According to DX Research Q1 2026, AI-generated code now accounts for roughly 27% of all production code — up from 22% the previous quarter. That code is being committed at machine speed, often with no human reviewer anywhere near it. DevSecOps was built around human review cycles: a developer reads the diff, a reviewer approves it, SAST scans deterministic patterns. All three of those assumptions fall apart when AI agents are writing and committing autonomously.
Security leaders are restructuring where in the lifecycle security actually operates. The emerging label for that restructuring is DevSecEng — Development Security Engineering — which moves the primary security control upstream to the specification and prompt layer, before code generation begins. This article maps the control-point differences, explains what that shift means in practice, and gives you a 90-day path to get there. It is part of our broader coverage of the application security blind spot created by AI-generated code. If you want the technical diagnosis first, start with why traditional DevSecOps tooling misses AI code vulnerabilities.
Why are security leaders restructuring DevSecOps?
Volume and velocity broke the model.
Faros AI found that teams with high AI adoption merge 98% more pull requests while PR review time increased 91%. AI doubled throughput without growing the human review queue. A December 2025 CodeRabbit study found AI-authored PRs generated 2.74 times more security issues. AI commits expose secrets at 3.2% of commits versus 1.5% for human-only commits — double the rate, at double the volume.
Veracode’s Spring 2026 GenAI Code Security Report found AI-generated code introduces vulnerabilities in 45% of development tasks. Security pass rates are stuck at around 55% — virtually unchanged from two years ago. And traditional SAST compounds the problem: it relies on deterministic patterns, and AI code introduces inconsistent access control implementations and hallucinated dependency chains that rule-based scanners simply miss.
RSAC 2026 was when this became industry-wide acknowledgment — Forrester introduced the Agentic Development Security (ADS) framework, Checkmarx received the Global InfoSec Award for agentic security. The data and the frameworks now align. For a detailed account of the industry consensus emerging from RSAC 2026, see our conference synthesis.
What is DevSecEng, and how is it different in practice?
DevSecEng (Development Security Engineering) is the organisational label for a shift in when security operates. Where DevSecOps places primary controls at code review, merge, and deploy, DevSecEng places them at prompt authoring, context injection, and specification review — before code generation begins.
The nearest official framework is Forrester’s ADS framework, spanning eight capability areas: code and dependency analysis, coding guardrails, triage, remediation, dynamic testing, quality gates, supply chain protection, and governance analytics. DevSecEng is the organisational label; ADS is the technical structure underneath it.
Two concepts define DevSecEng. Prompt Layer Security is the practice of reviewing what gets submitted to AI coding tools — checking whether prompts are scoping into security-sensitive areas without the right constraints. The Specification Gate is the formalised control point: a mandatory security review before code generation begins. Neither of those exists in conventional DevSecOps. That is the structural difference.
DevSecOps moved security from deploy-time to commit-time. DevSecEng extends that to prompt-time, because by the time AI-generated code reaches review it may already have been committed by an autonomous agent.
Where do new control points live in the lifecycle?
The clearest way to see the shift is to put them side by side.
DevSecOps primary control points: code review, PR approval, SAST advisory scan, pre-deploy gate.
DevSecEng primary control points: specification gate, prompt layer injection, pre-commit secrets detection, SAST as a blocking gate, human-in-the-loop checkpoint, AI code provenance log.
Cycode puts it directly: “AI agents generate code on their own, pull dependencies, call external tools, and commit changes without a developer ever opening a traditional IDE.” Some controls are additive — provenance tracking, prompt interception. Others are policy changes on tools you probably already have: SAST moving from advisory to blocking, secrets detection extended to AI service credential patterns, branch protection requiring human approval tokens rather than just a passing test suite. For the full autonomous pipeline control architecture, see the autonomous pipeline that makes DevSecEng non-negotiable.
How do you make SAST a blocking gate for AI-contributed code?
Advisory SAST means a report gets generated. Blocking SAST means the CI build fails. For AI-contributed code, advisory is unworkable — reports pile up faster than anyone can action them.
Tag AI-origin commits, route them to a dedicated pipeline stage, and configure SAST to fail the build on high or critical findings — keep it separate from your existing pipeline so you can build a baseline without disrupting the team.
CSA recommends a phased rollout: advisory mode for 30 days, blocking for high and critical in month two, blocking for medium by month three. Moving straight to blocking everything creates false positives that breed bypass habits. And your existing SAST config was written for human-authored code — tuning it for AI output patterns like credential embedding and excessive privilege assignments is a separate task worth doing properly.
What pre-commit checks are needed when AI handles credentials?
GitGuardian’s 2026 report documented 28.65 million new hardcoded secrets in public GitHub commits in 2025. AI-service credentials increased 81% year-on-year. Most detection tools were written to catch AWS, GitHub, and Stripe formats. AI-generated code pulls in credentials for OpenAI, Anthropic, AWS Bedrock, Azure OpenAI, Google Vertex AI, Cohere, and Hugging Face. Your detection signatures need to be a living list, not a set-and-forget config from 2024.
MCP configuration files are an attack surface most teams have missed entirely — GitGuardian found 24,008 unique secrets in MCP-related config files on public GitHub. If your team uses MCP-enabled AI tools, those files need to be in scan scope.
Tune your reject rules before you enforce them. A developer who learns to override a false positive block will override it when it is a real secret too.
What does a human-in-the-loop checkpoint policy look like for autonomous agents?
Autonomous agents do not observe conventions. A cultural norm like “developers should review security-sensitive changes” is unenforceable when the committer is not human. The checkpoint policy has to be a CI/CD rule, full stop.
OWASP’s Top 10 for Agentic Applications identifies “Excessive Agency” as a primary risk. The tiered structure that has emerged: low-risk changes (documentation, tests) proceed autonomously; medium-risk changes (feature code, dependencies) require async human approval; high-risk changes (infra, auth, secrets) require synchronous human review before the pipeline proceeds. Encode this with branch protection rules and a CI step requiring an explicit human approval token — not just a passing test suite.
How do you track AI code provenance without drowning in metadata?
Provenance tracking answers three questions: which code was AI-generated, by which model, and from which prompt. That gives you targeted SAST re-runs, audit attribution when AI code introduces a CVE, and compliance evidence for regulated environments.
Start with a commit metadata convention — a standardised tag identifying AI-origin commits. This lets the pipeline route them to the blocking SAST gate without needing a dedicated platform. The more comprehensive approach is an AI-BOM (AI Bill of Materials) inventorying models, prompts, and dependencies. Per-line authorship attribution and full prompt history storage are overkill for most teams.
For FinTech and HealthTech operators: EU AI Act enforcement begins August 2026, requiring AI code provenance records and audit trails for high-risk AI systems. The OWASP AI Testing Guide provides a practical control mapping for teams working toward audit readiness.
Do you actually need a new framework — or is this just DevSecOps done properly?
You do not need to adopt the DevSecEng label. The practical question is whether you have the five control points that distinguish it from DevSecOps: a specification gate, prompt layer security, SAST as a blocking gate for AI-contributed code, pre-commit secrets detection tuned for AI credential patterns, and a human-in-the-loop checkpoint policy encoded as a CI/CD rule. 63% of organisations lack AI governance policies. If you have all five, the label does not matter. If you are missing three of them, the label is the least of your concerns.
Here is a sequenced 90-day path:
Month 1: Implement a commit metadata convention to tag AI-originated commits. Enable pre-commit secrets detection with AI service credential signatures — OpenAI, Anthropic, AWS Bedrock, Azure OpenAI, Google Vertex AI, plus MCP config files in scope. Put SAST in advisory mode for AI-origin code to build a baseline.
Month 2: Escalate SAST to blocking on high and critical findings. Write the human-in-the-loop checkpoint policy in tiered form. Configure branch protection rules for production-bound commits. The month one baseline is what lets you distinguish real findings from false positives before you start blocking anything.
Month 3: Enforce checkpoints technically, not just as policy. Begin provenance tracking beyond commit tags. Review coverage against the ADS Framework pillars.
The AI code security challenge is structural: tools and processes designed around the exception now need to handle the plurality. You get to decide what you call the response — but you do have to respond. For the full context on the application security blind spot created by AI-generated code — including the vendor landscape and compliance requirements — see the series overview.
Frequently asked questions
What does DevSecEng stand for? Development Security Engineering. An emerging successor label to DevSecOps, signalling that security must operate at the specification and prompt layer before AI code is generated — not primarily at code review and deploy gates.
Is DevSecEng an official standard or framework? No. It is not a certified framework or vendor product. The nearest official framework is Forrester’s Agentic Development Security (ADS) framework, which provides the technical structure DevSecEng describes organisationally.
How is the ADS Framework different from DevSecEng? ADS is Forrester’s eight-pillar technical framework covering code analysis, guardrails, triage, remediation, dynamic testing, quality gates, supply chain protection, and governance analytics. DevSecEng is the organisational label for the shift ADS requires. ADS is the what; DevSecEng is the how-we-work.
What is a Specification Gate? A mandatory security review before AI code generation begins — checking requirements and prompts for authentication scope, data access patterns, and credential handling. It is the defining upstream control of the DevSecEng approach.
Which AI-service credential patterns should pre-commit secrets detection cover? At minimum: OpenAI, Anthropic, AWS Bedrock, Azure OpenAI, Google Vertex AI, Cohere, and Hugging Face — in addition to standard AWS, GitHub, and Stripe patterns. MCP configuration files also need to be in scope. Static rulesets from 2024 will miss 2026 credential formats.
What is AI code provenance tracking and do I need it? It records which code was AI-generated, by which model, from which prompt context. A commit tagging convention is the minimum viable approach. Full AI-BOM is more comprehensive but only necessary for regulated organisations facing EU AI Act compliance requirements from August 2026.
How do I know if an autonomous CI/CD agent is operating with excessive agency? When it performs actions outside its intended scope — modifying infrastructure when scoped to application code, or self-approving pull requests. Controls include least-privilege agent identity, human-in-the-loop checkpoints for high-risk changes, and audit log review. OWASP Top 10 for Agentic Applications covers this in detail.
Does DevSecEng apply to teams using AI coding assistants, not fully autonomous agents? Yes. Teams using GitHub Copilot, Cursor, or Claude Code still benefit from SAST as a blocking gate, pre-commit secrets detection tuned for AI credential patterns, and Prompt Layer Security. The human-in-the-loop checkpoint policy is primarily relevant when agents operate autonomously.
What is the difference between DevSecOps and DevSecEng in one sentence? DevSecOps integrates security into the human-authored code review and CI/CD pipeline; DevSecEng extends that to the specification and prompt layer, because by the time AI-generated code reaches review it may already have been committed by an autonomous agent.
How does GitGuardian relate to pre-commit secrets detection? GitGuardian is a secrets detection vendor whose State of Secrets Sprawl 2026 report documented 28.65 million new hardcoded secrets on public GitHub in 2025 and an 81% year-on-year increase in AI-service credential leaks. It represents the category of tooling that needs to be deployed and tuned for AI credential patterns.
What does the EU AI Act require from engineering teams regarding AI-generated code? Documentation of training data, model decisions, and system outputs — translating for engineering teams to AI code provenance records, audit trails for autonomous agent actions, and evidence that security controls were applied. The OWASP AI Testing Guide provides a practical control mapping for audit readiness.
Where does DevSecEng fit within the Forrester ADS framework? DevSecEng maps primarily to three ADS pillars: Coding Guardrails (prompt layer and specification gate controls), Quality Gates (SAST as blocking gate, pre-commit detection), and Governance Analytics (provenance tracking, audit logs). The remaining five pillars require additional tooling covered in the vendor comparison article.
