Software teams have always lived with a built-in tension – developers push to ship fast, while security teams pump the brakes to assess risk. Now, with AI flooding the enterprise, that friction is spiking. One recent survey found a staggering 322% jump in privilege-escalation risks tied to AI-generated code. The root problem isn’t new – people and machines are routinely overpermissioned, and fixing it is notoriously hard. But the rush to adopt LLMs and autonomous agents is exposing just how dangerous overpermissioning has become. Real progress will require engineering and security to move in lockstep, starting with a smarter, shared approach to agent and LLM authorization.
That alignment requires security and development teams to jointly express, test, enforce, and audit authorization policies in real time, across both traditional applications and dynamic AI-driven environments. Instead of working in silos, they collaborate to determine who can access what and perform which actions across systems, APIs, and agents. This is the foundation of secure-by-design coding, and it’s essential for shifting a development culture in which 80% of companies knowingly ship vulnerable code, driven in large part by overreliance on AI-generated outputs that aren’t thoroughly vetted.
The Path Forward: Developer-First Security
Bridging the gap starts with technology that brings security directly into the development workflow without slowing it down. Instead of scattering ad-hoc security checks across codebases and configuration files, security and development teams that align before code is generated can approach security strategically: a declarative approach lets them define their security, compliance, and data-protection policies in a single, structured format.
These policies can cover everything from access controls and encryption standards to audit requirements and data-retention rules. They become testable, traceable artifacts: developers can validate them locally, understand how each rule applies, and roll out updates safely using regression tests and automated validation. For security teams, this provides consistent, explainable enforcement across environments, replacing one-off reviews with reliable, repeatable checks.
Expanding to AI
For AI workloads, declarative security becomes indispensable because AI systems are probabilistic, not deterministic. They don’t follow fixed input-output patterns but generate novel behaviors, decisions, and data flows in real time. That unpredictability breaks the assumptions underlying traditional, rules-based security, which depends on predefined pathways, static access lists, and periodic audits.
In AI pipelines, each model inference or agent action can trigger new data movement, API calls, or external integrations that no engineer explicitly wrote. This demands runtime, context-aware enforcement – where policies evaluate who or what is making a request, what data is being accessed, and under what justification. Declarative policy frameworks make this possible by expressing identity, data-access, encryption, and audit requirements as machine-readable logic that can be versioned, tested, and automatically applied at runtime.
This shifts security from static guardrails to a living control layer that adapts to each model’s decisions, ensuring AI applications remain compliant, traceable, and safe – even when their outputs can’t be perfectly predicted.
Bridging Speed and Safety: Core Requirements for Secure Authorization
Overcoming the long-standing divide between developers and security teams requires tools that embed protection into the workflow itself. The goal is to combine modern development speed with consistent, auditable safeguards across distributed and AI-driven systems. To confidently run agents in production, the following requirements are the “gold standard”:
- Automated Least-Privilege Access: Agents should receive only the permissions required for each task, with access adjusting automatically as context or behavior changes. The system must recommend reductions, temporary grants, or policy updates to continuously tighten access.
- Anomaly Detection and Real-Time Alerting: Every tool call and data access must be captured. Security teams need actionable alerts on unusual activity so they can intervene before damage occurs.
- Permission Controls and Agent Quarantines: Teams must be able to throttle agents, revoke tools, downgrade permissions (such as shifting to read-only), or quarantine an agent entirely with a single action when behavior seems unsafe.
These requirements transform a historic point of friction into common ground. Developers gain the confidence to move fast within clear, automated guardrails. Security teams gain the assurance that every decision is transparent, consistent, and compliant – whether in traditional applications or emerging AI pipelines. The result is that speed and safety advance together, with guardrails built in, not bolted on.
The challenge is no longer just building software quickly – it’s shipping it safely, especially when LLMs and autonomous agents can access sensitive systems and data at unprecedented scale. Under deadline pressure, organizations risk having developers bypass critical security practices to meet delivery timelines. But if development and security teams can work together to build right-sized, shared controls, they’ll no longer need to.
