51% of Code on GitHub is AI-Generated. That Should Worry You.
Over half of GitHub code is now AI-generated, but 45% of it ships with known security flaws. The productivity story is hiding a security crisis.
Have you seen the latest numbers from the 2026 Agentic Coding Trends Report? Over half of all code committed to GitHub is now either generated or substantially assisted by AI. The JetBrains Developer Survey puts it even more starkly: 90% of developers now use at least one AI coding tool at work.
Everyone's celebrating. I'm not.
Don't get me wrong - I use AI coding tools every single day. Claude Code and Cursor are genuine productivity multipliers. But there's a number that keeps getting left out of the celebration, and it changes the entire story.
45% of AI-generated code ships with known security flaws
That's not my opinion. That's from security research tracking AI-generated code vulnerabilities across 2026. AI-generated code contains 2.74 times more vulnerabilities than human-written code. And 92% of AI-generated codebases contain at least one critical vulnerability.
Let that sink in for a moment. We've hit a point where more than half of all new code is written by machines, and nearly half of that code has documented security holes in it. That's not a rounding error. That's a systemic risk.
The CVE numbers are accelerating
If the percentages feel abstract, the CVE data from Georgia Tech's Vibe Security Radar makes it concrete. In January 2026, 6 new vulnerabilities were directly traced to AI-generated code. In February, 15. By March, 35.
That's not a gradual increase. That's an acceleration curve, and it maps almost perfectly onto AI coding tool adoption.
The types of vulnerabilities are telling too. Command injection. Authentication bypass. Server-side request forgery. These aren't obscure edge cases - they're fundamental security failures that an experienced developer would catch instinctively but that AI tools reproduce because their training data contains both secure and insecure implementations.
AI Generated Code and Vibe Coding: The New Technical Debt
Here's where the contrarian take really kicks in. Escape.tech scanned 5,600 production applications built with what we now call "vibe coding" - prompt-driven development where you describe what you want and AI generates the code. They found 2,000 highly critical vulnerabilities. In applications that real users are actively using.
The problem isn't that AI writes bad code. Functionally, most of it works fine. The problem is what it skips. AI tools generate code without understanding your threat model, your security requirements, or your system architecture. They optimise for "does it work?" not "is it safe?"
Vibe coding rewards momentum over scrutiny. The code ships, passes basic tests, handles the happy path - but nobody's checked whether user input is sanitised, whether secrets are hardcoded, or whether permissions are scoped correctly. Research shows that AI-assisted commits expose secrets at twice the rate of human-written code: 3.2% versus 1.5%.
Why AI Generated Code Has a Training Data Problem
This is the part that rarely gets discussed. AI coding tools learn from publicly available code repositories. Millions of them. The training data isn't curated for security - it's curated for frequency. When a model encounters both secure and insecure implementations of the same function during training, it learns that both approaches are valid.
The result? XSS vulnerabilities appear in 86% of AI-generated code samples tested across five major LLMs. Not because the models are trying to write insecure code, but because insecure patterns are extremely common in the training data.
This is fundamentally different from a junior developer writing bad code. A junior developer can be taught to think about security. An AI model will keep reproducing whatever patterns are most common in its training data, regardless of whether those patterns are secure.
What AI Generated Code Means for Your Business
If you're a business using AI coding tools - and statistically, you probably are - here's the honest assessment.
The productivity gains are real. I've seen teams cut development time significantly with AI assistance. But I've also seen what happens when the review process doesn't match the generation speed: within 3 to 6 months, there's a security incident that takes longer to fix than the time the team saved.
The companies that will thrive aren't the ones generating the most AI code. They're the ones building review processes that match the speed of generation. That means:
Treat every line of AI-generated code like a junior developer's pull request. The AI writes confidently. That doesn't mean it writes correctly.
Add automated security scanning to your CI pipeline. Tools like Snyk, Semgrep, and Checkmarx catch the obvious vulnerabilities that AI introduces. This should be non-negotiable.
Never trust AI with authentication, authorisation, or input validation without manual review. These are the areas where AI fails most consistently and where failures are most costly.
Run a second AI pass specifically for security. I ask the AI to generate the code, then in a separate prompt ask it to review that same code for vulnerabilities. It catches a surprising amount.
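To make the "automated scanning in CI" point concrete, here is an added example, not code from the post or from Snyk, Semgrep or Checkmarx: a small AST-based pre-merge check that flags two of the patterns the post calls out, hardcoded secrets and shell commands built from non-literal input. The sample module it scans and the helper names are constructed for illustration.

```python
"""Constructed example: an AST-based pre-merge check for two patterns the
post attributes to AI-generated code, hardcoded secrets and shell commands
built from non-literal input. Illustrative only, not a Semgrep replacement."""
import ast
import re

SECRET_NAME = re.compile(r"(secret|password|passwd|token|api_?key)", re.I)
SECRET_VALUE = re.compile(r"^[A-Za-z0-9_\-]{8,}$")  # rough credential shape

# Constructed sample standing in for an AI-generated module under review.
AI_GENERATED_SAMPLE = '''\
import os, subprocess
API_KEY = "sk_live_0123456789abcdefXYZ"
DEBUG_FLAG = "true"

def archive(path):
    subprocess.run(f"tar czf backup.tgz {path}", shell=True)

def list_dir(path):
    subprocess.run(["ls", "-l", path])  # argv list, no shell: fine
'''


def scan_source(source: str) -> list[tuple[int, str]]:
    """Return sorted (line, finding) pairs for the given Python source."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        # Hardcoded secret: NAME = "literal" where NAME looks like a credential.
        if (isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant)
                and isinstance(node.value.value, str)):
            for target in node.targets:
                if (isinstance(target, ast.Name) and SECRET_NAME.search(target.id)
                        and SECRET_VALUE.match(node.value.value)):
                    findings.append((node.lineno, f"hardcoded secret in {target.id}"))
        # Command injection: os.system, or subprocess.* with shell=True, where the
        # command is not a plain literal (f-string, concatenation, variable).
        if isinstance(node, ast.Call):
            func = ast.unparse(node.func)
            shell_true = any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                             and kw.value.value is True for kw in node.keywords)
            non_literal = bool(node.args) and not isinstance(node.args[0], ast.Constant)
            if non_literal and (func == "os.system" or (func.startswith("subprocess.") and shell_true)):
                findings.append((node.lineno, f"shell command from non-literal input in {func}"))
    return sorted(findings)


if __name__ == "__main__":
    for line, finding in scan_source(AI_GENERATED_SAMPLE):
        print(f"line {line}: {finding}")
```

Wired into a CI step that fails the build on any finding, a check like this gives the review process a floor that does not depend on a human reading every generated line.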
The AI Generated Code Milestone Isn't the Real Story
The real story is that we're in a period where code generation has massively outpaced code review. AI coding tools have changed how fast we build. They haven't changed how carefully we need to check what we've built.
I'm not arguing against AI coding tools. That ship has sailed, and honestly, these tools are genuinely brilliant when used properly. But "properly" means with review, with scanning, and with the understanding that speed without scrutiny isn't productivity - it's risk accumulation.
The next 18 months will be defining. Either the industry builds review processes that match AI's output speed, or we're going to see a wave of security incidents that makes the current CVE acceleration look gentle.
My bet? "AI code auditor" becomes one of the most in-demand roles in tech within a year. Someone has to review what the machines write. Right now, almost nobody is.
If you're integrating AI tools into your development workflow and want to make sure you're building the review processes alongside the productivity gains, get in touch. I help teams set up AI-assisted workflows that ship fast without shipping vulnerabilities.