The Signal
Members stopped debating whether to allow AI coding tools. That fight is over. The new question across the network is narrower and harder: how do you secure code your engineers did not write by hand?
Over the last 30 days, members in business services, finance, construction, real estate, and law all posted versions of the same ask. A business-services security VP named five sanctioned assistants in one breath: GitHub Copilot, Claude Code, Cursor, Lovable, and Google AI Studio. A finance security manager flagged the citizen developer problem, where staff with no software training ship apps built by ChatGPT. A construction security director wants to audit and remediate vulnerabilities in AI-generated code inside existing DevSecOps workflows.
The shift matters because the control surface moved. A year ago the risk was shadow AI tools nobody approved. Now the tools are approved, and the risk lives in their output. The code already ships. The question is who checks it, and how fast.
The Network's Vendor Watchlist
AI coding and agent tools named in member submissions this month: GitHub Copilot, Microsoft Copilot Studio, Claude Code, Cursor, Lovable, Google AI Studio, and ChatGPT. No single tool leads. The average submission that touches AI development names two or three at once, and one member listed five as sanctioned. That fragmentation is the point. You cannot secure AI-written code by standardizing on one assistant, because your engineers are already running several.
From the Network
"We've got a large variety of coding agents: GitHub Copilot, Claude Code, Cursor, plus Lovable and Google AI Studio are all officially allowed. Trying to wrap our arms around it all."
"The 'citizen developer' problem is something we need to address. While professional developers leverage SDLC pipelines, the average user who has discovered that Claude/ChatGPT can make them apps from scratch doesn't know what they don't know."
"We would like to learn how you help organizations identify, audit, and remediate vulnerabilities introduced through AI-generated code, enforce secure development practices, and integrate with existing DevSecOps workflows."
Three industries, three stages of the same problem: too many tools, untrained builders, and no clean way to secure the output.
Top Open Priorities This Week
Two raw asks pulled directly from member submissions, unedited:
"Our development team recently start to use AI coding tools and that arise the concern about how we will track changes done with these tools."
"We need to work on generating Secure code for our websites and webservices to pass regulatory compliance and audits."
One member cannot see what the AI changed. The other has to make AI-written code pass an audit. Both sit downstream of the same shift, and both are shopping right now.
Member Spotlight: Bradley Schaufenbuel, Paychex
This week's Signal is Bradley's day job. He leads information security at Paychex and helped stand up its AI governance work, so securing how the business builds with AI is exactly his beat. He framed the security leader's role plainly in his DoGood member spotlight: "If you already have a seat at the table, your success isn't measured by how good a security expert you are. It's measured by how well you help your peers succeed and how much you move the organization's goals forward."
The Context
The headlines are catching up to what the network already knew. On June 2, Salt Security published research showing 90% of security leaders are now worried about the security of AI-generated code. In the same study, 67% said AI coding assistants are already widely adopted on their dev teams. Yet 38% still rely mainly on manual review to catch problems in that code.
Bottom Line: The concern is universal, but the method has not caught up. Most teams review machine-written code by hand, at human speed, while the AI ships it at machine speed.
What to Do About It
Pull the list of AI coding and agent tools your engineers actually use this week, sanctioned or not. For each one, name a single owner and the control that checks its output before merge. If any tool has no owner and no check, that is your first gap to close before Q3 planning.
The CXO Brief is powered by the DoGood network, 5,000+ IT leaders sharing what they are actually working on.
Know a CIO who needs this? Forward it and they can subscribe here.
Enterprise IT leader at a $100M+ company? Apply to join DoGood.
