Most risks in this model involve an attacker steering an agent. This one is quieter and needs no attacker at the keyboard: the agent, working as intended, produces code faster than anyone can review it, and a fraction of it is insecure. At fleet scale, a small defect rate becomes a large and growing pool of exposure - steady erosion, not a dramatic breach.
What separates this from ordinary developer mistakes is volume and provenance. A team now merges hundreds of agent-authored changes while review capacity is unchanged, and because the code was generated, no human holds a mental model of it - so when it turns out to be vulnerable, there is often no record of which agent wrote it.
How the risk arises
Models learn to write code by imitating public code, which is full of insecure idioms: string-concatenated SQL, disabled TLS verification, hardcoded fallback credentials. An agent reproduces these fluently, often with comments that make them look deliberate. The output compiles, passes the happy-path tests the agent also wrote, and reads as competent - so the signals a reviewer uses to slow down are absent.
The second driver is a review-capacity mismatch. When an agent generates a 900-line change in a minute, the rational move is to skim it, and skimming turns review into a rubber stamp - the workflow problem covered in the Copilot code-review guide.
Attack scenarios
- Replicated insecure pattern. An agent settles on an insecure idiom - string-interpolated SQL, say - and reuses it across every endpoint. One review miss becomes twenty injectable queries with the same shape.
- Slopsquatting. The agent hallucinates a plausible package name that does not exist and writes it into a manifest. An attacker registers it with malicious code, and the next CI build installs it - the path detailed in the AI supply-chain attacks guide.
- Secrets in generated config. The agent writes a config file or Dockerfile with a real-looking API key inline. It compiles, so it merges, and the secret is now in git history - part of the endpoint's crown jewels leaking outward.
- Too big to read. A refactor touches 60 files, a subtle authorization check is dropped in file 41, and it merges because the diff is too large to read and the build is green.
Related techniques
- Hallucinated dependencies become supply-chain attacks once an attacker registers the names, where this meets malicious agent skills.
- Injected instructions turn accidental insecurity into targeted: a prompt injection payload can ask the agent to weaken an auth check, producing a flaw that looks like an honest mistake.
- Ungoverned execution lets the same agent run the flaw before anyone reviews it, covered under code execution.
Mitigations
- Know where agents are writing code. Attribution is the foundation: which agents are in use, on which repositories, and how much of what merges is agent-authored. You cannot right-size review for a volume you have not measured. Begin with an agent inventory.
- Keep review meaningful, not ceremonial. Cap diff size, require human sign-off on security-relevant paths, and treat agent-authored changes as untrusted by default - the workflow in the practical agent-security guide.
- Scan code and dependencies in CI, and gate merges on it. SAST, secret scanning, and lockfile checks that reject packages which did not exist last week are the automated backstop when review is too fast for humans - see the enterprise AI security guide.
- Preserve provenance. Record which agent produced which change so a flaw traces back to its source, configuration, and sibling changes.
How Anomity helps
Anomity does not review or scan code - that is the job of your SAST, secret-scanning, and dependency tooling. It provides the layer beneath them: visibility into which AI agents run where and at what version, so agent output is a measured quantity. The lightweight, unprivileged Endpoint Sensor discovers agents, their skills, and the MCP servers feeding them, records source, owner, version, and reach, and surfaces config and update drift as change events - the context needed to attribute a vulnerable pattern to the agent that produced it. Findings route to SIEM, Slack, email, and Jira and land in a queryable 90-day audit trail, so "the agent wrote it" is a traceable fact, not a dead end.




