ChatGPT
Perplexity
Most teams budget for agentic coding tools the way they budget for any developer software. Per-seat licensing, some infrastructure, and a line item for model tokens. The proposal gets approved, the agents get deployed, and the work moves faster.
The security layer that makes those agents safe to run against a production codebase is a separate investment category, and it rarely appears in that first proposal. It tends to surface after something has already gone wrong, when remediation costs far more than the controls would have at the planning stage.
How does giving an AI agent write access change your security threat model?
Write access changes who the attacker has to be. Standard application security looks for flaws in human-written code, and it was never designed for an agent that can be redirected by the content it reads.
When an agent has write access to your codebase and pipeline, an attacker no longer needs to get through your perimeter. They need to influence what the agent ingests, and the delivery surface is ordinary project material, such as a repository file, a pull request comment, or an issue body.
In August 2025, Microsoft patched CVE-2025-53773, a critical prompt-injection flaw in GitHub Copilot for VS Code that let instructions buried in repository files silently switch the agent into auto-approval mode and escalate to remote code execution.
Researchers showed the technique could be made self-propagating through the same files agents routinely read. This was not an edge case one vendor missed.
OWASP has ranked prompt injection as the top risk for LLM applications since 2023, and Microsoft’s own AI Red Team has documented agents being misled by instructions hidden in everyday content and having their reasoning redirected through manipulated task framing.
What can you do?
Before any agent gets production write access, have your security team try to redirect it through a crafted pull request comment or issue body. If no one has run that test, treat the agent as untested.
Stay updated with Simform’s weekly insights.
What does securing AI coding agents cost beyond the license?
The license covers seats, infrastructure, and tokens. It does not cover the controls that make agent-written code safe to ship, and those controls are a separate budget line.
Spending tends to flow where it already flows, toward AI-powered defense, while the agents generating the code go comparatively unguarded.
Gartner’s 4Q25 forecast split the AI cybersecurity market for the first time, and the gap is stark. Roughly $49 billion went into AI-amplified security in 2025, against $2.8 billion spent securing the AI itself, an asymmetry of about 17 to 1.
That gap has a measurable cost in the code. GitGuardian’s State of Secrets Sprawl 2026 found that commits co-authored by Claude Code leaked secrets at roughly twice the rate of human-written commits, and separately identified thousands of valid credentials sitting in Model Context Protocol configuration files on public repositories.
IBM’s breach research adds a price tag: shadow-AI breaches cost, on average, $670,000 more than conventional ones.
The controls that close this exposure are not features of the coding tool. Each agent needs its own auditable identity instead of a shared service account, with access scoped to only the data and systems it requires.
What can you do?
Secret scanning has to run before code reaches a shared repository, and audit trails have to be able to reconstruct what an agent did and on whose authority.
Each of those is a separate line item, and none of them ship with the license.
The most immediate one to fund is pre-commit secret scanning, so hardcoded credentials in agent-generated code get caught before they ever reach a shared branch.
Who is accountable when an agentic coding tool causes a breach?
The exposure usually lands in a different seat than the one that approved the tool. A CTO evaluates an agentic coding stack on what it can do and how fast it ships. A COO carries the regulatory and operational fallout if it goes wrong, and those two vantage points rarely meet in the same decision.
That difference shows up in the data. Grant Thornton’s AI impact survey of 950 US business leaders found that 54% of COOs were concerned about regulatory and compliance uncertainty from agentic AI, compared with 20% of CTOs.
The gap tracks where the exposure lands rather than how seriously each role takes it. Regulatory and compliance risk is the COO’s domain, so it registers most sharply in that seat.
The same survey found that three in four organizations already give agentic AI access to their data and processes, while only one in five has a tested incident-response plan.
The result is a coordination problem. The case for the tool and the accountability for its failure sit in different seats, and the security layer falls into the space between them.
Closing that gap does not slow delivery. When Salesforce embedded security guardrails structurally into its agentic SDLC from the first deployment, work items completed per developer rose by just over 50%, with speed and quality improving together rather than trading off.
What can you do?
Put the security and compliance conversation in the same room as the tooling decision, and name an owner for each agent-enabled process before it goes live, not after the first incident makes the question urgent.
What do regulated industries owe when an agent touches protected data?
In regulated sectors, an agent’s action is a regulated event, and accountability stays with the firm and its named people rather than the model vendor.
None of the rules governing healthcare or financial services were written with autonomous agents in mind. Still, they apply anyway, because they attach to the data and the decision rather than to who performed it.
Under HIPAA, an agent querying a patient record is a regulated access event, subject to the same access controls, audit logging, and minimum-necessary rules as a human analyst.
The FDA distinguishes AI that informs a clinician’s judgment from AI that replaces it, with the latter potentially crossing into medical-device territory.
In US financial services, SR 11-7 expects model documentation, validation, and ongoing monitoring, while NYDFS Part 500 requires access controls and audit trails for any AI processing customer data.
The UK’s FCA is blunt about it. Delegating a decision to an algorithm does not transfer accountability; a named senior manager remains personally liable.
The EU AI Act sets firm dates rather than leaving this open-ended, with high-risk obligations applying from December 2027 and a further deadline of August 2028 for high-risk AI embedded in products.
What can you do?
Map each agent action to the regulation that governs it before deployment, and put a named senior manager behind every agent-enabled process. No regulator will accept “the algorithm did it.”
How should a mid-market team sequence its agentic security investment?
Start with a funding order, not a governance program. For a three-to-five-person team, a full buildout is more than you can absorb at once, and the controls do not all carry equal urgency on day one.
Early on, the problem is hygiene, the basic work of giving each agent its own identity, scoping its access to least privilege, and scanning its output for secrets before anything merges.
As you scale, the cost shifts rather than disappears, moving from prevention toward compliance, auditability, and proving what happened.
Grant Thornton found that 78% of organizations could not pass an AI governance audit within 90 days, which becomes a real expense the moment a regulator or customer requests the records.
Microsoft’s own agent-governance guidance starts from the same place, treating each agent as an identity with least-privilege access and a tested incident plan before anything scales.
Fund hygiene first, then build audit and incident-response capability before scaling agents across the pipeline, so the proof exists before anyone asks for it.
Your first real test is an audit request
The first real test of an agentic coding program is rarely a breach. It is the day a regulator or a major customer asks what an agent did and on whose authority, and gives you a narrow window to answer.
So the question worth sitting with is narrower than the question of whether your agents are secure. It is whether, if an agent pushed something it should not have last week, you could produce the action, the authority behind it, and the blast radius before that window closes.
If you are working out how to build the governance layer that makes agentic coding safe to run in production, here is our approach.
