How AI Is Redefining Security Engineer Training: From Code Review to Threat Modeling

AI‑Powered Development Raises New Code‑Security Challenges

Under DevOps pressure, CISOs already struggle to enforce secure coding practices. Gartner predicts that AI coding assistants, used by only about 14% of software engineers two years ago, will be adopted by 90% of engineers by 2028, and Faros AI reports a 98% increase in merged pull requests from AI‑assisted developers.

From Output Review to Result Evaluation

As AI coding tools mature, they increasingly handle routine vulnerability detection and automatic fixes for classic issues such as SQL injection, XSS, and insecure configurations. However, Ankit Gupta (Senior Security Engineer, Exet Financial) warns that AI‑generated code can be syntactically correct yet contextually reckless, forcing developers to treat security as a verification step rather than a creation process.

Hasan Yasar (Technical Director, Carnegie Mellon Software Engineering Institute) emphasizes shifting from line‑by‑line review to assessing the security performance of functional outcomes in deployment environments, focusing on integration points, architecture, and logical risk.

Threat Modeling Becomes a Core Capability

Yasar argues that system‑level thinking is essential for scalable threat modeling, which traditionally suffers from a lack of contextual knowledge about application usage, architecture, and risk. He suggests AI can streamline the labor‑intensive modeling process by integrating organizational context and architectural patterns, but developers must still master fundamentals such as trust boundaries, asset identification, and attacker‑use‑case prediction.

Michael Bell (Founder, Suzu Labs) recommends immersive, hands‑on training—like cyber‑range exercises—to develop "threat‑modeling intuition," noting that when AI handles routine coding, human value shifts to judgment and assessment.

Embedding Training into Security Guardrails

Emilio Pinna (Co‑founder, SecureFlag) observes that static, one‑off courses no longer work; effective training occurs continuously within real engineering contexts, delivering situational micro‑learning triggered by security guardrails in the pipeline.

These guardrails translate risk into actionable guidance, surface compliance rationales via pop‑ups, and can launch on‑demand 5‑15 minute tutorials. The data generated by guardrail triggers also helps AppSec teams target deeper education.

The New CISO Training Agenda

Forward‑looking CISOs recognize that AI‑assisted coding demands heightened security awareness. Beyond traditional fundamentals, they must teach developers how to use AI tools safely, evaluate AI outputs, and embed governance policies that define when human review is required, what data may feed AI systems, and the pre‑production usage standards.

Prompt engineering can embed compliance requirements at code‑generation time—for example, directing an AI to produce a web login page that meets HITRUST standards—providing a concrete entry point for "secure‑by‑design" practices.

Ultimately, security training will not disappear; instead, CISOs must weave threat modeling, guardrails, and AI governance into the daily developer workflow to build more resilient software systems.