The Signal

Three enterprise security leaders submitted the same ask to the DoGood network in five business days. All three lead security programs at organizations where AI coding assistants are deployed company-wide across hundreds of engineers.

The specifics span three industries. A VP & CISO in Business Services is managing 1,300 software engineers currently building applications with AI coding assistants and needs a way to automatically remediate the vulnerabilities those assistants produce at scale. A Cybersecurity Director, also in Business Services, wants a platform that identifies, audits, and remediates vulnerabilities introduced by AI-generated code and integrates directly into existing DevSecOps workflows. A CISO in Manufacturing is looking for AI governance tooling to prevent data loss, specifically in agentic AI and in AI embedded in SaaS platforms.

The pattern is not about which AI tools are deployed. It is about what those tools produce without adequate security controls on the output side. The ask that has crystallized: who governs the code that AI writes before it ships to production, and can they do it automatically at scale?

The Network's Vendor Watchlist

Most-mentioned vendors in member priority submissions over the last month:

Microsoft (6), ChatGPT (4), Claude (4), Azure (3), Salesforce (3), AWS (2), GCP (2), Copilot (2), VMware (2), Entra/Entra ID (2)

Aggregating Microsoft, Azure, and Copilot, the Microsoft platform carries 11 total mentions — well above every other vendor. No single AppSec or AI code governance vendor approaches that concentration. The production AI stack is converging on a handful of platforms. The security layer for what those platforms produce has not converged.

From the Network

"We would like to learn how you help organizations identify, audit, and remediate vulnerabilities introduced through AI-generated code, enforce secure development practices, and integrate with existing DevSecOps workflows."

Cybersecurity Director, Business Services

"Like most of my peers, I'm looking for AI Governance tools to prevent data loss in generative AI, agentic AI, as well as embedded AI in SaaS and Cloud platforms."

CISO, Manufacturing

"We have about 1,300 software engineers building our applications using AI coding assistants. I am looking for a way to automatically remediate vulnerabilities at scale."

VP & CISO, Business Services

The phrase "like most of my peers" in the second submission is the tell. This is not a forward-leaning security team exploring an edge case. It is a category becoming default enterprise behavior.

Top Open Priorities This Week

Two raw asks pulled directly from member submissions in the last 14 days, unedited:

"We have about 1,300 software engineers building our applications using AI coding assistants. I am looking for a way to automatically remediate vulnerabilities at scale."

VP & CISO, Paychex

"We would like to learn how you help organizations identify, audit, and remediate vulnerabilities introduced through AI-generated code, enforce secure development practices, and integrate with existing DevSecOps workflows."

Cybersecurity Director, GFT Technologies

Both members are naming the same gap: AI-assisted development is generating more code than their security pipelines were designed to handle, and no vendor in their current stack has a clear answer on automatic remediation at scale.

Powered by the DoGood network

The data in this issue came from priority submissions by 5,000+ enterprise IT leaders. If you run IT or security at a $100M+ company and want to see what your peers are funding — and earn rewards for participating in vetted meetings with the vendors worth your time — apply to join DoGood.

The Context

Veracode's June 2 brief for security leaders on AI-assisted development confirmed what the DoGood network was already surfacing. Across more than 150 large language models tested, 45% of AI-generated code contains known security vulnerabilities when no security guidance is provided. The security pass rate for AI-generated code has held flat at 55% for two consecutive years, even as syntax correctness has surpassed 95%. Model capabilities improved substantially. Security performance didn't move.

The same week, Salt Security released research showing nine in ten security leaders are concerned about AI-generated code risks, and that most organizations lack the governance infrastructure to secure what AI builds. The gap between concern and tooling is the business problem the network is naming this week.

Bottom Line: The 55% security pass rate hasn't moved through two model generations. The fix isn't in the next release.

What to Do About It

Ask your AppSec lead how many of your AI-assisted code commits have automated security scanning in-pipeline versus queued for manual review. The gap between those two numbers is your current exposure surface. If you don't have that answer within a week, you don't have line of sight into what your engineering team's AI stack is shipping to production.

The network is naming AI-generated code security as an active buying priority right now. If your team is sitting on the same question, your peers are already comparing notes.

The CXO Brief is powered by the DoGood network, 5,000+ IT leaders sharing what they are actually working on.
