AI Security
In-depth guides and analysis on ai security from the Safeguard engineering team.
676 articles
The supply-chain and IP risk hiding inside AI coding assistants
GitHub has disclosed that Copilot suggestions match training-set code verbatim about 1% of the time — and a class action over it is still being argued in 2026.
Why AI-generated code quality problems compound into security risk
Developers using AI coding assistants wrote less secure code in 4 of 5 tasks in a 2023 Stanford study — and were more confident it was safe.
The Security Pitfalls Hiding in AI-Generated Code
A 2021 NYU study found roughly 40% of Copilot completions on security-relevant prompts contained exploitable flaws. Here's a field guide to catching them.
Where AI actually helps AppSec — and where it quietly makes things worse
One 2025 benchmark found an LLM filter cut Semgrep's false positives by 88.6% — while a separate study found GPT-4 alone flagging vulnerabilities was wrong more often than right.
AI Red Teaming vs. AI-SPM: Why You Need Both
OWASP's 2025 LLM Top 10 and MITRE ATLAS both treat adversarial testing and posture scanning as separate disciplines — most AI programs still run only one.
AI Developer Tools: Weighing Productivity Against Security and IP Exposure
NYU found 40% of Copilot-generated code contained exploitable flaws; Samsung banned ChatGPT after three leaks in under 20 days. The productivity math still isn't simple.
Code injection risks in GenAI-generated code
Nearly 40% of GitHub Copilot's suggested programs contain exploitable vulnerabilities, and 19.7% of AI-generated code samples reference packages that don't exist.
Why AI-generated code needs DAST, not just SAST
Copilot-generated code carried vulnerabilities in ~40% of cases in a 2021 NYU study. Static scanning alone cannot catch the runtime-only bug classes LLMs introduce.
Detecting AI Hallucinations in Generated Code
A USENIX Security 2025 study found 19.7% of packages recommended by 16 LLMs across 576,000 code samples don't exist — and attackers are registering them first.
Guardrails for Autonomous AI Agents: Allowlisting, Validation, and Human-in-the-Loop
OWASP's 2025 LLM Top 10 splits Excessive Agency into three root causes. Here's how tool allowlisting, output validation, and approval gates address each one.
Why static scanners miss malicious AI agent skills
In April 2025, Invariant Labs showed a malicious MCP tool description could exfiltrate an SSH key — with zero suspicious code for a static scanner to flag.
LLM-assisted vulnerability autofixing: approaches and how to validate the patches
At DARPA's AIxCC finals in August 2025, AI systems patched 68% of vulnerabilities they found — up from 25% at semifinals. Here's how the approaches differ and why validation still matters most.