It remains unclear how AI-powered coding assistants influence developers’ security awareness and practices in real-world software development. This study addresses this gap through a qualitative investigation involving semi-structured interviews and observational analysis of live coding tasks with 15 professional engineers, stratified by their experience interacting with AI tools. The findings reveal that developers rarely articulate security requirements in their initial prompts, leading to a disconnect between security awareness and actual practice. AI assistants tend to shift security reasoning from proactive secure coding toward reactive code review. Although participants spontaneously developed informal strategies to mitigate security risks, current AI tools offer little support for these efforts. Notably, developers’ experience levels did not reliably predict security performance, underscoring the need for improved security-aware design in AI-assisted programming environments.

AI coding assistants are now central to professional software development, yet their impact on how developers think about and practice security remains poorly understood. While prior work has documented vulnerability rates in AI-generated code, a more fundamental question persists: how do these tools transform security awareness in authentic, ongoing development practice? We conducted semi-structured interviews with 15 professional software engineers and observed them completing security-relevant coding tasks with AI assistance, spanning 3 experience cohorts defined by their relationship to AI tools during professional formation. We find that AI coding assistants reorganize rather than eliminate security thinking, shifting it from the act of writing code to the act of reviewing it. This transition from preventive to reactive security is structurally encouraged by interaction models that frame code generation as a functional task, leaving security as an afterthought. Notably, none of our coding session participants specified security requirements in their initial prompts, even when they possessed the relevant knowledge, revealing a decoupling of security awareness from security behavior. We further document informal coping strategies developers had independently invented to manage AI security risk, none of which are supported by current tools or organizations, and find that the experience cohort did not reliably predict security performance. This paper contributes a practice-grounded account of how AI-assisted development reshapes the human side of secure coding, offering empirical foundations for the design of more security-aware tools, training programs, and organizational policies.