Artificial intelligence has shortened the timeline for software development from months to days. But according to new research, that acceleration is creating significant risks for security and compliance issues.
Black Duck’s 2026 Open Source Security and Risk Analysis (OSSRA), based on audits of 947 commercial codebases spanning 17 industries, shows that vulnerabilities inside enterprise applications have surged over the past year. The average number of open-source vulnerabilities embedded in an application rose a remarkable 107%, reaching 581 per codebase.
Open-source components now appear in 98% of audited applications, effectively making third-party code a foundational layer of modern software. Over the past year, the number of open-source components per application climbed 30%, while file counts expanded 74%. The increase reflects not only developer productivity gains but also a widening level of dependency.
Many of the vulnerabilities counted are inherited indirectly through nested dependencies (libraries within libraries), creating sprawling chains of exposure that are hard to unwind. Critical flaws were identified in 44% of applications reviewed, and high-severity issues appeared in 78%.
Meanwhile, software supply chain attacks have become a greater threat. Sixty-five percent of surveyed organizations reported experiencing such an attack within the past year, revealing that attackers are actively targeting these layered ecosystems.
AI Coding Assistants
The normalization of AI coding assistants is driving these problems. More than half of organizations formally allow developers to use AI-powered tools, and even companies that officially block the tools acknowledge informal adoption. These systems are optimized to produce functional code rapidly, often recommending widely used libraries without evaluating whether those dependencies increase the attack surface.
Traditional application security models assumed code would be written and reviewed at human pace. Yet automated code generation introduces dependencies far faster than security teams can catalog and remediate them. The imbalance is creating a widening gap between coding speed and human oversight capacity.
Maintenance practices add another layer of exposure. The OSSRA findings show that 93% of audited codebases included components that had not seen active development in at least two years. Ninety-two percent relied on software that was four or more years old, and a mere 7% of components were fully up to date.
When dormant projects later reveal security flaws, companies face tough choices: replace the component, assume maintenance internally, or accept the compliance risk.
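The two problems described above, vulnerabilities inherited through nested dependencies and components that have gone dormant for years, are easiest to see when the dependency graph is walked from the application root and every finding is reported together with the chain that pulls it in. The following script is an added illustration, not code from the OSSRA report or from Black Duck: the component graph, release dates, advisory entries and the `AS_OF` audit date are all constructed sample data, and the lock-file layout it assumes is a simplification of what real package managers emit.

```python
"""Walk a constructed dependency graph, flag components that are vulnerable
or dormant, and report the path(s) by which each one reaches the application.
All data below is constructed for illustration; it is not real advisory data."""
from datetime import date

# Constructed audit date so that staleness calculations are deterministic.
AS_OF = date(2026, 2, 1)

# Constructed lock-file style graph: name -> (version, last release, dependencies)
COMPONENTS = {
    "app":           ("1.0.0", date(2025, 11, 1), ["web-framework", "json-tools"]),
    "web-framework": ("4.2.0", date(2025, 9, 10), ["http-core", "template-lib"]),
    "http-core":     ("2.1.3", date(2025, 8, 2),  ["url-parse"]),
    "url-parse":     ("0.9.1", date(2021, 3, 15), []),   # dormant, reached two ways
    "template-lib":  ("1.4.0", date(2019, 6, 1),  []),   # dormant for over six years
    "json-tools":    ("3.0.0", date(2025, 10, 5), ["url-parse"]),
}

# Constructed advisory feed: name -> first fixed version and severity.
ADVISORIES = {
    "url-parse":    {"fixed_in": "1.0.0", "severity": "high"},
    "template-lib": {"fixed_in": "1.5.0", "severity": "critical"},
}


def parse_version(version: str) -> tuple:
    """Turn '1.10.2' into (1, 10, 2) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(name: str, version: str) -> bool:
    """A component is vulnerable if an advisory exists and the installed
    version is older than the first fixed version."""
    advisory = ADVISORIES.get(name)
    return advisory is not None and parse_version(version) < parse_version(advisory["fixed_in"])


def years_dormant(name: str, as_of: date = AS_OF) -> int:
    """Whole years since the component's last release."""
    return (as_of - COMPONENTS[name][1]).days // 365


def dependency_paths(root: str, graph: dict = COMPONENTS) -> dict:
    """Return every path from root to each reachable component, so a
    transitive finding can be traced back to the direct dependency that
    introduced it. A cycle guard stops infinite recursion."""
    paths: dict = {}

    def walk(node: str, trail: list) -> None:
        if node in trail:
            return
        trail = trail + [node]
        paths.setdefault(node, []).append(trail)
        for dep in graph[node][2]:
            walk(dep, trail)

    walk(root, [])
    return paths


def audit(root: str = "app", dormant_after: int = 2, as_of: date = AS_OF) -> list:
    """Report components that are vulnerable or have been dormant for at
    least `dormant_after` years, with the chains that pull them in."""
    findings = []
    for name, paths in dependency_paths(root).items():
        if name == root:
            continue
        version = COMPONENTS[name][0]
        dormant = years_dormant(name, as_of)
        vulnerable = is_vulnerable(name, version)
        if not vulnerable and dormant < dormant_after:
            continue
        findings.append({
            "component": name,
            "version": version,
            "severity": ADVISORIES[name]["severity"] if vulnerable else None,
            "dormant_years": dormant,
            # Transitive if no path reaches it in a single hop from the root.
            "transitive": all(len(p) > 2 for p in paths),
            "paths": [" -> ".join(p) for p in paths],
            # The direct dependencies that would have to ship a fixed version.
            "upgrade_points": sorted({p[1] for p in paths}),
        })
    findings.sort(key=lambda f: f["component"])
    return findings


if __name__ == "__main__":
    for finding in audit():
        print(f"{finding['component']} {finding['version']}: "
              f"severity={finding['severity']} dormant={finding['dormant_years']}y "
              f"transitive={finding['transitive']}")
        for path in finding["paths"]:
            print("   via", path)
        print("   fix by upgrading:", ", ".join(finding["upgrade_points"]))
```

The point of carrying the full path rather than just the component name is the "hard to unwind" part of the paragraph: here `url-parse` is vulnerable and dormant, but it cannot be patched directly, because it is only present through `http-core` (itself pulled in by `web-framework`) and through `json-tools`. Both direct dependencies have to move before the flaw leaves the build, which is exactly the replace-or-maintain-or-accept decision the text describes.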
Potential Legal Issues
Legal uncertainty is a growing issue. Sixty-eight percent of reviewed codebases contained conflicting open-source licenses, the highest rate recorded in the report’s history. Again, the integration of AI-generated code is contributing to the problem. Models trained on public repositories may reproduce fragments governed by restrictive licenses without carrying forward the associated obligations. If such code is built into commercial software without scrutiny, those fragments can create intellectual property problems.
Despite the rising exposure, comprehensive review practices remain spotty. A minority of organizations conduct full-spectrum evaluations of AI-generated contributions for security, quality and licensing compliance. Code introduced through copy-and-paste workflows or automated suggestions may not be captured by traditional manifest-based scanning tools, limiting visibility.
The bottom line here, it seems, is that even as code is written at ever faster rates, transparency into what is running in production might prove more important than the speed at which it was written.