45% of AI code-generation tasks introduce a known security flaw, and that failure rate has barely moved in two years despite models writing syntactically correct code more than 95% of the time. That's the short answer. The longer answer is what it's costing engineering teams in review time, churn, and technical debt.
Every founder pitching me an AI-native engineering team leads with the velocity number โ 10x output, half the headcount, code shipped in hours instead of sprints. Almost none of them lead with the security and quality data, because it complicates the story. I've now sat through enough diligence calls where the CTO can't answer "what's your AI-code defect rate" that I started asking it every time. Here's the data behind why that question matters.
Figures are 2026 estimates blended from Veracode's Spring 2026 GenAI Code Security report, GitClear's Maintainability Gap analysis, and a May 2026 survey of 307 senior technology and security leaders.
What Are the AI-Generated Code Security Risks in 2026?
The core AI-generated code security risk is that models write functionally correct code far more reliably than they write safe code: Veracode's Spring 2026 benchmark of over 150 large language models found only about 55% of code-generation tasks produce output free of a known security flaw, meaning 45% introduce at least one โ a pass rate that has barely moved in two years even as syntax accuracy climbed past 95%. Java remains the riskiest language for AI-generated code, and the gap between "it compiles" and "it's secure" is the risk most engineering teams haven't priced in yet.
That gap matters more every quarter because AI-assisted code isn't a niche โ nearly half of all code written inside enterprise engineering teams is now AI-assisted, per the same 2026 leadership survey. A 45% flaw-introduction rate applied against that volume is a structurally different risk surface than the same rate applied to a handful of prototype scripts, which is exactly why security and platform teams that were comfortable with AI tools in 2024 are re-litigating that comfort in 2026.
AI-Generated Code vs Human-Written Code: The Data Side by Side
The multipliers below are the numbers I now ask every portfolio CTO to know cold. They come from three independent 2026 datasets โ Veracode's model benchmark, GitClear's commit-level analysis of over 150 million lines of code, and a May 2026 survey of 307 CTOs, CISOs, and CIOs.
| Metric | Baseline / Earlier Period | AI-Generated Code (2026) | Source |
|---|---|---|---|
| Code-gen tasks producing secure code | ~55% (2024 benchmark) | ~55% (45% introduce a flaw) | Veracode Spring 2026 |
| Pull request defect rate | 1x (human-authored) | 1.7x more defects | May 2026 leader survey (n=307) |
| Vulnerability density | 1x (human-written) | 2.74x more vulnerabilities | 2026 enterprise security benchmark |
| PRs introducing an OWASP Top 10 flaw | โ | 45% | May 2026 leader survey (n=307) |
| Code churn (rewrite/revision rate) | Low-AI-usage repos | ~2x higher in AI-heavy repos | GitClear, 2026 |
| Copy-pasted code share of new commits | 8.3% (2021) | 12.3% (2024) | GitClear, 150M+ lines analyzed |
| Refactored / properly moved code share | ~24% (2021) | Under 10% (2024) | GitClear, 150M+ lines analyzed |
| Developers debugging more since adopting AI | โ | 67% report more time debugging | 2024 survey, 800+ developers |
Figures are 2026 estimates blended from Veracode, GitClear, and a May 2026 survey of 307 senior technology and security leaders (35% CTOs). Human-code baselines are drawn from the same studies where a direct comparison group was reported.
The Multipliers That Matter Most
Stripped of context, "1.7x more defects" sounds manageable. It isn't, once you multiply it by volume: if AI now generates close to half of new enterprise code, a 1.7x defect multiplier on that half means total defect volume across the codebase is rising even if the human-written half stays constant. The vulnerability multiplier is worse โ at 2.74x, AI-generated code is introducing the majority of new security debt in any codebase where AI adoption has crossed 40-50% of commits, which is now common.
Why AI-Generated Code Security Risks Keep Growing Despite Better Models
The counterintuitive part of the 2026 data is that model capability and code security have decoupled. Frontier models like GPT-5.2, Gemini 3, and Claude 4.6 write syntactically correct code more than 95% of the time โ up sharply from a few years ago โ while the security pass rate has stayed pinned near 55% for two straight years. Models are optimized and benchmarked on whether code runs and passes functional tests, not on whether it validates input, manages secrets correctly, or avoids injection patterns, so capability gains show up in the metric being measured and not in the one that actually determines breach risk.
GitClear's commit-level data explains the second half of the problem: copy-pasted code climbed from 8.3% of new commits in 2021 to 12.3% in 2024, while properly refactored, moved code fell from roughly 24% to under 10% over the same window. AI tools make it faster to generate a new block than to refactor an existing one, so codebases are accumulating duplicated logic faster than teams are consolidating it โ which is also why code churn runs roughly 2x higher in AI-heavy repositories than in low-AI-usage ones. Speed at the point of generation is being paid for later, in maintenance.
The Testing and Review Overhead Nobody Budgeted For
The productivity pitch for AI coding tools rarely accounts for the downstream cost of catching what they get wrong. A 2024 survey of more than 800 developers found 96% expressed concern about the reliability of AI-generated code, and 67% said they now spend more time debugging since adopting AI assistants โ meaning a meaningful share of the raw speed gain is being spent right back on cleanup rather than banked as net throughput. Security teams flag a related problem: when review time for AI-authored pull requests matches review time for human-authored ones, it's a signal reviewers are rubber-stamping rather than actually scrutinizing AI's subtler failure modes, which tend to hide in logic and access-control edge cases rather than obvious syntax errors.
Code Quality Metrics: 2021-2022 Baseline vs 2024-2026 AI-Tool Era
GitClear Maintainability Gap analysis; 2024 developer reliability survey (800+ respondents); May 2026 survey of 307 senior technology and security leaders.
Figures are blended 2021-2026 estimates; individual team results vary by AI-tool adoption rate, language mix, and existing test coverage.
What CTOs Are Actually Doing About AI-Generated Code Security Risks
Only 18% of enterprises have a formal, distinct set of guidelines or automated checks specifically for AI-generated code, versus 12% of small and mid-sized businesses, per the May 2026 leadership survey โ which means more than four out of five organizations are still applying the same review process to AI-authored code that they used before any of it existed. The CTOs I see ahead of that curve are doing three specific things: adding AI-specific static analysis and SAST gates that run before a human reviewer ever sees the diff, requiring mandatory human sign-off on any AI-authored change touching authentication, payments, or data access, and tracking AI-code defect and vulnerability rates as a separate engineering KPI instead of folding them into an aggregate bug count that hides the trend.
None of this is an argument against using AI coding tools โ the productivity case is real, and I've written separately about what the productivity studies actually show. It's an argument for treating AI-generated code as a distinct risk category with its own review gate, the same way most engineering orgs already treat third-party dependencies or open-source packages differently from first-party code.
What This Means for Founders and Investors Evaluating Engineering Teams
For founders, the practical takeaway is that "we ship faster with AI" is now an incomplete answer in a diligence conversation. The follow-up question โ what's your AI-code defect rate, and do you have a distinct review gate for it โ is quickly becoming standard, and teams that can't answer it read as teams that haven't measured the tradeoff, not teams that avoided it. Across the roughly 65 companies I've backed, the engineering teams with the best long-term velocity aren't the ones generating the most code fastest; they're the ones who paired AI-tool adoption with a testing and review process built for AI's specific failure modes rather than assuming their pre-AI process would generalize.
For investors, this belongs in technical diligence alongside the usual SaaS valuation metrics: ask for AI-code adoption percentage, defect rate by source (AI vs human), and whether a distinct review policy exists. A team with 50% AI-assisted code and no distinct policy is carrying quiet technical and security debt that won't show up in ARR or growth metrics until it surfaces as an incident, a failed SOC 2 audit, or a slowdown in shipping velocity as the team is forced to retrofit review process onto a codebase that already has the debt baked in.
45% of AI code-generation tasks introduce a known security flaw, and only 18% of enterprises have a policy built for it.
AI coding tools are a speed win and a security liability at the same time โ the teams that win are the ones that stopped pretending it's only one or the other.
The Bottom Line
AI-generated code security risks are real and measured: a 45% flaw-introduction rate that's stayed flat for two years, defect rates running 1.7x human baselines, vulnerability density at 2.74x, and copy-paste code growing while refactoring collapses. None of that means AI coding tools aren't worth using โ it means the review and testing process most teams are running was built for human-authored code and hasn't caught up to a codebase that's now close to half AI-generated. The 18% of enterprises with a distinct AI-code policy are the ones treating that gap as solved; everyone else is treating it as someone else's problem until an incident makes it theirs.
Compare how engineering-heavy companies are being valued on our SaaS Valuations dashboard, or track fund-level exposure to AI-native engineering teams on VC Performance.
Follow VC and startup engineering data on Value Add VC. Reach out at t@nyvp.com or @Trace_Cohen.
Get VC data most people never see โ free.
Weekly benchmarks, valuations, and fund data. No spam, unsubscribe anytime.