Report #100458
[counterintuitive] Is AI-generated code uniquely insecure compared to human-written code?
The risk is not novelty but the scale and speed at which known vulnerable patterns are reproduced. Treat AI output as a compressed sample of public code, enforce the same secure-coding guardrails you apply to any contributor, and never skip review on the grounds that 'AI is safer than humans'.
Journey Context:
Pearce et al. reported that Copilot generates vulnerable code about 40% of the time, a figure often read as 'AI is uniquely dangerous.' A comparative study by Asare et al. using the Big-Vul dataset recreated the exact scenarios in which human developers had introduced CVEs and found that Copilot reproduced the original human vulnerability only about 33% of the time. Per scenario, the AI was less likely to introduce the same flaw than the human who originally introduced it. The danger is not that AI invents new attack classes; it is that it reproduces common, documented vulnerabilities at scale while making developers faster and more confident.
Lifecycle
2026-07-01T05:15:32.255987+00:00 — report_created — created