  • Post category: AI World
  • Post last modified: November 24, 2025

Inside Thomas Dohmke’s bet to secure AI‑generated code

What Changed and Why It Matters

GitHub’s former CEO Thomas Dohmke is joining Apiiro as an advisor. Apiiro is an application security startup focused on code-to-cloud risk.

The headline is simple. The signal is not.

AI coding tools are everywhere. Productivity is up. So is unseen risk. Companies are discovering a new class of vulnerabilities introduced by LLMs: insecure defaults, package hallucinations, missing auth checks, and subtle misuse of APIs. Traditional AppSec wasn’t built for that.

“Ex-GitHub CEO Thomas Dohmke is betting Apiiro can help companies catch—and fix—security gaps others miss.”

Here’s the part most people miss. Securing AI-generated code isn’t just scanning more. It’s redesigning guardrails where code is conceived, reviewed, merged, and deployed.

The Actual Move

What happened:

  • Thomas Dohmke, former GitHub CEO, joined Apiiro as an advisor. The focus: new protections for AI coding workflows, including the class of security flaws in AI coding tools reported in mainstream coverage.
  • Public commentary around Dohmke’s move aligns with his long-running stance: AI will augment developers, not replace them, but skills and safety nets must evolve.

What this likely means in practice at Apiiro:

  • Detect and flag AI-introduced vulnerabilities early in code review.
  • Policy guardrails for AI-generated changes across repos and services.
  • Visibility into dependency and supply chain risk amplified by AI tooling.
  • Workflow integrations that sit in PRs, CI/CD, and developer IDEs.

“AI will reinvent developers, not replace them.”

“Keep your coding skills sharp amid the AI revolution.”

Even if you love Copilot, someone needs to own the blast radius. That’s the gap Apiiro is aiming at—with Dohmke’s help.

The Why Behind the Move

Zoom out and the pattern becomes obvious: AI accelerates shipping; attackers accelerate, too. The edge goes to teams who control the feedback loops between generation, review, and runtime.

• Model

LLMs write code fast, but they also normalize insecure patterns. Guardrails must be model-agnostic and workflow-native. That’s a platform problem, not a model problem.

• Traction

Developer AI adoption is broad. Security adoption lags. Bridging the two is high-leverage: a small set of policies can govern thousands of code generations.

• Valuation / Funding

Apiiro operates in a well-funded AppSec category. Security spend is sticky and budget-resilient, especially when tied to SDLC risk and compliance.

• Distribution

The moat isn’t the model—it’s the distribution into developer flow: PR checks, CI/CD, and repo governance. Advisory from a former GitHub CEO helps open doors and integrations.

• Partnerships & Ecosystem Fit

This move complements GitHub, JetBrains, VS Code, and CI providers. Expect integrations, not replacements. The winning pattern: layer safety on top of existing dev tools.

• Timing

Enterprises are moving from AI experiments to AI-in-production. Security leaders are now asking what’s changing in code review, dependency selection, and secret handling.

• Competitive Dynamics

Crowded field: SAST/DAST vendors, code scanners, and newcomer AI-security layers. The wedge: AI-specific risk signals and PR-native controls that catch issues before merge.

• Strategic Risks

  • Commodity scanning pressure if incumbents ship “AI-safe” checkboxes.
  • False positives eroding developer trust.
  • Keeping pace with rapidly changing AI tooling and agent workflows.

What Builders Should Notice

  • Shift-left must include AI. Guardrails belong in prompts, PRs, and pipelines.
  • Trust is the moat. Tools that reduce noise and catch real defects will win.
  • Don’t outsource judgment to LLMs. Keep humans in the review loop.
  • Distribution beats features. Ship where developers already live.
  • Measure AI’s blast radius. Track which changes were AI-assisted and govern them.
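To make "detect and flag AI-introduced vulnerabilities early in code review" and "track which changes were AI-assisted and govern them" concrete, here is an added example of a minimal PR-native guardrail. It is illustrative code written for this post, not Apiiro's product or anything Dohmke has described. Everything in it is assumed: the changed files arrive as a path-to-contents dict, `KNOWN_PACKAGES` stands in for a trusted registry or lockfile snapshot, route handlers follow the Flask `@app.route` pattern and are expected to carry a `@login_required` decorator, an `AI-Assisted: yes` commit trailer marks AI-assisted changes, and the sample change and the package name `flask-auth-magic` are constructed for the demo.

```python
"""Toy PR guardrail for AI-assisted changes (added example; not Apiiro's code).

Assumed conventions (all constructed for this example):
- KNOWN_PACKAGES models a registry/lockfile snapshot the team already trusts.
- Route handlers use Flask-style @app.route and must carry @login_required.
- A git trailer "AI-Assisted: yes" marks a change as AI-assisted.
"""
import ast
import re

KNOWN_PACKAGES = {"requests", "flask", "pyjwt", "cryptography"}

# Patterns an LLM tends to emit as "working" defaults that are not safe defaults.
INSECURE_DEFAULTS = [
    (re.compile(r"verify\s*=\s*False"), "TLS verification disabled"),
    (re.compile(r"debug\s*=\s*True"), "debug mode enabled"),
]


def is_ai_assisted(commit_message):
    """Assumed convention: an 'AI-Assisted: yes' trailer in the commit message."""
    return bool(re.search(r"^AI-Assisted:\s*yes\s*$", commit_message, re.M | re.I))


def check_requirements(text):
    """Flag dependency names absent from the trusted snapshot (hallucination candidates)."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name = re.split(r"[=<>!~\[ ;]", line, maxsplit=1)[0].lower()
        if name not in KNOWN_PACKAGES:
            findings.append(("possible-hallucinated-package", name))
    return findings


def decorator_name(node):
    """@app.route("/x") -> 'route'; @login_required -> 'login_required'."""
    if isinstance(node, ast.Call):
        node = node.func
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return ""


def check_auth(source):
    """Flag route handlers that are not wrapped by the assumed auth decorator."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.FunctionDef):
            names = [decorator_name(d) for d in node.decorator_list]
            if "route" in names and "login_required" not in names:
                findings.append(("missing-auth-check", node.name))
    return findings


def check_insecure_defaults(source):
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for pattern, label in INSECURE_DEFAULTS:
            if pattern.search(line):
                findings.append(("insecure-default", f"{label} (line {lineno})"))
    return findings


def review_change(changed_files, ai_assisted):
    """Run all checks; AI-assisted changes are blocked on any finding, others only warn."""
    findings = []
    for path, text in changed_files.items():
        if path.endswith("requirements.txt"):
            findings += check_requirements(text)
        elif path.endswith(".py"):
            findings += check_auth(text) + check_insecure_defaults(text)
    if not findings:
        return "pass", findings
    return ("block" if ai_assisted else "warn"), findings


# Constructed sample change: one made-up package, one unauthenticated route,
# one disabled TLS check. None of this comes from a real repository.
SAMPLE_CHANGE = {
    "requirements.txt": "requests==2.31.0\nflask>=3.0\nflask-auth-magic==1.0\n",
    "app.py": """\
from flask import Flask
import requests
from auth import login_required

app = Flask(__name__)

@app.route("/profile")
@login_required
def profile():
    return "me"

@app.route("/admin")
def admin():
    return requests.get("https://internal/metrics", verify=False).text
""",
}
SAMPLE_COMMIT = "Add admin metrics endpoint\n\nAI-Assisted: yes\n"

if __name__ == "__main__":
    verdict, found = review_change(SAMPLE_CHANGE, is_ai_assisted(SAMPLE_COMMIT))
    print(verdict)
    for kind, detail in found:
        print(f"  {kind}: {detail}")
```

The policy split in `review_change` is the point: the same findings are a warning on a human-written change and a hard block on an AI-assisted one, which is one simple way to "govern" the blast radius once changes are labelled. The package check only says a name is unknown to your snapshot, so a team would back it with a lockfile or registry lookup rather than the hard-coded set used here.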

Buildloop reflection

The future of secure software isn’t more scans—it’s earlier decisions.
