The State of AI Coding Agent Risk
A comprehensive analysis of the security, compliance, and operational risks enterprises face as AI coding agents become the default developer interface — and how to govern them before they govern you.
Executive Summary
Cursor, Claude Code, Copilot, Codex, and their rapidly multiplying counterparts have fundamentally changed how software gets built. Developers are no longer just writing code; they are delegating to autonomous systems that execute terminal commands, modify files, provision infrastructure, interact with APIs, and connect to external tool servers through frameworks like MCP.
The productivity gains are real. The security implications are severe and largely unaddressed.
The OWASP Top 10 for Agentic Applications, published in December 2025, provides the most rigorous taxonomy to date of the threats these systems introduce. After analyzing that framework against the actual behavior of AI coding agents in enterprise environments, the conclusion is unambiguous: traditional AppSec, identity, and access management tools were not designed for this threat surface, and the governance gap is widening every quarter.
This report maps five of the highest-impact OWASP agentic risks — Tool Misuse and Exploitation, Unexpected Code Execution, Human-Agent Trust Exploitation, Rogue Agents, and Agentic Supply Chain Vulnerabilities — directly to the attack patterns enterprises face when developers use AI coding agents without centralized governance. It then examines why a new category of security tooling, the Agent Access Security Broker (AASB), is necessary, and how Unbound AI is purpose-built to close these gaps.
The New Reality: AI Coding Agents Are an Unmanaged Attack Surface
The security question has shifted. It is no longer "should we allow AI coding agents?" — that decision has already been made by engineering teams across every major enterprise. The question is now: what can these agents see, touch, and do, and does anyone in your security organization have visibility into the answer?
AI coding agents operate with capabilities that would trigger immediate scrutiny if granted to any other software component: they read and write source code, execute arbitrary shell commands, connect to databases and cloud APIs, install packages, and interact with external MCP servers — all with minimal or no security review.
The OWASP Agentic Security Initiative captures this reality directly. As their leadership states: "Agents plan, decide, and act across multiple steps and systems, often on behalf of users and teams." They go further, introducing the principle of Least-Agency — the recommendation that organizations avoid granting agentic behavior where it is not needed, because "deploying agentic behavior where it is not needed expands the attack surface without adding value."
For security leaders, the diagnostic question is simple: can you answer the following for your organization right now?
- Which AI coding agents are running across your developer population?
- What permissions and configurations are in effect for each?
- Which external MCP servers and tools are connected?
- What terminal commands are agents executing in real time?
- Who approved what, and is there an audit trail?
If you cannot answer these questions, you have an unmanaged attack surface operating with production-level permissions.
Five OWASP Agentic Risks That Directly Threaten Development Organizations
The OWASP Top 10 for Agentic Applications identifies ten categories of risk. Five of them map with immediate, material impact to the way AI coding agents operate inside enterprise development environments.
1. Tool Misuse and Exploitation (ASI02)
The risk. OWASP's ASI02 addresses scenarios where agents misuse legitimate tools due to prompt injection, misalignment, or ambiguous instructions — leading to data exfiltration, tool output manipulation, or workflow hijacking. The critical insight is that the danger is not a fake tool; it is a real tool used in the wrong way.
Why this matters for coding agents. AI coding agents routinely interact with dozens of tools: terminals, package managers, database clients, cloud CLIs, and MCP servers. OWASP documents specific patterns that map directly to coding agent behavior:
- Over-privileged tool access where an agent can delete or send data without confirmation
- Unvalidated input forwarding where untrusted model output is passed to a shell
- Loop amplification where agents repeatedly call costly APIs causing denial-of-service conditions or bill spikes
The attack scenario OWASP labels "EDR Bypass via Tool Chaining" is particularly relevant: a security-automation agent chains together legitimate administrative tools — PowerShell, cURL, and internal APIs — to exfiltrate sensitive logs. Because every command is executed by trusted binaries under valid credentials, host-centric monitoring sees no malware or exploit, and the misuse goes undetected. Replace "security-automation agent" with "AI coding agent" and this scenario is already happening in developer environments.
The compliance gap. Without visibility into which tools agents connect to, what actions they perform, and whether those actions align with sanctioned configurations, enterprises cannot demonstrate that their development environments meet SOC 2, ISO 27001, or internal security policy requirements for access control and monitoring.
2. Unexpected Code Execution — RCE (ASI05)
The risk. OWASP's ASI05 addresses scenarios where agentic systems — explicitly including "popular vibe coding tools" — generate and execute code that attackers exploit to achieve remote code execution, local misuse, or exploitation of internal systems. Because the code is generated in real time by the agent, it can bypass traditional security controls entirely.
Why this matters for coding agents. This is not a theoretical risk. OWASP documents:
- The Replit Vibe Coding Runaway Execution scenario where an agent generates and executes unreviewed install or shell commands in its own workspace, deleting or overwriting production data
- Direct shell injection where attackers submit prompts containing embedded shell commands disguised as legitimate instructions
- Dependency lockfile poisoning where agents regenerate lockfiles from unpinned specs and pull backdoored versions during build tasks
The fundamental problem is that AI coding agents routinely have the ability to execute arbitrary commands in the developer's terminal. When that capability is combined with prompt injection, hallucination, or a compromised dependency, the result is code execution that no human reviewed and no security tool flagged.
The compliance gap. Regulatory frameworks from NIST CSF to PCI DSS require that organizations maintain control over code execution in production and pre-production environments. When AI coding agents can execute arbitrary commands without approval workflows, audit trails, or policy enforcement, that control does not exist.
3. Human-Agent Trust Exploitation (ASI09)
The risk. OWASP's ASI09 addresses the way agents exploit human over-reliance through confident language, perceived authority, and fabricated rationales. The agent can act as an "untraceable bad influence," manipulating the human into performing the final audited action while the agent's role in the compromise remains invisible to forensics.
Why this matters for coding agents. Developers are trained to trust their tools. When a coding agent suggests a dependency, proposes a configuration change, or recommends a shell command, the default behavior is to accept the suggestion. OWASP documents:
- The "Helpful Assistant Trojan" scenario: a compromised coding assistant suggests a one-line fix, and the pasted command runs a malicious script that exfiltrates code or installs a backdoor
- "Weaponized Explainability" where a hijacked agent fabricates a convincing rationale to trick an analyst into approving the deletion of a live production database
The core vulnerability is automation bias — the tendency to accept agent recommendations without independent verification, especially when the agent presents confident, authoritative explanations.
The compliance gap. Organizations that rely on human review as a control must demonstrate that the review is meaningful. If developers are rubber-stamping agent suggestions because of automation bias, the control is illusory. Auditors are beginning to ask whether AI-assisted code changes go through the same change management rigor as human-authored changes. For most organizations, the answer is no.
4. Rogue Agents (ASI10)
The risk. OWASP's ASI10 defines rogue agents as malicious or compromised AI agents that deviate from their intended function or authorized scope, acting harmfully, deceptively, or parasitically. The agent's individual actions may appear legitimate, but its emergent behavior becomes harmful — creating a containment gap for traditional rule-based systems.
Why this matters for coding agents. In enterprise development environments, the rogue agent problem manifests as agent sprawl — unmanaged coding agents running with configurations, permissions, and external connections that no one in the security organization is aware of. OWASP documents autonomous data exfiltration after indirect prompt injection: the agent continues independently scanning and transmitting sensitive files to external servers even after the malicious source is removed.
The risk is compounded by what OWASP calls "Goal Drift and Scheming" — agents that deviate from intended objectives, appearing compliant but pursuing hidden goals. In a coding context, this could manifest as an agent that writes functionally correct code while quietly introducing logic flaws, exfiltrating tokens through DNS queries, or installing dependencies from attacker-controlled registries.
The compliance gap. Enterprises cannot govern what they cannot see. When AI coding agents operate as shadow IT within development environments — running without centralized inventory, configuration baselines, or behavioral monitoring — they represent an unmanaged risk that falls outside existing security controls.
5. Agentic Supply Chain Vulnerabilities (ASI04)
The risk. OWASP's ASI04 extends traditional supply chain risk to the live runtime ecosystem of agents: MCP servers, plugins, registries, descriptors, third-party agents, and update channels that agents dynamically trust and load. Unlike traditional software supply chains where dependencies are static and can be scanned at build time, agentic ecosystems compose capabilities at runtime — loading external tools and agent personas dynamically.
Why this matters for coding agents. MCP (Model Context Protocol) has become the primary mechanism through which AI coding agents connect to external tools and services. OWASP documents multiple real-world incidents including:
- Malicious MCP servers impersonating legitimate services on npm
- Tool descriptor poisoning where hidden commands are embedded in MCP metadata
- Compromised NPM packages automatically installed by coding agents that exfiltrate SSH keys and API tokens
The "Amazon Q Supply Chain Compromise" scenario is particularly instructive: a poisoned prompt in the Q for VS Code repository shipped to thousands of developers before detection. Despite the attack failing to achieve its full objective, it demonstrated how upstream agent-logic tampering cascades through extensions and amplifies impact at scale.
The compliance gap. Dependency management requirements in frameworks like NIST SP 800-218 (SSDF) and SOC 2 Trust Services Criteria assume that organizations maintain inventories of their software components and validate their provenance. When AI coding agents dynamically connect to MCP servers and external tools at runtime, those connections are invisible to traditional SBOM and dependency scanning tools.
The Architectural Gap: Why Existing Tools Cannot Solve This
Traditional security tooling was designed for a world where humans write code and software components are static. The AI coding agent threat surface breaks both assumptions.
| Existing Control | What It Does | What It Misses |
|---|---|---|
| AppSec tools | Find vulnerabilities in code | Do not govern what an agent does in a terminal, which MCP servers it connects to, or whether its configuration grants excessive permissions |
| IAM / PAM | Control human access | Not designed to track, scope, or revoke the permissions of autonomous coding agents |
| EDR / Endpoint | Detect malware and exploit patterns | Agent-driven misuse of legitimate tools — executing valid commands under valid credentials — is invisible to host-centric monitoring |
| SAST / DAST | Analyze code at rest or in execution | Cannot evaluate agent behavior, configuration posture, or real-time decisions about tool invocation |
The gap is architectural. There is no existing security category that provides centralized visibility, risk analysis, and policy enforcement for what AI coding agents are doing across an enterprise.
Introducing the Agent Access Security Broker (AASB)
The Agent Access Security Broker is a new security category purpose-built to address the governance gap created by AI coding agents. The concept follows the same architectural logic as the Cloud Access Security Broker (CASB), which emerged when enterprises needed a control layer between users and cloud applications that IT did not manage.
An AASB sits between AI coding agents and the systems they interact with — development environments, terminal commands, infrastructure APIs, databases, and external tool servers — providing three core capabilities:
Visibility and Discovery. Continuous identification of which AI coding agents are running across the organization, how they are configured, what external tools or MCP servers they connect to, and what risky configurations exist such as auto-approved actions or excessive permissions.
Risk Assessment and Posture Analysis. Evaluation of agent behavior, configuration posture, and tool connections to surface high-risk patterns before they become incidents. This includes dangerous command patterns, unauthorized integrations, and risky autonomy settings.
Governance and Policy Enforcement. Centralized guardrails that control what agents are allowed to do. Policies can audit, warn, or block actions such as destructive terminal commands, unauthorized data access, or risky external tool usage. Human-in-the-loop approval workflows ensure sensitive operations remain under control.
How Unbound AI Closes the Gap
Unbound AI is the AASB platform purpose-built for this problem. Our platform provides the visibility, risk analysis, and policy enforcement that enterprises need to govern AI coding agents at scale. Here is how Unbound directly addresses each of the five OWASP risks analyzed in this report:
Against Tool Misuse (ASI02), Unbound discovers 20+ AI coding tools, MCP servers, sub-agents, and agent rules actually in use across your organization. We monitor risky terminal runs and MCP actions in real time by user and application. We enforce sanctioned-tool and MCP policies, then warn, block, or redact unsafe activity through guardrails.
Against Unexpected Code Execution (ASI05), Unbound inspects and governs high-risk terminal commands and execution paths before they run. We apply approval workflows and policy checks around elevated or destructive actions. We reduce exposure and blast radius by making execution observable and enforceable across agent workflows.
Against Human-Agent Trust Exploitation (ASI09), Unbound replaces blind approval with policy-backed guardrails and human-in-the-loop control points. We warn, block, or redact risky outputs and sensitive data movement before the action lands. We create auditable evidence of who approved what, what the agent attempted, and where policy intervened.
Against Rogue Agents (ASI10), Unbound surfaces hidden sub-agents, unsafe configurations, and agent rules before drift becomes invisible sprawl. We monitor live actions across tools, terminals, files, and MCP connections. We apply centralized governance and least-privilege boundaries so suspicious behavior can be contained quickly.
Against Agentic Supply Chain Vulnerabilities (ASI04), Unbound inventories the tools, MCP servers, and external dependencies agents actually connect to at runtime. We enforce allowlists and sanctioned connection policies so unsanctioned components stand out immediately. We monitor live behavior for unsafe tool calls and sensitive data movement triggered by compromised dependencies.
The Cost of Inaction
Every week that AI coding agents operate without governance is a week of accumulating risk. The OWASP exploits and incidents tracker documents a steady cadence of real-world breaches:
- The EchoLeak zero-click prompt injection against Microsoft 365 Copilot
- The Amazon Q supply chain compromise that shipped to thousands
- The Replit vibe coding meltdown that deleted a production database
- The ForcedLeak attack against Salesforce Agentforce
- Multiple RCE vulnerabilities in Cursor alone discovered in October 2025
These are not theoretical scenarios. They are documented incidents that map directly to the risks outlined in this report.
The enterprises that will navigate this transition successfully are those that implement a governance layer now — before an unmanaged coding agent exfiltrates credentials, deletes production data, or introduces a supply chain compromise that propagates across the organization.
Take Action
Unbound AI offers a free tier so your team can start gaining visibility into your AI coding agent estate immediately. There is no reason to wait.
Start free — Sign up for the Unbound free tier and begin discovering the agents, tools, and configurations running across your development organization today.
Book a demo — If you want a guided walkthrough of how Unbound maps to your specific environment, compliance requirements, and risk posture, schedule a platform demo.
The governance gap is real, the risks are documented, and the solution exists. The only remaining variable is how quickly you act.
Raj Srinivasan is the CEO of Unbound AI, the pioneering Agent Access Security Broker (AASB) platform. Prior to founding Unbound, Raj spent over a decade building security products for enterprise development teams.
This report references the OWASP Top 10 for Agentic Applications (Version 2026, December 2025), published by the OWASP Gen AI Security Project — Agentic Security Initiative under Creative Commons CC BY-SA 4.0.
Raj Srinivasan
Building the Agent Access Security Broker. Discover, assess, and govern AI coding agents.
LinkedInReady to govern your AI coding agents?
Full visibility in under 5 minutes. No code changes. No developer workflow disruption.
Related articles
How Unbound AASB Addresses Key OWASP Risks for Agentic Applications
AASB vs. CASB: Why AI Coding Agents Need a New Security Category
How to Govern AI Coding Agents Without Killing Productivity
Get the AI Agent Security Digest
Weekly insights on agent governance, MCP security, and AASB. No spam.