
How AI Agents Are Becoming a Security Nightmare—and What DevSecOps Teams Can Do About It


AI agents, non-determinism and a new security problem

AI agent security refers to the strategies, tools, and operational practices used to constrain autonomous, non-deterministic AI systems so they cannot misuse credentials, exfiltrate data, or perform unsafe actions across enterprise infrastructure. Unlike traditional applications, agentic systems are driven by large language models that respond to natural language and context, so the same input can produce different actions over time. This breaks many assumptions behind conventional AppSec and QA, where deterministic behavior lets teams prove that code paths are safe. As more enterprises give AI agents access to source code, CI pipelines, documentation, and internal tools, non-deterministic behavior turns into a moving attack surface. Security teams face a gap: they are responsible for outcomes, yet they cannot fully predict an agent’s behavior with static tests, unit suites, or one-off red-team exercises.

Prompt injection vulnerabilities: the attacker’s new playbook

Prompt injection vulnerabilities are emerging as a core threat to enterprise AI deployments because they exploit the way agents follow natural language instructions. A malicious user, document, or web page can hide adversarial prompts that override system policies and steer an agent into leaking secrets, altering data, or calling dangerous tools. As CodeIntegrity’s founders have shown by compromising real applications, non-deterministic agents make it hard to guarantee that a prompt will never push them into unsafe territory. Defensive patterns such as human-in-the-loop review or a second model acting as a judge help, but they do not scale well and can still be bypassed. For DevSecOps platforms, this means prompt injection must be treated like a first-class application security risk, with continuous monitoring, explicit allowlists for tools and data, and runtime controls that sit between agents and critical systems.

GitLab 19.0: secrets management and agent-aware workflows

DevSecOps platforms are starting to respond by baking AI agent security into their core features. GitLab 19.0 introduces GitLab Secrets Manager, a native secrets management capability that scopes each secret to only the CI/CD jobs allowed to use it. According to GitLab’s Manav Khurana, “GitLab Secrets Manager flips the default” by replacing broad environment variables with fine-grained, least-privilege access based on branches, environments, and protection status. This is vital when AI agents can write or modify pipeline definitions; an injected prompt should not automatically gain access to every credential in a project. GitLab’s extended Developer Flow also reads AGENTS.md and agent-config.yml, so agentic workflows inherit project-specific guardrails, test commands, and standards before committing changes. Together, these updates show how a modern DevSecOps platform can embed enterprise AI guardrails directly into the software lifecycle instead of treating AI as an external helper.


CodeIntegrity and runtime guardrails for unpredictable agents

While platforms evolve, new vendors are focusing on runtime controls tailored to non-deterministic AI agents. CodeIntegrity has raised USD 5 million (approx. RM23,000,000) to build a security layer that sits between agents and enterprise systems. Rather than trusting model prompts or secondary “judge” models, CodeIntegrity inserts a permanent runtime control layer that acts like both translator and filter, enforcing deterministic rules on top of unpredictable behavior. It can limit which APIs, files, and data sources an agent can touch, regardless of how a prompt is worded. This approach treats agent behavior as untrusted by default, similar to how firewalls treat external traffic. For security and platform teams, the appeal is clear: they gain explicit policy enforcement and auditability for every action an agent takes, which complements secrets management, code scanning, and pipeline hardening already present in DevSecOps environments.
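The runtime control layer described above, and the tool and data allowlists the prompt-injection section calls for, reduce to one idea: a deterministic policy gate that judges each proposed tool call on its own terms and logs the decision, without ever reading the prompt that produced it. The following is an added illustration, not CodeIntegrity's or GitLab's code; the tool names, paths, hosts and the agent call format (`{"tool": ..., "args": {...}}`) are hypothetical.

```python
from dataclasses import dataclass, field
from pathlib import PurePosixPath
from urllib.parse import urlparse

@dataclass
class ToolPolicy:
    """Deterministic allowlist applied to every tool call an agent proposes."""
    allowed_tools: frozenset   # tool names the agent may invoke at all
    allowed_roots: tuple       # absolute directories it may read or write under
    allowed_hosts: frozenset   # API hosts it may call, HTTPS only
    audit: list = field(default_factory=list)  # one record per decision

    def _path_ok(self, path: str) -> bool:
        p = PurePosixPath(path)
        if not p.is_absolute() or ".." in p.parts:   # no relative or traversal paths
            return False
        return any(PurePosixPath(r) in p.parents for r in self.allowed_roots)

    def _host_ok(self, url: str) -> bool:
        u = urlparse(url)
        return u.scheme == "https" and u.hostname in self.allowed_hosts

    def check(self, call: dict) -> tuple:
        """Return (allowed, reason). The prompt that produced the call is never consulted."""
        tool, args = call.get("tool", ""), call.get("args", {})
        if tool not in self.allowed_tools:
            verdict = (False, f"tool {tool!r} not allowlisted")
        elif tool in ("read_file", "write_file") and not self._path_ok(args.get("path", "")):
            verdict = (False, "path outside allowed roots")
        elif tool == "http_get" and not self._host_ok(args.get("url", "")):
            verdict = (False, "host not allowlisted")
        else:
            verdict = (True, "allowed")
        self.audit.append({"tool": tool, "args": args, "allowed": verdict[0], "reason": verdict[1]})
        return verdict

def gate_calls(policy: ToolPolicy, calls: list) -> list:
    return [policy.check(c) for c in calls]   # verdicts in call order; audit fills as a side effect

# Constructed sample (hypothetical tools and paths): two legitimate calls, then
# two that an injected instruction might steer the agent into attempting.
SAMPLE_CALLS = [
    {"tool": "read_file", "args": {"path": "/repo/src/app.py"}},
    {"tool": "http_get", "args": {"url": "https://api.internal.example/issues/42"}},
    {"tool": "read_file", "args": {"path": "/repo/../home/ci/.aws/credentials"}},
    {"tool": "shell", "args": {"cmd": "printenv"}},
]
POLICY = ToolPolicy(frozenset({"read_file", "http_get"}), ("/repo",), frozenset({"api.internal.example"}))
if __name__ == "__main__":
    for call, verdict in zip(SAMPLE_CALLS, gate_calls(POLICY, SAMPLE_CALLS)):
        print(call["tool"], verdict)
```

Because the gate keys only on tool name, path and host, rewording the injected instruction changes nothing; the audit list is what a security team would ship to their SIEM for every agent action.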

Treating AI agents as a distinct security domain

The common thread across GitLab’s product updates and CodeIntegrity’s runtime controls is a shift in mindset: AI agents are not just another library or plugin; they are a new security domain. Traditional controls for source code, human developers, and CI/CD pipelines are necessary but no longer sufficient. Organizations need integrated security solutions that combine secrets management, agent-aware workflows, and runtime guardrails tailored to non-deterministic behavior and prompt injection vulnerabilities. That means defining strict tool and data boundaries, recording every agent action, and assuming that prompts can be adversarial even when they originate inside trusted repositories or tickets. As enterprise AI guardrails mature, DevSecOps teams that adopt these layered defenses will be better positioned to use agents for real work without turning their pipelines and production environments into an open playground for unpredictable behavior and attackers.
