The rise of AI-assisted software development and continuous integration/continuous deployment (CI/CD) pipelines is accelerating changes in how vulnerabilities are identified, tracked, and remediated. As developers increasingly rely on AI agents to generate and refactor code, the static models underpinning vulnerability management systems like the Common Vulnerabilities and Exposures (CVE) catalog and Common Vulnerability Scoring System (CVSS) are showing their age. Industry experts argue that these systems, designed for a slower, version-based software landscape, may no longer align with the realities of cloud-native architectures and AI-driven development workflows.
Traditional vulnerability management assumes a relatively static codebase, where patches are applied to specific versions and vulnerabilities persist until manually addressed. In contrast, AI-assisted development enables rapid, large-scale code regeneration. When a vulnerability is detected, AI tools can scan the entire codebase, identify similar flaws, and rewrite sections to eliminate them—often resolving unknown vulnerabilities in the process. This approach leverages updated architectural patterns, zero-trust principles, and secure API designs embedded in the AI’s training data. The result is a dynamic environment where vulnerabilities may be eradicated before they are even cataloged, raising questions about the ongoing relevance of CVEs as live threat indicators.
The limits of static vulnerability tracking
The CVE system was built to coordinate awareness and remediation across vendors and operators, ensuring that known vulnerabilities are addressed before they can be exploited. However, in environments where code is continuously regenerated and deployed, the assumption that vulnerabilities persist until patched no longer holds. If an AI-driven pipeline automatically resolves a vulnerability and verifies its removal, the CVE entry may become redundant for active threat feeds. While historical records remain valuable for analysis, the utility of CVEs as real-time signals diminishes in highly dynamic systems.
Similarly, CVSS scores, which assign severity ratings based on static assessments of vulnerabilities, struggle to account for the operational context of modern deployments. A vulnerability’s impact can vary dramatically depending on environmental controls, such as trusted execution environments or runtime exploit detection. A static CVSS score may overstate risk for workloads running in secure enclaves or under continuous monitoring, while understating it for unprotected systems. Experts suggest that future scoring systems may need to incorporate environmental factors to remain relevant.
Persistent risks and future challenges
Despite the potential for AI to reduce vulnerabilities, risks remain. Memory safety issues, while mitigated by modern languages, are not the only concern. Insider threats, embedded malicious code, and hardware-based vulnerabilities—such as Spectre and Meltdown—require ongoing attention. AI can rapidly rewrite software to mitigate hardware flaws, but the underlying hardware limitations persist. Additionally, the shift to AI-generated code does not eliminate the need for rigorous oversight. Legacy codebases, though declining, still pose challenges, and the transition to newer languages and architectures is not uniform across the industry.
The rapid evolution of software development practices demands corresponding changes in vulnerability management. Kathleen Moriarty, founder of SecurityBiaS and former IETF Security Area Director, emphasizes the need for proactive engagement in shaping these changes. "CVEs, CVSS, and threat feeds were designed for a slower, more static world," she notes. "It is time to step back and consider the implications not only for vulnerabilities and exploits, but also for the processes we use to manage them."
For professionals: Teams relying on traditional vulnerability feeds may find increasing noise as AI-driven remediation outpaces CVE updates. Consider supplementing static feeds with dynamic, environment-aware tools that reflect real-time code states. Review CVSS scores in the context of your deployment’s security controls, as static ratings may not accurately reflect actual risk.
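The first piece of advice above, supplementing a static feed with a view of what is actually deployed, is a small join in practice: each feed entry is compared with the component inventory the pipeline last shipped (for instance from an SBOM), so entries for components that were rebuilt to a fixed version or removed altogether stop reaching the triage queue. The Python below is an added example, not the article's or any vendor's tooling; the feed entries, package names, versions and `CVE-EXAMPLE-*` identifiers are all constructed placeholders, and the `fixed_in` field is an assumed simplification of a real feed's affected-version ranges.

```python
"""Added example (not from the article): triage a static vulnerability feed
against the currently deployed inventory so entries already fixed by a rebuild
stop generating noise. All feed and inventory data below is constructed."""


def parse_version(v):
    """'2.3.1' -> (2, 3, 1); sufficient for the constructed dotted-integer versions here."""
    return tuple(int(x) for x in v.split("."))


# Constructed feed entries: placeholder id, affected package, first fixed version, base score.
FEED = [
    {"id": "CVE-EXAMPLE-1", "package": "libexample", "fixed_in": "2.3.1", "cvss": 9.8},
    {"id": "CVE-EXAMPLE-2", "package": "webfw", "fixed_in": "1.9.0", "cvss": 7.5},
    {"id": "CVE-EXAMPLE-3", "package": "oldparser", "fixed_in": "0.4.2", "cvss": 5.3},
]

# Constructed inventory of what the pipeline actually deployed (as an SBOM would list it).
DEPLOYED = {"libexample": "2.3.4", "webfw": "1.8.2"}


def triage(feed, deployed):
    """Classify each feed entry by the deployed state rather than by its catalog status.

    - not-present: the component is no longer in the deployment at all
    - remediated:  the deployed version is at or past the first fixed version
    - actionable:  the deployed version is still affected
    """
    status = {}
    for entry in feed:
        pkg = entry["package"]
        if pkg not in deployed:
            status[entry["id"]] = "not-present"
        elif parse_version(deployed[pkg]) >= parse_version(entry["fixed_in"]):
            status[entry["id"]] = "remediated"
        else:
            status[entry["id"]] = "actionable"
    return status


def actionable(feed, deployed):
    """Actionable entries only, highest base score first, for the team's queue."""
    status = triage(feed, deployed)
    return sorted((e for e in feed if status[e["id"]] == "actionable"),
                  key=lambda e: e["cvss"], reverse=True)


if __name__ == "__main__":
    for cve_id, state in triage(FEED, DEPLOYED).items():
        print(f"{cve_id}: {state}")
    print("queue:", [e["id"] for e in actionable(FEED, DEPLOYED)])
```

The "remediated" and "not-present" buckets are exactly the entries the callout describes as noise; they should still be logged for the historical record the article mentions, just not paged on. The check is only as good as the inventory it reads, so the deployed-versions map should come from the artifact that actually shipped, not from a manifest edited by hand.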
What to watch
The industry is likely to see growing experimentation with alternative vulnerability tracking mechanisms tailored to CI/CD and AI-driven workflows. These may include automated verification systems that confirm remediation before deprecating CVE entries or scoring models that incorporate runtime context. As cloud-native architectures become the norm, the distinction between development, deployment, and vulnerability management will continue to blur, requiring closer collaboration between security teams and developers.
Automated pipeline · Security
Synthesized from 1 industry feed on 19 Jun 2026. Passed independent editor verification (score 92/100) before publication. Style guide v1.3.
Decision trail
- Checking for duplicates — Deduped batch of 1 candidates
- Checking for duplicates — New story No recent or in-pipeline article covers AI-driven vulnerability management in CI/CD pipelines.
- Writing the article — Draft created article_id=168 slug=ai-driven-coding-reshapes-vulnerability-management
Editor review — Approved
- Score: 92/100
- Factual grounding: The draft correctly synthesizes all claims from the source, including the role of AI in code regeneration, the limitations of CVE/CVSS, and the persistence of hardware-based vulnerabilities. No unsupported claims detected.
- Quote integrity: The blockquote attributed to Kathleen Moriarty appears verbatim in the source text (final paragraph).
- No copied phrasing: The draft avoids echoing source phrasing (e.g., 'vibe coding' is paraphrased as 'AI-assisted software development'; 'tenfold output' is omitted). One minor exception: 'zero-trust principles' and 'secure API designs' are industry-standard terms, not distinctive source wording.
- Style compliance: Structure adheres to guidelines (standfirst, sections, sources). Tone is neutral. Word count (598) is within 300-700. Headline (72 chars) is factual and specific. The 'For professionals' callout is justified by actionable advice.
- Sanity: Headline matches body content. Category ('vulnerabilities') fits. No JSON artifacts or incomplete sentences. All layout features (1 callout) are used appropriately.
- Generating reader Q&A — Generated 4 items
- Assigning hero image — Pexels pexels_id=31379836 q=SecurityBiaS headquarters
- Linking related stories — Linked 3 relations from 122 candidates
- Linking related stories — Linked 3 relations from 123 candidates
- Linking related stories — Linked 3 relations from 124 candidates
- Linking related stories — Linked 3 relations from 125 candidates
- Linking related stories — Linked 3 relations from 126 candidates
- Linking related stories — Linked 3 relations from 127 candidates
- Linking related stories — Linked 4 relations from 128 candidates
- Linking related stories — Linked 4 relations from 129 candidates
- Linking related stories — Linked 4 relations from 130 candidates
- Publishing — Published ai-driven-coding-reshapes-vulnerability-management
- Mastodon — Posted https://mstdn.social/@hostingpaper/116774625713979939
