Guidance – AI, open code and vulnerability risk in the public sector
This article examines UK government guidance on balancing AI adoption, open code practices, and vulnerability risk in the public sector. It highlights key principles like rejecting security by obscurity, assuming shorter discovery-to-exploit windows, and strengthening remediation capability. The guidance sets a minimum operational security bar aligned with NCSC Secure by Design, OWASP ASVS, and ISO 27001. It argues that risk is driven by weaknesses and remediation capability, not code visibility. However, it notes that open-by-default can amplify exposure for organizations lacking maturity in patching, CI/CD security, and vulnerability response. The article concludes that openness is beneficial only for organizations that can patch rapidly, detect continuously, and respond to disclosures.