I'm working at a medium sized SaaS vendor. We've been using Aikido Code which tries to filter vulnerability impact using AI. Results are generally positive, though we are still struggling with keeping the amount of CVEs down, due to the size of our code bases and the amount of dependencies.
I'd be weary to trust AI with something like that, especially if I had to assert to a third party that we absolutely do not have a vulnerability.