Black Duck Releases BSIMM16: AI and Regulatory Compliance Reshaping Application Security Processes
The industry’s largest application security study reveals how organizations are adapting to AI-generated code, government mandates, and evolving training methods.
BURLINGTON, Mass., Feb. 4, 2026 /PRNewswire/ — Black Duck®, a leader in AI-powered application security, has announced the release of BSIMM16, the 16th edition of the Building Security In Maturity Model. This report highlights the transformation of software security initiatives (SSIs) as organizations manage risks introduced by AI adoption, increasing regulatory pressures, and the need for more agile security training approaches.
AI: The Defining Challenge in Application Security
For the first time in BSIMM’s 16-year history, AI has overtaken all other forces in reshaping security priorities. The BSIMM16 study is based on assessments of 111 organizations across multiple industry verticals, including financial services, healthcare, technology, and independent software vendors (ISVs), providing unprecedented insights into real-world application security practices protecting approximately 91,200 applications developed by 223,700 developers.
Key Trends and Insights from BSIMM16
- AI Adoption and Security: Organizations are now tasked with securing AI-powered coding assistants while defending against AI-enabled attacks. The report highlights significant shifts, including a 10% rise in teams using attack intelligence to track emerging AI vulnerabilities and a 12% increase in using risk-ranking methods for LLM-generated code.
- Regulatory Compliance: Global mandates are pushing organizations to strengthen application security, focusing on software supply chain transparency and securing development environments. Nearly 30% more organizations are now producing SBOMs (Software Bill of Materials) to meet transparency requirements.
- Software Supply Chain Security: Organizations are expanding their focus beyond internally developed code to secure the entire software supply chain ecosystem. BSIMM16 reports a more than 40% rise in establishing standardized technology stacks, indicating that supply chain security is becoming a core priority.
- Training Evolution: Traditional multi-day security courses are being replaced by just-in-time, bite-sized learning that fits modern development workflows. BSIMM16 shows a 29% increase in organizations delivering expertise through open collaboration channels, providing instant access to security guidance.
The Illusion of Correctness in AI-Generated Code
As Jason Schmitt, CEO of Black Duck, states, “The real risk of AI-generated code isn’t obvious breakage—it’s the illusion of correctness. Code that appears polished can still conceal serious security flaws.” This growing trust in AI-produced code lacks the security instincts of seasoned experts, making the surge in SBOM adoption critical for transparency in understanding software components.
BSIMM: A Maturity Model for Software Security
Established in 2008, BSIMM serves as a maturity model that tracks the activities of software security professionals. It helps organizations plan, execute, and measure their software security initiatives through comprehensive interviews and anonymized data analysis.
For the first time in its history, BSIMM16 introduces no changes to the framework structure, signaling the maturity and stability of application security practices across the industry.
In conclusion, as AI continues to redefine application security, organizations must adapt to the evolving landscape of risks and regulations, ensuring that their software security initiatives remain robust and transparent.
To learn more, download the BSIMM16 report.
