> It's interesting if AI systems can "spot" these, in the sense of autonomously exercising the application and "understanding" obvious failed authz check patterns. But it's a "hm, ok, sure" kind of interesting.

I think that misses the bigger point: automated scanners have gotten better and the floor for issues has risen. Security@ mailing groups are going to be getting more messages that aren't just noise from people running automated scanners.