AI coding assistants are now central to professional software development, yet their impact on how developers think about and practice security remains poorly understood. While prior work has documented vulnerability rates in AI-generated code, a more fundamental question persists: how do these tools transform security awareness in authentic, ongoing development practice? We conducted semi-structured interviews with 15 professional software engineers and observed them completing security-relevant coding tasks with AI assistance, spanning 3 experience cohorts defined by their relationship to AI tools during professional formation. We find that AI coding assistants reorganize rather than eliminate security thinking, shifting it from the act of writing code to the act of reviewing it. This transition from preventive to reactive security is structurally encouraged by interaction models that frame code generation as a functional task, leaving security as an afterthought. Notably, none of our coding session participants specified security requirements in their initial prompts, even when they possessed the relevant knowledge, revealing a decoupling of security awareness from security behavior. We further document informal coping strategies developers had independently invented to manage AI security risk, none of which are supported by current tools or organizations, and find that the experience cohort did not reliably predict security performance. This paper contributes a practice-grounded account of how AI-assisted development reshapes the human side of secure coding, offering empirical foundations for the design of more security-aware tools, training programs, and organizational policies.