Subscribe to the Non-Human & AI Identity Journal

What breaks when human-in-the-loop review is the only control for AI coding agents?

The review loop breaks when the agent can act faster than a person can inspect the change. A single session can include file edits, dependency installation, and command execution before anyone approves the result. Runtime controls have to intervene earlier than manual review alone can.

Why This Matters for Security Teams

Human-in-the-loop review is a useful backstop, but it is not a primary control for AI coding agents. These systems can edit files, pull dependencies, run commands, and chain actions before a reviewer even sees the diff. That changes the security problem from “approve the change” to “constrain what the agent can do at runtime.” OWASP’s OWASP Agentic AI Top 10 and NHIMG’s Analysis of Claude Code Security both point to the same operational risk: agents introduce execution paths that review-only workflows do not meaningfully contain.

The biggest mistake is assuming code review can catch misuse after the fact. If an agent has access to source control, package managers, cloud credentials, or shell execution, it can cause damage during the task itself. Review may still be useful for quality and policy validation, but it is too late to prevent secret exposure, malicious dependency insertion, or unsafe command execution. In practice, many security teams encounter agent abuse only after a repository or build pipeline has already been altered, rather than through intentional review of the change set.

How It Works in Practice

Effective control for coding agents starts with narrowing authority before the first action. The runtime should issue just-in-time access, scoped to the task, and revoke it when the session ends. That means short-lived secrets, workload identity, and policy decisions at request time rather than standing permissions. NIST’s NIST AI Risk Management Framework is useful here because it treats governance as an ongoing operational process, not a one-time approval gate.

For coding agents, review should be layered after guardrails, not before them. A practical control set usually includes:

  • Scoped repo access with branch-level and path-level restrictions.
  • Ephemeral credentials issued per task, not reused across sessions.
  • Tool execution policies that block risky commands unless explicitly approved in context.
  • Dependency allowlisting or provenance checks for package installation.
  • Real-time logging of file edits, shell actions, and outbound network calls.

NHIMG’s The State of Secrets in AppSec highlights why this matters: the average time to remediate a leaked secret is still measured in weeks, which is far longer than an agent needs to expose it during a session. That is why runtime policy, not post-commit review, has to stop unsafe access early. These controls tend to break down when the agent is allowed to operate inside broad CI or developer environments because the same identity can inherit too many downstream permissions.

Common Variations and Edge Cases

Tighter runtime control often increases friction, requiring teams to balance developer speed against blast-radius reduction. There is no universal standard for this yet, and current guidance suggests tuning controls to the agent’s authority level and the sensitivity of the target environment. A low-risk documentation assistant does not need the same constraints as an agent that can modify infrastructure code or deploy to production.

Two edge cases matter most. First, human review still helps when the goal is semantic quality, style, or policy compliance, but it should not be the only safety net. Second, autonomous multi-step agents can hide risk across a sequence of individually reasonable actions, so a single approved diff may not reveal the full chain of execution. That is why a combination of CSA MAESTRO agentic AI threat modeling framework and the OWASP NHI Top 10 is useful for identifying where review-only workflows miss the real control point. The practical rule is simple: if the agent can execute, review alone is already late.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10, CSA MAESTRO and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Agentic AI Top 10 A2 Agent tool misuse and unsafe execution are the core failure mode here.
CSA MAESTRO M1 MAESTRO addresses agent threat modeling and runtime guardrails.
NIST AI RMF AI RMF supports ongoing governance beyond a one-time human approval.
OWASP Non-Human Identity Top 10 NHI-03 Ephemeral credential handling is central when agents can act autonomously.
NIST CSF 2.0 PR.AC-4 Least privilege and access control must limit what the agent can do.

Map agent permissions to least-privilege access and review entitlements continuously.