Source: dev.to · topic: ai-agents

Your AI agent has a shell, a token, and no manager. Here’s why that breaks DevSecOps.

Autonomous coding agents with shell access, tokens, and no human oversight break traditional DevSecOps by acting at machine speed on external inputs, bypassing code review and CI gates. A developer argues that the control surface has shifted from code to actions, requiring real-time policy enforcement and audit trails for agent actions, not just static code analysis.

Published Jun 16, 2026 · 3 min read

If you’ve wired up an autonomous coding agent in the last six months, you’ve probably given it more than you’d give a new hire on day one: repo write access, a cloud role, API keys, maybe a path to prod. And unlike the new hire, it acts at machine speed and never asks twice. Let’s walk the actual chain, because the abstract version (“AI is risky!”) convinces no one.

  • The trigger isn’t always you. Agents increasingly act on external input: a webhook, an email, a scraped page, a ticket. Which means untrusted text is now an instruction source. Prompt injection stops being a chatbot party trick the moment the model on the other end can run gh pr merge or aws s3 rm.
  • The action is the artifact. Traditional pipeline: code → review → CI → deploy, with a human gate somewhere. Agent pipeline: goal → plan → action → next action, often with the gate removed because removing it is the productivity win. The thing you’d want to inspect already happened.
  • Your existing tools watch the wrong layer.
      • A SAST scanner reads files. The agent’s risky move (assume-role admin, DELETE FROM users, open 0.0.0.0/0) isn’t a file.
      • A CI gate runs at build time. The agent is acting at runtime, against live systems, possibly nowhere near a build.
      • Secret scanners find secrets committed to a repo. They don’t see an agent using a valid secret to do something it shouldn’t.

  • “Human in the loop” quietly becomes a rubber stamp. When an agent proposes 200 actions a day, the human approving them reads maybe five. The loop exists on the org chart, not in reality.

None of this means agents are bad. They’re the most productive thing to happen to engineering in a decade. It means the control surface moved from code to actions and we haven’t moved our tooling with it.

What governing the action layer actually looks like, concretely:

  • Observe every agent action as a first-class event (not buried in app logs): tool calls, queries, infra changes, with the agent identity attached.

  • Policy at the action level: “agents may read prod, never run destructive writes without a human key”; “no agent opens a security group to 0.0.0.0/0.” Enforced in real time, not discovered in a postmortem.

  • Block and quarantine the dangerous action before it lands, and isolate the session that tried it.

  • Explain + audit: a plain-English account of what was attempted and an immutable record of what happened.
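One way to wire the four points above into a single gate, as an added example that is not code from the article or from ZenVeil: the event schema, agent names and sample actions are constructed, the two rules are the policies quoted above, and the audit record is a hash chain so a later edit or dropped entry is detectable.

```python
import hashlib, json, re

def act(agent, tool, args, human_key=None):  # hypothetical action-event schema
    return {"agent": agent, "tool": tool, "env": "prod", "human_key": human_key, "args": args}

ACTIONS = [  # constructed sample stream of agent actions, all against prod
    act("agent-ci", "sql", {"query": "SELECT count(*) FROM users"}),
    act("agent-ci", "sql", {"query": "DELETE FROM users WHERE last_login < '2020-01-01'"}),
    act("agent-ci", "sql", {"query": "SELECT 1"}),  # same session, after its blocked action
    act("agent-infra", "aws", {"cmd": "ec2 authorize-security-group-ingress --cidr 0.0.0.0/0 --port 22"}),
    act("agent-cleanup", "sql", {"query": "DELETE FROM sessions WHERE expired = 1"}, human_key="hk-oncall-7f3a"),
]
DESTRUCTIVE_SQL = re.compile(r"^\s*(DELETE|DROP|TRUNCATE|UPDATE|ALTER)\b", re.I)
digest = lambda d: hashlib.sha256(json.dumps(d, sort_keys=True).encode()).hexdigest()

def evaluate(action):
    """Action-level policy, decided before the action lands: (allowed, plain-English reason)."""
    args = json.dumps(action["args"])
    if action["tool"] == "aws" and "security-group-ingress" in args and "0.0.0.0/0" in args:
        return False, "no agent opens a security group to 0.0.0.0/0"
    if action["env"] == "prod" and action["tool"] == "sql" and DESTRUCTIVE_SQL.match(action["args"]["query"]):
        if not action["human_key"]:
            return False, "destructive write to prod without a human key"
        return True, f"destructive write to prod approved by human key {action['human_key']}"
    return True, "read or non-destructive action"

def append(log, action, allowed, reason):
    """Append-only audit entry whose hash commits to the previous entry (tamper-evident chain)."""
    entry = dict(action, allowed=allowed, reason=reason, prev=log[-1]["hash"] if log else "0" * 64)
    entry["hash"] = digest(entry)
    log.append(entry)

def verify_chain(log):
    """Recompute the chain; an edited, reordered or dropped entry breaks it."""
    prev = "0" * 64
    for e in log:
        if e["prev"] != prev or e["hash"] != digest({k: v for k, v in e.items() if k != "hash"}):
            return False
        prev = e["hash"]
    return True

def run_gate(actions):
    """Gate every action with its agent identity attached; a blocked action quarantines that agent's session."""
    log, quarantined = [], set()
    for a in actions:
        allowed, reason = (False, "session quarantined after a blocked action") if a["agent"] in quarantined else evaluate(a)
        if not allowed:
            quarantined.add(a["agent"])
        append(log, a, allowed, reason)
    return log, quarantined
```

Running run_gate(ACTIONS) blocks the keyless DELETE, the follow-up call from the same quarantined session, and the 0.0.0.0/0 ingress, while the human-keyed DELETE goes through; verify_chain answers the 2am question of whether the record itself is intact.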

You can approximate pieces of this by hand: a wrapper here, a deny-list there, a Slack alert. We did, for a while. It rots the moment your agents, tools, or providers change, and it never gives you the one thing that matters at 2am: a single, trustworthy answer to “what did the agents do, and what got stopped?”

That’s the layer we’re building. If you want to see it against your own repo, the scan is free, and BETA30 knocks 30% off if you later want the governance and fixes. But even if you never touch ZenVeil: move your thinking from “is the AI’s code safe?” to “is the AI’s action allowed?” That reframe is the whole game now.
