The rapid integration of artificial intelligence (AI) into application security (AppSec) has been lauded as a game-changer, promising to alleviate the overwhelming manual efforts and accelerate vulnerability detection. With expanding attack surfaces, limited resourcing, and pressure to ship more code faster (but still securely), we hypothesized that AI could help fill that gap.
Indeed, our latest survey reveals a striking trend: a staggering 90% of respondents are already leveraging or actively considering AI within their AppSec programs; spread across regions and industries, 77% of respondents are already using AI, and 13% are evaluating AI to at least some extent within their AppSec programs and workflows.
Yet, beneath this enthusiastic adoption lies a critical, and perhaps concerning, paradox. Despite this heavy reliance on AI, respondents report little to no oversight of AI results. A third of respondents reported that 50% or more of the AppSec issues identified by AI tooling in their workflows are acted upon without human review.
Is this an indicator of trust or a symptom of teams taking calculated risks in the name of keeping pace?
AI adoption trends: An industry deep dive
77% of total survey respondents reported already using AI within their existing AppSec workflows, with the High Tech industry coming in highest (88% are using AI in AppSec use cases). SaaS (86%) and Healthcare (82%) were close behind, with Media & Entertainment (73%) and Public Sector (64%) slightly lagging in AI adoption.
When asked about AI integration into existing CI/CD pipelines and the extent of AI-driven security tooling in place, only 25% of survey respondents reported that AI is fully integrated into their existing development pipelines. The majority (39%) reported that it is partially integrated, while 31% are ‘experimenting’ with implementation, and only 6% is ‘not at all integrated’ into existing workflows at this time.
By Industry, High Tech reported the most complete integration (40%) compared to other industries: Media & Entertainment (19% fully integrated), Gaming (15% fully integrated).
The benefits of AI to respondents are clear: 55% report an (obvious) reduction in manual effort, 50% report ‘faster vulnerability detection’, 36% report faster vulnerability remediation timelines, and 43% noted better triage capabilities. But are these benefits at the expense of accuracy and true security?
Trust and accuracy: Evaluating AI’s reliability in AppSec
Considering heavy adoption and integration numbers, we wanted to further understand respondents’ sentiments around AI’s reliability and trustworthiness. We asked respondents about their reported prevalence of false positives stemming from AI-driven security tooling.
37% reported occasional false positives and 12% reported frequent false positives, for nearly half (49%) of survey respondents who see at least somewhat frequent false positive results—a finding which could pose significant negative impacts to any security program. Only 11% reported that they ‘never’ see false positives. This begs the question of whether AI-driven security tooling is really yielding ‘good enough’ security results.
We dug further, questioning overall trust in AI’s accuracy. Only 22% ranked it as ‘excellent’, while 48% said it was ‘good enough’, and a combined 30% said it was either fair or as far down as ‘very poor’. We wanted to explore further what challenges security teams are seeing while using AI in their security workflows. Able to select various answers, respondents reported that ‘integration complexity’ (46%), Lack of trust in results (36%), Poor explanation of security findings (23%), internal skills gaps (38%), and regulatory or compliance concerns (33%) are giving security teams pause.
In free-form responses, respondents reported that they “have too much debugging [they] have to do afterward”, and that they “have ethical and compliance concerns” around AI usage in their security workflows.
The critical gap: AppSec issues acted upon without human review
A clear trend emerges when reviewing adoption/integration numbers with responses around AI oversight, trust, and results: AI is integrated, it’s helping to speed things up, and it’s helping to fill the gap where resources and skills lack—but it‘s certainly not perfect. With false positives and differing sentiments towards its trustworthiness and overall accuracy, we wanted to understand what, if any, guardrails organizations have in place to verify security results.
This is all to say that a third of respondents report that 50% or more of the AppSec issues identified by AI-driven tooling in their workflows are acted upon without human review of any kind. Given the mixed sentiments provided above about AI’s overall accuracy and performance, it’s safe to assume that the lack of oversight here is a mixture of limited resources and bandwidth, paired with risk tolerances high enough to accept that AI is “good enough”.
For those orgs that DO practice some level of AI oversight, we asked what governance controls they have in place to verify results. Capable of selecting more than one answer, 66% reported review checkpoints, 49% use AI model vetting, 46% use auditing and logging, and 32% rely on secure sandboxing. While it’s promising to see some level of oversight, these values should again be viewed in tandem with the responses above: While there are some decent oversight practices in place, the percentage of respondents who practice them is concerningly limited.
The future of AI in AppSec: Potential for more (better) AI
Looking ahead, most respondents are actively exploring how AI can better support AppSec — with 80% already experimenting or planning to do so. When asked what improvements they hope to see, many emphasized a need for greater accuracy, transparency, and contextual understanding. Respondents expressed that they want AI tools to reduce false positives, detect threats in real time, and better grasp complex business contexts to prioritize vulnerabilities effectively.
As one participant put it, the goal is for AI to “differentiate between legitimate and malicious activities while explaining the rationale behind its decisions.” These open-ended insights highlight that while AI in AppSec is making progress, practitioners are calling for smarter, more explainable, and business-aware systems to truly elevate application security in the years ahead.
For more information, visit https://www.fastly.com/
Read More from This Article: In AI we trust? Increasing AI adoption in AppSec despite limited oversight
Source: News
