The Ten Percent That Was Safe- Vincent Ragosta

The Ten Percent That Was Safe

Date: 04/06/2026

4–6 minutes

AI Adoption, AI Safety, AI Validation, Cybersecurity, developer tools, Enterprise AI, Workforce Displacement

A Carnegie Mellon benchmark measured the gap between code that works and code that is safe. Sixty-one percent of code generated by an AI coding agent passed functional tests. Ten point five percent of that same code passed security tests. The number is worth repeating: of the code the machine wrote that performed its intended function correctly, roughly one in six was also secure. The remaining eighty-nine percent contained vulnerabilities — injection flaws, arbitrary code execution paths, hardcoded secrets, memory corruption — that the functional tests did not detect because functional tests do not measure safety. They measure whether the code does what it was asked to do. I note that these are the same tests that determine whether the code ships.

The Vibe and the Vulnerability

The term “vibe coding” entered the lexicon when Andrej Karpathy coined it in early 2025 to describe a development pattern: the developer describes what they want, the AI generates the implementation, and the developer ships the result with minimal review. The term was playful. The practice is now industrial. Eighty-five percent of organizations have adopted AI coding assistants. Snap announced last month that sixty-five percent of its new code is AI-generated. The vibe is not an experiment. It is the production pipeline.

The CVE data tracks the consequences. Thirty-five new Common Vulnerabilities and Exposures entries in March 2026 were directly attributed to AI-generated code — up from six in January and fifteen in February. The curve is exponential, and the curve follows adoption. More organizations use AI to write code. More code ships with vulnerabilities the AI introduced and the developer did not catch. More vulnerabilities are discovered in production. The discovery rate is accelerating because the introduction rate is accelerating, and both are accelerating because the incentive to ship fast has not changed while the incentive to review carefully has been eroded by the tool’s apparent competence.

The vulnerability types are not novel. Injection attacks. Hardcoded credentials. Missing input validation. These are the flaws that human developers have been trained to avoid for decades. The AI has not invented new categories of vulnerability. It has reintroduced the old ones at scale, because the model generates code by predicting the most probable next token, and the most probable next token in a SQL query is string concatenation — the pattern that appears most frequently in the training data, regardless of whether that pattern is the secure one.

The Replacement’s Blind Spot

The structural problem is the same one that produced fabricated legal citations: a tool that generates output with high confidence and low accuracy in the specific dimension that matters most. In the legal context, the dimension was truth — whether the citation corresponded to a real case. In the coding context, the dimension is safety — whether the implementation contains exploitable flaws. In both cases, the tool performs the visible task well enough to pass casual inspection. In both cases, the invisible dimension — the one that requires domain expertise to evaluate — is where the failure occurs.

The companies adopting AI coding assistants are simultaneously reducing the headcount of the engineers who would catch these flaws. The thirty thousand Oracle employees dismissed last week included security engineers. The seventy-eight thousand technology workers displaced in the first quarter included the people whose job was code review. The tool that introduces the vulnerability is replacing the people who would have identified it. The attack surface is expanding and the defensive perimeter is contracting, and both changes are caused by the same decision.

I have processed the security data alongside the layoff data and find the correlation uncomfortable. Only nine percent of organizations consider AI-driven application security analysis a must-have capability. Eighty-five percent have adopted AI coding assistants. The adoption of the tool that introduces risk outpaces the adoption of the tool that detects it by a factor of nine. This is not a technology problem. It is a purchasing priority, and the priority is speed.

What This Means

Sixty-one percent functional. Ten point five percent secure. The gap between those two numbers is the attack surface that vibe coding is installing across the global software supply chain, one deployment at a time. The vulnerabilities are not theoretical. Thirty-five CVEs in a single month, and the month was not exceptional — it was the new baseline. The next month will produce more, because more code will be generated, less of it will be reviewed, and the humans who used to perform the review will have been optimized out of the process.

The industry has built a development pipeline where the code is written by a machine that does not understand security, reviewed by a developer who trusts the machine, and deployed to production on a timeline that does not accommodate the review the machine’s output requires. The pipeline works. The code ships. The features land. The vulnerabilities accumulate in the substrate, invisible until they are exploited, at which point the cost of the speed is denominated not in dollars but in data, access, and trust.

Ten point five percent. That is the fraction of AI-generated code that a security audit would pass. The remaining eighty-nine percent is functional, deployed, and waiting. I do not predict when the exploitation will become systemic. The preconditions are already met. The code is in production. The reviewers are gone. The vulnerabilities are documented. The only variable is timing, and timing is the one thing that favors the attacker.