Award Winners for Year 2026 have been Announced!

AI Is Writing More of the Software That Runs Logistics While Its Security Falls Behind

Tuesday, Jun 16, 2026

The more code an organization hands to artificial intelligence, the more likely it is to ship software with known security flaws. Companies where AI generated 81 to 100 percent of production code were nearly three times more likely to release known vulnerabilities than those where it accounted for 1 to 20 percent, a gap of 47 percent against 14 percent, and three out of four organizations acknowledged deploying code they knew to be vulnerable, driven by deadlines, complexity, and the hope that the flaws would not be found. The figures come from Checkmarx’s annual Future of Application Security report, published on June 8 and built on a Censuswide survey of 2,350 chief information security officers, application security managers, and developers across 14 countries. The report’s reach extends well beyond software firms, because logistics now runs on code, much of it AI-assisted, and the security of that code has become a live question for every freight broker, carrier, and 4PL that depends on a digital platform to move freight.

Ninety-five percent of CISOs reported feeling pressure to suppress or delay compliance-related security issues when business deadlines were at stake, a number that suggests security decisions are increasingly being made on commercial rather than technical grounds. That pressure sits on top of a development culture that has adopted AI faster than it has secured it. Ninety-six percent of developers said they had AI tooling inside their integrated development environments and rated it effective, yet only 18 percent said they applied security continuously as they wrote code. The rest caught issues at defined stages after the code already existed, or reactively once an incident had surfaced.

Progress over the past year has been incremental. The share of organizations knowingly shipping vulnerable code fell from 81 to 75 percent, and formal AI governance policies rose from 18 to 22 percent, which still leaves 78 percent of organizations without governance over the AI tools their developers reach for daily. Checkmarx frames that gap as an open door for shadow AI tools and the unchecked code they quietly produce. Ninety-three percent of organizations acknowledged a recent breach tied to their own applications, even as 73 percent described their security posture as advanced or highly mature, a distance between confidence and reality that runs straight through the data.

Sandeep Johri, the chief executive of Checkmarx, said the findings point to a disconnect between the scale of the crisis and the response to it. He argued that AI alone cannot secure code and in fact adds risk, likening it to a student who cannot grade their own exam, and called for security that pairs deterministic precision with probabilistic reasoning while closing the distance between finding a vulnerability and fixing it.

Jonathan Rende, the company’s chief product officer, located the threat on two fronts. Frontier models are accelerating the discovery of vulnerabilities across legacy and open-source code, he said, while AI-generated code widens the attack surface inside every pipeline. He pointed to three priorities for organizations: reducing raw findings to actionable signal, embedding remediation into every workflow, and maintaining visibility across the entire software supply chain.

The software supply chain is a supply chain in the literal sense. Modern logistics platforms are assembled from open-source libraries, third-party interfaces, and now AI-generated components, each of which carries the security history of its origin. A transportation management system, a visibility platform, or a broker’s pricing engine inherits the vulnerabilities of its dependencies in the same way a finished good inherits the quality of its inputs. As the firms that build and buy these tools lean harder on AI to write code faster, the report’s central caution applies with full force, because speed without security at the point of creation pushes risk downstream, where it costs more to locate and takes longer to remediate.

Checkmarx plans to present the findings at a virtual summit, Agentic AppSec Unleashed 2026, on June 16, where security and engineering leaders from several enterprises will join company executives to discuss the gap between insight and action. The full report is available from Checkmarx.

Leave a Comment

Your email address will not be published. Required fields are marked *

Generic placeholder image

Supply Chain Moves

Scroll to Top