Application security teams are facing a widening gap between vulnerability detection and remediation thanks to the rapidly growing use of AI in both software development and vulnerability scanning, according to Monash University’s application security lead Luke Bampton.
Bampton and his colleagues support more than 40 development teams across Monash, which in recent years has grown into a global higher education and research organisation with 98,000 students and more than 20,000 staff.
This story is part of the 2026 iTnews State of Security Report. Read it for free here.
“With our vision to be global leaders in higher education comes a matching digital footprint, which includes half a million IP addresses,” Bampton said.
“When you combine that with the innovation and collaboration appetite that is unique to higher education, cyber threats simply become a way of life.”
The university’s developer community presents its own challenges, with skill levels ranging from experienced engineers to undergraduate students. Rather than enforcing a single set of tools, Bampton focused on ensuring consistent security outcomes.
“They want to do the right thing, and application security is the enabler that helps them do that properly,” he said.
That approach is under increasing pressure as developers accelerate their work using AI tools. While Bampton said AI had improved the speed of identifying vulnerabilities, organisations were struggling to translate that into faster remediation.
“We are dealing with pre-AI ways of working that weren’t designed to fix problems in production ‘yesterday’,” he said.
“It has never been faster to identify vulnerabilities, but there is still a lag in the time to remediate.”
Recent developments such as Anthropic’s Mythos had further highlighted this shift, demonstrating how generative AI could move upstream into application security. Bampton said the next step would be trusted AI-driven remediation.
“It will only be a matter of time before AI is able to assess, review, and secure code,” he said.
“But for now, we are living in a world where AI is a force multiplier for delivering digital products, while the security aspects are still catching up.”
Despite these changes, Bampton said the fundamentals of application security remained unchanged, with communication and relationships playing a central role.
“That starts with a conversation,” he said.
“You are not going to be able to help people if they don’t know who you are or don’t feel that you are approachable. It’s about taking what is traditionally a technical problem and turning it into a marketing and awareness challenge.”
Communication was also a critical aspect when educating developers about the growing risks from software supply chains, particularly through open-source dependencies.
“Supply chain attacks are through the roof, and developer credentials are under significant threat,” he said.
“In the age of AI, you still need vulnerability scanning and mechanisms to investigate third-party libraries.”
At the same time, Bampton warned against over-reliance on AI tools, noting the risk of developers losing critical security skills through “cognitive offloading”. Education, he said, remained a core priority.
Bampton said the university’s application security strategy was also evolving in response to the commissioning of its MAVERIC AI supercomputer. He said Monash had deployed a small fleet of dedicated AI development machines in addition to the supercomputer to further support researchers with local, controlled access to advanced compute resources.
“As an application security practitioner, a lot of my work is shifting towards AI and non-deterministic ways of working,” Bampton said.
“I am optimistic about our ability to guide developers on how to use this technology responsibly.”
“But the fundamentals still hold. At the end of the day we want secure code, functional code, and robust solutions that scale.”

