Security Risks in Agentic AI Coding

Autonomous Code Generation Risks

When an AI agent generates code autonomously, it operates without the line-by-line scrutiny that a human developer naturally applies. The agent may produce functionally correct code that contains subtle security flaws -- SQL queries built with string concatenation, API endpoints missing authentication middleware, or file operations without path traversal checks.

The volume of code produced in a single agentic session amplifies this problem. An agent can generate or modify dozens of files in minutes, creating a review burden that exceeds what most developers can realistically handle. The result is that security-relevant changes slip through unnoticed, buried in large diffs.

• Agents often default to the simplest implementation, omitting input validation and error handling
• Generated code may use deprecated or insecure library functions that the agent learned from training data
• Multi-step agent operations can leave the codebase in inconsistent security states if interrupted

Lack of Human Oversight

The core value proposition of agentic coding is reduced human involvement. But security depends on human judgment at critical decision points -- choosing authentication schemes, defining trust boundaries, and evaluating whether a dependency is safe to include. When agents make these decisions autonomously, the security implications may not surface until production.

Approval fatigue is a real concern. Developers using agentic tools quickly learn to approve changes in bulk rather than reviewing each one. This is especially dangerous when the agent modifies security-sensitive files like authentication modules, environment configurations, or deployment manifests.

Agents also lack the organizational context that informs security decisions. They do not know which data is classified, which APIs are internal-only, or which compliance requirements apply. Without this context, the agent cannot make informed security tradeoffs.

Supply Chain Risks

AI agents frequently install packages to solve problems. An agent tasked with adding PDF export might pull in a dependency with known vulnerabilities, or worse, a typosquatted package designed to exfiltrate data. Unlike human developers who might check download counts or scan a package's GitHub repository, agents typically install whatever resolves the immediate task.

The risk is compounded when agents have write access to package manifests and lock files. A single agentic session can introduce multiple new dependencies, each with its own transitive dependency tree. Reviewing these additions after the fact requires dedicated tooling that most teams do not have in place.

• Agents may pin to the latest version rather than a known-secure version
• Transitive dependencies introduced by agent-selected packages are rarely audited
• Agents can inadvertently add dependencies that conflict with licensing requirements

Credential Exposure

Agentic tools with file system and terminal access can read environment variables, configuration files, and secret stores. When an agent encounters an authentication error, it may attempt to resolve it by hardcoding credentials, writing API keys to configuration files, or logging sensitive tokens for debugging purposes.

Even when the agent does not directly expose credentials, the code it generates may create pathways for credential leakage. This includes logging request headers that contain bearer tokens, writing debug output that includes database connection strings, or creating test fixtures that embed real API keys.

Scope Creep in Agent Loops

Agentic coding tools operate in loops -- they generate code, test it, observe errors, and iterate. Each iteration can expand the scope of changes beyond the original intent. An agent fixing a failing test might modify the test itself, change a shared utility function, or alter a database migration, each modification introducing new attack surface.

This iterative expansion is difficult to track. The final diff may show the end state but not the reasoning chain that led there. Security-relevant decisions made mid-loop -- like disabling CORS checks to fix a test or broadening file permissions to resolve an access error -- persist in the final output without clear justification.

Setting explicit boundaries on agent scope, such as file-level allowlists and operation type restrictions, is essential for containing this risk. Without these guardrails, a simple bug fix can cascade into sweeping changes across the security boundary.

Related Resources