Shift Left Has Shifted Wrong: Why AppSec Teams – Not Developers – Must Lead Security in the Age of AI Coding
The 'shift left' security model that made individual developers responsible for finding and fixing vulnerabilities has failed — and AI-generated code is making it worse. With 48,000+ CVEs published in 2025 and 24.7% of AI-generated code containing security flaws, the manual developer-led approach can't scale. The argument is that AppSec teams should instead become security automation engineers: running automated scans, using AI to triage false positives (30-40% of SAST results), and delivering tested pull-request fixes directly to developers. Developers then only need to confirm fixes don't break functionality, while AppSec engineers validate the security correctness. This division of labor — centralized automation managed by security experts — is presented as the only viable model for the AI coding era.
Table of contents
The Two Faces of Shift Left
The Math Problem Nobody Talks About
Welcome to the Era of Agent-Managed Development
Where Security Actually Belongs
What This Means for Your Organization
Getting Started