95% of CISOs Pressured to Suppress or Delay Compliance-Related Security Issues, Even as AI-Generated Code Multiplies Their Attack Surface

PARAMUS, N.J., June 08, 2026 (GLOBE NEWSWIRE) -- Nearly all developers write code with AI, but fewer than one in five secure it as they go, citing limited use of in-IDE (Integrated Development Environment) AppSec tooling and difficulty integrating security into existing CI/CD pipelines. Their CISOs face the same demands from the executive floor: 95% feel pressure to suppress or delay compliance-related security issues when business deadlines are at stake. These are some of the findings in the 2026 Future of Application Security Report from Checkmarx, the leader in agentic application security. The report, released today, draws on responses from 2,350 CISOs, AppSec managers, and developers from organizations in 14 countries.

While 96% of developers acknowledged having AI tooling in their IDEs and nearly unanimously rated it as effective, only 18% said they apply security continuously as they write code. The data highlights the unsettling fact that companies whose production code is 81-100% AI-generated are nearly three times more likely to ship software with known security vulnerabilities than companies whose production code is 1-20% AI-generated (47% vs. 14%). The deeper issue cuts across all usage levels: 75% of organizations knowingly deploy vulnerable code at some point, driven by deadlines, complexity, and the hope that flaws will not be discovered.

Hope is No Longer a Security Strategy

New frontier AI models are simultaneously exposing new attack surfaces and reducing time to exploit. The 2026 Future of Application Security report highlights the best practices of leading organizations, who embed hybrid security into every layer, pairing deterministic ground truth with AI-augmented reasoning; prioritize formal AI governance policies; and use automation to turn remediation from a manual bottleneck into a defensive strength. The data shows the widening gap between the organizations that evolve with the threat landscape and those that still hope their flaws won't be found by the latest AI model advances.

Key findings of the research include:

  • An ounce of prevention is worth a pound of code. More than 80% of developers do not apply AppSec continuously as code is written, instead catching issues at defined stages after the code already exists, or worse, reactively once incidents surface. Flaws caught late are flaws that can be exploited.
  • Orgs acknowledge the AI risk, but action is lagging. In a year, the amount of vulnerable code knowingly shipped decreased from 81% to 75%, while formal AI governance policies at companies increased from 18% to 22%. As exploit windows collapse from years to minutes, incremental change is simply not enough.
  • The maturity mirage is real. Ninety-three percent of organizations acknowledged a recent breach tied to their own applications, even as 73% describe their security posture as “advanced” or “highly mature”. There is a distressing disconnect between security confidence and security reality.
  • Governance? What governance? The 78% of organizations who lack formal AI governance policies are leaving the door open for shadow AI tools to proliferate and for exploitation of the unchecked code they quietly produce.

“This report points to a massive disconnect between the security crisis that organizations are facing and the incremental steps that they are taking to address it. A completely new model is required,” said Sandeep Johri, CEO of Checkmarx. “Just like the student cannot grade their own exam, AI alone cannot secure code – and, as the research shows, it adds risk. Organizations need security that combines deterministic precision with probabilistic reasoning to identify novel exploitable patterns, while closing the gap between finding a vulnerability and fixing it with better human-guided remediation.”

The findings from this report will be highlighted in the upcoming virtual summit Agentic AppSec Unleashed 2026, hosted by Checkmarx on June 16, 2026. Security and engineering leaders from leading enterprises will join Checkmarx executives and industry thought leaders to discuss our collective growing challenges and identify solutions that are poised to make an impact.

“We are fighting a battle on two fronts as frontier models accelerate vulnerability discovery across legacy and open-source code, while AI-generated code widens the attack surface in every pipeline,” said Jonathan Rende, Chief Product Officer for Checkmarx. “What was once considered manageable risk now looks like surrender. Organizations must urgently prioritize three things: collapsing raw findings into actionable signal, embedding remediation into every workflow, and maintaining visibility across every aspect of their software supply chain.”

The Future of Application Security 2026 report was conducted by Censuswide on behalf of Checkmarx between March 10 and March 30, 2026, surveying 2,350 CISOs, AppSec managers, and developers across 14 countries. All responses were confidential. Censuswide is a member of the Market Research Society and the British Polling Council and adheres to MRS Code of Conduct and ESOMAR principles. The full report is available for free at https://checkmarx.com/foa-report/.

About Checkmarx
Checkmarx is the leader in agentic application security, delivering enterprise-grade protection while lowering engineering costs and accelerating development velocity. The Checkmarx One platform scans trillions of lines of code each year for companies, cutting vulnerability density by more than half. Its autonomous security agents detect and counter AI-driven threats across the SDLC, providing prevention-first protection for legacy, modern, and AI-generated code at enterprise scale. Follow Checkmarx on LinkedIn, YouTube, and X.

For more information:
PR@checkmarx.com


06/08/2026 08:00 -0400