AI companies claim their models are getting better at finding software vulnerabilities. Epoch AI Research just published data on CVE (Common Vulnerabilities and Exposures) trends since 2022 — and the numbers show a clear acceleration in reported vulnerabilities. But the structural question underneath is more uncomfortable: is AI finding more bugs, or creating them?
The Paradox
89% of Cognition’s code is written by Devin, its own AI. GitHub Copilot has 5 million+ weekly users. Autonomous coding agents now ship entire feature branches without human review. The volume of AI-generated code entering production is growing exponentially.
More code means more attack surface. At a constant defect density, the total vulnerability count rises with code volume even if the rate per line stays flat or improves. A codebase that's 10x larger carries roughly 10x more potential entry points; cleaner individual functions lower the density, but they do not cancel out a tenfold growth in the amount of code that has to be defended.
The Enterprise Cost Implication
The enterprise AI cost stack already runs $9-19M annually for a mid-market company — inference, licenses, cloud, deployment, internal team. AI security adds another line item: monitoring, patching, and auditing AI-generated code at scale. The tools to do this (Snyk, SonarQube, CrowdStrike’s AI security suite) add cost that most AI ROI calculations don’t include.
The Structural Question for CISOs
If AI makes development 10x faster but also makes the attack surface 10x larger, the net effect on security posture can be negative. The companies that solve AI security at scale — not just AI capability — capture the next wave of enterprise spending. Security is the constraint that capability alone can't solve.