We Scanned AI-Built Apps and Found Holes That Would End Companies. Here's What We Found.

DEV Community·Aditi Bhatnagar·28 days ago
#ai #security #vibecoding #mythos #code #every

I want to tell you about a bootstrap endpoint. It was in a production app, live, serving real users. The endpoint existed because an AI assistant had helpfully included it during scaffolding. It returned the application's master authentication token. To anyone who asked. No login required. No API key. No nothing. One HTTP request and you had every LLM API key, every database password, every third-party credential the app had ever touched. Fourteen secrets, handed over cheerfully by an app that had no idea it was doing anything wrong.

The developer who built this wasn't careless. They were fast. That's the whole point.

How We Got Here

Georgetown's CSET ran the numbers on AI-generated code versus hand-written code. The result was 2.74 times more vulnerabilities. Not a little worse. Nearly three times. That tracks with what we see. Not because AI is bad at writing code — it's genuinely extraordinary at writing code.…
