AI agents are moving from suggestions to actions.
AI agents are changing shape.
A year ago, most engineering teams still thought about AI as something that lived in the editor: autocomplete, chat, maybe a refactor when you asked nicely. Useful, sometimes surprising, but still mostly bound by the developer sitting in front of it.
That boundary is getting thinner.
GitHub’s Copilot coding agent is now described as an asynchronous, autonomous developer agent that can be assigned work, create a draft pull request, and request review when it is done. (The GitHub Blog) OpenAI’s Codex is positioned as a cloud-based software engineering agent that can read and edit files, run commands, execute tests, fix bugs, and propose pull requests from an isolated environment. (OpenAI) The newer Codex app points to the next shift: developers orchestrating multiple agents across projects, with work spanning hours, days, or weeks. (OpenAI)
That is not just “better autocomplete.”
That is delegation.
And delegation changes the security model.
The agent is becoming part of the system
The trend across the AI agent space is not hard to see: agents are getting closer to the systems they operate on.
They read more context. They run longer. They call tools. They connect to external systems via protocols such as MCP. They create files, install dependencies, execute shell commands, and move work through the development pipeline.
MCP is a good example of why this matters. The Model Context Protocol describes itself as an open-source standard for connecting AI applications to external systems, including files, databases, tools, workflows, and prompts. (Model Context Protocol) The MCP specification is explicit about the security implications: the protocol enables powerful capabilities through arbitrary data access and code execution paths, and implementors need to address consent, authorization, access control, and tool safety carefully. (Model Context Protocol)
That is the honest tension.
The same connection layer that makes agents useful also gives them reach. The same tool call that lets an agent deploy a fix can let it run the wrong command. The same MCP server that gives an agent useful context can become a new supply chain dependency. The same background worker that saves an engineer three hours can also make three hours of decisions without the team seeing each step clearly.
This does not mean teams should slow down. It means the control plane has to catch up.
The new attack surface is not just the model
A lot of early AI security discussion focused on the model: jailbreaks, hallucinations, prompt injection, unsafe output. Those still matter. OWASP’s Top 10 for LLM Applications still puts prompt injection, improper output handling, supply chain vulnerabilities, sensitive information disclosure, and excessive agency near the center of the risk conversation. (OWASP)
But agents add something else: action.
The question is no longer only, “Can the model say something unsafe?”
It is also:
Can the agent run something unsafe?
Can it install a package we would not have approved?
Can it pass secrets into a prompt?
Can it invoke a tool based on poisoned metadata?
Can it authenticate to production using a human token?
Can it make a change that is technically valid but operationally wrong?
OWASP’s MCP Top 10 captures this shift clearly. It calls out tool poisoning, software supply chain attacks, command injection, and intent-flow subversion as MCP-specific risks. (OWASP) Those are not abstract model behaviors. They are system behaviors. They happen at the boundary between model reasoning, tool metadata, credentials, code, and infrastructure.
That boundary is where security needs to move.
Identity is becoming the next control point
One of the most important trends is agent identity.
For years, automation has often borrowed human identity. A script ran with someone’s token. A bot used a shared secret. A service account had more access than it needed because tightening it was painful.
With agents, that pattern gets harder to justify.
The FIDO Alliance recently announced workstreams for trusted AI agent interactions, including an Agentic Authentication Technical Working Group focused on secure delegation, phishing-resistant authentication, and clear boundaries between user-initiated and agent-initiated actions. (FIDO Alliance) FIDO also said its payments work will explore agent-initiated commerce, with contributions like Google’s Agent Payments Protocol and Mastercard’s Verifiable Intent framework. (FIDO Alliance)
That is a big signal.
Agents need to act on behalf of people without becoming people.
That means scoped permissions. Clear delegation. Auditable intent. Expiring authority. Human approval at the right moments. Credentials that belong to the task, not the developer’s entire account.
For engineering teams, this is going to matter well before agentic payments do. The same principle applies when a coding agent opens a pull request, calls a deployment API, reads private docs, installs a package, or edits infrastructure code.
The agent needs its own boundary.
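To make those properties concrete, here is an added example written for this edit. It is not code from the page's product, from FIDO, or from any vendor: a user mints a small HMAC-signed grant that names the agent, the task, a bounded scope list and an expiry, and a tool gateway verifies that grant before each action and emits an audit entry saying who acted, for whom, and why it was allowed or refused. The signing key, scope names, tool names and the gateway's policy table are invented for the illustration; a real deployment would use asymmetric keys or an identity provider's tokens rather than a shared HMAC secret.

```python
"""Task-scoped, expiring delegation for an agent: an illustrative construction, not
the page's product, a FIDO spec or any vendor's API. A user mints a grant naming the
agent, the task, a bounded scope list and an expiry; a tool gateway verifies it before
every action and records what it decided. Key, scope and tool names are invented."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


class GrantError(Exception):
    pass


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_grant(key: bytes, user: str, agent: str, task: str, scopes, ttl_s: int,
                now: Optional[float] = None) -> str:
    """The user delegates exactly these scopes to this agent for this task; the user's own token never leaves."""
    now = time.time() if now is None else now
    claims = {"sub": agent, "act_for": user, "task": task, "scopes": sorted(scopes),
              "iat": int(now), "exp": int(now) + ttl_s}
    body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_grant(key: bytes, grant: str, now: Optional[float] = None) -> dict:
    """Signature first, then expiry. Anything off raises GrantError with a reason worth logging."""
    now = time.time() if now is None else now
    body, sep, sig = grant.partition(".")
    if not sep:
        raise GrantError("malformed grant")
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise GrantError("bad signature")
    claims = json.loads(_unb64(body))
    if now >= claims["exp"]:
        raise GrantError("grant expired")
    return claims


# The gateway's own policy (invented): the scope each tool needs, and which tools still need a human.
REQUIRED_SCOPE = {"repo.read": "repo:read", "pr.open": "repo:pr", "deploy.prod": "deploy:prod"}
NEEDS_HUMAN = {"deploy.prod"}


def authorize(key: bytes, grant: str, tool: str, approved_by: Optional[str] = None,
              now: Optional[float] = None) -> dict:
    """Decide one tool call and return its audit entry: who acted, for whom, on what task, and why."""
    entry = {"tool": tool, "allowed": False}
    try:
        claims = verify_grant(key, grant, now)
    except GrantError as exc:
        entry["reason"] = str(exc)
        return entry
    entry.update(agent=claims["sub"], on_behalf_of=claims["act_for"], task=claims["task"])
    needed = REQUIRED_SCOPE.get(tool)
    if needed is None or needed not in claims["scopes"]:
        entry["reason"] = f"scope {needed or tool} not granted"
        return entry
    if tool in NEEDS_HUMAN and not approved_by:
        entry["reason"] = "human approval required"
        return entry
    entry.update(allowed=True, reason="ok", approved_by=approved_by)
    return entry
```

The shape matters more than the crypto: the agent's credential carries the delegating user, the task, the scopes and an expiry, so a leaked grant buys an attacker one task's worth of access for an hour rather than the developer's whole account, and every decision the gateway makes is an audit record rather than a side effect.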
The security loop is moving earlier
Traditional security feedback often arrives late.
A developer writes code. Maybe an AI agent helped. The code gets committed. A CI job runs. A scanner flags something. Someone opens a ticket. The developer has already moved on.
That loop was already slow for human-written code. With agents, it gets painful.
Agents can generate vulnerable code quickly. They can also generate the fix quickly. The question is whether security feedback reaches the agent while the work is still in motion.
This is why generation-time and runtime controls are becoming more important.
GitHub now says the Copilot coding agent automatically analyzes newly generated code with CodeQL, checks new dependencies against the GitHub Advisory Database, and uses secret scanning to detect API keys and tokens. (The GitHub Blog) Claude Code hooks give teams lifecycle-level control: PreToolUse hooks can allow, deny, ask, or defer a tool call before it runs, while PostToolUse hooks can provide feedback to Claude after a tool completes. (Claude API Docs)
That is the right direction.
Not because CI stops mattering. It still matters.
But CI is not enough when the agent is actively writing, editing, running, and retrying. Security has to become part of the agent loop itself.
That is the idea behind Batou. We built it as a Claude Code hook that scans every Write, Edit, and NotebookEdit operation in real time, with PreToolUse scanning before code is written and PostToolUse analysis after the write so Claude can fix issues while it is still working. Batou uses a layered pipeline — regex rules, AST parsing, taint analysis, and call graph context — because generation-time security needs to be fast, but it also needs enough depth to avoid becoming noise.
The point is simple: don’t wait for the agent to finish before you tell it what went wrong.
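As an added example of what the hook lifecycle above makes possible, written for this edit rather than taken from Batou or from Anthropic, here is a PreToolUse hook that scans a Write, Edit or NotebookEdit before it lands on disk, using two of the layers mentioned above: regex rules for credentials and an AST pass for risky Python sinks. The payload and response shapes, the settings.json registration and the tool_input field names follow the Claude Code hooks documentation as I read it at the time of writing; verify them against the current reference before relying on them.

```python
"""PreToolUse hook that scans code before Claude Code writes it to disk.
Reads the hook payload from stdin, runs a regex layer (credentials) and an AST
layer (risky Python sinks) over the text about to be written, and answers with
allow / deny / ask. Registration in .claude/settings.json looks like:
  {"hooks": {"PreToolUse": [{"matcher": "Write|Edit|NotebookEdit",
    "hooks": [{"type": "command", "command": "python3 .claude/hooks/scan_write.py"}]}]}}
Payload, response and settings shapes follow the Claude Code hooks docs at the
time of writing; check them against the current reference."""
import ast
import json
import re
import sys

# Layer 1: credential patterns that must never land in a source file.
SECRET_RULES = [
    ("AWS access key ID", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("GitHub token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b")),
    ("private key block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("hard-coded password", re.compile(r"(?i)\bpassword\s*=\s*['\"][^'\"]{8,}['\"]")),
]
# Layer 2: calls that always deserve a human look, plus subprocess.* when shell=True.
ALWAYS_REVIEW = {"eval", "exec", "os.system", "pickle.loads"}
WRITE_TOOLS = ("Write", "Edit", "NotebookEdit")


def regex_findings(text: str) -> list:
    return [label for label, rx in SECRET_RULES if rx.search(text)]


def _dotted_name(call: ast.Call) -> str:
    """Render the callee as a dotted name: eval, os.system, subprocess.run."""
    parts, node = [], call.func
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    return ".".join(reversed(parts))


def ast_findings(text: str) -> list:
    """Non-Python text or a partial Edit fragment will not parse; the regex layer still applies."""
    try:
        tree = ast.parse(text)
    except (SyntaxError, ValueError):
        return []
    found = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node)
        shell_true = any(kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
                         for kw in node.keywords)
        if name in ALWAYS_REVIEW:
            found.append(f"{name}() at line {node.lineno}")
        elif name.startswith("subprocess.") and shell_true:
            found.append(f"{name}(shell=True) at line {node.lineno}")
    return found


def text_to_scan(tool_input: dict) -> str:
    """Write carries 'content', Edit 'new_string', NotebookEdit 'new_source'."""
    return tool_input.get("content") or tool_input.get("new_string") or tool_input.get("new_source") or ""


def decide(tool_name: str, tool_input: dict) -> dict:
    """Deny on credentials, ask on risky sinks, allow otherwise. The reason is shown to the agent."""
    if tool_name not in WRITE_TOOLS:
        return _d("allow", "not a write operation")
    text = text_to_scan(tool_input)
    path = tool_input.get("file_path") or tool_input.get("notebook_path") or "<unknown>"
    secrets = regex_findings(text)
    if secrets:
        return _d("deny", f"{path}: refusing to write credentials ({', '.join(secrets)}); "
                          "read them from the environment or a secret store instead")
    risky = ast_findings(text)
    if risky:
        return _d("ask", f"{path}: call(s) that need review: {'; '.join(risky)}")
    return _d("allow", "no findings")


def _d(decision: str, reason: str) -> dict:
    return {"permissionDecision": decision, "permissionDecisionReason": reason}


def main() -> None:
    payload = json.load(sys.stdin)
    decision = decide(payload.get("tool_name", ""), payload.get("tool_input", {}))
    print(json.dumps({"hookSpecificOutput": {"hookEventName": "PreToolUse", **decision}}))


if __name__ == "__main__":
    main()
```

A deny hands the reason back to the agent while the file is still unwritten, so it can switch to a secret store instead of retrying the same line; an ask hands the decision to the human. The same decide() can back a PostToolUse hook so findings on the written file flow back as the feedback described above, and the two layers are deliberately cheap because a hook that adds seconds to every edit gets disabled.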
What engineering leaders should do now
The map is still being drawn. Nobody has the complete playbook for governing AI agents across code, cloud, identity, and security operations.
But we can see enough to act.
Start with visibility. Know which agents are being used, where they run, what tools they can call, which MCP servers they connect to, what credentials they hold, and what actions they can take. Shadow AI is hard to govern because it is hard to see.
Then define boundaries. Agents should not inherit broad human permissions by default. Give them scoped credentials, task-specific access, and clear approval points. Separate read access from write access. Separate staging from production. Separate suggestion from execution.
Next, move checks into the workflow. Scan prompts for secrets before they leave the machine. Validate commands before they run. Check dependencies when the agent installs them. Scan generated code at write time, not just at commit time. Treat MCP tool metadata as untrusted unless it comes from a trusted source. Log the tool call, the input, the output, and the decision.
Finally, treat security agents like production systems. They need audit trails, rollback paths, policy controls, and human review for high-impact actions. A security agent that patches code or changes identity policy is still an agent taking action inside your environment.
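One way to turn the "validate commands before they run", "check dependencies when the agent installs them" and "log the tool call, the input, and the decision" steps above into a single control, as an added example for this edit (not the page's product or any vendor's code): a PreToolUse hook for the Bash tool that parses the command into its simple commands, grades each against a small policy, appends one audit line, and returns the most severe verdict. The allowlist, rules and log path are this example's own choices; the hook payload and response shapes assume the Claude Code hooks documentation at the time of writing.

```python
"""PreToolUse hook for the Bash tool: check the command before the agent runs it,
log the call and the decision, and answer allow / deny / ask.
Assumes the Claude Code hook contract as documented at time of writing (JSON on
stdin with tool_name and tool_input.command, JSON decision on stdout). The
allowlist, rules and log path are this example's own choices, not any vendor's."""
import json
import re
import shlex
import sys
import time
from pathlib import Path

AUDIT_LOG = Path(".claude/agent-audit.jsonl")  # assumed location; one JSON object per tool call
ALLOWED = {"ls", "cat", "grep", "sed", "awk", "echo", "mkdir", "cp", "mv", "git",
           "python3", "pytest", "pip", "npm", "node", "make"}
CONTROL_OPS = {"|", "|&", "||", "&&", ";", "&"}
ENV_ASSIGN = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")
RANK = {"allow": 0, "ask": 1, "deny": 2}

def segments(command: str) -> list:
    """Split a shell line into simple commands on |, ||, &&, ; and &. ValueError on unbalanced quotes."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    segs = [[]]
    for tok in lexer:
        if tok in CONTROL_OPS:
            segs.append([])
        else:
            segs[-1].append(tok)
    return [s for s in segs if s]

def binary_of(seg: list) -> str:
    """First token that is not a VAR=value prefix, minus its directory: 'git' in 'CI=1 /usr/bin/git push'."""
    for tok in seg:
        if not ENV_ASSIGN.match(tok):
            return tok.rsplit("/", 1)[-1]
    return ""

def unpinned_pip_install(seg: list) -> bool:
    """pip install naming a package without an exact == pin; -r/-c files are skipped."""
    if binary_of(seg) != "pip" or "install" not in seg:
        return False
    pkgs, skip = [], False
    for tok in seg[seg.index("install") + 1:]:
        if skip:
            skip = False
        elif tok in ("-r", "--requirement", "-c", "--constraint"):
            skip = True
        elif not tok.startswith("-"):
            pkgs.append(tok)
    return any("==" not in p for p in pkgs)

def check_segment(seg: list, prev: str) -> tuple:
    """Verdict for one simple command; prev is the binary of the segment piping into it."""
    b = binary_of(seg)
    if b in ("sudo", "su"):
        return "deny", "privilege escalation is never allowed for the agent"
    if b in ("sh", "bash", "zsh") and prev in ("curl", "wget"):
        return "deny", "piping a downloaded script into a shell"
    if b == "rm" and any(t.startswith("-") and "r" in t for t in seg) and any(t in ("/", "~", "$HOME") for t in seg):
        return "deny", "recursive delete of / or the home directory"
    if unpinned_pip_install(seg):
        return "ask", "dependency installed without an exact version pin"
    if b not in ALLOWED:
        return "ask", f"'{b}' is not on the allowlist"
    return "allow", ""

def _d(decision: str, reason: str) -> dict:
    return {"permissionDecision": decision, "permissionDecisionReason": reason}

def decide(tool_name: str, tool_input: dict) -> dict:
    """Most severe verdict across the segments wins; an unparseable command is denied, not guessed at."""
    if tool_name != "Bash":
        return _d("allow", "not a shell command")
    try:
        segs = segments(tool_input.get("command", ""))
    except ValueError as exc:
        return _d("deny", f"could not parse command: {exc}")
    worst, reasons, prev = "allow", [], ""
    for seg in segs:
        verdict, reason = check_segment(seg, prev)
        worst = verdict if RANK[verdict] > RANK[worst] else worst
        if reason:
            reasons.append(reason)
        prev = binary_of(seg)
    return _d(worst, "; ".join(reasons) or "command matches policy")

def audit_record(payload: dict, decision: dict) -> dict:
    """Tool call, input and decision; the output exists only afterwards, so log that from PostToolUse."""
    return {"ts": time.time(), "session_id": payload.get("session_id"), "tool_name": payload.get("tool_name"),
            "tool_input": payload.get("tool_input"), **decision}

def main() -> None:
    payload = json.load(sys.stdin)
    decision = decide(payload.get("tool_name", ""), payload.get("tool_input", {}))
    AUDIT_LOG.parent.mkdir(parents=True, exist_ok=True)
    with AUDIT_LOG.open("a") as fh:
        fh.write(json.dumps(audit_record(payload, decision)) + "\n")
    print(json.dumps({"hookSpecificOutput": {"hookEventName": "PreToolUse", **decision}}))

if __name__ == "__main__":
    main()
```

Two design points carry over to any such gate. Grading every segment before answering is what catches `curl ... | sh`: a policy that stops at the first unknown binary would return "ask" for curl and never see the shell on the other side of the pipe. And a command the parser cannot make sense of is denied rather than allowed through, because the agent can always rephrase, while a guessed-at verdict on an unbalanced quote is exactly how a validator gets bypassed.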
This is not about slowing teams down.
It is about making speed safer.
Having problems with software at speed? Turen can help. Sign up for a 14-day trial at https://turen.io or view the live demo at https://try.turen.io