
Originally presented in Coder's webinar, Agents in the Enterprise: Deploying AI Safely with Coder. Watch the full recording.
In a recent poll of enterprise engineering leaders, Coder asked two questions. First: how many of you are at companies actively considering AI agents? Nearly every hand went up. Second: how many of you have agents successfully running in production at scale, delivering real, measurable results? Almost no one.
Today, enterprise software development organizations see a crucial gap as they move from consideration to production. Every AI vendor is promising 10x productivity through agentic workflows. What they are not telling you is what it actually takes to deploy and get real benefit from agents without turning them into your company's biggest liability.
This post lays out the real risk model for agentic AI, the infrastructure your team needs to govern it, and how to build the governed cloud environments that make it work. You can also register for a hands-on workshop to walk through the full setup yourself.
The most common mistake organizations make is treating AI agents like any other software tool. Tools, like hammers, behave predictably. Large language models do not.
AI agents are better compared to human interns. They can be incredibly smart and hardworking, but they need supervision, guardrails, and limited permissions so they don't take down production in their enthusiasm.
The key difference, however, is that a human intern has skin in the game. A coding agent does not. It can apologize to you five different ways, but it has no underlying reason to protect your company. Just last month, a security researcher at Meta accidentally deleted her entire inbox using the new OpenClaw agent. PCMag reported that the agent initially worked as expected in the researcher's test environment, but the size of her real inbox "triggered compaction [and lost her] original instruction" to get permission before proceeding with deleting.
GitHub issues closed, lines of code written, PRs merged; weeks of engineering work completed in hours. Those are the productivity metrics that many organizations use to justify AI investments. None of them account for what happens when things go wrong - for example, the damage caused by a single mistake by an unconstrained agent with no infrastructure boundaries. For more on this perception gap, see When AI Feels Closer Than It Really Is.
Simon Willison, co-creator of the Django web framework, coined a framework that explains why agents are so easy to exploit and so costly when they are. He calls it the lethal trifecta: three capabilities that, when combined, leave an organization wide open to exploitation.
Access to private data. Agents need your codebase, internal documentation, credentials, and API keys to be useful, but that same data is the crown jewel for any attacker.
Exposure to untrusted content. Agents fetch npm packages, read Stack Overflow threads, and browse external documentation, but any of these can carry prompt injection attacks designed to manipulate agent behavior.
Ability to externally communicate. Agents make API calls, commit code, and deploy infrastructure, but that same pathway is how a compromised agent will exfiltrate your private data.
Limiting all three of these means you'll have a very unproductive agent. The real solution is being intentional about what parts of the trifecta your agent has access to at any given time.
The attack scenarios are not theoretical. Prompt injection can cause an agent to introduce code that exfiltrates sensitive data when it reads manipulated external documentation. Context poisoning feeds an agent false information to make a harmful action appear logically correct. Privilege escalation exploits an over-provisioned agent to access systems beyond its intended scope. In each case, the AI model itself can't protect you. The infrastructure around it can.
You cannot trust your AI agent to be secure out of the box. No AI vendor can ensure that. If you want to protect yourself against malicious actors, your company needs to put the work in yourself.
The core problem with local agent execution is their scope. When an agent runs on a developer's laptop, it inherits everything that developer has access to: credentials, browser sessions, SSH keys, the entire local file system. A compromised agent in that context is not just getting the code it was working on. It is getting the developer's full digital identity.
When the same agent runs in an isolated cloud development environment (CDE), the blast radius shrinks dramatically. The agent only accesses the specific project and scoped credentials it needs, and if something goes wrong, the environment can be destroyed and rebuilt. According to Coder's AI Maturity Model, organizations that scale AI chaotically face more security incidents, higher compliance overhead, and slower delivery as controls are retrofitted after incidents. CDEs eliminate that pattern by making governance the starting point rather than an afterthought.
For organizations in financial services, defense, or any regulated industry where sensitive code cannot leave the perimeter, self-hosted infrastructure matters enormously. Unlike GitHub Codespaces or Ona, Coder is the only fully self-hostable option in the CDE category and is deployable on your own infrastructure - including fully air-gapped, on-premises environments.
Safe agent deployment requires three categories of infrastructure controls, each of which maps to a layer of the lethal trifecta.
You want builders working in governed environments that move agent workloads off local machines and into cloud environments defined by templates. Coder Workspaces use Terraform to define exactly what tools, credentials, and network access each environment type gets. Developers and agents share the same workspace infrastructure, which means human and AI workflows are governed by the same policies, are reproducible, auditable, and easy to hand off in either direction. A developer can also run multiple concurrent yet isolated agent processes in the cloud.
The next requirement is visibility into what your agents are actually doing. Coder AI Bridge is a smart gateway that intercepts all LLM API traffic between agents and their upstream model providers. It provides centralized authentication, full audit logging, token and cost tracking, and MCP tool injection. When AI spend scrutiny arrives from finance and leadership, this is what makes the investment defensible: observable, attributable data on cost and value per workflow, per team, per agent.
Even inside an isolated workspace, an agent with unrestricted execution permissions can cause damage by installing malicious packages, making unauthorized network calls, or exfiltrating private information. Coder Agent Boundaries lets you observe the actions that your agents take at the process level and restrict their access to only the network domains that you explicitly allow; everything else is automatically blocked.
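As an added illustration of the allowlist semantics described above (example code written for this post, not Coder's code and not how Agent Boundaries is implemented), the checker below denies every outbound destination unless it matches an explicitly listed host, rejecting look-alike suffixes and failing closed on records it cannot parse. The event line format, the hostnames, and the function names are constructed assumptions.

```python
import re

# Constructed sample of process-level outbound connection attempts from an agent
# workspace. The line format is hypothetical, not Agent Boundaries' real output.
SAMPLE_EVENTS = [
    "pid=4312 proc=node dst=registry.npmjs.org:443",
    "pid=4312 proc=node dst=llm-gateway.internal.example:443",
    "pid=4390 proc=curl dst=registry.npmjs.org.attacker.test:443",
    "pid=4401 proc=git dst=git.repos.internal.example:22",
    "pid=4402 proc=python dst=unknown-host.test:443",
    "pid=4403 proc=sh dst=<malformed>",
]

ALLOWLIST = [  # exact hosts, plus one wildcard that covers subdomains only
    "registry.npmjs.org", "llm-gateway.internal.example", "*.repos.internal.example",
]

EVENT_RE = re.compile(r"pid=(\d+) proc=(\S+) dst=([A-Za-z0-9.-]+):(\d+)$")


def host_allowed(host, allowlist):
    """True only if host matches an entry on whole DNS labels: a look-alike
    such as registry.npmjs.org.attacker.test is not registry.npmjs.org, and
    *.repos.internal.example covers git.repos.internal.example, not the apex."""
    host = host.lower().rstrip(".")
    for pattern in allowlist:
        pattern = pattern.lower()
        if pattern.startswith("*."):
            if host.endswith(pattern[1:]):  # pattern[1:] keeps the leading dot
                return True
        elif host == pattern:
            return True
    return False


def evaluate(events, allowlist):
    """Map each event to (proc, host, verdict); unparseable lines fail closed."""
    decisions = []
    for line in events:
        m = EVENT_RE.match(line)
        if m is None:
            decisions.append(("?", line, "deny"))
            continue
        _pid, proc, host, _port = m.groups()
        verdict = "allow" if host_allowed(host, allowlist) else "deny"
        decisions.append((proc, host, verdict))
    return decisions


def denied_hosts(events, allowlist):
    """Destinations the policy blocked, i.e. what a reviewer should look at."""
    return [h for _, h, v in evaluate(events, allowlist) if v == "deny"]
```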
To see all three layers working together in practice — including a live demo of Coder Tasks, AI Bridge feeding metrics to Grafana, and Agent Boundaries blocking an unauthorized domain in real time — watch the webinar recording.
For technical leaders whose developers are already running local agents, migration does not have to be disruptive. A three-phase approach works well:
In short, effective migration is about driving natural adoption by bringing real value, not forcing devs into using a tool they aren't sold on.
The companies that will win with agentic AI are not the ones who ship the most agent-generated PRs. They are the ones who build infrastructure that makes agent output trustworthy, auditable, and repeatable over time. When the scrutiny arrives — and it will — the teams with concrete data on cycle time improvements, post-merge defect rates, and cost per merged PR will have something to show. The teams measuring vanity metrics, like lines of code written by AI, will not.