AI coding tools often sit near terminals, browsers, cloud tokens, and shared content, so a single installation can expose both local and remote identities. That makes the trust path itself part of the identity problem. If users can be steered into a fake install page, the attacker can reach credentials without breaking the product.
Why This Matters for Security Teams
AI coding tools are not risky because they are “software” in the abstract. They are risky because they are installed into the same trust path that already contains browser sessions, terminal access, cloud credentials, package managers, and source-code access. A normal download may run in a contained user context; an AI coding tool often operates where secrets are copied, commands are executed, and remote services are authenticated in real time. That makes the installation path a credential path.
This is why identity teams should treat AI coding tools as high-value workload touchpoints, not just developer convenience software. The problem is amplified when the user is steered to a fake install page, because the attacker does not need to break the product itself. The trust boundary collapses at the moment the user authorises the install, and that can expose both local identity material and remote service tokens. NHIMG research on the Ultimate Guide to NHIs shows how often NHI controls fail once secrets are stored or reused outside managed boundaries.
In practice, many security teams discover this only after an extension, plugin, or helper agent has already touched developer tokens and code repositories.
How It Works in Practice
Ordinary software downloads usually present a narrower risk profile: the installer may request local execution, but it does not necessarily sit inside a live workflow with cloud identity, repository access, and command execution. AI coding tools are different. They commonly integrate with terminals, IDEs, browsers, issue trackers, and model backends, which means one successful compromise can expose the identity chain around the developer rather than just the machine itself.
That is why current guidance suggests treating these tools as identity-bearing components. A safer model starts with workload identity for the tool or agent, not trust in the desktop session. Use short-lived, task-scoped credentials, preferably issued just in time, and avoid long-lived API keys in local config or code. Runtime authorisation should be evaluated per request, not assumed from install-time approval. Controls from the NIST Cybersecurity Framework 2.0 help frame this as access management and continuous protection, while 52 NHI Breaches Analysis shows the real-world pattern of compromised identities cascading into broader exposure.
- Validate the publisher and package source before install, especially for IDE plugins and CLI helpers.
- Issue per-task credentials with short TTLs and automatic revocation on completion.
- Bind access to workload identity, not to a developer’s standing browser or shell session.
- Log tool-to-tool actions so a prompt, a plugin, and a cloud API call can be correlated.
- Separate human approval from machine execution authority wherever possible.
These controls tend to break down when the tool runs inside shared developer images or unmanaged endpoints because the identity boundary is no longer observable.
Common Variations and Edge Cases
Tighter identity control often increases developer friction, requiring organisations to balance faster onboarding against stronger abuse resistance. That tradeoff becomes sharper with AI coding assistants because teams want low-latency access to repositories, package registries, and cloud sandboxes, yet each additional permission expands the blast radius if the tool or its supply chain is compromised.
There is no universal standard for this yet, but best practice is evolving toward context-aware approval. For example, a locally installed assistant that only writes unit tests should not inherit the same permissions as a tool that can open pull requests, call deployment APIs, or read production logs. Static RBAC alone is usually too coarse for this environment, because the risk is driven by intent and context, not just job title.
Edge cases include shared workstations, ephemeral cloud workspaces, and agentic coding systems that can chain tools automatically. In those environments, even well-designed controls can fail if secrets are copied into chat windows, clipboard managers, or transient build steps. The Top 10 NHI Issues resource is useful here because it highlights the governance gaps that appear when identities are numerous, short-lived, and hard to inventory.
When AI tooling can execute actions on behalf of a user, the real question is no longer “did the software run?” but “what identity did it borrow, for how long, and with what downstream authority?”
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Covers secret exposure and identity sprawl from developer tools. |
| OWASP Agentic AI Top 10 | A-03 | AI coding tools can act autonomously and chain privileged actions. |
| NIST AI RMF | Addresses governance for AI systems that create identity and access risk. |
Inventory tool-issued credentials and eliminate static secrets from AI coding workflows.
Related resources from NHI Mgmt Group
- Why do malicious AI repositories create both human and NHI identity risk?
- Why do browser extensions create identity and access risk beyond normal endpoint software?
- Why do AI agents create more IAM risk than ordinary developer tools?
- Why do AI agents create more identity risk than ordinary SaaS integrations?
