
In a May 11, 2026 column, David Gewirtz warns that the longstanding reactive model of application security — finding vulnerabilities after release and fixing them — is collapsing under the combined pressure of continuous deployment (CI/CD) and AI‑assisted development. The accelerating release cadence is creating growing vulnerability backlogs that overwhelm teams and prolong technical debt. His conclusion is that organizations must shift security upstream so that protection travels with code as it is authored and deployed.
Gewirtz uses a treadmill metaphor to describe the cycle: automated scanners and tests surface flaws, developers patch them, and then new code or updated dependencies reintroduce similar defects. The net result is a recurring remediation workload rather than a steady reduction of risk, with security teams stuck addressing symptoms instead of preventing root causes.
He details how the process works in practice. Vulnerability scanners and penetration tests generate defect reports; teams set up triage queues and sometimes run dedicated remediation sprints; and development often pauses new feature work to apply patches. When fixes are impractical or too risky, organizations resort to defend‑and‑defer measures — firewalls, runtime protections, monitoring, segmentation, access restrictions and other compensating controls — to reduce exposure without removing the underlying flaws.
The article highlights how release practices have altered the threat model. Software that once shipped major releases annually or quarterly now moves continuously through CI/CD pipelines, and AI tools are enabling faster code production. Gewirtz cites industry signals showing that 77% of IT managers say their AI agents are out of control, a statistic he uses to underscore the unpredictability AI introduces into development and testing.
Those shifts have concrete operational impacts: vulnerability backlogs outstrip developer capacity, fixes lag behind rapid release schedules, and some critical flaws are buried so deeply in legacy code that full remediation would require disruptive rewrites. Faced with these constraints, organizations increasingly apply temporary runtime mitigations that extend the lifetime of technical debt rather than eliminate it.
Gewirtz cautions that find‑and‑fix together with defend‑and‑defer will not disappear, but he argues they cannot remain the primary strategies. He calls for moving application security earlier in the lifecycle — toward code creation — and for integrating security into development workflows, tooling and governance. He adds that the non‑deterministic behavior of large language models amplifies the need for upstream controls and validation. His advice is to keep using runtime protections and triage processes, but to prioritize securing new code at creation and to adapt tools and governance to the faster, AI‑accelerated release rhythms, or risk staying on the patching treadmill.