EP 24 — Apiiro's Karen Cohen on Emerging Risk Types in AI-Generated Code

AI coding assistants are generating pull requests with 3x more commits than human developers, creating a code review bottleneck that manual processes can't handle. Karen Cohen, VP of Product Management of Apiiro, warns how AI-generated code introduces different risk patterns, particularly around privilege management, that are harder to detect than traditional syntax errors. Her research shows the shift from surface-level bugs to deeper architectural vulnerabilities that slip through code reviews, making automation not just helpful but essential for security teams.

Karen’s framework for contextual risk assessment evaluates whether vulnerabilities are actually exploitable by checking if they're deployed, internet-exposed, and tied to sensitive data, moving beyond generic vulnerability scores to application-specific threat modeling. She argues developers overwhelmingly want to ship quality code, but security becomes another checkbox when leadership doesn't prioritize it alongside feature delivery. 

Topics discussed:

• AI coding assistants generating 3x more commits per pull request, overwhelming manual code review processes and security gates.
• Shift from syntax-based vulnerabilities to privilege management risks in AI-generated code that are harder to identify during reviews.
• Implementing top-down and bottom-up security strategies to secure executive buy-in while building grassroots developer credibility and engagement.
• Contextual risk assessment framework evaluating deployment status, internet exposure, and secret validity to prioritize app-specific vulnerabilities beyond CVSS scores.
• Transitioning from siloed AppSec scanners to unified application risk graphs that connect vulnerabilities, APIs, PII, and AI agents.
• Developer overwhelm driving security deprioritization when leadership doesn't communicate how vulnerabilities impact real end users and business outcomes.
• Future of code security involving agentic systems that continuously scan using architecture context and real-time threat intelligence feeds.
• Balancing career growth by choosing scary positions with psychological safety and gaining experience as both independent contributor and team player.