Why AI-Driven Legacy Upgrades Are Creating Security Vulnerabilities

By 2030, half of all enterprises will face rising maintenance costs from poorly managed AI-generated code, according to recent Gartner research. One of the biggest factors, in my opinion, will be the security vulnerabilities introduced by organizations rushing to modernize legacy systems without understanding what those systems do.

Facing spaghetti code, missing documentation and risky applications that desperately need modernization, organizational leaders face intense pressure to fix these problems quickly. The timing of this maintenance cost crisis isn’t coincidental; AI coding tools have made it faster than ever to rewrite legacy systems, but they’ve also made it easier to introduce vulnerabilities at scale.

The Real Opportunity With AI

Modern AI agents can reconstruct system behavior and map security logic flows before code changes happen. They can recover lost requirements buried in code, expose hidden dependencies and edge cases and map what security controls exist versus what’s documented.

This capability transforms modernization with AI from a purely speed exercise into an understanding exercise.

When you use AI to analyze legacy systems before rewriting them, you learn or rediscover things your team forgot or never knew. For example, a seemingly redundant permission check might prevent a race condition that only occurs when users access the system in a specific sequence, or an “overcomplicated” authentication flow may be defending against a class of attacks your new framework doesn’t even consider.

Many organizations still treat modernization as purely a coding problem, generating new code without mapping what the old code does. During penetration testing, I regularly find vulnerabilities that didn’t exist in the legacy system but were introduced during modernization, creating gaps that turn modernization projects into security incidents.

What Leaders Can Do: A Security-First Modernization Checklist

Modernization doesn’t have to be a choice between speed and security, but it does require a different approach. Here’s a nine-step practical approach for business leaders:

Before you modernize:

1. Document current system behavior. Use AI to accelerate this process, but don’t skip it. You can’t preserve security you don’t understand, and assumptions about “how it probably works” can lead directly to vulnerabilities.
2. Identify and preserve security logic that’s working. Not all legacy code is bad. Some checks exist because someone encountered an edge case attack years ago. While the documentation may be long gone, the vulnerability may still exist and need to be accounted for.
3. Validate that documented security matches reality. From what I’ve seen in most organizations, documentation diverged from implementation years ago. Official specs may describe a simple authentication process, while the actual code includes undocumented checks for legacy integrations, grandfathered permissions or patches for long-forgotten vulnerabilities.
4. Assess why specific libraries and patterns were chosen. Dependencies that look outdated may exist for security reasons that aren’t obvious. That ancient validation library might be the only thing preventing a specific class of injection attacks.

During modernization:

5. Embed security validation throughout development. Continuous validation catches problems when they’re easier to fix. Waiting until the end means security issues require architectural rework instead of code adjustments.
6. Include penetration testing during the process. Traditional approaches test after deployment, when fixing vulnerabilities requires significant rework and delay. According to Microsoft’s 2025 Digital Defense Report, 18% of breaches exploit unpatched public-facing services, highlighting the gaps that emerge during modernization. Test early and test often.
7. Ensure the team understands security decisions, not just business logic. The same Microsoft report notes that identity-based attacks increased 32% during the first half of 2025. These vulnerabilities often emerge when authentication complexity is simplified without understanding its purpose. When developers know why security implementations exist, they’re less likely to eliminate them as “unnecessary complexity.”

After modernization:

8. Document security implementations for future teams. You’re creating the next generation’s “legacy system.” Make it easier for them than it was for you by documenting not just what the code does, but why those security decisions were made.
9. Validate that security posture improved; it didn’t just change. Different isn’t better. Measure actual security outcomes with testing that confirms you reduced risk rather than just moving it around.

Speed and Security Can Coexist

AI-augmented modernization can deliver both speed and security, but only with the right approach.

Organizations that treat AI as a practical tool for understanding systems, rather than just generating code faster, position themselves to modernize without expanding their attack surface. Use modern tools to understand old systems better than their original developers did, and then modernize in ways that improve security instead of just moving vulnerabilities into newer code.

When teams use AI agents to accelerate understanding, map actual system behavior, expose hidden dependencies and validate security logic, they make informed modernization decisions rather than blind rewrites. Treating system understanding as a security requirement before modernizing is the difference between reducing risk and accidentally expanding your attack surface while trying to improve it.

Gartner’s prediction about rising costs from poorly managed AI-generated code doesn’t have to include your organization. Your legacy systems may be risky, but modernizing blindly is riskier.

This article was originally published on Forbes.com.