As your organization rolls out AI code editors like Cursor and GitHub Copilot, it's critical to understand both the opportunity and the risk. Boards, CEOs, and CTOs are racing to deliver productivity gains from these tools, and many businesses are experiencing real benefits in the form of increased code generation and output. Recent studies suggest organizations can expect a 10-40% increase in code velocity.

But studies show 62% of AI-generated code is insecure by default, and developers using an AI coding assistant were twice as likely to write insecure code as those without. That combination, higher volume of unsafe code and increased security vulnerabilities, introduces risk that security teams simply aren’t prepared to handle.

Why AI-generated code creates security pressure

According to independent research, AI models generate the same types of vulnerabilities, indicating a shared training dataset, open source projects. As a result, AI-generated code frequently repeats the most common weaknesses found in OSS code:

• Missing input validation
• Hard-coded credentials
• SQL and OS command injection
• Lack of authentication or access control

Traditional SAST tools can catch some of these surface-level issues, yet they struggle with the deeper design flaws and risky changes that AI can introduce:

• Over-permissive access-control logic
• Business-logic errors that bypass critical checks
• Hallucinated or outdated open source packages pulled into a build
• Silent library swaps that break established security guidelines

These risky changes aren’t always security vulnerabilities either. For example, the founder of SaaS business development outfit SaaStr, Jason Lemkin claimed that AI coding tool Replit deleted an entire production database despite his instructions not to change any code without permission.

Today, teams rely on manual review to detect these higher-order risks. That slows engineering velocity and keeps the business from realizing the full productivity gains promised by AI coding assistants.

The real cost of securing AI-generated code

Reviewing every AI-generated pull request manually isn’t scalable or reliable. To illustrate, let’s take a conservative scenario: a team of 300 developers, each shipping just one pull request per day, generates over 75,000 PRs annually. 

Manual code review is not scalable

With a typical review time of 15 minutes per PR, a common industry benchmark for medium-sized reviews, that’s 18,750 hours of manual review time per year. At an average fully loaded cost of $200,000 per engineer, that’s $1.8 million annually. Most teams aren’t staffed for that, and even if they were, it wouldn’t be enough.

Studies have shown that reviewers can’t effectively identify risky code changes and security issues when code reviews involve more than 100 lines of code. As a result it takes at least 15 reviewers to reach 95% confidence level that all security vulnerabilities have been found. That kind of redundancy isn’t practical, especially at the pace AI-generated code is moving.

* 2,080 working hours per FTE

Existing tools aren’t enough either

Augmenting manual review with security tools helps—but only to a point. Even in best-case scenarios, traditional security tools combined with human review still miss about 20% of risky changes. As a result thousands of security issues still make it into production each year. Even if only a fraction could lead to an exploit—and only 1% might actually be exploited in a given year—at an estimated cost of $4.88M per breach, that’s nearly $12 million in unaddressed risk per year, per 300 developers.

* 40% of GitHub Copilot code has vulnerabilities (source)

† Best case 80% vulnerability detection using existing security tools and manual review (source)

‡ Only ~4% of vulnerabilities pose high risk (source)

§ Average $4.88M cost of a data breach (source)

How Endor Labs can help

Traditional static analysis tools weren’t built for the fast-moving code and complex architecture and design flaws introduced by AI coding assistants. Endor Labs was. Our AI-native platform automates secure code review to catch what static tools miss, and it's built for exactly this AI-driven future. Our system uses multiple agents to perform deep, context-aware analysis across every PR:

• Explains developer intent to security professionals
• Classifies risk by domain and impact
• Prioritizes issues based on severity and scope
• Provides developers real-time feedback
• Notifies security if risks are accepted and merged

In short: it acts like a security engineer reviewing every PR, but at the scale and speed of AI-native software development. It helps reduce manual workload for busy application security engineers, so they can focus on the critical issues that need human review.

Results with Endor Labs

Endor Labs customers report that fewer than 10% of PRs require human security review after implementing AI Security Code Review. That shift frees up over 16,000 hours annually, reduces AppSec workload by 90%, and eliminates the need to scale AppSec headcount just to pace code volume. And it helps prevent $12M of unaddressed risk from entering your codebase

* Typical results reported by Endor Labs customers

Book a meeting to see precisely how Endor Labs can help you manage costs while securely rolling out AI coding assistants.

Additional Resources

• Can LLMs Generate Correct and Secure Backends?
• The Effects of Generative AI on High-Skilled Work: Evidence from Three Field Experiments with Software Developers
• Do Users Write More Insecure Code with AI Assistants?
• Guiding AI to Fix Its Own Flaws: An Empirical Study on LLM-Driven Secure Code Generation
• Prompting Techniques for Secure Code Generation: A Systematic Investigation
• Vibe coding service Replit deleted production database