TL;DR

Nearly half of AI-generated code fails basic security tests — and that number hasn't budged as models got bigger.

Java is the riskiest language, XSS is the vulnerability models handle worst, and it's not close.

Three cheap layers (prompt, pre-commit, CI/CD) catch most of it. None take more than an afternoon to set up.

AI coding tools like Claude Code, Cursor, and Codex have changed how software gets written. But they've also introduced a class of risk most teams haven't caught up with yet.