diff --git a/cmake/AISClangCompilerOptions.cmake b/cmake/AISClangCompilerOptions.cmake
index b91c9362..825fa98d 100644
--- a/cmake/AISClangCompilerOptions.cmake
+++ b/cmake/AISClangCompilerOptions.cmake
@@ -48,6 +48,13 @@ function(get_ais_clang_warning_flags outvar compiler_version)
         -Wno-c++14-compat-pedantic
         -Wno-pre-c++17-compat-pedantic
 
+        # Turn on stack protection options
+        -fstack-clash-protection
+        -fstack-protector-strong
+
+        # Turn on strict flex arrays (helps ASAN, _FORTIFY_SOURCE, etc.)
+        -fstrict-flex-arrays=3
+
         # Misc warnings
         #
         # This includes most warnings that are not enabled by default
@@ -74,6 +81,7 @@ function(get_ais_clang_warning_flags outvar compiler_version)
         -Wcomma
         -Wconditional-uninitialized
         -Wconsumed
+        -Wconversion
         #-Wcovered-switch-default (flags default labels where we handle all enum values)
         -Wcstring-format-directive
         -Wctad-maybe-unsupported
@@ -95,6 +103,7 @@ function(get_ais_clang_warning_flags outvar compiler_version)
         -Wformat=2
         -Wformat-non-iso
         -Wformat-pedantic
+        -Wformat-security
         -Wformat-type-confusion
         -Wfour-char-constants
         -Wfuse-ld-path
@@ -217,6 +226,15 @@ function(get_ais_clang_warning_flags outvar compiler_version)
         )
     endif()
 
+    # Only use _FORTIFY_SOURCE if the optimization level is -O2, -O3, or -Os
+    string(JOIN " " MYCXXFLAGS ${CMAKE_CXX_FLAGS} ${CMAKE_CXX_FLAGS_${CMAKE_BUILD_TYPE}})
+    if(MYCXXFLAGS MATCHES "-O[2-3s]")
+        set(flags
+            -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3
+            ${flags}
+        )
+    endif()
+
     set(${outvar} ${flags} PARENT_SCOPE)
 
 endfunction()
diff --git a/cmake/AISCompilerOptions.cmake b/cmake/AISCompilerOptions.cmake
index 58aea238..fc49b389 100644
--- a/cmake/AISCompilerOptions.cmake
+++ b/cmake/AISCompilerOptions.cmake
@@ -25,9 +25,9 @@ function(ais_set_compiler_flags target)
         # there's mismatch between IWYU's clang and the compiler you are using.
         if(NOT AIS_USE_IWYU)
             if(compiler_id STREQUAL "GNU" OR compiler_id STREQUAL "NVIDIA")
-                get_ais_gnu_warning_flags(compiler_flags compiler_version)
+                get_ais_gnu_warning_flags(compiler_flags ${compiler_version})
             elseif(compiler_id STREQUAL "Clang")
-                get_ais_clang_warning_flags(compiler_flags compiler_version)
+                get_ais_clang_warning_flags(compiler_flags ${compiler_version})
             endif()
         endif()
         target_compile_options(${target} PRIVATE $<$<COMPILE_LANG_AND_ID:${language},${compiler_id}>:${compiler_flags}>)
diff --git a/cmake/AISGNUCompilerOptions.cmake b/cmake/AISGNUCompilerOptions.cmake
index 070cd7db..3c0aaad0 100644
--- a/cmake/AISGNUCompilerOptions.cmake
+++ b/cmake/AISGNUCompilerOptions.cmake
@@ -83,13 +83,21 @@ function(get_ais_gnu_warning_flags outvar compiler_version)
 
     if(compiler_version VERSION_GREATER_EQUAL 12)
         set(flags
-            # Fortify source
-            -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3
             # Misc warnings
+            -Wbidi-chars=any
             -Winterference-size
             -Wtrivial-auto-var-init
             ${flags}
         )
+
+        # Only use _FORTIFY_SOURCE if the optimization level is -O2, -O3, or -Os
+        string(JOIN " " MYCXXFLAGS ${CMAKE_CXX_FLAGS} ${CMAKE_CXX_FLAGS_${CMAKE_BUILD_TYPE}})
+        if(MYCXXFLAGS MATCHES "-O[2-3s]")
+            set(flags
+                -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3
+                ${flags}
+            )
+        endif()
     endif()
 
     if(compiler_version VERSION_GREATER_EQUAL 13)