TL;DR: Sentry’s ERC 2025 demo showed LLMs turning traces, logs, and code context into root-cause summaries and proposed fixes, then handing structured context to coding agents that can generate pull requests and even auto-merge green builds. That shifts the security question from faster diagnosis to who governs machine-driven remediation when execution moves beyond observation.
At a glance
What this is: Sentry’s demo showed AI moving from error diagnosis toward proposed and automated code remediation, with LLMs converting runtime telemetry into fix suggestions.
Why it matters: For IAM and NHI practitioners, the shift matters because once software can create and submit changes through external agents, identity, authorisation, and approval controls need to cover the remediation chain as well as the original system of record.
👉 Read WorkOS's recap of Sentry's AI-powered error resolution demo
Context
AI-assisted remediation is not just a developer productivity change. It is a governance change, because the system that observes an error can now also initiate an action path through another identity, another tool, and potentially another approval boundary. In identity terms, the control problem moves from visibility into execution.
For non-human identity programmes, the key question is whether the remediation path is still bounded by predictable entitlements, or whether structured context handed to an external coding agent creates a new class of delegated access. That makes lifecycle, approval, and traceability controls part of the same operating model, not separate concerns.
Key questions
Q: How should security teams govern AI-assisted remediation workflows?
A: Treat AI-assisted remediation as a delegated identity path, not a developer shortcut. Separate observability access, code generation rights, merge authority, and deployment permissions across different identities, and require human approval for any machine-authored change that can affect production behaviour. That keeps diagnostic insight from turning into uncontrolled execution.
Q: What breaks when an observability platform can trigger code changes?
A: The normal separation between seeing an incident and changing the system starts to fail. If traces and logs can be converted into pull requests or deployments, the organisation may lose clarity on who authorised the change, what evidence justified it, and whether the resulting action stayed within scope.
Q: When does AI-assisted remediation create more risk than it reduces?
A: It becomes riskier when the system can progress from diagnosis to merge or deployment without a clear human checkpoint. At that point, a model error can be operationalised at machine speed, and the security model depends on the accuracy of inference rather than the strength of governance.
Q: How do you know if automated remediation is actually safe to use?
A: Look for proof that every remediation action is attributable, reviewable, and reversible. A safe workflow has separate identities for analysis and execution, records the provenance of the generated fix, and keeps deployment authority outside the tool that inferred the problem.
Technical breakdown
LLMs as context engines for runtime telemetry
Sentry’s approach uses an LLM to correlate stack traces, spans, logs, and source context into a higher-level explanation of failure. The important technical shift is not the model itself, but the way it turns fragmented runtime data into an actionable hypothesis. That makes the system less about searching for symptoms and more about assembling a narrative from observability signals. In practice, that can reduce time to diagnosis, but it also creates a new trust boundary around the quality and provenance of the context the model consumes.
Practical implication: separate diagnostic read access from any pathway that can turn telemetry into executable remediation.
From root-cause summary to pull-request generation
The demo showed structured context being passed to an external coding agent, which then generated a proposed fix as a pull request. That matters because the tool chain now spans multiple identities: the observability platform, the coding agent, and the source control system. Each step introduces a distinct authorisation decision. The security issue is no longer only whether a fix is correct, but whether the agent is entitled to create code changes from telemetry-derived instructions without a human in the loop.
Practical implication: require explicit delegation boundaries between observability systems and code-writing agents.
Auto-merge and deployment create a remediation trust chain
The most consequential part of the demo was the suggestion that green builds could be auto-merged and deployed. That closes the loop from detection to runtime change, but it also collapses the time available for human review. At that point, the identity question is not just who can propose the patch. It is who can authorise the next state of the system after an agent has transformed machine observations into code and delivery actions. This is where governance becomes a chain of custody problem.
Practical implication: bind merge and deploy permissions to separate controls from the agent that generated the remediation.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- AI LLM hijack breach — attackers used stolen AWS access keys to hijack Anthropic LLM models on Bedrock.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
AI-assisted remediation expands the identity perimeter from observation to execution. Once telemetry is handed to an external coding agent, the security boundary is no longer the dashboard or the alert stream. The boundary becomes the full remediation chain, including code generation, pull request creation, merge authority, and deployment rights. Practitioners should treat that chain as an identity pathway, not a developer convenience.
Standing assumptions about human review no longer hold when fixes are machine-authored. Traditional change control assumes a person can inspect intent before code moves forward. Here, intent is inferred from traces and converted into action by software, which means review is no longer checking a human decision but validating an automated interpretation. That changes accountability for application security and IAM governance alike.
Approval boundaries need to follow the action, not just the data. The observability platform may only read runtime signals, but the agent can turn those signals into a write path against source control and deployment systems. That is a non-human identity governance problem because access has shifted from passive visibility to active modification. Practitioners should evaluate remediation workflows as delegated execution paths, not isolated integrations.
Automated remediation creates identity blast radius inside the software delivery chain. If a model misclassifies the root cause, the resulting patch can propagate quickly through merge automation and deployment automation. The failure mode is not only a bad fix. It is the acceleration of a bad fix by identities that were never meant to hold end-to-end decision authority. Teams should re-evaluate where human approval is still structurally required.
The governance issue is not whether AI can suggest fixes, but whether the organisation can prove who authorised the fix path. When a coding agent writes a pull request based on structured runtime context, attribution becomes fragmented across systems. That is exactly where NIST CSF governance, access control discipline, and NHI lifecycle thinking intersect. Practitioners need auditability for the full remediation path, not just the original alert.
From our research:
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes , and as quickly as 9 minutes in some cases, according to LLMjacking: How Attackers Hijack AI Using Compromised NHIs.
- From our research: Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control, according to The State of Secrets in AppSec.
- The next governance step is to apply the same rigor to AI-assisted remediation chains that security teams already expect for secret handling and privileged access.
What this signals
Identity governance now has to extend into the software delivery loop. When AI turns runtime telemetry into code changes, the relevant control question is no longer just detection accuracy. It is whether the organisation can bound who may transform an observation into a production change, and whether that change remains attributable across systems.
Remediation chain custody is emerging as a distinct control concept. The phrase captures the gap between insight and execution when multiple identities participate in the fix path. That gap matters because once code generation, merge, and deployment are split across tools, the organisation needs proof that each step stayed within its intended authority boundary.
With 43% of security professionals concerned about AI systems learning and reproducing sensitive information patterns from codebases, according to The State of Secrets in AppSec, remediation workflows also become data-governance workflows. The same telemetry that helps a model fix defects can also expose sensitive patterns if access boundaries are loose.
For practitioners
- Map the remediation identity chain Document every identity that can move from error detection to code change, including observability tools, coding agents, source control, and deployment systems. Treat each hop as a separate authorisation decision, not a single automation flow.
- Separate read access from write authority Allow telemetry systems to collect and analyse runtime data, but keep pull request creation, merge rights, and deployment permissions under distinct identities and approval rules. That prevents a diagnostic system from becoming an implicit release authority.
- Require human sign-off on machine-authored fixes Set a policy that AI-generated patches can be proposed automatically but cannot merge or deploy without explicit review. Use this control especially where the agent is acting on inferred root cause rather than deterministic rules.
- Log provenance for every automated change path Preserve trace data, model output, code snippet provenance, and the final approval record in a single audit trail. That makes it possible to reconstruct who or what initiated remediation and whether the action stayed within intended scope.
Key takeaways
- AI-assisted remediation changes the identity problem from observing failures to authorising machine-driven change.
- The real risk is not only a bad patch, but a fast bad patch moving through code, merge, and deployment identities.
- Security teams should govern remediation workflows as delegated execution paths with separate approval and audit controls.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | Agent-authored fixes and delegated execution are core agentic governance concerns. | |
| NIST CSF 2.0 | PR.AC-4 | Least privilege applies when remediation tools can move from read to write paths. |
| OWASP Non-Human Identity Top 10 | NHI-03 | The demo creates a non-human execution path that must be lifecycle-governed. |
Inventory remediation identities and review their entitlements as part of NHI lifecycle control.
Key terms
- AI-assisted remediation: AI-assisted remediation is the use of models or agents to propose, generate, or apply fixes for software failures. In identity terms, it creates a delegated action path that can move from observation to change, so governance must cover both the decision and the execution boundary.
- Remediation identity chain: A remediation identity chain is the sequence of human and non-human identities involved in turning an incident signal into a production change. It includes observability tools, coding agents, source control, and deployment systems, each of which needs its own authorisation and audit treatment.
- Identity blast radius: Identity blast radius is the amount of damage that can occur when a credential, permission, or delegated action path is overextended. In AI-assisted workflows, it grows when one identity can both interpret runtime data and push changes into build or deployment systems.
- Delegated execution path: A delegated execution path is any workflow where one identity hands off a task to another identity that can take action without re-requesting human intent. This matters in automation and agentic systems because the original operator may no longer be the one authorising the final outcome.
Deepen your knowledge
AI-assisted remediation and delegated execution paths are covered in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are extending identity governance into software delivery and agent-driven workflows, this is a relevant starting point.
This post draws on content published by WorkOS: Sentry's Lightning Demo: When AI Meets Error Resolution At Enterprise Ready Conference 2025. Read the original.
Published by the NHIMG editorial team on 2025-10-29.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
