Why AI Changes the Risk Model for Application Security
[embedded content]
As AI becomes embedded in everyday development workflows, the security model for applications is shifting fast — and not always in ways teams are prepared for.
NDSS 2025 – Automatic Insecurity: Exploring Email Auto-configuration In The Wild
[embedded content]
As AI becomes embedded in everyday development workflows, the security model for applications is shifting fast — and not always in ways teams are prepared for. James Wickett, CEO of DryRun Security, breaks down why “AI everywhere” is forcing organizations to rethink what application security should look like when developers are shipping faster than ever.
Wickett explains the gap he saw in the original “shift left” movement: despite years of effort, many security tools still don’t feel tangible or helpful to developers. Too often, the industry tried to retrofit legacy approaches — pattern matching and noisy findings — into modern pipelines, leaving dev teams overwhelmed and security teams stuck prioritizing work that may not map to real exploitability.
The conversation then turns to what makes AI applications different. Wickett argues that the moment you put an LLM into production, you change the risk model: you’ve introduced a probabilistic system that can access new data, take actions, and behave in ways deterministic tools weren’t designed to assess. That mismatch shows up in practice as high usage paired with low trust — developers may rely on AI assistants for speed, while still worrying about instability and security regressions.
Wickett also shares what teams are asking for now: clearer definitions of AI risk, reference architectures, and best-practice controls that cover issues like prompt injection and excessive agency. The goal isn’t to slow development down — it’s to evolve security alongside AI so teams can keep moving quickly without flying blind.
About Author
