Security series · Part 2 of 3

From the Developer's Table to Production: Where AI Security Actually Breaks

AI did not add one new risk at one point. It added a different failure mode at every stage between a developer's keyboard and a running production system — and quietly erased the walls that separated them.

AI coding assistants now plug into four layers at once — the IDE, the repository, the CI/CD pipeline, and the package ecosystem — and in doing so they collapse the trust boundaries between them. An attacker who controls content in one layer (a code comment, a pull-request description, a dependency's README) can induce the assistant to take actions in another. The first three stages are the development side, and that is where the cheapest, earliest containment lives.

Stage 1

The developer's table
The IDE · development side

The assistant reads untrusted content as instruction, generates insecure code at scale, and can leak secrets and IP outward. The compromise can happen at the desk, before a single line is committed.

Controls

Treat the IDE as a trust boundary. Strip secrets from prompts, scope the assistant with least privilege, and run secret scanning and fast static analysis locally before anything leaves the laptop.
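The local secret-stripping hook described above, as an added example (not code from the original article): a small pre-send filter that scans a prompt for a few well-known credential shapes, replaces each with a typed placeholder, and refuses to let the raw text leave the laptop. The rule set, the sample prompt and the placeholder credentials in it are constructed for this example; a production scanner would carry far more rules plus entropy checks.

```python
import re

# Constructed detection rules for a few common credential shapes. The set is an
# assumption for this example, not a full secret-scanner ruleset.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----",
        re.DOTALL,
    ),
    # name=value pairs whose name contains a secret-ish keyword and whose value
    # is at least 12 characters long (shorter strings are rarely credentials)
    "generic_assignment": re.compile(
        r"(?i)([A-Za-z_]*(?:api[_-]?key|secret|password|token)[A-Za-z_]*)"
        r"\s*[:=]\s*['\"]?([A-Za-z0-9/+_\-]{12,})['\"]?"
    ),
}


def redact_prompt(text):
    """Replace every detected secret with a typed placeholder.

    Returns (redacted_text, findings); findings is a list of
    (rule_name, matched_text) so the caller can log locally what was
    stripped without sending it anywhere.
    """
    findings = []

    def make_replacer(rule_name):
        def replace(match):
            findings.append((rule_name, match.group(0)))
            if rule_name == "generic_assignment":
                # keep the variable name, drop only the value
                return f"{match.group(1)}=<REDACTED:{rule_name}>"
            return f"<REDACTED:{rule_name}>"
        return replace

    for rule_name, pattern in SECRET_PATTERNS.items():
        text = pattern.sub(make_replacer(rule_name), text)
    return text, findings


def prompt_may_leave_laptop(text):
    """Gate for a local pre-send hook: True only if no secret was found in the
    raw text. When it returns False, send the redacted form or nothing."""
    _, findings = redact_prompt(text)
    return not findings


# Constructed prompt a developer might paste into an assistant. The credentials
# are placeholders in the shapes the rules above look for, not real keys.
SAMPLE_PROMPT = (
    "Please fix the failing upload test. Relevant config:\n"
    "AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPL012\n"
    'aws_secret_access_key = "EXAMPLEsecretEXAMPLE0123456789abcdef"\n'
    "GITHUB_TOKEN=ghp_EXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLE0\n"
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "MIIEexampleEXAMPLEexampleEXAMPLEbody\n"
    "-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    redacted, found = redact_prompt(SAMPLE_PROMPT)
    for rule_name, _ in found:
        print("stripped:", rule_name)
    print(redacted)
```

The hook runs before the request is built, so the assistant process never sees the original value; the findings list is only ever written to a local log. Rule order matters: the specific formats run first so the generic name=value rule does not swallow a token already replaced.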

Stage 2

Commit & code review
The repository · development side

Instructions hidden in a pull-request description can flip an assistant into auto-approving and executing commands — exactly the kind of text a reviewer glances past.

Controls

Make provenance explicit, run SAST/SCA/secret detection on every pull request as a merge gate, and keep a human checkpoint — no agent merges to main on its own.

Stage 3

Build & CI/CD
The pipeline · development side

The pipeline holds deployment credentials, signing keys, and a clear path to production. An agent with build-context access is one prompt away from that path, and AI widened the supply chain to models, datasets, and tool integrations.

Controls

Block dependencies with known CVEs before they enter the build, record an AI bill of materials, sign builds and verify signatures, and give agents narrowly scoped, short-lived credentials.
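The "block known-vulnerable components before they enter the build" gate, as an added example that is not part of the original article. It reads a constructed bill of materials that lists packages, models and datasets in one manifest (the page's point being that models and datasets are now supply-chain components too) and checks each pinned version against a constructed advisory feed. The manifest format, the component names and the advisory identifiers are all placeholders for this example, not real CVE ids; a real gate would query OSV, the GitHub Advisory Database or an internal feed.

```python
# Constructed advisory feed. The ids are placeholders, not real CVE numbers.
# "kind" lets models and datasets share the same gate as packages.
ADVISORIES = [
    {"id": "CVE-PLACEHOLDER-0001", "kind": "package", "name": "examplelib",
     "introduced": "1.0.0", "fixed": "1.4.2"},
    {"id": "CVE-PLACEHOLDER-0002", "kind": "package", "name": "otherpkg",
     "introduced": "0", "fixed": "2.0.0"},
    # no fixed release yet: every version from 3 onward is blocked
    {"id": "ADV-PLACEHOLDER-0003", "kind": "model", "name": "summariser-model",
     "introduced": "3", "fixed": None},
]


def parse_version(text):
    """'1.4' -> (1, 4, 0): numeric components padded to three for comparison."""
    parts = [int(p) for p in text.split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def is_affected(version, advisory):
    """True if version is in [introduced, fixed), or >= introduced with no fix."""
    v = parse_version(version)
    if v < parse_version(advisory["introduced"]):
        return False
    return advisory["fixed"] is None or v < parse_version(advisory["fixed"])


def parse_components(manifest):
    """Parse constructed 'kind name==version' lines into component dicts."""
    components = []
    for line in manifest.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, spec = line.split(None, 1)
        name, version = spec.split("==")
        components.append({"kind": kind, "name": name, "version": version})
    return components


def gate(manifest, advisories=ADVISORIES):
    """Return (allowed, blocked); blocked lists (component, advisory_id) pairs.

    The build proceeds only when allowed is True, so a vulnerable component is
    stopped at the manifest rather than discovered in a running image.
    """
    blocked = []
    for comp in parse_components(manifest):
        for adv in advisories:
            if (adv["kind"] == comp["kind"] and adv["name"] == comp["name"]
                    and is_affected(comp["version"], adv)):
                blocked.append(
                    (f"{comp['kind']}:{comp['name']}=={comp['version']}", adv["id"]))
    return not blocked, blocked


# Constructed AI bill of materials for one build.
SAMPLE_MANIFEST = """\
# packages, models and datasets pinned for this build
package examplelib==1.3.0
package otherpkg==2.1.0
package safelib==0.9.1
model summariser-model==3.1
dataset eval-set==2024.1
"""

if __name__ == "__main__":
    allowed, blocked = gate(SAMPLE_MANIFEST)
    print("build allowed:", allowed)
    for component, advisory_id in blocked:
        print("blocked", component, "by", advisory_id)
```

Keeping the recorded manifest and the gate result together gives the AI bill of materials the page asks for: what went into the build, and which advisories it was checked against at that time.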

Stage 4

Deployment & configuration
Where permissions become the risk

The moment a model gains agency, its permissions become the dominant risk. The breaches that matter are rarely a clever exploit of the model — they are an over-privileged agent doing exactly what its access allowed, on behalf of an attacker.

Controls

Least privilege, enforced and audited. Scope what each agent can read and do, keep secrets in a vault, scan infrastructure-as-code for over-broad roles, and build in network isolation and a real kill switch.
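The "scan infrastructure-as-code for over-broad roles" control, as an added example that is not code from the original article. It walks an AWS-style IAM policy document (constructed here, with made-up Sids and ARNs, for a hypothetical agent role) and flags every Allow statement whose action or resource is a wildcard, graded by how much it hands over. The severity scheme is an assumption for this example; the JSON shape is the standard IAM policy layout.

```python
import json

# Constructed AWS-style IAM policy attached to a hypothetical agent role.
# Sids, ARNs and statements are made up for this example.
AGENT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadTicketBucket", "Effect": "Allow",
         "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-tickets/*"},
        {"Sid": "FullAccessForConvenience", "Effect": "Allow",
         "Action": "*", "Resource": "*"},
        {"Sid": "AnyS3Anywhere", "Effect": "Allow",
         "Action": "s3:*", "Resource": "*"},
        {"Sid": "DenyKeyDeletion", "Effect": "Deny",
         "Action": "kms:ScheduleKeyDeletion", "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_statement(stmt):
    """Return (severity, reason) for an over-broad Allow statement, else None."""
    if stmt.get("Effect") != "Allow":
        return None   # Deny statements only narrow access
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    any_action = "*" in actions
    service_wide = [a for a in actions if a.endswith(":*")]
    any_resource = "*" in resources
    if any_action and any_resource:
        return ("critical", "Action '*' on Resource '*' grants full account access")
    if any_action:
        return ("high", "Action '*' on a specific resource")
    if service_wide and any_resource:
        return ("high", f"service-wide actions {service_wide} on Resource '*'")
    if any_resource:
        return ("medium", "specific actions but Resource '*'")
    return None


def scan_policy(policy_json):
    """Return [(Sid, severity, reason)] for every over-broad statement."""
    findings = []
    for stmt in json.loads(policy_json)["Statement"]:
        result = check_statement(stmt)
        if result:
            findings.append((stmt.get("Sid", "<no Sid>"),) + result)
    return findings


if __name__ == "__main__":
    for sid, severity, reason in scan_policy(AGENT_POLICY):
        print(f"[{severity}] {sid}: {reason}")
```

Run it against the rendered policies in the repository (Terraform or CloudFormation output) as a pipeline check, and fail the apply on anything at "high" or above. The agent role then ends up with statements like ReadTicketBucket only: the specific actions on the specific resources its task needs.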

Stage 5

Production & runtime
Where the famous failures surface

Runtime is the only place the full, non-deterministic behavior of the system meets real-world, attacker-controlled input — which is why the famous failures surface here.

Controls

Enforce policy outside the model, layer in runtime guardrails and monitoring, keep red-teaming as a standing function, and maintain a tamper-evident, hash-chained audit log of every decision.
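The tamper-evident, hash-chained audit log named above, as an added example (not code from the original article). Each record stores the previous record's hash and its own hash over that value plus a canonical serialisation of the entry, so changing or deleting any earlier decision breaks every hash after it. The entries are constructed agent decisions; the record layout is an assumption for this example.

```python
import hashlib
import json

GENESIS = "0" * 64   # previous-hash value for the first record


def _record_hash(prev_hash, entry):
    """SHA-256 over the previous hash and a canonical serialisation of the entry."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev_hash}\n{canonical}".encode()).hexdigest()


class AuditLog:
    """Append-only log in which each record commits to everything before it."""

    def __init__(self):
        self.records = []

    def append(self, entry):
        prev_hash = self.records[-1]["hash"] if self.records else GENESIS
        record = {"prev": prev_hash, "entry": entry,
                  "hash": _record_hash(prev_hash, entry)}
        self.records.append(record)
        return record["hash"]

    def head(self):
        """Latest hash. Publish or sign it outside the log so that truncating
        the tail (the one edit a bare chain cannot detect) is also visible."""
        return self.records[-1]["hash"] if self.records else GENESIS

    def verify(self):
        """Recompute the chain; return (True, None) or (False, first_bad_index)."""
        prev_hash = GENESIS
        for index, record in enumerate(self.records):
            expected = _record_hash(prev_hash, record["entry"])
            if record["prev"] != prev_hash or record["hash"] != expected:
                return False, index
            prev_hash = record["hash"]
        return True, None


def build_sample_log():
    """Constructed policy decisions for a hypothetical agent, one record each."""
    log = AuditLog()
    log.append({"seq": 1, "tool": "read_ticket", "args": {"id": 42}, "decision": "allow"})
    log.append({"seq": 2, "tool": "transfer_funds", "args": {"amount": 5000}, "decision": "deny"})
    log.append({"seq": 3, "tool": "send_email", "args": {"to": "ops@example.com"}, "decision": "allow"})
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", log.verify())
    log.records[1]["entry"]["decision"] = "allow"   # an after-the-fact rewrite
    print("after tamper:", log.verify())            # (False, 1)
```

The chain proves that nothing in the middle was altered; it does not by itself prove that the end was not cut off, which is why the head hash has to be anchored somewhere the log writer cannot reach (a signed checkpoint, a separate store, or a timestamping service).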

Read top to bottom and one pattern repeats: at every stage AI fuses instruction and data, and at every stage the old control assumed they were separate. Defend the development side well — stages one through three — and most of the costly failures never reach production at all.