Research from RSAC 2026 and Veracode’s October 2025 GenAI Code Security Report documents 74 CVEs attributed to AI-generated code across tools including GitHub Copilot, Claude Code, Devin, Cursor, Google Jules, Atlassian Rovo, and Roo Code, with vulnerability classes concentrated in CWE-22 (path traversal), CWE-79 (XSS), CWE-77/78 (command injection), and CWE-20 (input validation). This is a structural risk rather than a patchable vulnerability: AI coding assistants are introducing well-understood flaw patterns at a velocity that existing SAST and code review processes were not designed to absorb. Security teams should audit SAST coverage for these CWE classes in AI-assisted codebases, enforce gated SAST in CI/CD pipelines, and brief engineering leadership on the control adaptation required — specific CVE identifiers cited (CVE-2025-55526, GHSA-3j63-5h8p-gf7c) should be independently verified against NVD before operational use.