The AI security gap: 98% integrate LLMs, 48% deploy MCPs in production, 24% still onboarding security for them.

Pynt's latest research, The GenAI Application Security Report, surveyed 250 engineering and security leaders across North America and Europe to understand how organizations are adopting LLMs, MCPs, and AI-driven development. The finding: near-universal adoption of AI infrastructure, but security deployment lags behind by months.

Three-quarters of organizations use LLMs in customer-facing applications. Nearly half deploy MCPs in production. Yet a quarter are still onboarding dedicated MCP security solutions while their MCPs already serve users.

As organizations rush to integrate AI, they're discovering that without proper security workflows and team alignment, they're just shifting risk, not managing it.

Inside Our Research

This research is based on an independent survey conducted in September 2025 among 250 professionals across various industries, functions, and company sizes. The participants were specifically from technical and security-oriented roles:

  • 29% IT/Software security managers
  • 26% Software engineering leaders
  • 20% Software engineers/Lead
  • 17% DevOps managers
  • 8% CISO/Security leaders

The geographic distribution included 40% from North America, 20% from the United Kingdom, 20% from Germany, 10% from Spain, and 10% from Italy. Company sizes ranged from startups under 50 employees to large enterprises over 5,000 employees, ensuring diverse organizational perspectives.

Respondents were independent, unaffiliated with Pynt, and unaware of Pynt's role in commissioning this survey.

Key Findings

AI went from zero to mandatory infrastructure in 24 months: 98% adopted or adopting, only 2% resisting.
LLM integration is no longer a competitive advantage. It's the baseline. Organizations that haven't adopted aren't being cautious; they're being left behind.

One in four organizations is still onboarding MCP security tools.
24% are currently onboarding MCP security while their MCPs already serve users. Deploy first, secure later. If the breach doesn't hit first.

49% of non-adopters cite security as the reason they're staying out.
Not cost. Not latency. Not trust issues. Security is the top barrier keeping the 2-4% holdouts from adopting AI. They might be the only ones being honest about the risk.

Nobody's building chatbots. They're querying your databases.
Data analysis crushes chatbots 44% to 26%. LLMs aren't answering customer questions. They're accessing internal systems, parsing sensitive data, and triggering API calls to infrastructure that was never designed for AI workloads.

API security just became the top application security priority for 2026.
55% rank API security as their top concern, eclipsing LLM-specific tools (27%) and traditional AppSec (17%) combined. The API problem was never solved. AI just made it exponential.

The developer autonomy era is over. Security reviews are the new release bottleneck.
Third-party LLM APIs and MCP orchestration mean developers no longer control their stack. Security compliance isn't slowing releases. It's gating them entirely. Speed traded for dependence.

75% put LLMs in customer-facing apps. 26% still don't have API security fully deployed.
AI is production infrastructure serving end users, but security deployment lags by months. The exposure window isn't hypothetical. It's open right now.

The Architecture Changed. Security Didn't.

In the pre-AI era, APIs were predictable. A handful of endpoints powered web, B2B apps, and mobile experiences. Security tools like WAF, DAST, and SAST were designed for this world: linear, contained, testable.

Applications today are networks of LLMs, agents, and MCPs, each consuming APIs dynamically.

Old apps: Fixed API calls. Predictable workflows. Security tools could map everything.

New apps: LLM decision trees triggering dozens of chained API calls per user action. Dynamic execution paths that shift based on LLM outputs. Traditional security can't keep up.

This isn't incremental change. It's an architectural disruption.

And most organizations never fully secured their APIs in the first place.

The Adoption-Security Lag: By the Numbers

The data exposes the gap between AI deployment and security readiness:

| Metric | Finding |
|---|---|
| Organizations adopting LLMs | 98% |
| LLMs in customer-facing apps | 75% |
| MCPs in customer-facing apps | 47% |
| LLM security fully deployed | 54% |
| MCP security currently onboarding | 24% |
| API security currently onboarding | 26% |
| Security cited as top adoption barrier | 49% |
| Organizations refusing AI adoption | 2% |

The pattern is consistent: deploy first, secure later. 24% are onboarding MCP security while MCPs serve production traffic. 26% are onboarding API security for endpoints already exposed.

Regional data shows this isn't isolated. North America and Europe both report the same lag.

Full Survey Data

The complete GenAI Application Security Report includes all 250 responses, detailed breakdowns by role and region, adoption timelines, use case analysis, security deployment patterns, and the full survey methodology.