← Defici Newsai-news

Security Audit of AI-Generated Code Finds 23% Higher Vulnerability Rate Compared to Human-Written Code

By Defici Editorial · 18 Jul 2026

A large-scale security audit covering 15,000 GitHub repositories categorized as containing significant proportions of AI-generated code — identified by AI detection metadata, commit patterns, and co-pilot usage signals — has found a 23% higher rate of exploitable security vulnerabilities compared to a matched control set of human-written repositories in the same programming languages and domains.

The audit, conducted by security research firm Trail of Bits with support from a consortium of enterprise software users, is the most extensive empirical study of AI code security quality published to date. The results add empirical grounding to concerns that security practitioners have raised since AI coding assistants became widely adopted in 2023-2024.

The specific vulnerability categories that showed the highest differential rate between AI-generated and human-written code were: SQL injection via string concatenation (AI assistants frequently produce functional but insecure database query construction), insecure deserialization patterns, hard-coded credential fragments left in non-comment code, and insufficient input validation in API handlers. These categories have a consistent explanation: they represent common patterns in the training data that AI models learned from, including legacy code and tutorial code that taught functional programming without teaching secure defaults.

Notably, the differential was substantially reduced in repositories that used AI assistance with explicit security-focused prompting — asking the model to flag security issues and follow OWASP guidelines — and in repositories with active code review by security-trained engineers. The implication is that AI-generated code is not inherently insecure, but that its default outputs reflect the distribution of the training data, which contains significant quantities of legacy and insecure patterns.

Practical recommendations from the audit for teams using AI code generation include: treating AI-generated code as always requiring security review rather than assuming it is correct, using security-specific prompting when generating code that handles user input, authentication, or database operations, and running automated SAST (static application security testing) tools on AI-generated code before it enters code review.

ShareXWhatsAppLinkedIn

Get Defici News in your inbox