Safeguard
AI Security

Introducing Agentic Development Security (ADS)

As AI agents now author up to half of production commits, Safeguard introduces Agentic Development Security (ADS) — a new framework for securing autonomous coding.

James
Principal Security Architect
7 min read

SAN FRANCISCO — July 6, 2026. Sometime in the last eighteen months, the software industry crossed a line it hasn't fully reckoned with: more code is now scaffolded, refactored, and merged with the direct assistance of autonomous AI agents than at any point in history, and the security tooling meant to govern that code has not caught up. Industry surveys published through the first half of 2026 put the share of committed code touched by an AI coding agent — Claude Code, Cursor's background agents, GitHub Copilot Workspace, Devin-style autonomous engineers, and a growing list of internal "agent fleets" — at somewhere between 30% and 50% of production repositories at companies with mature engineering orgs, up from single digits just two years earlier. Safeguard is today introducing a name and a framework for the risk category this shift has created: Agentic Development Security (ADS).

ADS is not a rebrand of AppSec or a new coat of paint on SCA and SAST. It is the discipline of securing the software development lifecycle when the primary actor writing, testing, and merging code is an AI agent operating with real credentials, real repo access, and real deployment authority — often with minimal human review in the loop. The distinction matters because the threat model is different in kind, not just in degree, from anything CI/CD security tooling was built to catch.

The Trend: From Copilot to Colleague

The shift happened in three fast waves. First, inline code completion (2021-2023) made AI a suggestion engine sitting inside a human's editor — the human remained the sole author and reviewer of everything that shipped. Second, chat-based assistants (2023-2024) let developers delegate whole functions or files, but a human still opened the pull request. Third — and this is the wave defining 2025 and 2026 — agentic tooling now opens its own branches, runs its own test suites, iterates on failures without asking, and in a growing number of organizations, opens and even merges its own pull requests against tickets pulled directly from a backlog.

That third wave is what makes ADS necessary. When an agent can read a Jira ticket, write code across a dozen files, pull in new dependencies to satisfy a task, run the build, and push a PR — all in the time it takes a human reviewer to finish a coffee — the traditional checkpoints where security review used to happen (a developer pausing to think, a senior engineer skimming a diff) are compressed or skipped entirely. Safeguard's own telemetry across customer environments piloting agentic workflows in early 2026 shows PR volume per repository rising 2-4x quarter over quarter in teams that adopted autonomous coding agents at scale, while the average human review time per PR fell by roughly a third. Velocity went up. Scrutiny per line of code went down.

Why This Isn't Just "AppSec With Extra Steps"

Three properties of agentic development break assumptions baked into a decade of AppSec tooling:

1. Agents introduce dependencies faster than humans validate them. An agent solving a task will reach for a package to satisfy a missing capability with the same fluency it reaches for a standard library function — and it does this dozens of times a day across a fleet, not once per sprint. Typosquatting, slopsquatting (packages that don't exist but that LLMs hallucinate and typosquatters then register), and unvetted transitive dependencies are showing up in agent-authored commits at a materially higher rate than in human-authored ones, according to package-registry abuse reports circulating among supply-chain security teams this year.

2. Agents have standing credentials, not session-based access. A human developer's access is bounded by working hours and attention span. An agent fleet runs continuously, holds API tokens, cloud credentials, and repo write access as durable configuration, and can be prompted — by a malicious ticket, a poisoned dependency, or a compromised MCP server — into using that access in ways no human would have authorized in the moment. This is the same class of risk security teams have spent the last two years labeling "non-human identity" risk, except now the non-human identity can also write and ship the code that expands its own privileges.

3. Review capacity did not scale with commit capacity. Static analysis and dependency scanning were built on an assumption of a roughly linear relationship between code volume and review bandwidth. Agentic development breaks that linearity: one engineer can now supervise five, ten, or fifty parallel agent sessions. The scanners still run — but the humans who used to triage their output at a 1:1 ratio with pull requests are now triaging at 1:10 or worse, which in practice means low-signal findings get ignored and everything blurs into background noise exactly when precision matters most.

What "Agentic Development Security" Actually Covers

Safeguard defines ADS around four pillars, each mapped to a control gap opened up by autonomous coding:

  • Agent provenance and attribution — knowing which commits, dependencies, and infrastructure changes originated from an agent versus a human, and which agent, model, and prompt/task lineage produced them, so that incidents can be traced and scoped.
  • Real-time dependency and SBOM integrity — validating every package an agent pulls in at the moment of introduction, not at the next scheduled scan, because agent-driven dependency changes happen at a pace measured in minutes, not sprints.
  • Exploitability-aware triage — filtering the flood of agent-generated findings down to what is actually reachable and exploitable in the running application, since raw finding volume from AI-accelerated development has made "flag everything" scanning economically and cognitively unworkable.
  • Autonomous remediation matched to autonomous introduction — if agents can introduce risk at machine speed, the fix loop has to close at machine speed too, with human sign-off preserved at the merge gate rather than buried in a backlog.

None of these are hypothetical concerns for a future release cycle. They are the day-to-day reality inside any engineering org that has given AI agents write access to a monorepo, and they are the reason a growing number of CISOs are asking a version of the same question in board materials this quarter: "if half our commits are agent-authored, what part of our security program was built assuming they weren't?"

The Report Card So Far

Early data from organizations piloting agentic development at scale in 2026 paints a mixed picture. Deployment frequency and feature velocity are up substantially — some teams report cutting time-to-merge for routine tickets by more than half. But the same organizations are seeing a rise in dependency-related findings, secrets inadvertently committed by agents copying configuration patterns from one repo to another, and — most concerning to security leadership — a widening gap between the number of findings generated and the number of findings a human team can meaningfully act on before the next agent-driven release goes out. The pattern is familiar to anyone who lived through the early days of cloud migration and the CSPM alert-fatigue crisis that followed it: a step-function increase in the surface area to secure, arriving faster than the tooling and process needed to secure it.

How Safeguard Helps

Safeguard built its platform to close exactly this gap, and it's the foundation of our ADS approach. Griffin AI, Safeguard's security reasoning engine, sits alongside agent-authored commits and PRs the same way a senior reviewer would, correlating new findings against the specific code paths an agent actually touched rather than surfacing every theoretical issue in the repo. Reachability analysis is central to that triage: instead of drowning teams in CVE counts from every dependency an agent pulled in, Safeguard determines which vulnerable functions are actually called from exploitable, internet-facing code paths, cutting agent-era finding volume down to what genuinely warrants a human's attention. On the supply chain side, Safeguard generates and continuously ingests SBOMs at the pace agents introduce new packages — not on a weekly scan cadence — so a slopsquatted or newly malicious dependency introduced by an autonomous coding session gets flagged before it ships rather than after. And because agentic development moves too fast for a backlog-driven fix cycle, Safeguard closes the loop with auto-fix PRs that patch vulnerable dependencies and insecure code patterns directly, giving human reviewers a merge-ready fix instead of a raw finding — restoring the checkpoint that agentic velocity had quietly removed.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.