TL;DR: AI coding has moved from autocomplete to chat agents, CI-integrated automation, and full agent orchestration, with enterprises now directing parallel agents through richer context rather than line-by-line coding, according to WorkOS' conversation with Augment Code CEO Matt McClernan. The governance problem is no longer just productivity; it is how identity, context, and cost controls hold up when software work is increasingly executed by agent-directed systems.
At a glance
What this is: An interview-driven analysis of the shift from copilots to agent orchestration, with the key finding that context, not model size, is becoming the practical bottleneck.
Why it matters: Identity teams now have to govern agent-driven software work, including how non-human credentials, access scope, and accountability change when developers direct multiple agents at once.
Context
AI coding is moving from assistant-style completion to agent orchestration, where developers direct multiple systems that can plan and execute tasks across the codebase. That shift changes the identity and governance problem because access is no longer confined to a single human session, but increasingly distributed across non-human execution paths.
The core issue for IAM, NHI, and platform teams is not model capability alone. It is the combination of context retrieval, delegated action, and expanding enterprise reliance on agentic workflows, which makes access scope, approval boundaries, and cost accountability harder to define and review.
Key questions
A: Security teams should separate the authority to request work from the authority to execute it, then scope each agent to the minimum repositories, tools, and pipeline stages needed for its task. The safest design uses explicit approval points for sensitive actions, strong logging for delegated steps, and periodic review of which agent identities still need those permissions.
Q: Why does context retrieval change the risk profile of AI coding workflows?
A: Context retrieval changes the risk profile because an agent's behaviour depends on the files, tickets, and project history it can see. If retrieval is too broad, the agent may take correct actions based on incomplete or inappropriate context. That creates governance risk even when the model itself is well controlled.
Q: What breaks when parallel agents are allowed to scale without cost and quota controls?
A: Without cost and quota controls, parallel agents can multiply usage faster than approval and review processes can keep up. The result is not only higher spend, but also uncontrolled execution volume, weaker auditability, and a loss of visibility into which agent triggered which action. Governance fails when scale outruns attribution.
A: IAM teams should treat supervision as a governed job function. That means recertifying whether a role still needs agent orchestration privileges, whether the holder can evaluate output critically, and whether their access is limited enough that mistakes cannot spread across systems. The control target is not typing speed, but accountable oversight.
Technical breakdown
From code completion to agent orchestration
Code completion tools suggest the next token. Agent orchestration changes the control plane entirely because the developer is no longer typing every step, but directing systems that can break work into tasks, call tools, and chain actions. That is a material shift in how work is executed, even when the underlying model remains the same. The governance question becomes who can initiate, constrain, and audit those agent actions across repositories, build systems, and deployment workflows. For identity teams, the relevant unit is no longer just a user session but a delegated execution path.
Practical implication: Map where developer-directed agents receive standing access, then separate human approval from agent execution paths.
Context retrieval is the real control point
The article makes context the moat, which is a useful way to think about how agent systems actually work in enterprises. Models do not know proprietary codebases by default, so retrieval layers supply the files, history, and project state that shape each action. That means the effective authority of an agent is defined as much by what context it can see as by what credentials it holds. If the wrong context is surfaced, the agent can act correctly on the wrong problem. In identity terms, context becomes part of the attack surface and the governance surface at the same time.
Practical implication: Treat retrieval scope and tool access as one control domain, not two separate engineering concerns.
Budget variability becomes an access and governance issue
The article also shows that AI cost is not a side issue. Spiky usage breaks annual forecasting assumptions, especially when work scales through many parallel agents rather than one user at a time. That creates a governance problem for identity and platform teams because billing, quotas, and execution limits all become part of safe access design. When agents can be multiplied cheaply, the practical boundary is not only who is allowed in, but how much work they are allowed to trigger. Cost controls and privilege controls increasingly overlap.
Practical implication: Tie agent quotas, execution budgets, and approval thresholds together so spend growth cannot outrun governance.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- AI LLM hijack breach — attackers used stolen AWS access keys to hijack Anthropic LLM models on Bedrock.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Agent orchestration turns software delivery into a delegated execution problem. The article is not really about coding speed; it is about who is allowed to direct work that is now executed by parallel systems. Once agents become the primary workers, identity governance has to cover the instruction layer, the retrieval layer, and the action layer together. Practitioners should stop treating this as a simple developer productivity story.
Context is becoming the decisive identity boundary for AI-assisted work. The vendor's argument that retrieval is the moat points to a larger governance reality: what an agent can do is constrained as much by what it can see as by what it can call. That means access reviews limited to credentials miss the more important question of which code, tickets, repos, and data sources are exposed to machine-directed work. Practitioner implication: review context permissions with the same discipline as tool permissions.
Spiky AI consumption exposes a budgeting assumption that IAM programmes usually ignore. Traditional access governance assumes a relatively stable cost profile, but parallel agents can multiply usage faster than financial controls and approval workflows are designed to absorb. That creates a governance blind spot where access is technically authorised but operationally unbounded. The practitioner takeaway is to treat budget limits as a control surface, not just a finance concern.
Human skill expectations are shifting from production to supervision. The article describes a developer profile that values judgment, decomposition, and critical evaluation over manual code output. That change matters because IAM and security teams will increasingly govern people whose work is to steer machine execution rather than perform it directly. Practitioner implication: update role design and recertification criteria so supervision capability is visible, not assumed.
From our research:
- Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
- The stronger forward move is to align agent orchestration with lifecycle governance, as described in Ultimate Guide to NHIs, 2025 Outlook and Predictions.
What this signals
Agent orchestration is pushing identity teams toward context-aware governance. When work is delegated to parallel systems, the effective control boundary shifts from the human session to the data and tool scope that each agent can reach. That is why retrieval permissions, execution quotas, and delegated approvals need to be managed as one programme rather than separate controls.
Context sprawl will look a lot like secrets sprawl if teams do not govern it early. The same fragmentation pattern that shows up across secrets platforms shows up in agent orchestration when every team creates its own retrieval, tool, and approval model. With 6 distinct secrets manager instances on average in our research, the warning is clear: distributed control without shared governance erodes visibility quickly.
The practical next step is to align agent oversight with existing identity lifecycle and access review processes, then extend those controls to machine-directed work. That includes reviewing who owns the orchestration layer, how tool access is certified, and which agent actions should remain time-bound or approval-gated.
For practitioners
- Separate human intent from agent execution paths: Define where a developer may initiate work and where an agent may continue autonomously without further human input. Use distinct approval points for repository changes, build actions, and deployment-related tasks so delegation is explicit.
- Review retrieval scope as a privileged control: Inventory the documents, code, and project state each agent can retrieve, then limit that scope to the smallest workable set. Treat over-broad context access as a governance defect, not an engineering convenience.
- Align cost controls with access governance: Set quotas, spend alerts, and execution thresholds for parallel agent use so activity cannot scale beyond what the programme can approve and explain. Connect those controls to identity ownership rather than only to finance reporting.
- Update role definitions for supervision work: Revise job expectations and recertification criteria so the ability to specify, review, and challenge agent output is recognised as a control responsibility. Do not assume traditional developer competence automatically covers agent oversight.
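The first three recommendations above can be enforced at a single decision point. The sketch below is an added example, not code from WorkOS, Augment Code, or NHI Mgmt Group: it checks retrieval scope, tool access, execution budget, and human approval in one deny-by-default gate and records an attributed audit entry for every decision. The class names, field names, and sample identifiers are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class AgentGrant:
    """Hypothetical record of one agent identity's delegated scope."""
    owner: str                 # accountable human identity
    context_scope: frozenset   # repositories the agent may retrieve from
    tools: frozenset           # tools the agent may call
    gated_tools: frozenset     # tools that need human approval per call
    approvers: frozenset       # humans allowed to approve gated calls
    budget: int                # execution units allowed in this window
    spent: int = 0

@dataclass
class Gate:
    grants: dict                               # agent_id -> AgentGrant
    audit: list = field(default_factory=list)  # one record per decision

    def _decide(self, grant, tool, repo, cost, approved_by):
        # Deny by default; retrieval scope and tool access are checked together.
        if grant is None:
            return "deny:unknown_agent"
        if repo not in grant.context_scope:
            return "deny:context_scope"
        if tool not in grant.tools:
            return "deny:tool"
        if cost < 0 or grant.spent + cost > grant.budget:
            return "deny:budget"
        if tool in grant.gated_tools and approved_by not in grant.approvers:
            return "deny:approval"
        return "allow"

    def authorize(self, agent_id, tool, repo, cost, approved_by=None):
        grant = self.grants.get(agent_id)
        decision = self._decide(grant, tool, repo, cost, approved_by)
        if decision == "allow":
            grant.spent += cost
        # Attribution: every decision names the agent and its owner.
        self.audit.append({"agent": agent_id, "owner": grant.owner if grant else None,
                           "tool": tool, "repo": repo, "cost": cost,
                           "approved_by": approved_by, "decision": decision})
        return decision

# Constructed sample grant; all identifiers are made up for illustration.
def sample_gate():
    return Gate({"agent-refactor-1": AgentGrant(
        owner="alice", context_scope=frozenset({"payments-api"}),
        tools=frozenset({"read_file", "open_pr", "deploy"}),
        gated_tools=frozenset({"deploy"}), approvers=frozenset({"bob"}),
        budget=10)})
```

Because the owner who requests work is not in the approver set, a gated call approved only by the requester is denied, which keeps request authority and execution approval separate.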
Key takeaways
- Agent orchestration changes software delivery from direct human execution to delegated machine execution, which expands the identity governance surface.
- Context retrieval is now part of the control plane, because an agent's permissions are only as safe as the information and tools it can reach.
- IAM, NHI, and finance controls need to converge around agent quotas, approvals, and accountability before parallel automation scales faster than oversight.
Key terms
- Agent Orchestration: Agent orchestration is the coordination of multiple AI agents or workflows to complete a task set with limited human intervention. In identity terms, it creates delegated execution paths that need ownership, scope limits, and auditability because work is no longer performed only by a person in one session.
- Context Retrieval: Context retrieval is the process of supplying an AI system with the files, records, or project state it needs to act effectively. It becomes an identity concern when retrieval scope shapes what the agent can decide, access, and change, making data exposure part of the authorization boundary.
- Delegated Execution: Delegated execution is work performed by a system on behalf of a human or another identity, using permissions that were granted for a specific purpose. For agentic workflows, the delegation must be treated as a governed identity relationship, not just an automation feature.
- Context Scope: Context scope is the set of information an AI agent is allowed to see before it acts. It is an important control because overly broad context can expose sensitive code or data, while overly narrow context can cause bad decisions. Governance should treat context scope as a privileged boundary.
Deepen your knowledge
Agent orchestration, delegated access, and NHI oversight are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your teams are moving from copilots to supervised agent execution, it is worth exploring.
This post draws on content published by WorkOS: Augment Code CEO Matt McClernan on the shift from copilots to agent orchestration. Read the original.
Published by the NHIMG editorial team on 2026-04-15.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org