Hang on, why is it costly for in-house to run AI scanners but near zero for threat actors to do the same?

I've seen multiple proprietary places now including a routine AI scan of their code because it's so cheap and they may as well use-up unused tokens at the end of the week.

I mean, it's literally zero because they already paid for CC for every developer. You can't get cheaper than that.