Chief information security officers face pressure over flaws

Thu, 11th Jun 2026

Checkmarx has published research showing that 95% of chief information security officers feel pressure to suppress or delay compliance-related security issues. The survey also found that 75% of organisations knowingly deploy vulnerable code at some point.

Based on responses from 2,350 CISOs, application security managers and developers across organisations in 14 countries, the findings point to a widening gap between awareness of software security risks and the ability to address them as AI-generated code becomes more common.

Developers reported widespread use of AI tools in coding environments. Some 96% said they have AI tooling in their integrated development environments, and almost all rated those tools as effective. Yet only 18% said they apply security continuously as they write code, suggesting most checks still happen later in the software development process or after incidents emerge.

The survey also linked heavier use of AI-generated code to higher rates of shipping software with known flaws. Organisations with 81% to 100% of production code generated by AI were nearly three times as likely to release software with known vulnerabilities as those with 1% to 20% AI-generated code (47% versus 14%).

Confidence gap

Another sharp mismatch emerged between how companies rate their own security and what they experience in practice. According to Checkmarx, 93% of organisations acknowledged a recent breach tied to their own applications, even though 73% described their security posture as advanced or highly mature.

The figures also showed limited movement in some areas despite concern about AI risk. The proportion of organisations that knowingly shipped vulnerable code fell to 75% from 81% over the past year, while the share with formal AI governance policies rose to 22% from 18%.

That leaves 78% without formal AI governance rules. The report argues this creates room for unapproved AI tools and unchecked code to enter software development processes.

Business pressure appears to play a central role. CISOs reported pressure from senior management when compliance issues threaten delivery timelines, highlighting a conflict between product deadlines and efforts to reduce exposure to vulnerabilities.

"This report points to a massive disconnect between the security crisis that organisations are facing and the incremental steps that they are taking to address it. A completely new model is required," said Sandeep Johri, chief executive officer of Checkmarx.

"Just as a student cannot grade their own exam, AI alone cannot secure code - and, as the research shows, it adds risk. Organisations need security that combines deterministic precision with probabilistic reasoning to identify novel exploitable patterns, while closing the gap between finding a vulnerability and fixing it with better human-guided remediation," Johri said.

European picture

The research also pointed to a mixed picture in Europe. More than half of European CISOs surveyed, 52%, said their budgets had increased, the highest proportion among the regions covered.

At the same time, European respondents reported the highest breach frequency. Some 60% of organisations in the region said they had suffered three or more breaches over the previous 12 months, while 35% said they fixed fewer than half of identified vulnerabilities within 90 days.

Those numbers suggest larger budgets do not necessarily translate into faster remediation or fewer incidents. The data indicates that execution and workflow changes may matter as much as spending levels, particularly where AI-generated code is expanding the volume of software that needs review.

Jonathan Rende, chief product officer of Checkmarx, said security and engineering teams now face pressure from both older software risks and new AI-driven threats. The company argues that shorter exploit windows are making delayed remediation harder to justify.

"We are fighting a battle on two fronts as frontier models accelerate vulnerability discovery across legacy and open-source code, while AI-generated code widens the attack surface in every pipeline," Rende said.

"What was once considered manageable risk now looks like surrender. Organisations must urgently prioritise three things: collapsing raw findings into actionable signal, embedding remediation into every workflow, and maintaining visibility across every aspect of their software supply chain," he added.

The European results were also addressed by the company's commercial leadership. The findings suggest that investment alone is not resolving slower remediation rates or repeated breaches in the region.

"Our research found that over half of European CISOs, 52%, had increased budgets, the highest proportion by geographical region. Yet European respondents also reported the highest breach frequency, with 60% of organisations reporting three or more breaches over 12 months. At the same time, Europe has the slowest remediation rate, with more than a third of organisations, 35%, fixing fewer than half of identified vulnerabilities within 90 days. What should we make of this discrepancy? The problem is not resources, because a higher budget does not automatically lead to better outcomes. The issue lies in how those resources are deployed. In the AI era of development, organisations should not normalise risk but use the resources available to secure their code," said Yigal Elstein, chief revenue officer of Checkmarx.