Should AI factor into your app security?

As organisations continue to embrace artificial intelligence and automation, the conversation around application security is rapidly evolving. While AI offers clear benefits in efficiency and scalability, it also introduces new risks that businesses must carefully manage. One of our Wirebox devs recently attended an ImmuniWeb session that shared key insights on how organisations can balance innovation with security.

Your strategy matters (more than tools)

Across global regulations – including EU NIS2, DORA and US cybersecurity frameworks – one message is consistent:

Strategy, not tools, must drive security.

Regulators are not concerned with whether organisations use AI, shift-left approaches or specific technologies. But they do expect:

  • A risk-based security strategy
  • Clearly defined policies and processes
  • Continuous monitoring and improvement
  • Evidence of compliance

Without this foundation, even the most advanced application security programmes are likely to fail any scrutiny.

Where AI comes in

AI-powered tools are increasingly used for coding, debugging and automation. While they can improve efficiency, their capabilities are often overstated. In practice, AI is only reliably effective for:

  • Debugging and repetitive tasks
  • Automating simple processes
  • Accelerating development workflows

We never recommend using it for:

  • Building complex systems from scratch
  • Ensuring secure integration with existing infrastructure
  • Maintaining long-term code quality

Critically, AI-generated applications still rely on existing systems such as APIs, cloud environments and legacy infrastructure, and these are often the real source of vulnerabilities.

Why AI over-reliance is a problem

One of the biggest concerns is over-reliance on AI, often referred to as automation bias. As teams begin to trust AI outputs without proper validation, several risks emerge:

  • Poor quality assurance due to the blind acceptance of AI-generated code
  • Increased security vulnerabilities through improper integrations
  • Loss of in-house expertise as engineers rely more on automation

In the long term, organisations like ours risk creating large volumes of untested, synthetic code that becomes difficult to maintain and secure.

Common causes of security failures

Based on real-world testing and incident investigations, the most frequent causes of application security failures include:

  • Lack of visibility across systems, infrastructure and third-party access
  • Over-reliance on AI tools without proper governance
  • Excessive data storage, increasing breach impact
  • Weak third-party and supply chain management
  • Insufficient training and unclear ownership of AI usage

Emerging risks specific to AI include:

  • Prompt injection attacks
  • Model poisoning and data manipulation
  • Excessive system resource consumption (DoS risks)
  • Over-permissioned AI agents

While these threats may seem new, many are variations of traditional vulnerabilities — reinforcing the importance of strong fundamentals.

These issues highlight the need for a holistic approach to security, rather than focusing solely on applications.

Application security best practice

To build a resilient security posture, organisations should focus on:

1. Comprehensive Asset Visibility

Maintain a complete inventory of:

  • Applications
  • APIs
  • Cloud infrastructure
  • Third-party integrations

2. Risk-Based Testing

Move beyond compliance-only testing and align security efforts with real-world threats.

3. Human-Led Penetration Testing

Despite advances in AI, manual penetration testing remains essential, particularly for complex systems and regulatory compliance.

4. Continuous Monitoring

We always recommend our clients adopt ongoing scanning and testing rather than relying on periodic assessments. This reduces your risk factors and helps you stay compliant with regulations.

5. Developer Training

Lastly, you must ensure your teams understand both security fundamentals and the limitations of AI tools.

Overall, we want to impress on our clients that AI will continue to play a significant role in application security, but it is not a replacement for human expertise. If you’re in need of a security audit and retool, give our helpful team a call.