UPDATED 09:00 EDT / JUNE 17 2025

Apiiro report reveals industry differences are shaping generative AI risk profiles

A new report out today from application security posture management company Apiiro Ltd. reveals a growing divergence in how industries adopt and secure generative artificial intelligence in software development, with retail organizations moving fast into production and financial institutions taking a slower, risk-heavy approach.

Apiiro analyzed more than 100,000 enterprise code repositories using its Deep Code Analysis engine to assess how generative AI models, frameworks and training data are being introduced into software development pipelines across sectors. The findings highlight how risk exposure from generative AI is already significant, but interestingly, the risk varies dramatically depending on the industry.

Retail organizations were found to be integrating generative AI into customer-facing systems and shipping to production at more than twice the rate of financial services firms. Apiiro’s telemetry shows that 2.1 times more generative AI-related codebases exist in retail than in finance. Development activity was also found to be higher in retail, with 61% of generative AI repositories showing active contribution compared to just 22% in finance.

By contrast, financial institutions were found to be moving more cautiously, but with greater risk exposure. The average generative AI repository in finance was found to be 688 days old, nearly 1.5 times older than the retail average of 453 days.

Older codebases typically correlate with more security issues and, not surprisingly, Apiiro found a seven-fold increase in secrets exposure, such as hardcoded credentials or tokens, in generative AI repositories compared to those without AI components. The risk is partially the result of generative AI being bolted onto legacy systems, creating blind spots in security posture as adoption grows without centralized oversight.

Data sensitivity was found to be another fault line between the industries. Retail codebases are 1.8 times more likely to contain sensitive data, with 26% of generative AI projects including payment information, customer records or personally identifiable information, compared with 15% in finance.

The exposure is tied to generative AI powering real-time personalization, which demands direct access to live customer data, whereas financial institutions often restrict AI to abstracted or internal datasets because of regulatory compliance concerns.

The report also highlights an arguably surprising divergence in generative AI tooling. Retail developers were found to be consolidating around OpenAI’s Python software development kits and LiteLLM. In contrast, financial teams were found to experiment more broadly across tools like LangChain and custom models, which provide greater flexibility but also add complexity and fragment risk surfaces.

Itay Nussbaum, product manager at Apiiro and the author of the report, says that there are clear conclusions. “Generative AI is already in your code — but what it touches and what it risks depends on your industry. In retail, generative AI is fast, customer-facing and wired into sensitive data. In finance, it’s slower, older and layered onto legacy systems. Both create risk — just in different ways.”
