
Three-Quarters of Firms Knowingly Ship Vulnerable Code
Why It Matters
The convergence of pervasive vulnerable code and AI‑driven exploitation raises the probability of rapid, large‑scale breaches, forcing enterprises to rethink development and supply‑chain security strategies.
Key Takeaways
- 75% of firms knowingly deploy vulnerable code, down from 81% last year
- AI-generated code cuts exploit time from 840 days to under two
- Verizon reports vulnerability exploits now cause 31% of breach entry points
- Only 28% of AI-using firms audit third‑party AI systems
- Just 35% have formal AI governance policies in place
Pulse Analysis
The prevalence of vulnerable code is no longer a niche concern; it has become a systemic risk amplified by AI‑generated software. Checkmarx’s data shows three‑quarters of firms still ship known flaws, while AI tools enable threat actors to locate and weaponize those weaknesses at unprecedented speed. The drop from 840 days to under two days for a typical exploit underscores a shifting threat landscape where traditional patch cycles are outpaced, prompting security teams to adopt continuous, automated testing and rapid remediation pipelines.
Supply‑chain exposure compounds the problem, especially in regions like the United Kingdom where 75% of businesses cite AI‑driven vendor risk as a top worry. QBE’s findings reveal a paradox: heightened anxiety coexists with limited action—only 28% of AI‑using firms assess third‑party AI, and just 35% have formal governance frameworks. This gap leaves organizations vulnerable to cascading attacks that originate from a single compromised supplier, magnifying the potential impact of a breach across entire ecosystems.
Industry leaders are responding by integrating AI governance into broader risk‑management programs. Best practices now emphasize mandatory code provenance checks, AI model validation, and contractual security clauses for vendors. As exploit times shrink toward minutes, the cost of a breach escalates, making proactive auditing and policy enforcement essential. Companies that embed AI oversight into their development lifecycles will be better positioned to mitigate fast‑moving threats and protect both their own assets and those of their partners.