- 📝 Part 1: The AI Acceleration Trap: Speed vs. Component Integrity (Read below)
- đź”’ Part 2: The Shadow Supply Chain: AI Blind Spots & Transitive Risks (Next week)
- đź”’Part 3: Real-Time Scaffolding to Overcome the AI Speed Problem

AI can help us build software faster. But who checks the parts it uses?
AI coding assistants are becoming a normal part of software development, because they help developers write code, explain errors, suggest fixes, and get through repetitive work much faster than they could before.
That speed is genuinely useful, especially when teams are under pressure to deliver, although it also introduces a risk that is easy to miss when the code appears to work and everything looks fine on the surface.
When an AI assistant helps write software, it may also suggest using external packages, which are ready-made pieces of software created by other people and reused by developers so they do not have to build every feature from the ground up.
The issue is that an AI assistant may suggest packages without checking whether they are safe, whether the specific version has known security problems, or whether it pulls in other risky software behind the scenes.
For someone outside software development, this can sound like a minor technical detail, but in practice it can become a serious problem, because software is often only as safe as the parts it depends on.
What’s the risk of using AI coding assistants for software development?
The primary risk of AI coding assistants is that they prioritise development speed and code functionality over software supply chain security. Although AI models can quickly generate working code, they frequently recommend third-party software packages and open-source dependencies without verifying if those specific versions contain known vulnerabilities, creating hidden cyber security risks in the application lifecycle.
What are dependencies, in plain English?
Most modern software is not written entirely from scratch, just as most houses are not built by people who make their own bricks, glass, wiring, locks, pipes, and screws.
Instead, builders use trusted parts from suppliers, because doing everything manually would be slow, expensive, and unnecessary; software developers work in much the same way when they use ready-made packages for common tasks.
A developer building an application might use one package to handle dates, another to connect to a database, another to process images, another to send emails, and another to manage user login, because these are common problems that many other people have already solved.
These packages are called dependencies because the software depends on them, and although that may sound technical, the basic idea is simple: if your application relies on a piece of external software, then your application also inherits some of the risks that come with it.
Using dependencies is not bad; in fact, it is one of the main reasons modern software can be built quickly and affordably. The problem appears when one of those dependencies has a known security weakness, has stopped being maintained, or depends on something else that is vulnerable.
A simple example: the front door lock
Imagine you ask someone to help you build a small office, and as part of the job they choose a lock for the front door. The lock fits the door, the key works, and from the outside everything seems perfectly acceptable, although there is one important detail you cannot see just by trying the handle.
What if that lock model was recalled last week because thieves discovered that it could be opened in seconds with a cheap tool?
In that situation, the lock still works in the ordinary sense, because it opens and closes as expected, but it is no longer something you would want protecting your office.
Software dependencies can create the same kind of hidden risk, because a package may still do the job it was chosen for while also having a known weakness that attackers understand how to abuse.
This is why “the software works” and “the software is safe” are two very different statements.
What’s Next in This Series? 🔒
Understanding the basic building blocks is just the first step. But the threat rarely stops at the first package your AI assistant recommends. The real danger lies in the chain of hidden extras it brings with it.
Coming Next Week in Part 2 The Shadow Supply Chain
We’ll break down the “Subcontractor Effect” and explain how a single, confident AI code snippet can quietly weave a chain of fifty unverified third-party packages deep into your application architecture. Stay tuned for next week’s post.
