Most Developers Will Not Understand Security in 5 Years

Developers are already shipping code they didn't write and couldn't fully explain. They described what they wanted and an agent built it. That's not a criticism, it's just the next abstraction layer, same as every one before it. Assembly to C. C to Python. Python to "hey Claude, build me this feature."

Each time we abstract, we gain speed and lose depth. That is the tradeoff. Nobody complains that developers do not write assembly anymore.

But here is the thing nobody in security wants to say: if a developer does not really understand how the code works, they definitely do not understand how secure it is. And we are all kind of tiptoeing around that.

The old DevSecOps model was already barely holding. Developers would write the code, security would run a scanner, get a report that says "SQL injection, line 84," and try to get the developer who wrote line 84 to go fix it while praying that the finding is relevant. It was clunky and slow but it worked because there was a human who had context.

What happens when a human is not the one who wrote line 84? When the diff is 3,000 lines and it came from an agent interpreting a Jira ticket?

Throwing a CVE report at the developer guiding the agent is almost a joke. They don't know what the agent was thinking. Neither do you. And that is in the easy case of a SAST or dependency finding - what if the risk is a chain of lows across multiple repos, or an architectural flaw? This is bound to fail.

This doesn’t mean security goes away, it just has to find a new home in this process.

It is not the developer who needs to know security anymore. It is the agent. Security teams have to get in front of it at the design stage, defining what the agent should do and how it should do it according to how the organization actually works. Then enforce that during the build with guardrails - think prompt-level policy enforcement, tool-call allow-listing, and output scanning - that keep the agent on track in real time. And then test. Nobody is ready to let agents just run unsupervised, compliance won't allow it and, honestly, common sense won't either. Testing is how security teams verify that none of that went wrong. No vulnerabilities, no compliance gaps, no drift from the guidance the agent was given.

Which means the full process looks pretty familiar: guide the agent upfront, give it secure guardrails, test the output. Same thing security teams tried to do with developers for twenty years. Except developers argued back. Agents do not.

There is a consequence to that nobody is talking about yet. Every security and compliance framework assumes you can trace a decision back to a person. When something ships with a vulnerability today there is a chain: who wrote it, who reviewed it, who approved it. When an agent wrote it, that chain dissolves. The agent does not remember its reasoning. The developer did not write the code. Everyone was involved and nobody is accountable. That means the audit trail has to move from people to systems. Agent actions logged, decisions traceable, guidance on record. Not for compliance theater. Because when something goes wrong that record is the only chain left.

And the guidance has to be right. If the security context the agent receives is wrong or incomplete, it will faithfully reproduce the flaw at scale, across every repo, every feature, every team using that agent. That is not a lower bar than the old model. It is a considerably higher one.

Security teams that get this have a real opportunity right now. Not to slow things down, that ship has sailed, but to finally be at the table when the rules get written. The business is moving to agents whether security is ready or not. The only question is whether security shapes how those agents are built, or spends the next decade cleaning up after them.