AI coding assistants are transforming software development. The debate is no longer about whether to adopt them, but how to integrate them without compromising platform security, code quality, or operational compliance.AI has changed the economics of code productionWhether you're developing software in a proprietary enterprise or open source environment, you've witnessed a fundamental shift over the past year. Your developers are using AI coding assistants (GitHub Copilot, Cursor, Claude Code, ChatGPT Codex, etc.) to accelerate development. Productivity gains are real—features can ship faster and developers can spend more time on architecture and less on writing repetitive code.But this acceleration introduces new challenges for enterprise teams.Developers: AI generates code in seconds that would take hours to write manually. The temptation to merge without thorough review is strong, especially under deadline pressure.Architects: It's becoming more complicated to maintain security standards, code quality, and architectural consistency across teams generating AI-assisted code at an unprecedented scale.Security teams: Increased code review volume and speed. Pull requests and issues reports arrive faster, contain more code, and require scrutiny for AI-specific vulnerabilities that haven’t been seen before.This isn't just an enterprise problem. At Red Hat, we’re observing the same pattern in open source communities as well. A maintainer shared their experience with this AI-generated pull requests (PRs) in the blog post, "Open source has a bot problem." Maintainers need to review machine-generated contributions at machine speed but with human-level attention. The enterprise faces the same challenge with higher stakes. A security vulnerability in production doesn't just affect reputation, it impacts revenue, compliance, and customer trust.Security risks are documented and materialThe Open Worldwide Application Security Project (OWASP) Agentic Top 10 for 2026 identifies security threats in this new development era and almost half are connected to AI-assisted development:ASI02: Tool Misuse and Exploitation: AI-crafted code can trigger trusted legitimate tools (like CI/CD testing) to perform malicious actionsASI04: Agentic Supply Chain Vulnerabilities: AI assistants may introduce dependencies with known CVEs or incompatible licensesASI05: Unexpected Code Execution: Generated code may bypass security controls or execute with unintended privilegesASI09: Human-Agent Trust Exploitation: Developers over-trust AI output and skip validation stepsThese risks are manifesting in enterprise systems today, resulting in an expanded attack surface. With AI-generated coding, threats range from the distracting noise of AI "slop" and systemic maintainer burnout to sophisticated social engineering and CI/CD pipeline compromises and catastrophic software supply chain attacks. Far from a hypothetical warning matrix, each layer of this compounding threat is backed by documented, real-world incidents. To survive it, your traditional security workflow needs to evolve as well.As we transition toward a comprehensive AI software development lifecycle (AI-SDLC), enterprises must adopt a rigorous, multilayered defense posture at every phase of the pipeline, spanning from code development and review to automated testing and final deployment. Protecting these highly autonomous systems requires complex operational frameworks, using isolation techniques such as AI agent sandboxing. Yet, while fortifying the entire agentic architecture is essential, let's focus on one foundational and incredibly critical piece of this broader AI security strategy: how to practically make AI-assisted coding safer for developers and architects right now.A 3-pillar framework for AI-assisted codingAI-assisted development in the enterprise requires coordinated action across policy, skills, and automation.1. Policy: Establish governance and accountabilityEnterprise leaders need to clearly define their approach to AI code generation. Some enterprises still ban the use of AI assistants in production while others allow unrestricted use. Both approaches are bound to fail.Banning AI assistants drives developers to shadow IT where they use unapproved tools without security oversight, leading to a lack of visibility and control. Unrestricted use, on the other hand, creates compliance and security gaps. Developers merge AI-generated code without understanding licensing implications, security risks, or architectural misalignment. The effective approach is to define a clear AI-assisted development policy that balances innovation with governance. We see these patterns equally applicable to enterprise and open source development. For example, Red Hat helped the Fedora Project to come up with a responsible and meaningful AI Contribution Policy that was agreed upon by all community leaders.Red Hat has also published AI-assisted development: Supercharging the open source way, which includes 7 principles for AI-assisted code development, based on both internal practices and open source community experience. Here are some of the practical suggestions for developers:Human accountability: The developer submitting AI-generated code owns the security and quality outcomes. AI doesn't sign commits, developers do. Engineering best practices: Code review, testing, CI/CD gates, and security scans don't disappear because AI wrote the code.Security-conscious: AI-generated code should be treated as untrusted input until validated.Security-focused prompts: Developers must learn to prompt AI assistants toward security-focused patterns. Before submitting code, ask your AI assistant to identify security issues, edge cases, or logic errors.For architects and engineering leaders, these principles translate into actionable governance:AI tools: Standardize on enterprise-licensed AI coding assistants with appropriate data governance and privacy controls.Developer guidelines: Extend existing code review, security, and quality standards to explicitly address AI-generated code.Accountability: Developers own AI-assisted code. Managers enforce accountability in code reviews and post-incident reviews.2. Skills: Security-focused use of AISoftware development uses AI tools now, but knowledge is still uniquely human. Security-focused prompting isn't intuitive and isn't something you can fully outsource to AI. Developers need training on how to guide AI assistants toward security-focused, maintainable code. Red Hat experts collaborated with other industry leaders to release OpenSSF Security-Focused Guide for AI Code Assistant Instructions that provides practical patterns for secure prompting and Linux Foundation's Secure AI/ML-Driven Software Development course (free for everybody) offers foundational training on AI security risks and mitigation strategies.But there's a more powerful approach emerging: embedding security skills directly into AI tools. Red Hat Product Security has open sourced prodsec-skills, a library of more than 130 security skills that AI coding assistants can use while writing, testing, and auditing code.What are security skills?Security skills encode security best practices, security-focused architecture guidance, software supply chain hardening, and vulnerability testing strategies in a format AI assistants can read and apply. Instead of relying on developers to remember every secure coding principle, skills embed expertise directly into the AI's workflow.The library is constantly evolving, but it currently includes:CategorySkillsPurposeSecure development113Building security-centric software: cryptography, supply chain security, AI/agentic infrastructure, technology-specific hardeningSecurity testing17Vulnerability discovery through fuzzing and static analysisSecurity auditing4Security review workflows and differential code analysisDeveloper tooling4General development best practicesSkills are tool-agnostic—they work with Claude Code, Cursor, GitHub Copilot, ChatGPT, and any AI assistant that can read Markdown files.How can developers use AI skillsWhen reviewing API handler code for security risks, a developer can prompt their AI assistant to use an input-output-sanitization skill to review for injection vulnerabilities. The assistant reads the skill, applies structured security guidance, and surfaces issues the developer might have missed. To streamline skills deployment across enterprises, you can use AI context package manager LoLa to install only skills that you trust. Use the following command to instantly equip your development environment with localized secure development intelligence without any tedious manual configuration.lola mod add https://github.com/RedHatProductSecurity/prodsec-skills.git