Safeguard
AI Security

AI Code Security Tools: risks of restricting them

Banning AI coding assistants doesn't remove the risk, it just removes visibility. Here's why restriction backfires and what actually secures AI-generated code.

Safeguard Research Team
Research
Updated 7 min read

When Samsung banned ChatGPT company-wide in May 2023, the trigger wasn't hypothetical: engineers had pasted proprietary semiconductor source code into the chatbot three separate times in a single month. Three years later, that same reflex — restrict first, ask questions never — has hardened into policy at hundreds of enterprises, and competitor research keeps supplying justification for it. It's the same pattern enterprise security tools adoption has followed for a decade: ban the risky category outright instead of building the governance to actually monitor it. Veracode's 2025 GenAI Code Security Report found that 45% of AI-generated code samples introduced security flaws, with some languages failing more than 70% of the time. The conclusion many security teams draw is simple: lock down the AI coding tools, route everything through a scanning gate, and hope developers comply. But restriction is not the same as control. When organizations ban or heavily throttle AI code security tools instead of governing how they're actually used, they don't remove the risk sitting in their codebase — they remove their own visibility into it, and push the same vulnerabilities into channels nobody on the security team is watching.

Why Are So Many Enterprises Restricting AI Code Security Tools?

Enterprises are restricting AI code security tools because a handful of expensive, visible incidents made an outright ban feel like the responsible default. Samsung's 2023 incident is the canonical example, but it wasn't isolated — Apple, Verizon, and several major banks quietly barred employees from using ChatGPT and Copilot on internal systems that same year, and a 2023 BlackBerry survey of roughly 2,000 IT leaders found that 75% of organizations globally were either implementing or actively considering workplace bans on ChatGPT-style tools. Vendor research has reinforced the instinct ever since. Veracode's own GenAI Code Security Report tested more than 100 large language models across 80 coding tasks and found no meaningful security improvement over the prior year of model releases — bigger, newer models produced code just as likely to fail an OWASP Top 10 check as older ones. For a CISO facing an audit, "we don't allow it" reads as a cleaner answer than "we allow it and here's how we monitor it." The problem is that clean answer is usually false.

Does Blocking AI Coding Assistants Actually Stop Developers From Using Them?

No — restriction policies overwhelmingly push usage underground rather than eliminating it. GitHub reported that Copilot had crossed 1.8 million paid subscribers and was in use at more than 90% of Fortune 100 companies by early 2024, which means adoption was already structural well before most governance policies caught up. Where employers block sanctioned tools, engineers routinely fall back to personal ChatGPT accounts, browser-based assistants, or unmanaged extensions that never touch a corporate license — activity security teams call "shadow AI," and it's functionally identical to the shadow IT problem that plagued unsanctioned SaaS adoption a decade earlier. The difference is what's at stake: a shadow SaaS tool might leak a spreadsheet, but a shadow AI coding session can inject an unreviewed dependency, a hardcoded credential, or a subtly broken auth check directly into a production repository, with no scan, no log, and no audit trail pointing back to how it got there.

What New Risks Appear When AI-Generated Code Goes Unscanned?

The two biggest risks are insecure code patterns and hallucinated dependencies, and both have been independently measured at scale. On the code-quality side, Veracode's 45% flaw rate is the headline number, but a 2023 Stanford study by Perry et al. found the more troubling behavioral pattern underneath it: developers given AI coding assistance wrote less secure code than a control group, while simultaneously reporting more confidence that their code was secure. On the dependency side, researchers from the University of Texas at San Antonio analyzed 576,000 code samples generated by 16 different LLMs and found that 19.7% of the software packages those models recommended didn't exist at all — averaging 5.2% for commercial models and 21.7% for open-source models, and yielding more than 205,000 unique hallucinated package names. Attackers have already operationalized this as "slopsquatting": registering the exact hallucinated names an LLM keeps confidently suggesting, so the next developer who accepts the AI's autocomplete pulls down a malicious package instead of a typo. None of that shows up in a policy document that says "AI tools are banned" — it shows up in the dependency tree of whichever engineer decided the ban didn't apply to them today.

Is Veracode's Scan-and-Gate Model Built for How Developers Use AI Tools Today?

Not really — Veracode's approach, like most traditional app security tools, is built around point-in-time static analysis, which catches a flaw after code is written rather than governing how AI-assisted code and its dependencies enter the pipeline in the first place. That distinction matters more than it sounds: a scan-and-gate model assumes every commit reliably flows through one controlled path, but Veracode's own data shows the underlying problem is structural rather than incidental — across successive model generations tested for the 2025 report, security failure rates didn't meaningfully improve, meaning the same class of flaw keeps recurring regardless of which LLM wrote the code. A tool that only checks output after the fact will keep re-discovering the same 45% failure rate release after release, without ever addressing where the AI-suggested package came from, whether it has a verifiable build provenance, or whether it entered through a sanctioned pipeline versus a developer's personal Copilot session on an unmanaged laptop. Scanning tells you a problem exists. It doesn't tell you which of your seventeen AI tools introduced it, or whether it's still happening right now in a repo nobody's watching.

What Happens When Restriction Replaces Governance in the Software Supply Chain?

When restriction replaces governance, organizations lose exactly the artifacts that supply chain security and compliance frameworks depend on: provenance, attestation, and an accurate SBOM. A policy that says "no AI coding tools" doesn't stop AI-suggested code from entering a codebase — it just means that code arrives with no record of which model generated it, what training data or licensing risk it carries, or whether its dependencies were verified before merge. That's a direct problem for SOC 2 audits and for frameworks built around Executive Order 14028's software provenance requirements, both of which expect organizations to demonstrate control over how software gets built, not merely assert that a category of tool is forbidden. Gartner has projected that the overwhelming majority of enterprise engineers will be using AI code assistants within the next few years regardless of policy, which means the honest compliance question in 2026 isn't "did we ban it" — it's "can we prove, dependency by dependency, where every line of AI-assisted code came from." Restriction-only policies can't answer that question. Continuous, tool-agnostic visibility can.

How Safeguard Helps

Safeguard is built on the premise that you can't secure what you can't see, and banning a tool is not the same as seeing what happens when someone uses it anyway. Instead of gating AI code security tools behind a static, point-in-time scan, Safeguard tracks provenance continuously across the software supply chain — every dependency an AI assistant suggests, every package that gets pulled into a build, and every artifact that ships gets tied back to a verifiable source, so a hallucinated or slopsquatted package gets flagged before it reaches production rather than discovered in a post-mortem. Safeguard's SBOM generation and monitoring runs continuously rather than at a single gate, which means AI-assisted commits from sanctioned tools and unmanaged "shadow AI" usage alike surface in the same view instead of one being invisible by policy. For teams under SOC 2, FedRAMP, or EO 14028 obligations, that continuous provenance record is the evidence auditors actually ask for — not a policy memo asserting AI tools are restricted, but a verifiable chain showing exactly what entered the codebase, from where, and whether it was validated before it shipped. The goal isn't to tell developers no. It's to make sure that whatever they say yes to is something your security team can actually see. Most enterprise security tools were built to gate a known set of inputs; the AI-assisted workflow breaks that assumption, which is exactly why provenance-first visibility has to replace ban-first policy as the actual app security tools control.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.