A sharp rise in AI-assisted software development is driving unprecedented increases in open source security and licensing risk, according to new research from Black Duck.
The company’s 2026 Open Source Security and Risk Analysis (OSSRA) report reveals that vulnerabilities in commercial software codebases have more than doubled year-on-year, highlighting growing concerns that organisations are producing software faster than they can effectively secure or govern it.
Based on an analysis of 947 commercial codebases spanning 17 industries, the report paints a picture of a rapidly expanding software attack surface driven by the widespread adoption of open source components and AI-generated code.
Vulnerabilities reach historic levels
The research found that the average number of open source vulnerabilities per application increased by 107%, reaching 581 per codebase, while 87% of audited applications contained at least one known vulnerability. Open source software is now effectively universal, appearing in 98% of codebases, meaning almost every modern application inherits third-party risk.
At the same time, software complexity continues to grow rapidly. Open source component counts rose by 30% year-on-year, while the number of files in codebases increased by 74%, further complicating visibility and risk management efforts. According to Black Duck, the increasing use of AI models in development environments is introducing a new and largely unregulated attack surface.
AI is accelerating legal and compliance exposure
Beyond security concerns, the report highlights mounting legal and licensing risks linked to AI-generated code. Two-thirds (68%) of audited codebases were found to contain open source licence conflicts, the highest rate recorded in the history of the OSSRA study, and a significant increase from the previous year.
AI coding tools may reproduce code governed by restrictive licences, creating intellectual property uncertainty and compliance challenges for organisations operating under emerging regulations such as the EU Cyber Resilience Act.
Despite widespread adoption of AI development tools, governance practices appear to lag behind usage. While most organisations assess AI-generated code for security risks, only 24% conduct comprehensive reviews that cover security, licensing, intellectual property, and quality considerations.
Visibility gap creates growing risk
The report also identifies a widening visibility gap across modern software supply chains. Around 17% of open source components enter applications outside standard package managers, including copied code snippets, vendor dependencies, binaries, and AI-generated outputs, making them difficult to detect with traditional scanning methods.
Jason Schmitt, CEO of Black Duck, said the findings demonstrate how fundamentally AI has reshaped software risk.
“AI has fundamentally changed the economics of software development — and with it, the economics of software risk. The pace at which software is created now exceeds the pace at which most organisations can secure it,” he said .
Governance struggles to keep pace
The OSSRA report concludes that organisations must modernise software supply chain governance to maintain visibility into open source components and embedded AI models. Without improved inventory tracking, software bills of materials (SBOMs), and AI governance policies, enterprises may struggle to meet rising regulatory expectations and customer demands for transparency. As AI-assisted development becomes inseparable from modern software creation, the research suggests that visibility, rather than speed alone, will increasingly determine organisational resilience and trust.




