Securing AI-assisted engineering
A new 5-part series on building code safely at scale
As an organisation that moves fast on AI and low-code/no-code development, we produce a large volume of code and solutions very quickly. That speed is a strength, but it also means we have to pay close attention to the places where mistakes can hide. The Deriv Security team has spent the last year examining how AI-assisted engineering works in practice, identifying potential pitfalls, and developing safer practices around it.
AI-assisted coding is in an awkward phase. It feels helpful and clever, and it saves time, so it quietly becomes part of everything we build. But the more we rely on it, the more we see a simple truth. AI will default to generating code that works, not code that is secure, unless you explicitly guide it. It has never lived through an outage. It has never been paged at 2 am with news that one of your externally exposed apps has been breached.
It just predicts what looks right. That is the gap.
Most AI-introduced vulnerabilities are small. They look reasonable. They slip past reviews. They compile cleanly. They appear harmless until the right scenario triggers them or the wrong person finds them first. This is why guardrails are not optional. They are the minimum layer of safety.
So the Deriv Security team is launching a new 5-part series on securing AI-assisted engineering. Not because the industry needs more talk, but because it needs a clear, practical framework for a world where code is no longer written only by humans and old habits no longer fully apply.
Here is what the series will cover:
The 5-part series
Part 1: Guardrails for AI-assisted and low-code/no-code development (published)
The essential boundaries that keep AI-generated code and LCNC workflows safe. What they must always enforce, what they must never allow, and why the safest place to stop failures is at the point of generation before the code or workflow enters an opaque runtime you can no longer fully control.
Part 2: Enforcing secure defaults inside AI development tools
The practical mechanics. How to embed rules directly into IDEs so insecure code never reaches a repository in the first place.
Part 3: AI-powered code review and automated scanning
How AI can catch mistakes that slip past humans. A look at real patterns, real issues, and blind spots that appear when humans assume AI output is safe.
Part 4: Real examples of AI-introduced vulnerabilities & pentesting AI/LCNC solutions
Small snippets that seem harmless but have real-world consequences. For example:
// looks fine at a glance
const user = req.query.user;
const result = await db.query(
  `SELECT * FROM clients WHERE name = '${user}'`
);
Compared to a guarded version:
// validate first (z is the zod schema library), then bind the value as a parameter
const schema = z.object({ user: z.string().min(1).max(50) });
const parsed = schema.safeParse(req.query);
if (!parsed.success) return res.status(400).send("Invalid input");
const result = await db.query(
  "SELECT * FROM clients WHERE name = $1",
  [parsed.data.user]
);
One trusts the world too much. The other knows the world can be complicated and full of people who type things they should not.
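The difference between those two snippets is mechanical enough for an automated check to catch. The following is an added example, not code from Deriv or from the series: a heuristic scanner that flags .query() calls whose SQL literal is interpolated or concatenated. The names readLiteral and findInterpolatedQueries and both sample inputs are assumptions made for illustration.

```javascript
// Added example: heuristic guardrail that flags SQL assembled inside .query().
// Function names and both sample snippets are constructed for illustration.
const SQL_KEYWORD = /\b(select|insert|update|delete)\b/i;

// Read the string or template literal opening at `start`; skips escapes and ${...}.
function readLiteral(source, start) {
  const quote = source[start];
  let depth = 0;
  for (let i = start + 1; i < source.length; i++) {
    const ch = source[i];
    if (ch === "\\") { i++; continue; }
    if (quote === "`" && ch === "$" && source[i + 1] === "{") { depth++; i++; continue; }
    if (depth > 0 && ch === "{") { depth++; continue; }
    if (depth > 0 && ch === "}") { depth--; continue; }
    if (depth === 0 && ch === quote) return { text: source.slice(start + 1, i), end: i + 1 };
  }
  return null; // unterminated literal: nothing to report
}

// One finding per .query() call whose SQL literal is interpolated or concatenated.
function findInterpolatedQueries(source) {
  const findings = [];
  const call = /\.query\(\s*/g;
  let m;
  while ((m = call.exec(source)) !== null) {
    const start = m.index + m[0].length;
    if (!"`'\"".includes(source[start])) continue; // first argument is not a literal
    const lit = readLiteral(source, start);
    if (!lit || !SQL_KEYWORD.test(lit.text)) continue;
    const interpolated = source[start] === "`" && lit.text.includes("${");
    const concatenated = /^\s*\+/.test(source.slice(lit.end));
    if (interpolated || concatenated) {
      const line = source.slice(0, m.index).split("\n").length;
      findings.push({ line, reason: interpolated ? "interpolation" : "concatenation" });
    }
  }
  return findings;
}

// Constructed inputs mirroring the two snippets in this post.
const UNSAFE = ["const user = req.query.user;", "const result = await db.query(",
  "  `SELECT * FROM clients WHERE name = '${user}'`", ");"].join("\n");
const SAFE = ["const result = await db.query(",
  '  "SELECT * FROM clients WHERE name = $1",', "  [parsed.data.user]", ");"].join("\n");

console.log(findInterpolatedQueries(UNSAFE));
console.log(findInterpolatedQueries(SAFE));
```

The check only sees a literal passed directly to .query(); SQL assembled into a variable before the call needs data-flow analysis, which a regex heuristic like this one does not attempt.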
Part 5: A blueprint for responsible AI-driven engineering
How all the pieces fit together. A practical model that combines guardrails, IDE enforcement, PR scanning, LCNC governance, secret lifecycle automation, runtime isolation, observability, and AI change tracking into one secure engineering workflow. This part outlines the architecture, approval flows, monitoring pipelines, and habits needed to operate AI-assisted development safely at scale.
Why this matters
We now generate code faster than we can understand it. Humans write some of it. AI writes the rest. But only one of them understands consequences.
Most AI-generated code works, and that is the danger. When something works, you trust it. When you trust it, you stop checking. That is how small problems grow quietly into serious ones.
AI is helping us build faster. The real challenge is maintaining safety at the same pace.
Rotimi Akinyele is the Vice President of Security at Deriv.