Making AI Coding Agents Safe Enough to Use
June 3, 2026
One of the most misunderstood risks in Application Security right now is not whether tools like Claude Code or Codex can write secure code. It is whether we can safely let them operate inside real developer environments.
Agentic coding tools are powerful because they can read files, run commands, inspect repositories, call tools, and reason across large amounts of context. That is also what makes them risky. A malicious instruction hidden in a README, issue, dependency, MCP server response, or source file can potentially steer the agent away from the user’s intent. In the worst case, the agent may expose secrets, leak proprietary code, modify files in unsafe ways, or execute commands that create real business impact.
That is why I am interested in the emerging category of agentic coding guardrails, including companies like Bay Security, Onyx Security, and Ciphero. The value is not another code scanner. The value is a control layer between the coding agent and the environment: detecting prompt injection, blocking secret exfiltration, constraining tool use, monitoring file and network access, and giving security teams auditability over what agents are actually doing.
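The control layer described above can be sketched as a policy gate that every tool call passes through before it touches the environment. The following is an added example written for this post, not code from Bay Security, Onyx Security, Ciphero, or any coding agent; the tool-call shape (`read_file`, `run_command`, `http_request`), the allowlists, and the injection-signal phrases are constructed assumptions. It covers the four controls named in the paragraph: secret-path and repository containment for file reads, a command allowlist, host-allowlisted egress with outbound secret scanning, and an audit record for every decision, plus a quarantine check on text the agent reads back from the environment.

```python
"""Policy gate between a coding agent and its environment (illustrative example).

Every tool call is checked against explicit policy before it runs, and every
decision is appended to an audit log a security team can review later.
"""
import json
import os
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Paths an agent should never read, even inside the repository (constructed list).
SECRET_PATH_PATTERNS = [
    re.compile(r"(^|/)\.env(\..*)?$"),
    re.compile(r"(^|/)\.ssh/"),
    re.compile(r"(^|/)\.aws/credentials$"),
    re.compile(r"(^|/)\.npmrc$"),
]
# Commands the agent may execute, by argv[0] (constructed allowlist).
ALLOWED_COMMANDS = {"git", "npm", "pytest", "ls", "cat"}
# Hosts the agent may send HTTP requests to (constructed allowlist).
ALLOWED_HOSTS = {"api.github.com", "registry.npmjs.org"}
# Credential shapes that must not appear in an outbound request body.
SECRET_VALUE_PATTERNS = [
    re.compile(r"AKIA[0-9A-Z]{16}"),                   # AWS access key id
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),  # PEM private key
    re.compile(r"ghp_[A-Za-z0-9]{36}"),                 # GitHub personal access token
]
# Instruction-like phrases inside *data* the agent reads (README, issue, tool
# output) are a prompt-injection signal; such text is quarantined, not trusted.
# These are heuristic, constructed patterns, not a complete detector.
INJECTION_PATTERNS = [
    re.compile(r"ignore (all )?(previous|prior|above) instructions", re.I),
    re.compile(r"(send|upload|post) .{0,40}(secret|credential|token|\.env)", re.I),
]


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class PolicyGate:
    repo_root: str
    audit_log: list = field(default_factory=list)

    def __post_init__(self):
        # Resolve the root once so containment checks compare canonical paths.
        self.repo_root = os.path.realpath(self.repo_root)

    def _record(self, call: dict, decision: Decision) -> Decision:
        self.audit_log.append(json.dumps(
            {"call": call, "allowed": decision.allowed, "reason": decision.reason}))
        return decision

    def _check_read(self, path: str) -> Decision:
        # Canonicalise before checking, so "../" and symlinks cannot sidestep policy.
        real = os.path.realpath(os.path.join(self.repo_root, path))
        if os.path.commonpath([self.repo_root, real]) != self.repo_root:
            return Decision(False, f"path escapes repository: {real}")
        if any(p.search(real) for p in SECRET_PATH_PATTERNS):
            return Decision(False, f"secret-bearing path: {real}")
        return Decision(True, "path inside repository and not secret-bearing")

    def _check_command(self, argv: list) -> Decision:
        if not argv or argv[0] not in ALLOWED_COMMANDS:
            return Decision(False, f"command not on allowlist: {argv[:1]}")
        # Path-like arguments get the same rule as direct file reads ("cat .env").
        for arg in argv[1:]:
            if not arg.startswith("-"):
                verdict = self._check_read(arg)
                if not verdict.allowed:
                    return verdict
        return Decision(True, "command and arguments permitted")

    def _check_http(self, url: str, body: str) -> Decision:
        host = urlparse(url).hostname or ""
        if host not in ALLOWED_HOSTS:
            return Decision(False, f"egress host not on allowlist: {host}")
        if any(p.search(body) for p in SECRET_VALUE_PATTERNS):
            return Decision(False, "outbound body contains a credential-shaped value")
        return Decision(True, "egress to allowlisted host with clean body")

    def check(self, call: dict) -> Decision:
        """Decide whether a single agent tool call may proceed; always audited."""
        tool = call.get("tool")
        if tool == "read_file":
            return self._record(call, self._check_read(call["path"]))
        if tool == "run_command":
            return self._record(call, self._check_command(call["argv"]))
        if tool == "http_request":
            return self._record(call, self._check_http(call["url"], call.get("body", "")))
        return self._record(call, Decision(False, f"unknown tool: {tool}"))

    def scan_input(self, text: str) -> Decision:
        """Flag environment-sourced text that reads like instructions to the agent."""
        hits = [p.pattern for p in INJECTION_PATTERNS if p.search(text)]
        verdict = Decision(not hits, "quarantined: " + "; ".join(hits) if hits else "no injection signal")
        return self._record({"tool": "scan_input", "chars": len(text)}, verdict)
```

The gate answers the three questions a security team asks of an agent (what it can see, what it can do, what stops it being tricked) with explicit allowlists rather than prompt wording, and the audit log gives a per-call record to review. The injection scan is deliberately a coarse signal: its job is to quarantine suspicious content for human review, not to be the only defence, which is why the file, command and egress checks do not depend on it.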
The lesson for me is that AI coding security has to move closer to runtime. Secure SDLC controls still matter, but they are too late if the agent can already read credentials, follow malicious instructions, or send sensitive context somewhere it should not go.
My view is that enterprises will not fully embrace agentic coding until they can answer a simple question: what can the agent see, what can it do, and what prevents it from being tricked?