Educational, Research

GenAI is already in your code — what’s at risk depends on your industry

Itay Nussbaum
Product Manager
Published June 17, 2025 · 4 min. read

Twice the adoption, 7× the risk: GenAI in retail vs finance

GenAI is already reshaping enterprise codebases — but how it’s adopted, built, and secured differs drastically across industries.

Apiiro, the leading Agentic Application Security platform, used its patented Deep Code Analysis (DCA) engine to examine over 100,000 code repositories across the software development lifecycle. The objective: to understand how organizations are integrating GenAI — including AI frameworks, models, and training data — from code to runtime.

Before diving into the data, one thing is clear: AI risks cannot be assessed in isolation. Repeating the siloed mistakes of traditional SCA, SAST, and other scanners won’t work. GenAI is one node in your software architecture graph — and must be evaluated in full context, alongside every software component — from code to runtime.

The results reveal a sharp industry divide:

  • Retail companies are moving fast, embedding GenAI into customer-facing systems and pushing to production at 2× the rate of other sectors.
  • Financial institutions are more cautious but face 7× more embedded secrets in GenAI codebases compared to non-GenAI ones — increasing exposure despite slower adoption.

This report unpacks what’s really happening inside the code — and what it means for AppSec and platform teams racing to secure GenAI in the real world.

1. Retail is pushing GenAI into production faster. Finance is still experimenting.

Retail orgs aren’t just dabbling in GenAI — they’re putting it into production.

In Apiiro’s dataset of enterprise code repositories, GenAI adoption shows a clear trend:
Retail companies are embedding GenAI at 2.1× the rate of Financial Services, based on the proportion of repositories that include GenAI components.

And they’re not just shipping faster — they’re building more actively. In Apiiro’s telemetry, 61% of Retail GenAI repositories show active development, based on commit activity and contributor engagement. In Financial Services, that number drops to 22%.

That’s a 2.7× difference in dev activity, reflecting how Retail teams are moving GenAI projects through the build-test-ship cycle — while many Finance teams remain in slower, more siloed experimentation phases.

This isn’t just speed for speed’s sake. It reflects how Retail teams are using GenAI to power real-time, customer-facing features like recommendation engines and automated support. With shorter feedback loops and direct revenue impact, the incentive to ship is constant.

Financial institutions, by contrast, operate under heavier regulatory scrutiny. Their GenAI work is more cautious, often confined to internal systems — and it shows in the development patterns.

2. Financial firms are sitting on older GenAI code — and 7× the risk

In GenAI, code age isn’t just a number — it’s a risk multiplier.

Financial Services organizations tend to hold onto GenAI projects longer. According to Apiiro telemetry, their average GenAI repository is 688 days old — significantly older than the 453-day average in Retail.

That longevity comes at a cost: GenAI repositories in Finance carry 7× the risk density of their non-GenAI counterparts, based on secrets exposure, software composition vulnerabilities, and embedded credentials.

The most common risk: secrets exposure, including hardcoded API keys and tokens. These often accumulate over time in legacy pipelines — especially when GenAI features are bolted onto existing services.

Retail, by contrast, shows lower risk density in GenAI code overall. While static analysis findings are slightly higher (likely due to rapid release cycles), their codebases are newer and less encumbered by tech debt or brittle integration layers.

This highlights a critical reality: in Finance, the very structure of GenAI adoption — incremental, cautious, long-lived — may be increasing exposure over time. Even in organizations with strong governance, older GenAI projects become blind spots unless actively maintained, refactored, or retired.

Retail teams aren’t just shipping GenAI faster — they’re plugging it straight into sensitive systems.

Apiiro’s repository-level analysis found that 25.7% of Retail GenAI projects include sensitive data, such as payment info, customer records, or personally identifiable information (PII). In Financial Services, that number is 14.6%. That makes Retail 1.8× more likely to embed sensitive data directly into GenAI pipelines.

Why? Because in Retail, GenAI often powers customer-facing use cases: personalized product recommendations, automated support, tailored promotions. These systems rely on real-time, user-specific context — and that means direct access to sensitive data.

In Finance, GenAI usage remains more siloed, less client-facing: pilot programs, internal assistants, or data-abstracted training scenarios. Regulatory pressure plays a role, but so does engineering culture — pipelines are less often wired directly into live user data.

3. Retail consolidates on OpenAI; finance experiments broadly

Tooling is strategy — and GenAI stacks reveal how industries build.

In Apiiro’s telemetry, Financial Services teams use a wide range of GenAI tools, including OpenAI Client, LangChain, and LiteLLM. Their projects span multiple model types and dataset formats — a sign of active experimentation across varied use cases.

Retail, by contrast, has converged on a smaller, tighter stack: OpenAI Python SDKs and LiteLLM dominate. These tools feed into high-leverage, customer-facing use cases like product recommendations and personalized search.

That focus pays off. Fewer tools mean fewer integration points, tighter pipelines, and more repeatable patterns — all of which support faster operationalization.

Meanwhile, Finance’s broader stack creates fragmented risk surfaces and steeper governance complexity. What it gains in flexibility, it loses in consistency.

GenAI is already in your code, but risk looks different by industry

What This Means for AppSec and Platform Teams

GenAI is already in your code — but what it touches, and what it risks, depends on your industry.

In Retail, GenAI is fast, customer-facing, and wired into sensitive data. In Finance, it’s slower, older, and layered onto legacy systems. Both create risk — just in different ways.

AppSec and platform teams need to calibrate accordingly:

  • In Retail, start with data mapping, access control audits, and early-stage static analysis to catch issues before deployment.
  • In Finance, prioritize secrets detection, dependency hygiene, and reviewing whether dormant GenAI projects should be refactored or retired.
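The two findings the post keeps returning to, hardcoded API keys and tokens accumulating in long-lived GenAI repositories (section 2) and the call to prioritize secrets detection and to review dormant projects (the list above), can be turned into a small repository-level check. The script below is an added example written for this page; it is not Apiiro's code and not its Deep Code Analysis engine. It works on a constructed, in-memory set of repositories: it marks a repository as GenAI-bearing when it imports one of the SDKs the post names (openai, langchain, litellm), scans each file for credential patterns (the public "sk-" OpenAI key prefix plus generic `key = "..."` assignments), and reports repository age and dormancy from constructed commit dates. The sample key, password, repo names and the 180-day idle threshold are all assumptions made for the example.

```python
"""Added example (not Apiiro's code): flag hardcoded credentials and
dormant GenAI repositories across a constructed set of repos."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date

# Credential patterns. "sk-" is the public OpenAI key prefix; the generic
# pattern catches assignments such as api_key = "..." for any provider.
SECRET_PATTERNS = {
    "openai_style_key": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b"),
    "hardcoded_assignment": re.compile(
        r"(?i)\b\w*(api[_-]?key|secret|token|password)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

# SDKs named in the post; importing one marks the repo as GenAI-bearing.
GENAI_IMPORTS = ("openai", "langchain", "litellm")
_IMPORT_RE = re.compile(
    r"^\s*(?:import|from)\s+(" + "|".join(GENAI_IMPORTS) + r")\b", re.M
)


@dataclass
class Repo:
    name: str
    files: dict[str, str]  # path -> file contents
    first_commit: date
    last_commit: date


@dataclass
class Finding:
    repo: str
    path: str
    line: int
    kind: str


def uses_genai(repo: Repo) -> bool:
    """True if any file imports one of the GenAI SDKs."""
    return any(_IMPORT_RE.search(src) for src in repo.files.values())


def find_secrets(repo: Repo) -> list[Finding]:
    """Line-by-line scan; at most one finding per line."""
    findings: list[Finding] = []
    for path, src in repo.files.items():
        for lineno, line in enumerate(src.splitlines(), 1):
            for kind, pat in SECRET_PATTERNS.items():
                if pat.search(line):
                    findings.append(Finding(repo.name, path, lineno, kind))
                    break
    return findings


def repo_age_days(repo: Repo, today: date) -> int:
    return (today - repo.first_commit).days


def is_dormant(repo: Repo, today: date, idle_days: int = 180) -> bool:
    """Assumed threshold: no commits for more than idle_days."""
    return (today - repo.last_commit).days > idle_days


def assess(repos: list[Repo], today: date) -> dict[str, dict]:
    """Report secrets, age and dormancy for every GenAI-bearing repo."""
    report = {}
    for r in repos:
        if not uses_genai(r):
            continue  # non-GenAI repos are out of scope for this check
        report[r.name] = {
            "secrets": find_secrets(r),
            "age_days": repo_age_days(r, today),
            "dormant": is_dormant(r, today),
        }
    return report


# Constructed sample data. TODAY is the post's publication date, used as "now".
TODAY = date(2025, 6, 17)
SAMPLE_REPOS = [
    Repo(  # young, actively developed, key read from the environment
        name="retail-recommender",
        files={"app/recs.py": (
            "import os\n"
            "from openai import OpenAI\n"
            "client = OpenAI(api_key=os.environ['OPENAI_API_KEY'])\n")},
        first_commit=date(2024, 3, 21), last_commit=date(2025, 6, 10),
    ),
    Repo(  # old, idle, with credentials committed to source
        name="bank-legacy-assistant",
        files={"svc/llm.py": (
            "import openai\n"
            "# CONSTRUCTED placeholder key, not a real credential\n"
            "openai.api_key = 'sk-CONSTRUCTEDEXAMPLE0000000000000000'\n"),
            "svc/settings.py": "DB_PASSWORD = \"hunter2-hunter2\"\n"},
        first_commit=date(2023, 7, 30), last_commit=date(2024, 9, 1),
    ),
    Repo(  # no GenAI SDK, so excluded from the report even with a token
        name="billing-batch",
        files={"job.py": "import csv\nTOKEN = 'abcdefghijkl'\n"},
        first_commit=date(2022, 1, 1), last_commit=date(2025, 6, 1),
    ),
]

if __name__ == "__main__":
    for name, r in assess(SAMPLE_REPOS, TODAY).items():
        print(name, r["age_days"], "days", "dormant" if r["dormant"] else "active",
              len(r["secrets"]), "secret finding(s)")
```

Run as a script it prints one line per GenAI-bearing repository; the constructed "bank" repository comes out at 688 days old (the post's Finance average), dormant, with two credential findings, while the "retail" repository is 453 days old, active and clean because its key comes from the environment. Reading the two reports side by side is the point: age and dormancy alone are not findings, but a dormant repository that still carries live-looking credentials is the case the post says should be refactored or retired.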

At Apiiro, we help teams trace GenAI adoption across the SDLC — from design, to the first experimental commit, to full production rollout. Our platform correlates where GenAI appears, what data it touches, and what risks it introduces, so teams can act early — before tech debt becomes breach risk.

If you want to understand your GenAI risk exposure, visit Apiiro and get a live demo.