Artificial intelligence has overtaken all other forces shaping application security, according to a major new industry study that shows organisations racing to secure AI-generated code while responding to growing regulatory pressure.
The 16th edition of the Building Security In Maturity Model (BSIMM), released by Black Duck, analysed real-world software security practices across 111 organisations worldwide, covering more than 91,000 applications developed by 223,000 developers. It is the largest and longest-running study of its kind, offering a data-driven view of how application security programmes are evolving in 2026.
For the first time in BSIMM’s 16-year history, AI has emerged as the single most influential factor reshaping security priorities. Organisations are now grappling with a dual challenge: securing AI-powered development tools such as large language model (LLM) coding assistants, while defending against increasingly sophisticated AI-enabled attacks.
AI-generated code introduces new security risks
The report highlights growing concern that AI-generated code, while often appearing polished and production-ready, can conceal serious security flaws. As a result, organisations are introducing new controls specifically designed to manage AI-related risk.
BSIMM16 found a 12% increase in organisations using risk-ranking methods to determine where LLM-generated code can safely be deployed, alongside a 10% rise in teams applying custom security rules to automated code review tools to detect vulnerabilities unique to AI-generated code. There was also a 10% increase in the use of attack intelligence to track emerging AI-related threats.
Rather than trusting the output of AI tools, security teams are increasingly embedding automated checks and governance mechanisms into the software development lifecycle to compensate for the limitations of AI-assisted coding.
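One concrete form the custom code-review rules described above can take, as an added illustration that is not from the BSIMM report or from Black Duck: a small Python checker built on the standard library's ast module that walks a source file and flags a handful of patterns a team might choose to treat as review blockers for generated code (shell=True in subprocess calls, verify=False in requests calls, eval/exec, yaml.load without a Loader, and string constants assigned to credential-looking names). The rule identifiers, the pattern set and the sample source are assumptions made for the example; a real programme would wire rules like these into whatever SAST or linting tool already runs in the pipeline.

```python
"""Custom AST-based review rules for Python source (added example, not BSIMM/Black Duck code)."""
import ast
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule_id: str
    line: int
    message: str


# Variable names that look like credentials (assumed pattern for the example).
SECRET_NAME = re.compile(r"(password|passwd|secret|token|api_key)", re.IGNORECASE)


def _dotted(node):
    """Return 'pkg.attr.attr' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _kw(call, name):
    """Return the AST node passed as keyword `name`, or None if absent."""
    for kw in call.keywords:
        if kw.arg == name:
            return kw.value
    return None


class RuleVisitor(ast.NodeVisitor):
    def __init__(self):
        self.findings = []

    def report(self, rule_id, node, message):
        self.findings.append(Finding(rule_id, node.lineno, message))

    def visit_Call(self, node):
        name = _dotted(node.func)
        if name in ("eval", "exec"):
            self.report("PY-EVAL", node, f"{name}() executes runtime data")
        if name and name.startswith("subprocess."):
            shell = _kw(node, "shell")
            if isinstance(shell, ast.Constant) and shell.value is True:
                self.report("PY-SHELL", node, "subprocess call with shell=True")
        if name and name.startswith("requests."):
            verify = _kw(node, "verify")
            if isinstance(verify, ast.Constant) and verify.value is False:
                self.report("PY-TLS", node, "requests call with verify=False")
        if name == "yaml.load" and _kw(node, "Loader") is None:
            self.report("PY-YAML", node, "yaml.load without an explicit Loader")
        self.generic_visit(node)

    def visit_Assign(self, node):
        value = node.value
        if isinstance(value, ast.Constant) and isinstance(value.value, str) and value.value:
            for target in node.targets:
                if isinstance(target, ast.Name) and SECRET_NAME.search(target.id):
                    self.report("PY-SECRET", node, f"hard-coded value assigned to {target.id}")
        self.generic_visit(node)


def check_source(src):
    """Parse `src` and return findings sorted by line number."""
    visitor = RuleVisitor()
    visitor.visit(ast.parse(src))
    return sorted(visitor.findings, key=lambda f: f.line)


# Constructed sample that reads like tidy generated code but trips every rule above.
SAMPLE = '''\
import subprocess
import requests

API_TOKEN = "sk-live-0123456789abcdef"

def fetch(url):
    return requests.get(url, verify=False, timeout=5)

def run(cmd):
    return subprocess.run(cmd, shell=True, capture_output=True)

def calc(expr):
    return eval(expr)
'''

if __name__ == "__main__":
    for f in check_source(SAMPLE):
        print(f"line {f.line}: [{f.rule_id}] {f.message}")
```

Running the block against the embedded sample reports one finding per rule (lines 4, 7, 10 and 13); in a pipeline, a non-empty result is the signal to block the merge and route the change to a human reviewer rather than to the model that wrote it.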
Regulation accelerates security investment
Alongside AI, government regulation is a powerful driver of change. New and emerging mandates, including the EU Cyber Resilience Act and U.S. federal software security requirements, are forcing organisations to strengthen software supply chain visibility and improve their ability to demonstrate compliance.
The study reports a nearly 30% increase in organisations producing software bills of materials (SBOMs) for deployed software, reflecting growing demands for transparency into software components. Automated verification of infrastructure security increased by more than 50%, while processes for responsible vulnerability disclosure grew by over 40%, indicating a shift toward more structured, auditable security operations.
These changes suggest that regulatory compliance is no longer treated as a checkbox exercise, but as a catalyst for long-term improvements in application security maturity.
Supply chain security moves centre stage
BSIMM16 also shows organisations expanding their focus beyond internally developed code to address risk across the wider software supply chain. Increased use of third-party components, open source software, and AI-assisted development has heightened the need for standardisation and visibility.
The report observed a more than 40% rise in organisations establishing standardised technology stacks, as well as continued growth in SBOM adoption, signalling that supply chain security is becoming a core element of application security programmes rather than a specialist concern.
Security training adapts to modern development
Traditional security training approaches are also evolving. Lengthy classroom-based courses are increasingly being replaced by just-in-time, role-specific guidance delivered directly within developer workflows.
BSIMM16 recorded a 29% increase in organisations providing security expertise via open collaboration channels, allowing developers to access immediate support when security questions arise. This shift reflects the realities of agile development environments, where short, targeted guidance is often more effective than formal training sessions.
Framework stability signals maturity
Notably, BSIMM16 introduces no changes to the framework structure for the first time since the model was created. While many individual security activities showed significant growth, none shifted sufficiently to warrant reclassification.
According to the report’s authors, this stability signals that application security as a discipline has reached a level of structural maturity, even as AI, regulation, and supply chain complexity continue to reshape how organisations implement security in practice.
As organisations navigate an increasingly AI-driven development landscape, BSIMM16 provides a snapshot of how leading security teams are adapting, offering a benchmark for others seeking to balance innovation, compliance, and risk management in modern software environments.