Why Non‑Deterministic AI Agents Break Traditional Security
AI agent security refers to the technical and procedural controls that restrict what autonomous AI agents can do, which data they can access, and how safely they perform non-deterministic actions across enterprise systems and workflows. Traditional software behaves deterministically: the same input reliably produces the same output. Agentic AI turns that assumption upside down. Because agents rely on large language models and natural language, their behavior changes with subtle variations in prompts and context. That unpredictability opens the door to prompt injection, where hidden or malicious instructions in text cause an agent to exfiltrate secrets or misuse its tools. Enterprises that once trusted static policies and access lists now face AI systems that can compose code, call APIs, and move data in ways even their creators cannot fully predict. Human-in-the-loop review and secondary “judge” models help, but at scale these controls are expensive and incomplete.
CodeIntegrity’s Runtime Guardrails for Unpredictable Agents
Security startup CodeIntegrity is focusing directly on the non-determinism problem. Its USD 5 million (approx. RM23,000,000) seed round is aimed at putting permanent guardrails around agentic AI applications. Co-founder and CTO Abi Raghuram describes the core challenge: AI agents are powered by models that can be tricked through prompt injection, making them expose sensitive data or perform unintended operations. Co-founder and CEO Steven Jung says the company wants “to actually provide that deterministic control for these companies.” CodeIntegrity’s approach is a runtime control layer that sits between agents and enterprise systems. Acting as both translator and filter, it restricts which tools and data an agent can touch, and enforces strict rules on every action regardless of how a prompt changes. This aims to replace fragile prompt engineering and ad hoc oversight with a standardized security layer that can be audited, tuned, and reused across different agent deployments.
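To make the “translator and filter” idea concrete, here is an added illustration of what a deterministic runtime gate between an agent and enterprise systems can look like. It is not CodeIntegrity’s product or code; the tool names, the workspace path /srv/agent-workspace, the host api.internal.example and the parameter names are assumptions chosen for the example. The point is that the decision depends only on the requested action and a fixed policy, never on the prompt that produced it, and that every decision is recorded for audit.

```python
import posixpath
from dataclasses import dataclass, field
from urllib.parse import urlparse, parse_qs


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class ToolPolicy:
    allowed_tools: set                       # deny-by-default allowlist of tools
    read_root: str = "/srv/agent-workspace"  # hypothetical subtree the agent may read
    allowed_hosts: set = field(default_factory=set)  # hypothetical approved hosts
    blocked_params: set = field(default_factory=lambda: {"api_key", "token", "password"})


class RuntimeGate:
    """Sits between the agent and the systems it calls; the prompt never reaches it."""

    def __init__(self, policy: ToolPolicy):
        self.policy = policy
        self.audit_log = []  # every decision is kept for later review

    def check(self, tool: str, args: dict) -> Decision:
        decision = self._evaluate(tool, args)
        self.audit_log.append((tool, dict(args), decision.allowed, decision.reason))
        return decision

    def _evaluate(self, tool: str, args: dict) -> Decision:
        if tool not in self.policy.allowed_tools:
            return Decision(False, f"tool '{tool}' is not on the allowlist")
        if tool == "read_file":
            # Normalise away '..' so traversal cannot escape the permitted subtree.
            path = posixpath.normpath(str(args.get("path", "")))
            root = self.policy.read_root.rstrip("/") + "/"
            if not path.startswith(root):
                return Decision(False, f"path '{path}' is outside {root}")
        if tool == "http_request":
            url = urlparse(str(args.get("url", "")))
            if url.scheme != "https" or url.hostname not in self.policy.allowed_hosts:
                return Decision(False, f"host '{url.hostname}' is not an approved destination")
            # Refuse credential-looking fields in the query string or body, however they got there.
            sent = set(parse_qs(url.query)) | set(args.get("body") or {})
            leaked = sent & self.policy.blocked_params
            if leaked:
                return Decision(False, f"request carries blocked parameters {sorted(leaked)}")
        return Decision(True, "permitted by policy")
```

A real control layer would load the policy from configuration and reuse it across agent deployments; the gate itself stays the same regardless of which model or prompt is driving the agent.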
GitLab 19.0: DevSecOps Integration for Agent‑Aware Pipelines
Platform vendors are also baking AI agent security into everyday developer workflows. GitLab 19.0 positions itself as a full DevSecOps integration “orchestra,” bringing security closer to where code — and AI-generated code — is written and shipped. A central change is GitLab Secrets Manager, now in public beta for Premium and Ultimate users. Instead of sharing credentials across all CI/CD jobs, it scopes each secret to the specific jobs that require it, following the principle of least privilege. According to GitLab’s Manav Khurana, “GitLab Secrets Manager flips the default” by forcing creators to define where and when a credential can be used. Agentic workflows also gain guardrails: Developer Flow reads AGENTS.md and agent-config.yml to encode project-specific rules, standards, and environment details. This means AI agents that assist with merge requests run tests and follow local conventions before committing, reducing the risk that autonomous changes bypass established security checks.

Self‑Hosted Models and Open Source as Security Valves
Enterprises worried about AI agent security are increasingly turning to self-hosted and open source models to regain control over data and behavior. GitLab’s Duo Agent Platform now supports four additional open source models — including Mistral Devstral 2 123B and GLM-5.1 — and allows on-premises and private cloud deployment. This gives teams the option to keep sensitive code, prompts, and tool calls inside their own perimeter instead of sending them to third-party providers. It also enables hybrid setups where some features rely on vendor-managed models while others run entirely self-hosted, based on data sensitivity and compliance needs. Running models locally does not remove the risk of prompt injection, but it reduces external exposure and makes it easier to pair agents with existing identity, secrets management, and audit systems. In effect, model placement becomes another enterprise AI guardrail, alongside runtime controls and pipeline policies.
The Convergence of DevSecOps and AI Agent Management
The emerging pattern is a convergence between DevSecOps practices and AI agent management. Security controls that once applied mainly to human-written code now must cover AI-generated changes, tool calls, and autonomous workflows. Platforms like GitLab are pulling security earlier into the lifecycle with scoped secrets, agent-aware merge requests, and visibility into which CI/CD components and models are running where. Meanwhile, companies like CodeIntegrity are adding a runtime control layer that standardizes how agents interact with production systems, aiming to restore deterministic guarantees on top of non-deterministic models. Together, these approaches signal a shift from experimenting with agents to operating them as first-class infrastructure. Enterprises want secure, controllable automation, not opaque bots. The next phase of AI agent security will likely look less like a separate discipline and more like an extension of DevSecOps integration, with shared policies, shared telemetry, and shared accountability.
