AI coding agents are moving from code suggestion into software execution, creating a governance problem around the credentials, tools and developer environments they can reach.

The shift is the focus of this story: once coding agents can run commands, make code changes, invoke developer tools and work across repositories, enterprises have to decide how those agents are authenticated, scoped, logged and audited. 

From assistance to autonomous execution

OpenAI’s Codex is the clearest example in this story of that shift, because it is no longer being positioned only as a coding assistant. OpenAI says Codex can understand large codebases, use tools, make changes, run tests and prepare work for human review.

The company also says Codex is used by more than 4 million people each week and by companies including Cisco, Datadog, Dell Technologies and Nvidia.

Cisco provides one public example of the move from assistance to execution. In an OpenAI case study, Cisco said it integrated Codex into production engineering workflows across multi-repository systems and C/C++-heavy codebases. 

The case study says Codex wrote more than 95% of new AI Defense features, helped increase defect resolution throughput by 10 to 15 times and supported autonomous compile-test-fix loops. Those figures do not prove uniform enterprise adoption, but they show coding agents are already being used in operational software work, not only in isolated developer experiments.

OpenAI’s own safety guidance frames the enterprise issue as a control problem. In a May 8 post, the company described safeguards around agent access, human approvals, interaction with development systems and telemetry. 

The guidance reflects a broader concern raised by security practitioners and vendors interviewed for this story: beyond questions of code quality or software vulnerabilities, organizations must determine how agents with write access, tool access and runtime credentials are authenticated, monitored and governed alongside human developers, privileged accounts and software supply-chain systems.

Credential handling and the control problem

Credential handling is one part of that problem. 1Password, an identity security vendor, announced a May 20 integration with OpenAI Codex that allows Codex-driven workflows to use 1Password-managed credentials through the 1Password Environments MCP Server, which is based on the Model Context Protocol. 

The company said the integration keeps raw secret values out of prompts, code and model context, positioning 1Password as a trusted access layer for Codex rather than only a vault beside the agent.

“As coding agents take on more of the software development lifecycle, the question isn’t whether to give them access, but how,” said Nancy Wang, CTO of 1Password. “A credential that persists is already compromised. That’s why just-in-time credentials are the only viable security model for AI-native development.”

But security experts say the issue extends beyond where credentials are stored. David Girvin, AI security researcher at Sumo Logic, told TechInformed that agentic development changes the control point.

“Traditional controls are necessary but no longer sufficient. A vault governs who holds a secret; it says nothing about what an autonomous agent does with that access once it’s granted. Endpoint tools see process behaviour, not agent intent, and supply-chain scanning won’t catch an agent being prompt-injected into misusing legitimate credentials.”

A widening control surface and rising secret leaks

Public repository data shows why the control surface is widening. GitGuardian, a secrets-security vendor, said 28.65 million new hardcoded secrets were added to public GitHub commits in 2025, up 34% from a year earlier. Public GitHub commits climbed to about 1.94 billion, up 43%, while the developer base increased 33%.

The AI-specific subset grew faster. GitGuardian counted 1,275,105 AI-service secrets in 2025, up 81%, and reported that eight of the 10 fastest-growing detectors were tied to AI services. “When organizations scale creation faster than governance, secrets begin to spread everywhere,” the report said.

GitGuardian also found that Claude Code-assisted commits showed a 3.2% secret-leak rate, compared with a 1.5% baseline across all public GitHub commits. The company cautioned that this should not be read as a simple tool failure because developers still accept, edit, ignore or push agent-generated changes.

MCP files have become another exposure point. GitGuardian identified 24,008 unique secrets in MCP-related configuration files on public GitHub, including 2,117 valid credentials. The report linked part of the pattern to setup guides that place API keys in configuration files, command-line arguments or embedded connection strings.
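A scanner for the configuration pattern described above, added here as an illustration and not GitGuardian's or any vendor's tooling: it walks an mcpServers-style client config and reports literal secrets in env entries, inline command-line arguments and connection strings, treats ${VAR} references as resolved at runtime, and never copies a value into the finding. The sample config, server names and values are constructed placeholders.

```python
import json
import re

# Keys whose literal values should not sit in a config file.
SENSITIVE_KEY = re.compile(r"token|secret|key|password|passwd|credential", re.I)
# scheme://user:password@host ... (the password is matched, never reported)
CONNECTION_STRING = re.compile(r"^[a-z][a-z0-9+.-]*://[^/\s:@]+:[^@\s/]+@")
# --api-key=VALUE style arguments that embed the secret in the command line
INLINE_ARG = re.compile(r"^--?[\w-]*(token|key|secret|password)[\w-]*=(.+)$", re.I)


def is_reference(value):
    # "${NAME}" or "$NAME" is resolved from the environment at runtime, not stored.
    return value.startswith("$")


def scan_mcp_config(text):
    """Return (server, location, kind) findings for literal credentials in an
    mcpServers-style config. Only the location is reported, never the value."""
    findings = []
    for name, server in json.loads(text).get("mcpServers", {}).items():
        for key, value in server.get("env", {}).items():
            if not isinstance(value, str) or is_reference(value):
                continue
            if CONNECTION_STRING.search(value):
                findings.append((name, f"env.{key}", "credentials-in-connection-string"))
            elif SENSITIVE_KEY.search(key):
                findings.append((name, f"env.{key}", "hardcoded-secret"))
        for i, arg in enumerate(server.get("args", [])):
            m = INLINE_ARG.match(arg)
            if m and not is_reference(m.group(2)):
                findings.append((name, f"args[{i}]", "secret-in-argument"))
            elif CONNECTION_STRING.search(arg):
                findings.append((name, f"args[{i}]", "credentials-in-connection-string"))
    return findings


# Constructed sample in the common {"mcpServers": ...} client layout; every
# server name and value is a placeholder, not a real package or credential.
SAMPLE_CONFIG = json.dumps({"mcpServers": {
    "github": {"command": "npx", "args": ["-y", "example-github-mcp",
                                          "--token=ghp_PLACEHOLDER0000000000000000"],
               "env": {"GITHUB_TOKEN": "ghp_PLACEHOLDER0000000000000000"}},
    "db": {"command": "mcp-db", "args": [],
           "env": {"DATABASE_URL": "postgres://app:PlaceholderPass@db.internal:5432/app"}},
    "files": {"command": "mcp-files", "args": ["--root", "/srv/docs"],
              "env": {"LOG_LEVEL": "info", "OPENAI_API_KEY": "${OPENAI_API_KEY}"}},
}})

if __name__ == "__main__":
    for finding in scan_mcp_config(SAMPLE_CONFIG):
        print(finding)
```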

GitGuardian’s findings help explain why 1Password is pushing runtime injection rather than static credential handling. In its technical blog, the company said secrets injected into an authorized process are not written to disk and remain available only during that execution or session.

The company said the MCP server does not read or return secret values through the MCP channel and does not surface them in the model’s context window. Codex can create environments, list variable names and invoke applications that use those secrets, while the underlying values remain inside 1Password.
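The injection model described above, added here as a Python illustration rather than 1Password's implementation: a broker lets an agent list credential names and run a tool with the requested secrets placed in that child process's environment, but exposes no call that returns a value. It also records which agent used which credential and why, the audit question Girvin raises later in the piece, and redacts any value a misbehaving tool echoes back toward the agent. The class name, secret values and agent identifier are constructed placeholders.

```python
import os
import subprocess
import sys
import time


class JitSecretBroker:
    """Owns secret values and injects them into a child process for one execution.
    It exposes names, never values: there is deliberately no get() method, so an
    agent holding the broker cannot pull a raw credential into its context."""

    def __init__(self, secrets):
        self._secrets = dict(secrets)
        self.audit = []  # one record per execution: which agent, which credential, why

    def list_names(self):
        return sorted(self._secrets)  # names are safe to show the agent

    def _redact(self, text):
        # Child output flows back to the agent, so scrub any value it echoed.
        for value in self._secrets.values():
            text = text.replace(value, "[REDACTED]")
        return text

    def run(self, agent_id, purpose, argv, needs):
        unknown = [n for n in needs if n not in self._secrets]
        if unknown:
            raise PermissionError(f"unknown secrets requested: {unknown}")
        # Only the requested names are injected, into the child's environment only.
        env = dict(os.environ, **{n: self._secrets[n] for n in needs})
        proc = subprocess.run(argv, env=env, capture_output=True, text=True)
        self.audit.append({"ts": time.time(), "agent": agent_id, "purpose": purpose,
                           "credentials": sorted(needs), "argv": argv,
                           "rc": proc.returncode})
        return {"rc": proc.returncode, "stdout": self._redact(proc.stdout),
                "stderr": self._redact(proc.stderr)}


# Constructed placeholder secrets, not real credentials.
DEMO_SECRETS = {"DEMO_API_TOKEN": "tok_constructed_example_123",
                "DEMO_DB_URL": "postgres://app:PlaceholderPass@db.local/app"}


def demo():
    broker = JitSecretBroker(DEMO_SECRETS)
    # Well-behaved tool: uses the token but only reports its length.
    ok = broker.run("codex-demo", "run unit tests", [sys.executable, "-c",
                    "import os; print(len(os.environ['DEMO_API_TOKEN']))"], ["DEMO_API_TOKEN"])
    # Misbehaving (or prompt-injected) tool that echoes the token: redacted on the way back.
    leaky = broker.run("codex-demo", "debug failing test", [sys.executable, "-c",
                       "import os; print(os.environ['DEMO_API_TOKEN'])"], ["DEMO_API_TOKEN"])
    return broker, ok, leaky
```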

Treating AI agents as governed identities

1Password’s design addresses custody of credentials. It does not answer every governance question around what an agent does once access is approved. Daniela Giannini, senior security engineer at Black Duck, said organizations need to treat agents as governed identities rather than ordinary applications.

“To securely deploy AI at scale, organizations must rethink access management by treating AI agents as first-class identities, enforcing least privilege, and ensuring that every action is executed ‘on behalf of’ a verified user context.”

Martin Schirmer, GVP NEMEA at Cloudera, said the right control model also depends on the agent’s purpose. “An internal knowledge assistant may use retrieval-based methods to surface current information, while a sales agent may need structured access to CRM data through controlled interfaces. In both cases, the goal is the same: accurate, relevant context without compromising security or governance.”

Schirmer added that agents also need data context, not only data access. “For agentic systems to work effectively, they need to understand what that data represents, how it is used, and how it relates to other information across the organization. Without context, agents can retrieve information, but they cannot interpret it with confidence or produce reliable outputs.”

Federal guidance and compliance pressures

Government guidance is beginning to formalize the same concern. On May 20, the NSA’s Artificial Intelligence Security Center released security design considerations for MCP, describing it as an application-level protocol used by many AI-enabled systems to manage interactions between services.

The NSA guidance said MCP can simplify agent workflows but requires careful implementation because design and operational gaps create risks around serialization, trust boundaries and agent misuse. It also said traditional controls such as authentication, authorization and input validation remain necessary, while agentic systems add risks such as dynamic tool invocation, implicit trust relationships and context sharing.

Security vendors are now moving controls closer to agent workstations. Endor Labs, a software supply-chain security company, launched Agent Governance and Package Firewall capabilities on May 12 for environments including Cursor, Claude Code and Google Antigravity. Socket, another software supply-chain security company, said it is extending coverage from package managers to browser extensions, code editor extensions, MCP servers and AI tools.

Existing frameworks already point to the gap. NIST’s Secure Software Development Framework recommends protecting development environments, monitoring privileged access on development endpoints and restricting access to source code and configuration-as-code on a least-privilege basis. 

Those controls were not written for Codex or MCP specifically, but they apply to the repositories, endpoints and configuration files now being connected to coding agents.

Public companies also face a disclosure layer under SEC cybersecurity rules, which require material incident disclosures and annual reporting on cybersecurity risk management, strategy and governance. 

For enterprise leaders, the immediate test is whether they can answer Girvin’s question: “If you can’t answer ‘what did this agent do, with which credential, and why,’ it shouldn’t be in your workflow.”
