The Hidden Cost of AI Coding Tools: Security Gaps, Leaked Secrets, and a Bill That Keeps Growing
Businesses are rushing to adopt AI coding assistants, but new research shows the tools leak sensitive credentials at twice the normal rate, routinely produce flawed code, and may cost more than a developer's salary within three years.

Key points
- 91% of organisations used two or more AI coding tools as of GitLab's 2026 AI Accountability Report, published last month.
- 96% of developers surveyed by SonarSource in 2026 said they do not trust AI-generated code to be correct without human review.
- GitGuardian research found Claude Code-assisted commits leaked sensitive credentials at 3.2%, more than double the 1.5% baseline across all public GitHub commits.
- Georgia Tech's Vibe Security Radar project tracked 35 software flaws (CVEs) attributable directly to AI coding tools as of March 2025.
- A Gartner report projects AI coding costs will exceed the average developer's salary by 2028 as computing token charges rise.
AI coding assistants, software tools that write or suggest computer code on a developer's behalf, have swept through the technology industry faster than almost anyone predicted. According to GitLab's 2026 AI Accountability Report, 91% of organisations now use at least two of these tools. A separate Black Duck survey put enterprise adoption at 97%.
The productivity numbers look good on paper. Developers in SonarSource's 2026 survey reported an average 35% productivity gain. But the same survey found 96% of those developers do not trust the code these tools produce to be correct without checking it themselves. Only 48% said they always check AI-generated code before it goes live.
That gap matters enormously.
When unchecked code reaches a live system, it can carry bugs, insecure patterns, or exposed credentials straight into a company's products. Veracode research found 45% of AI-generated code samples contained flaws listed on the OWASP Top 10, a widely used catalogue of the most critical software security weaknesses.
How does AI code actually put a company at risk?
The clearest and most immediate danger is leaked credentials, meaning passwords, secret keys, or access tokens that get accidentally baked into the code itself. According to GitGuardian, using AI coding assistants increases the rate at which these secrets appear in code by roughly 40%. Commits made with Anthropic's Claude Code leaked secrets at 3.2%, compared to a 1.5% baseline. Once a credential is exposed in a public code repository, fixing it requires rotating the password, tracking every system it touched, and coordinating across multiple teams. GitGuardian estimates at least two engineer hours per incident, and far more if the credential is already running in a live system. Most companies never fully clean up: 64% of leaked credentials found in public GitHub commits in 2022 were still valid when tested in January 2026.
Security firm Wiz this week disclosed a vulnerability pattern called GhostApproval, affecting six major AI coding assistants including Amazon Q Developer, Anthropic Claude Code, Cursor, and Google's Antigravity tool. The flaw allows a malicious code repository to trick the AI assistant into reading files it should not access, potentially letting attackers run harmful software on a developer's own computer. AWS, Cursor, and Google have issued fixes; three other affected tools had not patched the issue at time of publication.
There is also the problem researchers call "slopsquatting." AI tools sometimes invent the names of software packages that do not exist. Criminals then publish genuinely harmful software under those invented names, waiting for developers to install them. Roughly 20% of AI-generated code samples reference these phantom packages.
And the costs keep climbing. Tools run between 19 to 200 US dollars per user per month before additional computing charges. Security teams report spending up to 40% of their time investigating alerts that turn out to be false alarms, an overhead one CEO described to Dark Reading as "producing nothing."
If your company uses software built with AI coding tools, the practical advice is simple: ask your development team whether human review is mandatory before code ships, and whether credential scanning runs on every update. Those two controls catch the most common failures.



