As AI coding assistants become integral to software development, they are not only accelerating delivery but also introducing new challenges. A recent GitLab study conducted among DevOps professionals in Australia highlights that while AI generates over one-third of code, teams identify AI-driven security vulnerabilities and quality assurance as major hurdles to its adoption.
As the influence of AI coding tools expands, the resulting issues increasingly burden security teams. Although AI accelerates development, it simultaneously creates bottlenecks in the security review process that can hinder progress. Security engineers, who previously assessed hundreds of lines of code per hour, now grapple with tens of thousands due to AI’s widespread impact across the codebase. This surge in code volume far surpasses our ability to manage security effectively.
At the same time, malicious actors are utilizing autonomous strategies to uncover vulnerabilities more quickly than manual reviews can address.
This increasing pressure reveals a significant limitation. Security frameworks that once relied on human reviews were effective when code volumes were manageable. However, they become inadequate at the scale introduced by AI. Organizations face the risk of lagging behind both attackers and their development teams unless they adapt their approach to integrating security within development processes.
Below are two critical failures contributing to these bottlenecks, along with recommendations for how Australian organizations can mitigate them.
Scaling AI Without Redesigning Security Review Workflows
The “shift left” strategy aimed to eliminate security bottlenecks by transferring security responsibilities to developers earlier in the software development lifecycle. While incorporating security testing into development processes sounds promising, compelling developers to address security checks—especially those that often generate false positives—can be counterproductive. This approach can inadvertently extend their working hours without tangible incentives. Developers frequently seek workarounds to meet feature deadlines.
The shift-left approach neglected to consider the entire software development lifecycle, leading to unintended downstream repercussions. Currently, teams are repeating this oversight with AI coding assistants.
These assistants focus on optimizing code generation while the review process remains stagnant. The resolution does not lie in simply adding more personnel or tools in isolation. Instead, organizations should adopt a holistic approach, evaluating the entire pipeline and mapping their value streams before introducing additional AI tools.
This necessitates documenting processes that rely on implicit institutional knowledge, complicating the way teams define and assess the value AI brings. If AI enhances an undocumented process, quantifying or justifying that value becomes unfeasible.
Leaders should implement scalable review methodologies that integrate AI with pragmatic human oversight, setting up prioritization frameworks based on measurable risk. For example, code that accesses sensitive customer information or production databases demands a more thorough review than a feature for customizing an application’s theme.
Securing AI Agents Using Outdated Frameworks
Traditional security frameworks are predicated on predictable human behavior. In contrast, AI agents do not conform to these norms, creating an entirely new realm of risk.
The complexity escalates when agents interact across organizational boundaries. When your internal agent receives commands from a third-party agent, which in turn derives instructions from another external system, your security model must account for potentially malicious requests that exist beyond your immediate visibility.
To avert these challenges, it is crucial to develop security controls aimed at limiting permissions and monitoring agent behaviors. Innovative strategies, such as establishing composite identities for AI systems, can connect AI actions to human accountability by tracing which agents executed specific actions and who authorized them.
Moreover, instilling system design fluency within security teams can facilitate better assessments of how a new AI implementation may impact existing security parameters. Many security engineers today struggle to explain how the backend of a large language model functions, yet understanding the architecture of an AI system is vital for comprehending AI security risks. This does not necessitate deep engineering expertise for every aspect, but rather a fundamental grasp of how the various components interrelate to achieve outcomes, similar to the understanding security professionals have of web applications.
The Path Forward
For the next two years, many Australian organizations will work towards enhancing their AI capabilities on systems they know have flaws. Waiting for all issues to be resolved is neither feasible nor essential. There’s no one-size-fits-all approach to securing AI-driven development. The key is to acknowledge risk, manage it proactively, and refine controls as AI adoption grows.
Security teams cannot bear this burden alone. Recent DX research indicates that while many developers utilize AI tools and save several hours weekly, organizational friction—like meetings, disruptions, slow reviews, and continuous integration delays—often negates those benefits. Some teams achieve faster delivery and enhanced stability, whereas others accrue technical debt rapidly.
The distinguishing factor is not the AI tools themselves but the resilience of the underlying engineering practices. As continuous delivery expert Bryan Finster points out, “AI is an amplifier. If your delivery system is healthy, AI makes it better. If it’s broken, AI makes it worse.”
AI reveals foundational issues on a large scale. Security reviews occur downstream, absorbing the consequences of inefficient processes.
To advance, security teams must promote practices that facilitate secure AI adoption: well-documented workflows, thorough testing, and continuous delivery methodologies that incorporate security throughout the development lifecycle. Often, the real constraint lies in the quality of what reaches security teams initially.
Organizations that take proactive steps to resolve these structural challenges will be better positioned to handle the increasing volumes of AI-generated code, ensuring these issues do not become overwhelmingly difficult to address.
