ai
Photo by Growtika on Unsplash

The rapid adoption of AI coding assistants has sparked widespread concern about cybercriminals exploiting AI-generated software. But according to Arnica CEO Nir Valtman, enterprises face a far more immediate threat: the operational chaos created by AI-generated code that lacks meaningful governance.

Speaking at the OWASP Global AppSec EU conference in Vienna, Valtman argued that organizations are focusing too heavily on hypothetical AI attacks while overlooking the day-to-day realities of managing an unprecedented volume of machine-generated code.

"When people ask what represents the greater risk today, malicious AI attacks or ungoverned AI-generated code, the answer is operational chaos by a significant margin," Valtman said.

The Real Problem Is Visibility, Not Vulnerability

Emerging threats such as goal hijacking, insecure communication between AI agents, and autonomous agents replicating insecure coding patterns are legitimate concerns. However, Valtman believes those threats are being overshadowed by a more immediate challenge: organizations are generating code faster than they can effectively review it.

According to Arnica's internal data, approximately 63% of findings produced by AI-powered code review tools are dismissed during the triage process. Valtman argues this is rarely because the findings lack value. Instead, security and development teams simply lack the capacity to investigate every alert.

"When every code review requires the same level of scrutiny regardless of risk, reviewers become overwhelmed or begin approving changes without meaningful review," he said. "That is how minor issues become production incidents. Not because an attacker exploited the system, but because nobody had the time to properly evaluate the code."

The consequence extends beyond productivity. As organizations accumulate growing volumes of poorly governed code, distinguishing genuine security threats from routine development noise becomes increasingly difficult.

"You have to govern the volume before you can effectively detect the attack," Valtman said.

AI Security Has Moved Beyond Theory

Valtman said one of the biggest surprises at OWASP Global AppSec EU was how knowledgeable attendees already were about the risks surrounding agentic AI.

Rather than introducing the topic, Arnica found itself discussing practical implementation challenges with practitioners who were already deploying AI-assisted development at scale.

"The awareness is already there," Valtman said. "The messaging is there. The solutions simply haven't caught up yet."

He described the mood throughout the conference as one of informed concern. Organizations recognize both the productivity gains and the security implications of AI-generated software, while acknowledging that governance capabilities have not advanced at the same pace as AI adoption.

That growing awareness has also been reinforced by the recent release of the OWASP Top 10 for Agentic Applications, which formally categorizes many of the security risks practitioners have been discussing over the past year.

"Agentic AI has crossed from experimentation into production," Valtman said. "Once software is being shipped to customers, theoretical risks become operational incidents."

Engineering Teams Are Driving Demand

While regulations such as the EU AI Act and NIS2 continue to evolve, Valtman believes customer demand and engineering realities are driving adoption faster than compliance requirements.

Development teams experience the impact of overwhelming review cycles every day, creating pressure to find governance solutions regardless of regulatory timelines.

"When something fails in production because of AI-generated code, the first question isn't whether regulations were satisfied," he said. "It's whether someone actually reviewed the code."

That question, Valtman noted, is increasingly appearing during customer procurement and vendor due diligence conversations long before regulators become involved.

Governance Must Move Earlier

One of Valtman's strongest criticisms was directed at how the industry currently defines AI governance.

Many vendors describe governance as providing visibility into AI-generated code or scanning software after it has already been written. Valtman argues those approaches identify problems but do little to prevent them.

"Visibility without intervention is simply observation," he said.

Instead, Arnica advocates embedding security policies directly into the specifications AI coding agents use before code generation begins. By establishing guardrails upfront, organizations can reduce the need for repetitive cycles of code generation, scanning, remediation, and rescanning.

The company also emphasizes governance at the repository level rather than relying on developers to install individual security tools, allowing policies to be applied consistently across engineering teams.

AI Governance Will Become Standard Security Practice

Looking ahead, Valtman expects AI code governance to become a permanent category within enterprise application security, following a trajectory similar to traditional AppSec over the past decade.

The difference, he argues, is the pace.

"The adoption curve is compressed because AI adoption is moving so quickly," he said.

As AI agents assume a larger role in software development, governance will increasingly shift earlier into the development lifecycle until secure code generation becomes part of the default development process rather than an additional review step.

One requirement, however, will remain constant.

"As more software is created without a human watching every line of code in real time, organizations will increasingly need to demonstrate that meaningful governance existed somewhere in the process," Valtman said. "That expectation isn't going away."