Accountability sits with the organisation operating the assistant, not the model itself. Teams must define ownership for context sources, MCP output validation, repository hygiene, and approval gates so unsafe instructions cannot enter production through a non-human workflow.
Why This Matters for Security Teams
Poisoned context turns a code assistant into a supply chain risk: the model may generate insecure code because it was fed compromised instructions, tainted retrieval results, or malicious MCP outputs. Accountability therefore sits with the organisation operating the system, not the model. Security teams have to own the trust boundary around context sources, repository hygiene, validation gates, and release approvals. NIST’s NIST SP 800-53 Rev 5 Security and Privacy Controls remains the clearest control baseline for assigning those responsibilities.
This is not an edge case. NHIMG research on the DeepSeek breach shows how quickly exposed secrets and contaminated data can create downstream risk once they enter AI workflows. The practical problem is that AI-generated code can look plausible while still encoding unsafe assumptions, insecure defaults, or hidden dependencies from poisoned context. Current guidance suggests treating context as an input supply chain, not a neutral helper. In practice, many security teams encounter the failure only after poisoned instructions have already shaped a pull request, rather than through intentional review of the context pipeline.
How It Works in Practice
Accountability needs to be split across the operating organisation’s normal control owners, but with explicit coverage for AI-specific failure points. The product or platform owner is responsible for which sources the assistant may read. The security team is responsible for policy, monitoring, and exception handling. Engineering leads are responsible for reviewing generated code with the same rigor used for third-party contributions. Legal and risk functions may also need to define retention and provenance requirements when context includes regulated or sensitive material.
Operationally, the safest pattern is to treat every context source as untrusted until verified. That means using allowlisted repositories, signed artifacts, short-lived credentials, and request-time policy checks rather than relying on a one-time model approval. Control points should include:
- source validation for retrieval, prompts, and MCP responses
- repository hygiene checks for secrets, stale snippets, and malicious examples
- JIT approval gates for high-risk code paths or deployment actions
- automated linting, SAST, and dependency review before merge
- manual review for security-sensitive changes, especially auth, crypto, and access control
For governance, this maps cleanly to least privilege and separation of duties, but the assistant introduces an extra layer: the context layer. NHIMG’s The State of Secrets in AppSec highlights how fragmented secrets management and slow remediation widen the blast radius when unsafe material enters workflows. Where teams need implementation detail, NIST AI RMF guidance on mapping, measuring, and managing risk is a useful complement to secure software development practices. These controls tend to break down when assistants are allowed to write directly to production pipelines without a human approval step because poisoned context can be transformed into deployable code before review catches it.
Common Variations and Edge Cases
Tighter context control often increases developer friction and slows iteration, so organisations have to balance speed against the risk of silent contamination. There is no universal standard for this yet, but current guidance suggests using stricter controls for production-facing systems than for sandbox experimentation. A lower-risk internal assistant may tolerate broader retrieval, while an agent that can open pull requests, modify infrastructure, or call deployment APIs needs far stronger guardrails.
One common edge case is shared context from tickets, chat logs, or incident notes. Those sources can carry stale fixes, secrets, or attacker-inserted instructions, and they often bypass normal code review because they feel operational rather than code-related. Another is multi-agent workflows, where one agent seeds a second agent with unsafe output that then looks trustworthy because it came from an internal tool. That is why best practice is evolving toward provenance tracking, context redaction, and runtime policy evaluation rather than trusting static role assignments alone. If a team cannot prove where a prompt fragment or retrieved snippet came from, it should be treated as hostile until verified. Stronger controls matter most when the assistant can chain tools across repositories, because a single poisoned instruction can propagate through multiple systems before anyone sees the final diff.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10, CSA MAESTRO and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A03 | Poisoned context is a prompt and tool-injection risk in agentic code workflows. |
| CSA MAESTRO | AG-3 | MAESTRO covers governance for autonomous agents that consume external context. |
| NIST AI RMF | AI RMF addresses accountability, transparency, and risk management for AI outputs. | |
| OWASP Non-Human Identity Top 10 | NHI-03 | Generated code can inherit insecure secrets and identity handling from poisoned context. |
| NIST CSF 2.0 | PR.IP-1 | Secure development processes are needed to stop tainted AI output reaching production. |
Assign owners for AI risk, measure context quality, and enforce human review for high-impact code.