
Security cannot follow AI. It has to lead.
getty
AI software security, or AISec, is emerging as a critical new discipline as artificial intelligence moves from a supporting role into the core of how software is created, deployed and operated. AI is no longer just assisting developers—it is actively participating across the entire software lifecycle and increasingly driving enterprise operations. As this shift accelerates, it fundamentally changes what must be secured, how risk is introduced and why existing security models are no longer sufficient.
Having tracked the technology industry through more than four decades of architectural transitions, from mainframes to PCs, from client/server to the cloud, and from mobile to the current AI era, I can say that each one changed how software is developed, and security disciplines adapted accordingly. We are now witnessing the most impactful transition yet, and it calls for an entirely new security discipline.
AI used to be merely a tool helping developers code faster. Now it participates in all stages of the software lifecycle, from designing a system to implementing and testing it to operating and tuning it, with minimal human involvement. Meanwhile, companies are moving toward what I call the Autonomous Enterprise, where AI agents perform sensing, reasoning, deciding, acting, and learning across business processes and IT operations on their own.
This is not a minor evolution of software. It is a revolution in the essence of software development, and it requires us to reexamine what should be secured, governed and trusted.
From Application Security to AI Security
For the last two decades, application security has been about protecting software developed by people. Static analysis, dynamic testing, software composition analysis and governance frameworks have become key components of this discipline, developing alongside Agile, DevOps, and the cloud. All of these still matter. However, a common assumption behind these tools and methods is no longer true: that the software being protected is built and operated by people.
Software is no longer created solely by people; it is also generated, built and operated by artificial intelligence. It is written by large language models, tested by autonomous agents, deployed through AI orchestration, operated in real time and makes operational decisions without human involvement. The object of protection has changed, and our protection framework should adapt accordingly.
This shift is not incremental—it changes the foundation of the software lifecycle itself. When both humans and AI agents are responsible for creating, modifying, and operating systems, the assumptions underlying traditional security approaches no longer hold. What is needed is a security model designed for this new reality.
Why This Matters Now
The reason for urgency is adoption. Enterprises are not waiting for governance frameworks to mature before using AI agents in production. Coding assistants are becoming the norm in development teams. Agentic platforms are being deployed across business processes in finance, customer service, supply chain and IT operations. The competitive pressure is real, and so is the risk of rushing before security tools catch up.
This shift introduces real risk. AI-generated code can introduce vulnerabilities faster than teams can realistically review. At the same time, AI is no longer just assisting—it is making changes to systems, adjusting configurations and pushing updates into production, often without direct human oversight. Existing testing approaches were not designed for that kind of environment. As a result, it becomes much harder to answer basic questions about where code came from, who is responsible for it and whether it can be trusted.
What AISec Needs to Cover
AISec needs to go beyond what traditional application security was built to handle. It has to account for things like securing models and prompts, making sure autonomous agents behave as expected, and putting guardrails around how AI makes decisions in production. It also means being able to track and understand what’s happening throughout the entire lifecycle, even as both people and machines shape it.
It is quite a challenge, and it will not come overnight. Still, enterprises that get ahead with AISec practices now, rather than trying to retrofit them after an incident, will be much better prepared in a world where the Autonomous Enterprise becomes the rule rather than the exception.
I have seen this pattern before. Each major shift, including cloud, mobile, and now AI, has been met with the same tendency to move fast and address security later, often at a cost. We should not repeat that mistake here. The move to AI-generated, AI-assisted, and AI-operated software is already well underway and accelerating faster than any transition I have seen in my career. This time, security cannot follow. It has to lead.

2 hours ago
1













English (US)