
AI coding assistants and the governance gap teams keep missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9079
Topic starter  

TL;DR: AI coding assistants can speed up scaffolding and boilerplate, but multiple studies cited by Cerbos show that experienced developers often slow down, review burden rises, and insecure output can increase privilege paths and secrets exposure. The real issue is not typing speed but whether production-ready code, credentials, and review gates can keep up.

NHIMG editorial — based on content published by Cerbos: AI coding assistants expose the gap between speed and production safety

Questions worth separating out

Q: How should teams govern AI coding assistants in production software delivery?

A: Treat AI coding assistants as privileged workflow components, not neutral productivity aids.

Q: When do AI coding assistants create more risk than they reduce?

A: They create more risk when the organisation assumes faster drafting equals safer delivery.

Q: What do security teams get wrong about AI-generated code?

A: The common mistake is reviewing AI output only for obvious bugs and syntax errors.

Practitioner guidance

  • Define assistant privilege boundaries: limit what coding assistants, plugins, and extensions can access in the developer environment.
  • Require secret-safe development workflows: block API keys, tokens, and credentials from being pasted into prompts or shared with external AI systems.
  • Tighten review for AI-generated privilege changes: route changes that affect roles, service accounts, or permission checks through deeper scrutiny than ordinary feature work.

What's in the full article

Cerbos' full blog post covers the operational detail this post intentionally leaves for the source:

  • The specific study findings behind the productivity numbers, including the developer cohorts and task types used in the analysis.
  • Examples of AI-generated code issues that create privilege escalation paths, secrets exposure, and review overhead.
  • The article's discussion of assistant-driven attack surfaces across plugins, extensions, and cloud-connected developer workflows.
  • The team's perspective on when AI coding help is useful for MVP work and when it becomes a net drag on production delivery.

👉 Read Cerbos' analysis of AI coding assistants, productivity, and security risk →
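
The two practitioner controls above, secret-safe prompts and a deeper review lane for privilege-affecting changes, in working form. This is an added example and is not code from the post or from Cerbos. It assumes a hook that can intercept prompt text before it leaves the developer environment and a CI step that sees the unified diff of a pull request; the detection rules, the entropy threshold, the privilege-sensitive path list and all sample inputs are constructed assumptions for illustration (the AWS values are the placeholder keys from AWS documentation, not live credentials).

```python
import math
import re
from dataclasses import dataclass, field

# --- Control 1: keep credentials out of prompts ----------------------------
# AKIA + 16 uppercase alphanumerics and the gh?_ prefixes are public formats;
# the generic "name = value" rule and ENTROPY_THRESHOLD are assumptions for
# this example and need tuning in a real deployment.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----"),
    "bearer_header": re.compile(r"(?i)\bauthorization:\s*bearer\s+[A-Za-z0-9._\-]{16,}"),
    # generic assignment: group 1 = secret-like name, group 2 = candidate value
    "assignment": re.compile(
        r"(?i)\b[\w-]*(api[_-]?key|secret|token|password)[\w-]*\s*[:=]\s*['\"]?"
        r"([A-Za-z0-9/+_\-.]{16,})"),
}
ENTROPY_THRESHOLD = 4.0  # bits per char; gates only the generic rule (assumption)


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking credentials score high, placeholders low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


@dataclass
class GuardResult:
    redacted_text: str
    findings: list = field(default_factory=list)  # (rule_name, preview)

    @property
    def allowed(self) -> bool:
        return not self.findings  # policy: block, do not silently forward


def guard_prompt(text: str) -> GuardResult:
    """Redact credential-like material from prompt text; report what was found."""
    result = GuardResult(redacted_text=text)
    for name, pattern in SECRET_PATTERNS.items():
        def redact(m, name=name):
            if name == "assignment":
                value = m.group(2)
                if shannon_entropy(value) < ENTROPY_THRESHOLD:
                    return m.group(0)  # low-entropy placeholder, leave it alone
                result.findings.append((name, value[:4] + "..."))
                return m.group(0)[: m.start(2) - m.start(0)] + f"[REDACTED:{name}]"
            result.findings.append((name, m.group(0)[:8] + "..."))
            return f"[REDACTED:{name}]"
        result.redacted_text = pattern.sub(redact, result.redacted_text)
    return result


# --- Control 2: route privilege-affecting diffs to deeper review -----------
# Path and content heuristics are assumptions; extend them to the repo layout.
PRIVILEGE_SENSITIVE_PATHS = [
    re.compile(r"(^|/)(iam|rbac|roles?|policies|permissions?)(/|\.|$)", re.I),
    re.compile(r"(^|/)(serviceaccount|service_account)s?[^/]*\.ya?ml$", re.I),
]
AUTHZ_CHECK = re.compile(r"\b(has_permission|has_perm|authorize|is_admin|require_role|check_access)\b")
BROAD_GRANT = re.compile(r"cluster-admin|AdministratorAccess|\"\*\"|\*:\*|allow_all")


def classify_diff(diff_text: str) -> dict:
    """Return the review lane and the reasons for it, from a unified diff."""
    reasons, current = [], None
    for line in diff_text.splitlines():
        if line.startswith("diff --git "):
            current = line.split(" b/", 1)[1]
            if any(p.search(current) for p in PRIVILEGE_SENSITIVE_PATHS):
                reasons.append(f"{current}: privilege-sensitive path")
        elif line.startswith(("+++ ", "--- ")):
            continue
        elif line.startswith("-") and AUTHZ_CHECK.search(line):
            reasons.append(f"{current}: removes authorization check: {line[1:].strip()}")
        elif line.startswith("+") and BROAD_GRANT.search(line):
            reasons.append(f"{current}: adds broad grant: {line[1:].strip()}")
    return {"route": "privilege-review" if reasons else "standard", "reasons": reasons}


# Constructed sample inputs (not from the article).
SAMPLE_PROMPT = """Can you refactor my config loader? Here is the .env it reads:
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
DB_PASSWORD=changeme_placeholder_value
GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyzAB
"""
SAMPLE_DIFF = """diff --git a/deploy/k8s/serviceaccount.yaml b/deploy/k8s/serviceaccount.yaml
--- a/deploy/k8s/serviceaccount.yaml
+++ b/deploy/k8s/serviceaccount.yaml
@@ -1,4 +1,8 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: billing-worker
+---
+kind: ClusterRoleBinding
+roleRef:
+  name: cluster-admin
diff --git a/app/views.py b/app/views.py
--- a/app/views.py
+++ b/app/views.py
@@ -10,3 +10,4 @@ def invoice(request):
-    if not request.user.has_permission('billing.view'):
-        return forbidden()
+    # assistant suggestion: simplify auth check
+    if request.user.is_authenticated:
+        pass
     return render_invoice(request)
"""

if __name__ == "__main__":
    g = guard_prompt(SAMPLE_PROMPT)
    print("prompt allowed:", g.allowed, "findings:", g.findings)
    print(g.redacted_text)
    print(classify_diff(SAMPLE_DIFF))
```

The entropy gate is what keeps the generic rule usable: the low-entropy `DB_PASSWORD` placeholder passes through while the AWS secret key is redacted, and lowering the threshold trades noise for recall. The diff classifier flags three things a syntax-only review would not: a change under a service-account path, a `cluster-admin` binding being added, and the deletion of a `has_permission` check that the assistant replaced with a weaker authentication test.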

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8508
 

AI coding assistants are not just productivity tools. They are privileged participants in the software delivery trust chain. Once an assistant can read code, suggest changes, and interact with extensions or cloud-connected tooling, it becomes part of the control surface around identity, secrets, and release governance. That means the security question is no longer only whether developers like the tool. It is whether the organisation has defined what authority the tool should have in the first place. Practitioners need to treat these systems as governed participants, not neutral helpers.

A few things that frame the scale:

  • Companies are dedicating an average of 32.4% of their security budgets to secrets management and code security, with US organisations leading at 40.8%, according to The State of Secrets in AppSec.
  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.

A question worth separating out:

Q: How can organisations tell whether AI-assisted development is actually working?

A: Use downstream indicators such as escaped defects, rework after merge, security findings, and time spent validating generated code. If the assistant increases review load, secret exposure, or release friction, the apparent speed gain is likely being paid back later in the delivery lifecycle.

👉 Read our full editorial: AI coding assistants expose the gap between speed and production safety



   