Introduction to AI-Generated Code Risks
The use of AI-generated code is becoming increasingly popular, but it also introduces significant risks into the development process. For example, a recent Sonatype report found that AI hallucinated 27% of upgrade recommendations for open source projects.
Research from Veracode likewise found that AI introduced security vulnerabilities in 45% of 80 coding tasks run across more than 100 different LLMs. Understanding the risks that come with AI-generated code is therefore essential.
IP and Licensing Risks
A new report from Black Duck sheds light on another pressing issue with AI-generated code: IP and licensing risk. The company's 2026 Open Source Security and Risk Analysis (OSSRA) report analyzed 947 commercial codebases and found license conflicts in two-thirds of them.
That is a 12% increase over last year, the largest year-over-year jump in the report's history. One codebase Black Duck audited contained 2,675 distinct license conflicts, a measure of how complex managing IP has become.
License Laundering
Black Duck attributes part of this rise to "license laundering": AI assistants generate code snippets derived from copyleft sources (such as GPL-licensed projects) without carrying over the original license notice, so the code arrives with no record of the terms it is still subject to. The report also found that 17% of open source components enter codebases outside of traditional package managers.
Code that enters this way may be invisible to manifest-based scanning tools, which only see what the package manager declares. Organizations can mitigate this by scanning the files themselves (snippet- and file-level detection rather than a manifest lookup) as part of continuous supply chain transparency.
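As an added example (not code from the Black Duck report or from any vendor's scanner), the following script shows the file-level check that a manifest-only scan skips: it walks a source tree, looks for SPDX tags and copyleft license boilerplate inside the files, and reports anything that no declared dependency accounts for. The requirements.txt manifest format, the `vendor/` and `third_party/<name>/` layout for vendored code, and the sample files it scans are assumptions constructed for illustration.

```python
"""File-level scan for copyleft license markers that manifest-based SCA does not see.

Added example, not the Black Duck report's or any vendor's scanner. Assumptions:
a requirements.txt-style manifest, vendored code under vendor/ or third_party/<name>/,
and the sample files below, which are constructed for illustration.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# SPDX tag as written in source headers, e.g. "SPDX-License-Identifier: GPL-2.0-or-later".
SPDX_RE = re.compile(r"SPDX-License-Identifier:\s*([A-Za-z0-9.+\- ()]+)")
# Boilerplate phrases that identify a copyleft license even when no SPDX tag is present.
COPYLEFT_PHRASES = {
    "gnu general public license": "GPL",
    "gnu lesser general public license": "LGPL",
    "gnu affero general public license": "AGPL",
    "mozilla public license": "MPL",
}
COPYLEFT_PREFIXES = ("GPL", "LGPL", "AGPL", "MPL", "EPL", "CDDL", "EUPL")
SOURCE_EXTS = {".py", ".c", ".h", ".cpp", ".js", ".ts", ".go", ".rs", ".java"}
VENDOR_DIRS = {"vendor", "third_party"}


def license_markers(text: str) -> set[str]:
    """Collect license identifiers from SPDX tags and from copyleft boilerplate text."""
    found: set[str] = set()
    for match in SPDX_RE.finditer(text):
        # Expressions like "(MIT OR GPL-2.0-only)" are split into their identifiers.
        for ident in re.split(r"\s+(?:OR|AND|WITH)\s+|[()]", match.group(1)):
            if ident.strip():
                found.add(ident.strip())
    lowered = text.lower()
    found.update(short for phrase, short in COPYLEFT_PHRASES.items() if phrase in lowered)
    return found


def is_copyleft(ident: str) -> bool:
    """True for GPL/LGPL/AGPL/MPL/EPL/CDDL/EUPL identifiers, in SPDX or short form."""
    return ident.split("-", 1)[0].upper() in COPYLEFT_PREFIXES


def declared_packages(requirements_text: str) -> set[str]:
    """Package names a manifest-based scanner would see (requirements.txt syntax)."""
    names: set[str] = set()
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        names.add(re.split(r"[<>=!~\[;@ ]", line, maxsplit=1)[0].lower().replace("_", "-"))
    return names


def scan_tree(root: Path, declared: set[str]) -> list[dict]:
    """Report source files carrying copyleft markers that no declared dependency covers."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix not in SOURCE_EXTS:
            continue
        markers = {m for m in license_markers(path.read_text(errors="replace")) if is_copyleft(m)}
        if not markers:
            continue
        parts = path.relative_to(root).parts
        # vendor/<name>/... marks a vendored component; anything else is first-party source
        # into which a snippet was pasted, which is the license-laundering path.
        vendored = parts[1].lower().replace("_", "-") if len(parts) > 2 and parts[0] in VENDOR_DIRS else None
        if vendored in declared:
            continue  # the manifest already names it, so manifest-based SCA sees it
        findings.append({
            "file": "/".join(parts),
            "licenses": sorted(markers),
            "origin": f"vendored:{vendored}" if vendored else "in-tree snippet",
        })
    return findings


# Constructed sample tree: one declared dependency, one undeclared vendored GPL component,
# one first-party file with a pasted GPL snippet, and one permissively licensed file.
SAMPLE_FILES = {
    "requirements.txt": "requests==2.31.0\n",
    "third_party/fastjson/fastjson.c": (
        "/* SPDX-License-Identifier: GPL-2.0-or-later */\n"
        "int parse(const char *s) { return s != 0; }\n"
    ),
    "src/app/util.py": (
        "# Snippet suggested by an assistant; the donor project's header survived the paste:\n"
        "# This program is free software: you can redistribute it and/or modify it under\n"
        "# the terms of the GNU General Public License as published by the Free Software Foundation.\n"
        "def edit_distance(a, b):\n"
        "    return 0\n"
    ),
    "src/app/main.py": "# SPDX-License-Identifier: Apache-2.0\nprint('ok')\n",
}


def demo() -> list[dict]:
    """Write the constructed tree to a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in SAMPLE_FILES.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content)
        declared = declared_packages((root / "requirements.txt").read_text())
        findings = scan_tree(root, declared)
    for f in findings:
        print(f"{f['file']}: {', '.join(f['licenses'])} ({f['origin']})")
    return findings


if __name__ == "__main__":
    demo()
```

The scan flags both the undeclared vendored GPL component and the GPL snippet pasted into first-party code, while the Apache-licensed file and the declared `requests` dependency pass. It only catches markers that survived the copy; a snippet whose header was stripped, which is the laundering case proper, needs fingerprint or snippet matching against a corpus of known open source code, which is what the commercial tools add on top of a check like this. Treat it as a cheap pre-commit gate for the cases the manifest cannot see, not as a replacement for that matching.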
Vulnerabilities in Code
This year's OSSRA report also found that the mean number of vulnerabilities per codebase has nearly doubled since last year: 87% of the codebases had at least one vulnerability, 78% had high-risk vulnerabilities, and 44% had critical-risk vulnerabilities.
The research also surfaced a "zombie component" problem: 93% of codebases contained components that had seen no active development in two years, and 92% contained components that were at least four years out of date.
Abandoned Components
Only 7% of components in use were on the latest version. Abandoned components are a ticking time bomb: when a vulnerability is discovered in a project that hasn't been touched in years, there is often no maintainer left to fix it.
Organizations are then left with difficult choices: fork the project and patch it themselves, refactor the application to remove the dependency, or accept the risk. Knowing which components are abandoned, and having every component in use accounted for, is therefore crucial.
Conclusion
AI-generated code introduces significant IP and licensing risk alongside security vulnerabilities. Organizations that understand these risks and act on them can materially reduce the exposure in their codebases.
That means moving toward continuous supply chain transparency, where every component, whether human-written, AI-generated, or open source, is accounted for. Doing so reduces the risks that come with AI-generated code and supports the long-term security of the applications built on it.
Frequently Asked Questions
- What are the risks associated with AI-generated code?
- How can organizations mitigate the risks of license laundering?
- What is the impact of abandoned components on code security?
- How can organizations ensure continuous supply chain transparency?
- What are the benefits of using AI-generated code in software development?