Survey: 98% Adopting LLMs into Apps, While 24% Still Onboard Security Tools (www.pynt.io)

🤖 AI Summary
Pynt’s GenAI Application Security Report, based on a September 2025 survey of 250 engineering and security leaders across North America and Europe, finds LLMs are now near-ubiquitous: 98% of organizations have adopted or are adopting them, 75% put LLMs in customer-facing apps, and nearly half have deployed model control planes (MCPs) in production. Yet security is lagging: 24% are still onboarding MCP security while those MCPs already serve users, and ~26% are onboarding API security for endpoints already exposed. The result is a deploy-first, secure-later posture that leaves a meaningful exposure window.

Technically, the report highlights why traditional AppSec tools (WAF, DAST, SAST) struggle: LLMs and agent architectures create dynamic decision trees and chained API calls that were never anticipated by legacy tooling. Usage has shifted from simple chatbots to data analysis and internal system querying (44% vs 26%), making API security the top application priority for 2026 (55% rank it first).

Practical implications: security reviews are becoming the primary release bottleneck, ownership boundaries blur as developers rely on third-party LLM APIs, and organizations face systemic risk unless they align workflows, observability, and API/MCP defenses to these new, non-deterministic architectures.