OpenSSF CTO Christopher Robinson warns that AI is overwhelming open source maintainers with scale, exposing human limits in security, trust, and vulnerability response.
Open source security is entering a new phase of risk, where artificial intelligence is amplifying threats at a scale that human maintainers cannot match. Speaking at KubeCon Europe 2026, Christopher Robinson, Chief Security Architect and CTO at Open Source Security Foundation, underscored that the core issue is not technological—but human.
“What we’re going through today with AI is bananas. The fact that MCP and agentic didn’t exist a year ago, and now agentic is the only thing people are talking about – it’s insane.”
A key pressure point is the surge in AI-generated vulnerability reports. “Each PR, depending if it’s a security issue, takes developers between two and eight hours to effectively triage… you’re getting hundreds of reports flooding these people’s inboxes.”
While some maintainers are rejecting such reports, Robinson warned: “If the researcher or the agent can’t get treated by the project, they’re going to go fully public and ruin the reputation of the project.”
The scale problem is compounded by persistent vulnerabilities. The Log4Shell crisis remains unresolved, with 619 million downloads in 2025 and 42 million vulnerable versions still in use. AI further worsens the risk through flawed recommendations, including a 27.76% hallucination rate and suggestions of compromised packages.
“Everything within security circles around identity,” Robinson noted, pointing to trust frameworks such as the Linux Foundation’s First Person project.
With AI-driven attacks evolving, he cautioned: “The robots have infinite patience and velocity and time that we don’t have. Humans have to sleep sometimes.”
