
The “builder” boom breaking security
Someone on your go-to-market team is probably building a new AI automation right now. They’re watching a YouTube tutorial, downloading a model from Hugging Face, and sharing a new Claude skill. They have no idea they just introduced an untrusted model to company infrastructure.
This is the paradox at the center of “builder culture,” where traditionally non-technical roles are being redefined, and employees are encouraged to build, optimize, and ship. It’s driving an explosion in vendor adoption across departments and introducing a brand-new form of AI security exposure that didn't exist twelve months ago.
Our latest Trust Signals drop explores how builder culture is changing the risk landscape, and what happens when security is still built for a world where only product engineers shipped.
Shipping for a living
Not long ago, “builder” described a specific kind of person within a company. It was an engineer or a developer, and usually someone who lived in a terminal window. But that definition has radically expanded.
Builder is now the baseline expectation for ambitious professionals across every function. Titles like "GTM engineer," "marketing engineer," and "legal engineer" are multiplying fast. Across Vanta's base of more than 16,000 customers, builder roles have grown 311% YoY. When mapping job titles within our HRIS integrations, we see a 1,329% YoY surge in "GTM Engineer" roles specifically, and 850% YoY growth in "Legal Engineer" roles.
The expectation to ship has moved well beyond engineering. Everyone is prototyping, automating, integrating, and deploying. And when everyone is asked to ship and try new tools, vendor growth follows. Organizations with builder roles use 42% more vendors than those without. They evaluate, adopt, and integrate them quickly to get the job done.
AI adoption: Led by builders
As you’d expect, AI adoption is the most telling disparity between organizations with builder roles and those without. Builder organizations adopt AI vendors at a 73% higher rate. The top three AI-native vendors in use at builder organizations are OpenAI, Anthropic, and Cursor.
The vendor mix shows where priorities sit. More builder organizations are now using OpenAI (32%) and Anthropic (26%) than traditional staples like HubSpot (25%) and Salesforce (22%). This is the early shape of the so-called SaaSpocalypse. Core systems aren’t being replaced (CRMs are still part of the stack, for example). But builders are using AI to wire up custom workflows that sit between those systems and the actual work getting done, instead of purchasing point solutions.
The appeal is real now that writing code costs a fraction of what it used to. But cheaper code doesn't necessarily mean cheaper software: initial development is only a fraction of the total software lifecycle cost. The other 70-80% is maintenance, operations, security patches, and compliance updates.
Security wasn’t built for this
Alongside the builder role surge, a new pattern emerged in Vanta's data: a brand-new alert category called "AI security." Twelve months ago, it triggered zero alerts across our entire customer base. Now, hundreds of alerts are popping up each month.
Nearly half of those alerts (49%) are flagged as "VMs running suspicious or untrusted AI models." This could stem from a variety of factors. Sometimes it's technical and non-technical personnel experimenting in test environments. Other times, it's non-technical employees accessing VMs and unknowingly introducing models that carry hidden risk. Either way, it's a direct signal of how easily exposure escalates when more employees have access to company infrastructure.
Vendor risk exposure
The vendor risk picture compounds the problem. Builder organizations bring in more vendors, faster, and use AI vendors at higher rates, so risk concentrates. Of all vendors used by builder organizations, more than 1 in 3 are flagged as high or critical risk.
Vendors often come into the mix outside proper procurement channels. Our previous Trust Signals drop noted that 70% of organizations have Shadow AI and that Shadow IT has grown 36% YoY. That leaves organizations exposed, because 98% of Shadow IT vendors never get a security review.
In builder culture, another layer of exposure makes things even more complicated. Workflow automations stitched together in no-code platforms, open-weight models pulled from Hugging Face, and AI agents wired directly into infrastructure all sit below the vendor layer. These don't look like vendors to a procurement team, so they don’t even enter a security review queue.
Building security for how work actually happens
Builders are doing exactly what the business needs them to do. The security program has to scale with them. That means automated vendor review, AI risk detection that doesn’t require a security analyst to catch every alert, and coverage that matches the pace of adoption.
What security teams can do right now:
- Replace intake forms with risk-tiered automation. Map your third-party inventory to data classification and system criticality so reviews trigger automatically based on risk profile, not requester diligence.
- Find out what AI tools are actually running across the organization, then build an approved AI tool registry and define acceptable-use guardrails.
- Audit OAuth grants and app access logs. Rather than defaulting to blocklists, prioritize widely adopted tools for expedited security review based on risk tier. Then build a repeatable app request process from that baseline.
- Extend SSDLC beyond engineering. Establish lightweight security review gates for apps built outside traditional development pipelines, including no-code tools, workflow automations, and AI agent integrations. Define a minimum bar for what "built securely" means, regardless of who built it.
- Catch misconfigurations before production. Integrate policy-as-code tooling into your CI/CD pipeline so infrastructure changes are validated at the pull request stage, and maintain a library of pre-approved, hardened infrastructure templates.
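The first three items above (risk-tiered review, an approved AI tool registry, and an OAuth grant audit) fit together in one piece of logic: read the grants your identity provider already records, compare each app against the registry, and let the data classification of the granted scopes, not the requester, decide how deep the review goes. The script below is an added example written for this article, not Vanta's code or a Vanta API. The JSON-lines log format, the client IDs, the scope names and the scope-to-classification mapping are all constructed for illustration; substitute your IdP's export and your own classification scheme. It goes slightly beyond the list by also catching "scope drift," an approved app that later acquires scopes nobody reviewed.

```python
"""Reconcile OAuth app grants against an approved AI tool registry.

Added example (not Vanta's code). Log format, app names, scope names and the
scope-to-classification mapping are constructed for illustration.
"""
from dataclasses import dataclass
import json

# Constructed: which data classification each OAuth scope exposes. Unknown scopes
# are treated as "restricted" in highest_classification() so the check fails closed.
SCOPE_CLASSIFICATION = {
    "calendar.readonly": "internal",
    "contacts.readonly": "confidential",
    "mail.readonly": "confidential",
    "drive": "restricted",
    "drive.readonly": "restricted",
    "admin.directory.user": "restricted",
}
CLASSIFICATION_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Review depth is driven by the most sensitive data the app can reach.
TIER_BY_CLASSIFICATION = {
    "public": "auto-approve",
    "internal": "lightweight",
    "confidential": "standard",
    "restricted": "critical",
}


@dataclass
class RegistryEntry:
    vendor: str
    approved_scopes: set
    review_date: str


# Constructed approved AI tool registry, keyed by OAuth client_id.
APPROVED_REGISTRY = {
    "client-meetingnotes-ai": RegistryEntry("MeetingNotes AI (hypothetical)", {"calendar.readonly"}, "2026-01-15"),
    "client-crm-copilot": RegistryEntry("CRM Copilot (hypothetical)", {"contacts.readonly", "mail.readonly"}, "2026-02-03"),
}

# Constructed OAuth grant log, one JSON object per line, as an IdP might export it.
SAMPLE_GRANT_LOG = """\
{"ts":"2026-04-02T09:14:03Z","user":"gtm.builder@example.com","client_id":"client-meetingnotes-ai","scopes":["calendar.readonly"]}
{"ts":"2026-04-02T10:41:55Z","user":"legal.eng@example.com","client_id":"client-crm-copilot","scopes":["contacts.readonly","mail.readonly","drive.readonly"]}
{"ts":"2026-04-03T08:02:17Z","user":"marketing.eng@example.com","client_id":"client-sheetbot-7f3a","scopes":["drive"]}
{"ts":"2026-04-03T08:05:40Z","user":"ops@example.com","client_id":"client-statuswidget","scopes":["calendar.readonly"]}
"""


def highest_classification(scopes):
    """Most sensitive classification among the granted scopes (unknown = restricted)."""
    best = "public"
    for scope in scopes:
        cls = SCOPE_CLASSIFICATION.get(scope, "restricted")
        if CLASSIFICATION_RANK[cls] > CLASSIFICATION_RANK[best]:
            best = cls
    return best


def assess_grant(grant, registry=APPROVED_REGISTRY):
    """Classify one grant as approved, scope_drift or unregistered, with its review tier."""
    scopes = set(grant["scopes"])
    cls = highest_classification(scopes)
    entry = registry.get(grant["client_id"])
    if entry is None:
        status, excess = "unregistered", sorted(scopes)
    else:
        excess = sorted(scopes - entry.approved_scopes)
        status = "scope_drift" if excess else "approved"
    return {
        "client_id": grant["client_id"],
        "user": grant["user"],
        "status": status,
        "classification": cls,
        "review_tier": TIER_BY_CLASSIFICATION[cls],
        "unapproved_scopes": excess,
    }


def triage(log_text, registry=APPROVED_REGISTRY):
    """Parse a JSON-lines grant log; return the grants that need review, most sensitive first."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        finding = assess_grant(json.loads(line), registry)
        if finding["status"] != "approved":
            findings.append(finding)
    # Stable sort: ties keep log order, so the earliest grant surfaces first.
    findings.sort(key=lambda f: -CLASSIFICATION_RANK[f["classification"]])
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_GRANT_LOG):
        print(f"{f['review_tier']:>12}  {f['status']:<12} {f['client_id']:<24} {f['user']}  extra={f['unapproved_scopes']}")
```

Run against the constructed log, the script returns three findings: the CRM Copilot grant (approved app, but `drive.readonly` was never reviewed, so it lands in the critical tier), the unregistered spreadsheet bot with full Drive access, and an unregistered status widget that only reads calendars and gets the lightweight tier. The fully approved MeetingNotes grant is not returned at all, which is the point of tiering: review effort goes where the data exposure is, and an automation that only touches low-classification data does not sit in the same queue as one that can read every document.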
Tooling alone won't close this gap. Governance has to scale at the same pace as AI enablement—covering builder-built apps, not just products shipped by engineering.
Vanta’s Third Party Risk Management solution is built for the pace of builder culture. It automatically surfaces, scores, and tracks the vendors your team is bringing in, including the AI tools builders are adopting faster than any review process was designed to handle. It runs continuously, so builders can continue to build while the organization maintains visibility into the risks being introduced.
Builder culture isn't a trend security teams can wait out. Tomorrow your GTM teammate will open the next tutorial, download the next model, and ship the next automation. The organizations that get ahead build security processes around how work actually happens, when everyone has a deploy button.
Methodology:
The anonymized data used in this analysis comes from Vanta’s platform, spanning vulnerability management, vendor risk management, security alerts, and compliance workflows across thousands of businesses from February 2024 through April 2026. By integrating customer account data with platform activity, we analyze trends in remediation behavior, risk levels, alert engagement, and overall security posture across different segments and company sizes. Vendor risk levels and alert categories are based on Vanta’s internal scoring and detection frameworks, with a particular focus on emerging patterns such as AI tool usage. Segment comparisons follow Vanta’s FY27 definitions (Downmarket and Upmarket), and year-over-year analyses use consistent customer cohorts to ensure comparability over time.