You just built an AI-powered app. It works. Customers love it. But have you checked whether your AI is leaking data, your API keys are exposed, or your database is wide open? AI security is the gap nobody talks about — until there's a breach. Here's what to audit and how.
Why AI-built apps have unique security risks
AI code generators (Cursor, Copilot, Claude Code) write functional code fast. But they optimize for “it works” not “it's secure.” Common patterns we see in AI-generated codebases:
- API keys in environment variables referenced client-side — the key works in development but is exposed in production browser bundles
- Row Level Security (RLS) policies set to USING(true) — the developer thinks only the service role uses the table, but the anon key can read everything
- No input validation on API routes — the AI generated the happy path but no error handling for malicious input
- Overpermissive CORS — allowing any origin to call your API because it was easier during development
- Missing rate limiting — an attacker can call your AI endpoint 10,000 times and run up a $500 OpenAI bill in minutes
The 10-point AI security audit checklist
1. API key exposure scan
Search your entire codebase for hardcoded keys. Check environment variable names — anything starting with NEXT_PUBLIC_ is visible to the browser. Your OpenAI key, Stripe secret key, and database service role should NEVER be prefixed with NEXT_PUBLIC_.
2. Database access control (RLS)
If you're using Supabase: run SELECT tablename FROM pg_tables WHERE schemaname = 'public' and verify every table has RLS enabled. Then check that no policy has USING(true) without a role check — that grants access to everyone including unauthenticated users.
3. Authentication on every API route
Every API route that reads or writes data must verify the user's identity. Check for routes that skip auth because they were “internal only” — in a serverless deployment, every route is publicly accessible.
4. Input validation
Every POST/PUT/PATCH endpoint should validate its input against a schema (Zod, Joi, etc.). Without validation, attackers can inject unexpected data types, oversize payloads, or SQL injection strings.
5. Rate limiting on AI endpoints
If your app calls OpenAI, Anthropic, or any paid API, rate-limit the endpoint. Without it, a bot can drain your API budget in minutes. Implement both per-user and per-IP limits.
6. CORS configuration
Check your Access-Control-Allow-Originheader. It should be your domain, not *. Overpermissive CORS lets any website make requests to your API on behalf of your users.
7. Security headers
Verify these headers are set: Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Strict-Transport-Security, Referrer-Policy. Most AI-generated apps miss all of them.
8. Dependency vulnerabilities
Run npm audit or pip audit. AI-generated code often pins old dependency versions. Critical CVEs in your dependencies are your vulnerabilities.
9. Webhook signature verification
If your app receives webhooks (Stripe, Twilio, etc.), verify the signature on every request. Without verification, anyone can send fake webhook events to your endpoint and trigger actions (create fake payments, modify data).
10. Secret rotation plan
When was the last time you rotated your API keys? If they've been in your .env since day one and you've ever committed them to Git (even accidentally), they're compromised. Rotate them now.
Automated AI security scanning vs manual audits
Manual security audits cost $10K-$50K and take 2-4 weeks. They're thorough but expensive and slow. Automated AI security scanners can check 80% of the common vulnerabilities in minutes for a fraction of the cost.
The best approach: automated scanning for continuous monitoring (catch the obvious stuff fast) plus periodic manual audits for the complex stuff (business logic flaws, authentication bypass, privilege escalation).
At AffixedAI, we include a security baseline assessment in every AI implementation project. Because shipping an AI feature that leaks customer data is worse than not shipping it at all. Our free AI consultation includes a security posture check alongside the implementation roadmap.