AI Coding Is Creating Dependency Sprawl
AI coding assistants are transforming how software is built, but they are also quietly flooding enterprise codebases with unvetted dependencies at a scale security teams were never prepared for.
The Acceleration Problem
When a developer asks an AI assistant to add authentication to an API, the tool does not just write code. It reaches into a vast training corpus and selects packages it has seen used in similar contexts. It suggests installs and dependency declarations with the confidence of a senior engineer, but without the institutional memory of what your organisation has already approved, what versions are known-safe, or whether a given library is still actively maintained.
The result is dependency sprawl. Teams ship faster, but the software ingredient list grows faster still.
What the Data Shows
In analyses of enterprise repositories before and after adopting AI coding tools, dependency counts per service increased by an average of 34% within six months. More concerning: the proportion of dependencies flagged as having known vulnerabilities, being end-of-life, or having low maintenance scores increased by over 50%.
This is not a criticism of AI coding tools. They are genuinely transformative. But they were not designed with supply chain hygiene in mind. Their job is to produce working code quickly. The hygiene layer has to come from elsewhere.
Why the Gap Exists
Most organisations already run software composition analysis. Scanners generate findings. The problem is that findings alone do not resolve risk. When a dependency is flagged, who creates the pull request? Who assigns it? Who tracks whether it gets merged? Who verifies that the same package does not get re-introduced next sprint?
That coordination layer is missing. Security teams are drowning in backlogs. Engineering teams are focused on shipping. And AI tools keep adding to the pile.
The Orchestration Gap
What is needed is not more detection. It is orchestration. A system that takes the signal from scanners, maps it to real repository and pipeline context, enforces consistent policy decisions, and drives remediation to completion.
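The gate-then-orchestrate loop the post describes, as an added example that is not code from the original post and not Verifi's implementation: it diffs a service's dependency manifest before and after an AI-assisted change, applies a fixed policy (approved-package list, allowed versions, scanner flags for known vulnerabilities, end-of-life status and maintenance score), and files one remediation record per (repo, package) so a package that is removed and later re-added is recognised as a re-introduction rather than logged as a fresh finding. The manifests, the approved list, the scanner output and the policy rules are all constructed for this example.

```python
"""Dependency-policy gate with remediation tracking (constructed example)."""
from dataclasses import dataclass, field

# Constructed: the service's manifest before and after an AI-assisted change
# (package name -> pinned version).
BEFORE = {"fastapi": "0.110.0", "pydantic": "2.6.0", "uvicorn": "0.29.0"}
AFTER = {
    "fastapi": "0.110.0",
    "pydantic": "2.6.0",
    "uvicorn": "0.29.0",
    "python-jose": "3.3.0",  # suggested by the assistant, never reviewed
    "passlib": "1.7.4",      # suggested by the assistant, never reviewed
    "pyjwt": "2.8.0",        # suggested by the assistant, already approved
}

# Constructed: packages the organisation has approved, with allowed versions.
APPROVED = {
    "fastapi": {"0.110.0"},
    "pydantic": {"2.6.0"},
    "uvicorn": {"0.29.0"},
    "pyjwt": {"2.8.0"},
}

# Constructed scanner findings keyed by package (not real advisory data).
SCANNER = {
    "python-jose": {"known_vuln": True, "eol": False, "maintenance": "low"},
    "passlib": {"known_vuln": False, "eol": False, "maintenance": "low"},
    "pyjwt": {"known_vuln": False, "eol": False, "maintenance": "high"},
}


@dataclass
class Decision:
    package: str
    version: str
    verdict: str                      # "allow", "warn" or "block"
    reasons: list = field(default_factory=list)


def new_dependencies(before, after):
    """Packages added, or re-pinned to a different version, by the change."""
    return {n: v for n, v in after.items() if before.get(n) != v}


def decide(name, version, approved, scanner):
    """Apply the (hypothetical) policy to one newly introduced dependency."""
    reasons, verdict = [], "allow"
    if name not in approved:
        reasons.append("not on approved list")
        verdict = "block"
    elif version not in approved[name]:
        reasons.append(f"version {version} not approved")
        verdict = "block"
    flags = scanner.get(name, {})
    if flags.get("known_vuln"):
        reasons.append("known vulnerability")
        verdict = "block"
    if flags.get("eol"):
        reasons.append("end of life")
        verdict = "block"
    # Low maintenance alone is a warning, not a block, under this policy.
    if flags.get("maintenance") == "low" and verdict == "allow":
        reasons.append("low maintenance score")
        verdict = "warn"
    return Decision(name, version, verdict, reasons)


def gate(before, after, approved=APPROVED, scanner=SCANNER):
    """Decisions for every dependency the change introduced, in name order."""
    added = new_dependencies(before, after)
    return [decide(n, v, approved, scanner) for n, v in sorted(added.items())]


class RemediationLedger:
    """One open remediation per (repo, package); re-adding a resolved package
    is reported as a re-introduction instead of a new finding."""

    def __init__(self):
        self.items = {}  # (repo, package) -> {"status", "seen", "reasons"}

    def record(self, repo, decision):
        key = (repo, decision.package)
        item = self.items.get(key)
        if item is None:
            self.items[key] = {"status": "open", "seen": 1,
                               "reasons": list(decision.reasons)}
            return "opened"
        item["seen"] += 1
        if item["status"] == "resolved":
            item["status"] = "reopened"
            return "reintroduced"
        return "duplicate"

    def resolve(self, repo, package):
        self.items[(repo, package)]["status"] = "resolved"


if __name__ == "__main__":
    ledger = RemediationLedger()
    for d in gate(BEFORE, AFTER):
        print(f"{d.verdict:5} {d.package}=={d.version} {d.reasons}")
        if d.verdict != "allow":
            print("   ledger:", ledger.record("auth-service", d))
```

The diff step is what keeps the gate cheap to run on every pull request: only the dependencies the change introduced are evaluated, so the approved list and scanner data can stay coarse while still catching the unreviewed additions the post describes. The ledger's `seen` counter is the signal for "the same package keeps coming back", which is the re-introduction question the post raises.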
That is what Verifi is built to do. Not to replace your scanner. But to orchestrate what happens after it fires.
What Comes Next
AI coding is not going away. Neither is the dependency sprawl it creates. The organisations that win in this environment will be the ones that build systematic, automated hygiene workflows, not the ones that hire more people to manually triage backlogs.
The ingredient list of modern software is too long and too dynamic to manage by hand. It needs orchestration.