Why AI-generated code tends to be vulnerable
Three forces compound. Models optimize for a working happy path, so the unhappy paths - malformed input, hostile users, missing permissions - are under-served. Generated code reaches for permissive defaults because they are the shortest path to "it runs." And the sheer volume means more code ships with fewer human eyes per line than ever before.
The weakness classes that show up most
Across AI builders and assistants, the same handful of issues dominate. None are exotic; they are the basics that get skipped under speed.
- Broken access control
Endpoints and data rules that check authentication but not whether the user owns the specific record. The single most exploited class.
- Exposed secrets
API keys and credentials that end up in client-reachable code or committed files.
- Missing input validation
Trusting client input, opening the door to injection and malformed-data bugs.
- Hallucinated dependencies
Packages suggested by a model that do not exist - and that attackers register to hijack (slopsquatting).
How to check your own app
You do not need to read every line. Focus on the seams: verify per-record authorization on data access, confirm secrets are server-side, validate inputs at the server boundary, and audit your dependency tree for anything you did not intend. The most reliable approach is to make that review automatic on every change rather than a one-time audit that goes stale the next commit.
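One way to express the per-record authorization check and turn it into an automatic regression check, as an added example (not code from the original page or from any product it mentions). The `Invoice` model, the handler names and the sample data are hypothetical.

```python
from dataclasses import dataclass

class Unauthenticated(Exception):
    """No logged-in user on the request."""

class Forbidden(Exception):
    """Logged in, but the record is missing or belongs to someone else."""

@dataclass(frozen=True)
class Invoice:
    id: int
    owner_id: int
    total_cents: int

# Constructed sample data: two users (101, 202), one invoice each.
INVOICES = {
    1: Invoice(id=1, owner_id=101, total_cents=4200),
    2: Invoice(id=2, owner_id=202, total_cents=9900),
}

def get_invoice_weak(session_user_id, invoice_id):
    """Weak form: checks "is logged in" only, so any user can read any id."""
    if session_user_id is None:
        raise Unauthenticated("login required")
    return INVOICES[invoice_id]

def get_invoice(session_user_id, invoice_id):
    """Hardened form: checks "is logged in" and "owns this record"."""
    if session_user_id is None:
        raise Unauthenticated("login required")
    invoice = INVOICES.get(invoice_id)
    # Same error for "missing" and "not yours" so the response does not
    # reveal which ids exist.
    if invoice is None or invoice.owner_id != session_user_id:
        raise Forbidden("invoice not found")
    return invoice

def cross_user_reads(handler, users=(101, 202)):
    """Regression check: list (user, invoice_id) pairs the handler leaked."""
    leaks = []
    for user in users:
        for invoice_id in INVOICES:
            try:
                record = handler(user, invoice_id)
            except (Unauthenticated, Forbidden):
                continue
            if record.owner_id != user:
                leaks.append((user, invoice_id))
    return leaks
```

Running `cross_user_reads` against every data-access handler in a per-commit test keeps the ownership check from silently regressing.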
The pre-launch checklist
- Verify per-record authorization everywhere
Not just "is logged in" - "owns this record".
- Move all secrets server-side
Rotate anything that reached the client.
- Validate inputs at the server boundary
Treat all client input as hostile.
- Audit the dependency tree
Confirm every package is real, intended, and pinned.
- Add rate limiting to public endpoints
Protect unauthenticated surfaces from abuse.
- Make security review automatic
A per-commit check beats a one-time audit that goes stale.
Run this checklist on your repo, automatically
PeakStack scores every commit for security, scalability, and cost - with the exact line and a fix.
FAQ
Is AI-generated code safe to use in production?
It can be, with review. The code is not inherently broken, but studies find a large share ships with a security weakness - most often broken access control. Treat generated code like any code: review the security-critical seams before launch.
What percentage of AI-generated code has security issues?
Research from Wiz, Databricks and others puts it at around 45% containing a known weakness, and vulnerabilities per codebase have risen sharply year over year. The exact number varies by study, but the direction is consistent.
How do I check if my AI-built app is secure?
Focus on per-record authorization, secret handling, input validation, and your dependency tree - and automate the review. PeakStack scores security on every commit with the exact line and a fix.