How AI Accelerates Security Problems and How to Fix Them

AI is here, AI-driven attacks are here. What do we do now?


In February 2026, hackers used Claude Code and GPT-4.1 to exfiltrate 195 million Mexican government identity records across nine federal agencies. The model itself generated about 75% of the attack code. Two months later, Vercel was breached because one of its employees had connected a third-party AI tool to their enterprise Google account with full OAuth permissions. When that AI tool's own systems were later compromised, those permissions became the attacker's path straight into Vercel.

Vercel's incident report described the attacker as highly sophisticated, citing operational velocity and a deep understanding of the API surface. In practice that means the attacker was working at machine speed, enumerating and using the API faster than any human operator realistically could.

I had the chance to talk about this at two different conferences, ColuxChain 26 (on my birthday) and DTX Manchester 2026. Today, I'm going to share all I know about it.

Agents amplify what's already broken

Most CI pipelines have been slow for years, and the access controls around them were written for humans, who sleep. None of that mattered much when attacks were manual. It matters enormously when the attacker's agent can probe and exploit in the time it takes an on-call engineer to read a Slack notification.

Agentic development creates the same acceleration problem internally. An AI agent doing deployments inherits every bottleneck in the pipeline and multiplies them. Where a human developer might open six PRs a week, an agent will happily churn out sixty, and most review processes weren't designed for that pace.

At DTX, the conversation kept coming back to one question: have teams actually sat down and talked about what agentic development means for how they work? Most haven't. They've adopted the tools and assumed the process would sort itself out.

Treating agents like principals

The phrase "zero trust" has been in vendor decks for so long it's almost lost meaning. But for agentic systems, the underlying idea is worth taking seriously again.

An agent doing the same actions as a human developer is subject to the same supply chain risks. An automatic version bump can move a project from a vulnerable dependency to a malicious one (a hijacked package, a typosquat, a compromised maintainer account), and the agent won't second-guess it before shipping.

The answer is giving agents explicit guardrails: what they can touch and what requires a human to sign off before anything moves.

For any irreversible action, the agent should stop and surface a plain-English explanation that a non-engineer can actually read, before proceeding. Even if the attacker fully owns the agent, they still hit a human wall before anything moves. Two caveats make the wall hold: the explanation must be generated from the action's actual parameters rather than written by the agent, because a compromised agent will describe a malicious action as benign; and the approval must be bound to those exact parameters, so that a sign-off for one action cannot be replayed for another. It is a wall, not a fortress, as the Drift Protocol case below shows when the humans behind it are the ones being manipulated.
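One way to implement the guardrail described above, covering both the protected-dependency case from the previous paragraph and the human gate for irreversible actions. This is an added example, not the author's code or any vendor's product. It assumes a hypothetical agent that emits tool calls as `{"tool": name, "args": {...}}`, a hypothetical approval UI that shares a secret key with the gate, and a tool taxonomy (`READ_ONLY`, `REVERSIBLE`, `IRREVERSIBLE`) chosen for illustration:

```python
"""Tool-call gate for a deployment agent: allowlist, default deny, and a human
approval bound to the exact action rather than to the agent's own narrative.
Added example; tool names, paths and the shared key are assumptions."""
import hashlib
import hmac
import json
import os
from dataclasses import dataclass
from typing import Optional

READ_ONLY = {"read_file", "list_dir", "run_tests"}           # assumed taxonomy
REVERSIBLE = {"write_file"}                                   # a git revert undoes it
IRREVERSIBLE = {"deploy", "push_branch", "transfer_funds"}    # settles somewhere

# Manifests, lockfiles and CI config: an automatic version bump here is how a
# vulnerable dependency becomes a malicious one, so these always need a human.
PROTECTED = ("package.json", "package-lock.json", "requirements.txt",
             "pyproject.toml", "poetry.lock", "go.mod", "go.sum", "Cargo.lock",
             ".github/workflows/")


class Denied(Exception):
    pass


class NeedsApproval(Exception):
    def __init__(self, action_id: str, summary: str):
        super().__init__(summary)
        self.action_id, self.summary = action_id, summary


def action_id(key: bytes, call: dict) -> str:
    """What the human approves: an HMAC over the canonical call, so approval for
    'deploy main to staging' cannot be replayed as 'deploy main to prod'."""
    canonical = json.dumps(call, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def summarize(call: dict) -> str:
    """Plain-English summary built by the gate from the arguments. A compromised
    agent can lie in its own explanation; it cannot change what this reads."""
    t, a = call["tool"], call.get("args", {})
    if t == "deploy":
        return f"Deploy ref {a.get('ref')} to environment {a.get('env')}"
    if t == "transfer_funds":
        return f"Send {a.get('amount')} {a.get('asset')} to {a.get('to')}"
    if t == "write_file":
        return f"Modify protected file {a.get('path')}"
    return f"Run {t} with {json.dumps(a, sort_keys=True)}"


@dataclass
class Gate:
    repo_root: str
    key: bytes  # shared with the approval UI (assumption)

    def _inside_repo(self, path: str) -> str:
        """Resolve the path and refuse anything that escapes the repository."""
        root = os.path.realpath(self.repo_root)
        full = os.path.realpath(os.path.join(root, path))
        if os.path.commonpath([root, full]) != root:
            raise Denied(f"path escapes repository: {path}")
        return os.path.relpath(full, root)

    def _approved(self, call: dict, approval: Optional[str]) -> str:
        expected = action_id(self.key, call)
        if approval is not None and hmac.compare_digest(approval, expected):
            return "allow"
        raise NeedsApproval(expected, summarize(call))

    def check(self, call: dict, approval: Optional[str] = None) -> str:
        tool, args = call.get("tool"), call.get("args", {})
        if tool in READ_ONLY:
            if "path" in args:
                self._inside_repo(args["path"])
            return "allow"
        if tool in REVERSIBLE:
            if "path" not in args:
                raise Denied("write_file requires a path")
            rel = self._inside_repo(args["path"])
            return self._approved(call, approval) if rel.startswith(PROTECTED) else "allow"
        if tool in IRREVERSIBLE:
            return self._approved(call, approval)
        raise Denied(f"tool not on allowlist: {tool!r}")  # default deny


def demo() -> dict:
    """Exercise the gate, including a replay of a staging approval against prod."""
    gate = Gate(repo_root="/srv/repo", key=b"shared-with-approver-ui")  # assumed
    out, ok = {}, None
    out["read"] = gate.check({"tool": "read_file", "args": {"path": "src/app.py"}})
    try:
        gate.check({"tool": "read_file", "args": {"path": "../../etc/passwd"}})
    except Denied:
        out["escape"] = "denied"
    staging = {"tool": "deploy", "args": {"ref": "main", "env": "staging"}}
    prod = {"tool": "deploy", "args": {"ref": "main", "env": "prod"}}
    try:
        gate.check(staging)
    except NeedsApproval as e:
        out["staging_summary"] = e.summary
        ok = e.action_id  # the human reads e.summary and approves exactly this id
    out["staging_approved"] = gate.check(staging, approval=ok)
    try:
        gate.check(prod, approval=ok)  # compromised agent reuses the staging sign-off
    except NeedsApproval:
        out["prod_replay"] = "blocked"
    try:
        gate.check({"tool": "write_file", "args": {"path": "package-lock.json", "content": "..."}})
    except NeedsApproval as e:
        out["lockfile"] = e.summary
    return out
```

The design point is that the gate, not the agent, produces both the summary the approver reads and the identifier they sign, and that unknown tools are denied rather than allowed; whatever the agent's own explanation says, the only thing that can move is the call whose canonical form was approved.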

Security is still the training you click through

Engineers who'll happily rewrite a Kubernetes config from scratch will hesitate before touching a security policy. Security is culturally "someone else's problem" in most engineering organisations, and agentic development hasn't changed that.

The early signal is usually already in the data. An unusual spike in traffic from a specific country, or a pattern of API requests that departs from the usual baseline, can be the first warning of a state-sponsored attack wave. Engineers paying attention to those anomalies often catch them days before any threat intelligence platform flags anything.
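What "paying attention to those anomalies" looks like in code, as an added example that is not part of the original post: a per-country request-rate baseline plus an endpoint-enumeration check, run over a constructed sample log. The log format is an assumption (one line per request with a country column already added by an upstream geo-IP step), and the thresholds are illustrative defaults:

```python
"""Per-country rate spike and endpoint-enumeration detection over access logs.
Added example; log format, thresholds and the sample traffic are constructed."""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Assumed line format: "<ISO timestamp> <client ip> <ISO country> <method> <path> <status>"


def make_sample_log():
    """Constructed sample: ten quiet minutes of GB/US/DE traffic, then one minute
    in which a single source in an unseen country walks many distinct endpoints."""
    lines = []
    quiet = {"GB": 12, "US": 8, "DE": 4}  # requests per minute per country
    for minute in range(10):
        for country, n in quiet.items():
            for i in range(n):
                ts = f"2026-04-12T10:{minute:02d}:{i:02d}Z"
                lines.append(f"{ts} 198.51.100.{i + 1} {country} GET /api/v1/orders/{i} 200")
    names = ["users", "orders", "invoices", "admin", "export", "keys",
             "tokens", "billing", "audit", "config", "secrets", "webhooks"]
    for i in range(40):
        ts = f"2026-04-12T10:10:{i:02d}Z"
        lines.append(f"{ts} 203.0.113.7 XX GET /api/v1/{names[i % len(names)]}/{i} 404")
    return lines


def parse(line: str) -> dict:
    ts, ip, country, method, path, status = line.split()
    # Collapse numeric ids so /orders/1 and /orders/2 count as one endpoint template.
    template = "/".join(seg for seg in path.split("/") if not seg.isdigit())
    return {"minute": ts[:16], "ip": ip, "country": country,
            "template": template, "status": int(status)}


def detect(lines, baseline_minutes=10, floor=10, sigmas=3.0, enum_threshold=10):
    """Return alerts: country request counts above a per-country baseline, and
    clients touching an unusual number of distinct endpoints within a minute."""
    by_minute_country = defaultdict(Counter)            # minute -> Counter(country)
    by_minute_ip = defaultdict(lambda: defaultdict(set))  # minute -> ip -> templates
    for rec in map(parse, lines):
        by_minute_country[rec["minute"]][rec["country"]] += 1
        by_minute_ip[rec["minute"]][rec["ip"]].add(rec["template"])

    minutes = sorted(by_minute_country)
    baseline = minutes[:baseline_minutes]
    countries = {c for m in minutes for c in by_minute_country[m]}
    thresholds = {}
    for c in countries:
        # A country absent from the baseline has mean 0: the floor is what stops
        # one stray request from alerting, and what lets a real burst through.
        series = [by_minute_country[m][c] for m in baseline]
        thresholds[c] = max(floor, mean(series) + sigmas * pstdev(series))

    alerts = []
    for m in minutes:
        for c, n in by_minute_country[m].items():
            if n > thresholds[c]:
                alerts.append({"type": "rate_spike", "minute": m, "country": c,
                               "count": n, "threshold": thresholds[c]})
        for ip, templates in by_minute_ip[m].items():
            if len(templates) >= enum_threshold:
                alerts.append({"type": "endpoint_enumeration", "minute": m,
                               "ip": ip, "distinct_endpoints": len(templates)})
    return alerts


if __name__ == "__main__":
    for alert in detect(make_sample_log()):
        print(alert)
```

The baseline is deliberately simple (mean plus three standard deviations, with a floor for countries that have never been seen); in production you would key it by hour of day and feed it from real traffic, but the shape of the check, a per-source baseline plus a distinct-endpoint count, is the thing an engineer watching the dashboard is doing in their head.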

Decentralising security expertise means engineers need enough context to spot those signals on their own. That awareness can't be outsourced to a dedicated team if the attacks are moving faster than tickets can be raised.

Getting leadership to fund this is a separate problem, but the framing is simple: find a specific known vulnerability in the stack, estimate the revenue impact if it's exploited, and bring that number to the budget conversation. That's the only thing that moves it.

DeFi has a faster version of every enterprise problem

A similar conversation played out at ColuxChain 26 in Leeds, this time in the context of decentralised finance. The threat model looks different on the surface, but the dynamics are identical.

The Drift Protocol hack involved no broken code. Six months of fake identities, two manipulated human signers, and the drain took ten seconds. The weakest link was people, the same as it's always been. AI makes social engineering cheaper to run at scale. The CFO scam where every person on a video call except one was a deepfake is getting easier to replicate every year.

On the development side, a retail trader can now deploy a multi-signal trading agent over a weekend that would have required an institutional quant team a few years ago. The intelligence layer is genuinely democratised. But institutions still win because they have more capital to experiment with and years more experience making mistakes. The knowledge gap survives the tooling revolution.

Autonomous agents can already execute end-to-end attacks on known vulnerable smart contracts without a human attacker involved, and those same agents could just as easily be pointed at patching the same list. DeFi has been rewarding speed to market over safety since the beginning. That's speedrunning capitalism, and AI has made it faster.

The intern mental model

The most useful reframe from both panels: agents are interns with poor judgment.

Nobody would give an intern unrestricted production access on their first day. They'd be sandboxed with the minimum permissions for the task, and required to get sign-off before anything irreversible. Most teams deploying agents aren't thinking this way, because they're focused on outcomes and the agent feels like a tool rather than an actor.

It is an actor that makes decisions, and some of those decisions will be wrong. In agentic financial systems, wrong decisions are measured in seconds and settle in ledgers.

Have that conversation with the team about what agentic development means before it becomes an incident review.