AI Coding Assistants Shift Developers from Preventive to Reactive Security

New SOUPS study reveals AI tools make security an afterthought in coding workflows.

Deep Dive

A new study accepted at the 2026 Symposium on Usable Privacy and Security (SOUPS) reveals a fundamental shift in how developers approach security when using AI coding assistants. Researchers from multiple universities interviewed and observed 15 professional software engineers, divided into three experience cohorts, as they completed security-relevant coding tasks with AI assistance. The key finding is that AI tools reorganize rather than eliminate security thinking: it moves from the act of writing code to the act of reviewing generated code. This transition from preventive to reactive security is structurally encouraged by interaction models that frame code generation as a purely functional task, so security is only considered after the code already exists.

Notably, none of the participants specified security requirements in their initial prompts, even when they possessed relevant security knowledge, which reveals a decoupling of security awareness from security behavior. The researchers also documented informal coping strategies that developers independently invented to manage the security risks of AI-generated code; none of these strategies is supported by current tools or by their organizations. Perhaps most surprising, years of professional development experience (the basis for the three cohorts) did not reliably predict security performance on the tasks. The paper provides a practice-grounded account that can inform the design of more security-aware tools, training programs, and organizational policies for AI-assisted development.

Key Points
  • AI coding assistants shift security from proactive prevention during coding to reactive review after generation.
  • None of the 15 developers specified security requirements in initial prompts, even when knowledgeable.
  • Developers invent their own unsupported coping strategies for AI security risks, and years of experience do not reliably predict security performance.

Why It Matters

For engineering teams, this means AI-assisted coding demands new security training and tooling that bring security requirements back into prompting and generation, rather than relying on developers to catch problems in after-the-fact review of generated code.