The embedded software world is undergoing one of its most profound shifts in decades, according to Black Duck’s State of Embedded Software Quality and Safety 2025 report.
The global survey of 785 developers, managers, and security professionals reveals the two major forces reshaping the industry: the rapid adoption of AI for development, and the growing importance of transparency.
Most Orgs Use AI, But Not Enough Have Effective Guardrails
AI is now a fundamental part of embedded software development. According to the Black Duck report, an overwhelming 89% of organizations now use AI-powered coding assistants, while 96% have embedded open source AI models into their products.
However, as is the case in so many industries, AI governance is lacking. 21% of organizations admit they are not confident they can prevent AI-related vulnerabilities, while 18% report that developers are using “shadow AI” tools against company policy – introducing unmonitored and potentially dangerous code into production.
Diana Kelly, CISO at Noma Security, warned that agent-based AI systems, in particular, pose unique risks. “AI interprets prompts as executable commands, so a single malformed prompt can reasonably result in wiped systems,” she said. This fragility, combined with the scale at which AI agents can act, makes strong governance and oversight essential.
However, Nicole Carignan, SVP of Security and AI Strategy at Darktrace, believes that organizations can only implement effective AI governance once they have their data practices in order.
“AI systems are only as reliable as the data they’re built on. Before organizations can think meaningfully about AI governance, they need to lay the groundwork with strong data science principles,” she explained.
SBOMs Become a Market Imperative
Software supply chain attacks and vulnerabilities have made headlines over the past few years. As a result, Software Bills of Materials (SBOMs), once a compliance checkbox for government contracts, have become a mainstream commercial requirement, with 71% of organizations now producing them.
Customer and partner demand is driving this shift: 39% of respondents said SBOMs are required by clients.
Mayuresh Dani, Security Research Manager at Qualys Threat Research Unit, noted that SBOMs are critical for effective incident response. “SBOMs bring visibility into which components are being used in a project. This can definitely help in a post-compromise scenario where triaging for affected systems is necessary,” he explained.
Developer Skills in Transition
The report also captures how demand for developer skills is changing. 80% of companies now use memory-safe programming languages, such as Rust, Go, or Python. In fact, Python has overtaken C++ in some embedded contexts – a monumental shift for an industry that has long relied on C and C++.
Satyam Sinha, CEO of Acuvity, believes this transition is part of a wider skills challenge. “In our discussions with customers, it is evident that they are overwhelmed on how to prioritize and tackle the issues – there’s a lot that needs to be done, he said.” He added that GenAI-native security products, combined with specialized training, will be crucial in closing the widening knowledge gap.
Managers and Developers See Things Differently
Concerningly, however, the report also reveals a concerning disconnect between leadership and developers. While 86% of executives describe [projects as successful, only 56% of developers agree. According to Black Duck, this is not just a perception problem; it’s fundamental disconnect regarding risk.
Managers celebrate on-time delivery, but developers see the compromises that go into achieving that delivery: rushed testing, deferred technical debt, and cut corners on quality. This optimism gap may mask systemic risks that could surface as vulnerabilities or costly rework.
Josh is a Content writer at Bora. He graduated with a degree in Journalism in 2021 and has a background in cybersecurity PR. He's written on a wide range of topics, from AI to Zero Trust, and is particularly interested in the impacts of cybersecurity on the wider economy.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.