Context is king for secure, AI-generated code

Summary of Context is king for secure, AI-generated code

by The Stack Overflow Podcast

28mOctober 7, 2025
Listen to Episode

Summary — "Context is king for secure, AI-generated code"

Host: The Stack Overflow Podcast
Guest: Dimitris Stiladis, CTO & co‑founder, Endor Labs

Overview

This episode examines how AI-generated code is changing application security (AppSec). Dimitris Stiladis explains two broad categories of AI coding tools, the security implications of each, and why context and human oversight remain essential as AI begins producing far more code than before. The conversation covers practical ways teams can reduce risk when adopting AI-assisted development.

Key points & main takeaways

  • Two distinct AI-code ecosystems:
    • General-purpose AI agents (e.g., large language models / multi-capability agents): have “infinite degrees of freedom” and can modify any part of a codebase, which increases the risk of introducing vulnerabilities.
    • Opinionated, platform-driven tools (e.g., code generators targeted at non‑coders): produce constrained, predictable outputs within a defined framework, which can simplify AppSec controls.
  • AI models are trained on mixed-quality data (open source, forums, etc.) and may be out of date with the latest vulnerabilities — so they can generate both good and bad code.
  • Agents improve when given iterative feedback and integrated tooling (linters, dependency analysis, scanners). Using AI “out of the box” without guardrails is risky.
  • The volume of code being generated by AI increases the need for scalable security tooling and automated checks.
  • Human engineers remain responsible for the code: review, context-awareness, and judgment are necessary. Bad engineering practice (e.g., blindly accepting AI output) — not AI itself — is the principal risk.
  • Cultural and process considerations matter: maintainers may treat AI-generated contributions differently (example: Mitchell Hashimoto asking contributors to disclose AI-generated PRs).

Notable quotes / insights

  • “AI is a seismic shift on how we will be approaching software in the next five years.”
  • “People are still in charge of this.”
  • “It’s another layer of abstraction.”
  • Example policy by a maintainer: “If you contribute PRs that are generated by AI, tell me.” (Mitchell Hashimoto)

Topics discussed

  • Types of AI coding tools and their characteristics
  • How AI training data and recency affect security
  • Integration of AppSec tools into AI-driven development loops
  • Developer psychology (imposter syndrome) and the social effects of using AI
  • Code review practices and maintainer policies for AI-generated PRs
  • Need for scalable security tooling to handle increased code generation

Risks highlighted

  • AI producing insecure or outdated patterns (vulnerabilities, bad dependencies)
  • Lack of context-awareness in generated code leading to logic/security mismatches
  • Over-reliance on AI by less-experienced engineers, causing unreviewed insecure code to be merged
  • Increased volume of code outpacing manual security review capacity

Action items & recommendations

For engineering teams:

  • Treat AI as a tool, not an autopilot — require human review of AI-generated code.
  • Require disclosure of AI-generated contributions where appropriate.
  • Add guardrails: provide style/security guidelines and enforce them in the generation loop.
  • Integrate AppSec tooling (linters, static analyzers, dependency scanners) into AI agents/CI so feedback is iterative and automated.
  • Use opinionated frameworks or constrained generators when predictability and safety are priorities.

For security teams:

  • Evolve tooling to scale with AI-generated code (automated policy enforcement, faster scans).
  • Implement “policy-as-code” to enforce organizational security rules automatically.
  • Monitor dependency hygiene and keep scanners up to date for newly disclosed vulnerabilities.

For maintainers & open-source projects:

  • Define clear contribution policies around AI-generated code (e.g., disclosure requirements).
  • Prioritize provenance/attribution so reviewers know when extra scrutiny is needed.

Bottom line

AI will drastically increase the amount and speed of code production. That creates both opportunities (faster development, automatic checks in opinionated systems) and risks (out-of-context or outdated insecure code from general-purpose agents). Context, guardrails, integrated AppSec tools, and human responsibility are essential to keeping AI-generated code secure.