’s reported 81%, it remains alarmingly high, especially at a time when the capabilities of AI models are becoming increasingly sophisticated, giving cybercriminals enhanced tools to identify and exploit these vulnerabilities efficiently.

The implications of these findings are underscored by Checkmarx’s assertion that the duration required to exploit vulnerabilities is drastically decreasing. For instance, what previously took an average of 840 days to exploit in 2018 is anticipated to drop to less than two days by 2026. More alarmingly, researchers from the Checkmarx Zero team predict that this time frame could dwindle to just one minute by 2028. This rapid progression poses a severe threat to many organizations that struggle to keep their systems secure against evolving cyber threats.

Eran Kinsbruner, a Vice President at Checkmarx, emphasized the significant role of unvetted AI-generated code in this dilemma. Kinsbruner argued that addressing vulnerabilities is no longer merely a procedural challenge; it has become a mathematical one, a matter of remediation capacity against the volume of code being produced. "AI-generated code is outpacing every manual remediation model in existence," Kinsbruner stated, highlighting the pressing need for organizations to evolve their security measures in tandem with advancing technology.

The risks identified by Checkmarx mirror findings from a recent Verizon report. In its Data Breach Investigations Report (DBIR), Verizon revealed that vulnerability exploitation was responsible for nearly a third (31%) of initial access vectors in data breaches over the year studied, a noteworthy increase from the 20% observed in the prior year’s edition of the report. This uptick suggests that the adversarial use of AI may be a contributing factor: the median threat actor reportedly researched or employed AI assistance in 15 distinct techniques, with some employing as many as 40 to 50 techniques to facilitate their attacks.

In a parallel development, UK businesses have also expressed significant concern regarding the integration of AI in their supply chains. According to a study conducted by the UK insurer QBE, 75% of UK firms are apprehensive about vendors and suppliers utilizing AI technologies, and supply chain incidents remain a live concern for them. QBE noted that the percentage of respondents who experienced a cyber event in the preceding 12 months increased from 53% in 2025 to 59% in 2026. Disturbingly, 22% of the respondents indicated that "all or most" of the cyberattacks they endured involved a third-party supplier.

Despite their awareness of the risks, there appears to be a significant gap in proactive measures taken by these organizations. The QBE study pointed out that only 28% of businesses utilizing AI have implemented procedures to assess or audit the AI systems of their third-party suppliers. Furthermore, merely 35% possess a formal policy governing the usage of AI technologies, raising questions about their preparedness to tackle the issues associated with AI-driven vulnerabilities.

As the landscape of cybersecurity continues to shift with the rapid advancement of AI, organizations are faced with pressing challenges that necessitate both robust security protocols and an adaptive mindset. The proliferation of AI-generated code presents new avenues for potential exploitation, making it paramount for firms to address vulnerabilities proactively rather than reactively. With the clear trends outlined in these studies, the stakes are higher than ever, emphasizing the urgent need for organizations to reassess their cybersecurity strategies and safeguards against emerging threats in the age of AI.

Failure to adapt could lead not only to reputational damage and financial loss but also to a broader crisis of trust in the safety of AI technologies across industries. As organizations navigate this complex landscape, the focus must shift toward greater accountability and thorough scrutiny of both internal coding practices and third-party partnerships, ensuring the integrity and security of digital infrastructures moving forward.
