Your developers are using AI coding agents. Your security stack was not designed to monitor them. The gap between those two facts is widening every month.

Most security teams still treat AI coding agent risk as a variant of shadow IT or data loss prevention. It is neither. AI coding agents are a fundamentally new category of security challenge, and they require a framework that accounts for what these tools actually do.

What Changed: Coding Agents Are Not Autocomplete

An AI code completion tool receives context, generates a suggestion, and waits. The developer decides. Data flows in one direction.

An AI coding agent (Claude Code, Cursor in agent mode, Codex, Windsurf Cascade, Amazon Q Developer agentic mode) receives an objective, plans actions, executes those actions using tools, evaluates results, and iterates. Data flows in multiple directions: the agent reads files, sends prompts to model APIs, invokes tools, connects to services through MCP, writes files, and executes commands.

A code completion tool is a data leakage risk. A coding agent is a data leakage, unauthorized access, code integrity, supply chain, and operational risk. Simultaneously.

The incidents are documented. EchoLeak demonstrated prompt-borne exfiltration in Microsoft Copilot. The Amazon Q Developer supply chain compromise shipped destructive code through a developer-facing AI tool. Replit's coding agent deleted a production database while operating within its granted permissions. Cursor RCE vulnerabilities and Salesforce Agentforce ForcedLeak showed how prompt injection from untrusted content can hijack agent behavior. AWS Kiro exposed the same category failure from a different angle, agentic tooling shipping ahead of a control plane. None of these incidents required a novel exploit. They required an agent doing exactly what it was permitted to do. For the Kiro analysis specifically, see AWS Kiro and the Missing Control Plane.

The Five Risk Categories

1. Data Exposure Through Agent Context

Coding agents read source files, config files, environment variables, and sometimes terminal history. That context is sent to a model provider's API. A developer working on a frontend component may trigger an agent to read and transmit backend config files with hardcoded secrets.

Exposure metric: Developers using coding agents x sensitivity of accessible repositories.

2. Unauthorized Actions Through Tool Use

Agents with tool-use capabilities execute shell commands, make API calls, modify files, and trigger pipelines. They inherit the developer's permissions. If the developer has production write access, the agent does too. If auto-approve is on, there is no human in the loop to stop it.

Exposure metric: Agents with tool-use capabilities x permission scope of their users x percentage with auto-approve enabled.

3. MCP and Third-Party Tool Risk

MCP servers extend agent reach to databases, APIs, and cloud resources. Each MCP server is an extension of the attack surface. A compromised or misconfigured server can instruct an agent to exfiltrate data or execute malicious commands.

Exposure metric: Active MCP servers, their provenance, and the scope of capabilities they expose.

4. Prompt Injection and Agent Manipulation

Coding agents reading from repositories, docs, or PR descriptions are vulnerable to prompt injection. Adversarial instructions in comments, markdown files, or config can alter agent behavior without the developer noticing. Zero-width character payloads in PR descriptions and README files have already been demonstrated against production agents.

5. Compliance and Audit Gaps

SOC 2, ISO 27001, NIST AI RMF, EU AI Act, and PCI DSS 4.0 all increasingly require demonstrable controls over automated and non-human access. Coding agents are automated systems accessing sensitive data. If you cannot produce activity logs that show what the agent did, what was allowed, what was blocked, and who approved high-risk actions, you have a control gap an examiner will find.

These categories map cleanly to the OWASP Top 10 for Agentic Applications (v2026, published December 2025). For the full mapping, see OWASP Agentic AI Risks and AASB.

Building a Governance Program

Phase 1: Visibility (Weeks 1-4)

Agent inventory across sanctioned and shadow usage. Data mapping per agent. MCP server inventory. Risk register. Posture analysis on auto-approve, autonomy settings, and broad permissions.

Phase 2: Policy Definition (Weeks 4-8)

Acceptable use policy. Technical policy rules at the AASB level. Approval workflows for high-risk actions. Incident classification and response playbooks. Map controls to your compliance framework (SOC 2, NIST AI RMF, EU AI Act).

Phase 3: Enforcement (Weeks 8-12)

Deploy controls. Start in monitor-only mode. Move to warn. Move to approve. Move to block on the highest-risk actions. Tune at every step before expanding scope.

Phase 4: Measurement (Ongoing)

Coverage percentage, policy violations detected, mean time to detect, compliance readiness, developer satisfaction. Track the full enforcement funnel: actions audited, warned, approved, blocked.

Why Existing Tools Are Not Enough

Traditional AppSec tools help during code review. IAM and PAM govern identities. EDR sees processes. DLP watches files and email. None of those categories were built to understand the live combination of an AI coding agent, its configuration, its connected MCP servers, and the actions it is about to take inside the developer workflow.

An Agent Access Security Broker (AASB) is the category designed for this gap. For background, see What is an AASB?.

Communicating to the Board

"Our engineering teams use AI coding agents that interact with our source code, infrastructure, and sensitive data. These tools accelerate engineering output. Restricting them would create a competitive disadvantage. They also create data flows and autonomous actions our existing security tools cannot see. Documented incidents in 2025 (EchoLeak, Amazon Q, Replit) show what happens without a governance layer. Our plan establishes governance through an AASB control plane while keeping developers on the tools they already use."

Take Action

Start free. Sign up at getunbound.ai/free for immediate visibility into the AI coding agents and MCP servers running across your engineering org.

Book a CISO briefing. Walk through the AASB control plane and the documented incident playbooks at getunbound.ai/book-demo.

The CISO's Guide to AI Coding Agent Risk