Three-quarters of organizations have admitted to shipping vulnerable code, as AI risk proliferates in supply chains, according to two new studies out this week.
Checkmarx published new data on May 21 showing that 75% of organizations often or sometimes deploy code they know is vulnerable.
That’s down from a figure of 81% last year, but remains too high at a time when increasingly powerful AI models are enabling threat actors to find and exploit vulnerabilities with ever-greater efficiency.
What took an average of 840 days to exploit in 2018 takes less than two days in 2026, Checkmarx claimed. Researchers on its Checkmarx Zero team predict that time-to-exploit will reach one minute by 2028.
Checkmarx VP, Eran Kinsbruner, argued that unvetted AI-generated code is a big part of the problem.
“The backlog isn’t a process problem anymore; it’s a math problem,” she said. “AI-generated code is outpacing every manual remediation model in existence.”
The risks highlighted by Checkmarx have been echoed elsewhere recently. This week, Verizon claimed in its Data Breach Investigations Report (DBIR) that vulnerability exploitation accounted for nearly a third (31%) of initial access in data breaches over the past year, up from 20% in last year’s DBIR.
It suggested that adversarial use of AI could be to blame for the uptick.
“The median threat actor researched or used AI assistance in 15 different documented techniques, with some actors leveraging as many as 40 or 50,” the Verizon report noted.
UK Firms Concerned About AI in the Supply Chain
The findings chime with a separate study from UK insurer QBE out this week which revealed that 75% of UK businesses are worried about vendors and suppliers using AI.
They’re already on high alert for possible supply chain incidents. QBE claimed that the share of respondents experiencing a “cyber event in the past 12 months” rose from 53% in 2025 to 59% in 2026. This year, over a fifth (22%) claimed that “all or most” of the attacks they suffered involved a supplier.
However, despite their concerns, only 28% of AI-using businesses have taken steps to assess or audit their third-party suppliers’ AI systems, while just 35% have a formal AI usage or governance policy, QBE claimed.
