The Agent Attack Surface: Why AI Is Breaking Software Security As We Know It
For decades, software security has followed a simple mental model: developers write code, security teams review it, and vulnerabilities get patched one by one. AI agents are about to break that model entirely. Agents don't just run code — they choose tools, write new code, and select dependencies throughout the development process, often without any human in the loop. They lack the context to make safe decisions about what they're pulling in: whether a package is malicious, maintained, or a typosquat of something legitimate. The software supply chain becomes dramatically harder to reason about when the software itself is deciding what to include. At the same time, AI is supercharging vulnerability discovery, finding hundreds of new flaws at a pace the current model can't absorb. Putting the burden on individual developers is no longer acceptable. We'll discuss what a new security model looks like — one that operates at the ecosystem level and responds automatically to emerging threats.