Skip to content
セキュリティとガバナンス

Why 80% of Developers Bypass Policy, and What That Means When the Developer Is an Agent

~80% of developers bypass policy. When the developer is an agent, advisory governance becomes a threat model. Why control must move to the action layer.

Zof Reliability Team · エンジニアリング & プロダクト

2025年11月25日 · 読了時間 7 分 · 2025年11月25日 更新

Share
01

The 80% was never a discipline problem

Read the 80% bypass figure correctly and it stops being an indictment of engineers. It is a measurement of where you put your rules. A control that lives in a Confluence page, a PR-template checkbox, or a quarterly security training is advisory. Advisory rules depend on memory, goodwill, and slack in the schedule, and none of those survive contact with a deadline.

The mechanics are unglamorous. A required threat-model document that costs an afternoon loses to a feature that ships today. A "please run the full suite before merging" note loses to a green-enough local run on the Friday a sprint closes. The engineer is not being reckless. The rule was simply placed somewhere other than where the decision happens, so the decision happens without it.

There is a clean test for any control you own as a security leader. Where does it physically sit relative to the action it governs? If the answer is "in a document the engineer has to remember to open," you do not have a control. You have a suggestion with a paper trail, and a paper trail is something you read at the postmortem, not something that prevents one.

02

Why human bypass was tolerable, and why that ends with agents

The reason advisory governance held up for as long as it did is that human bypass came with built-in brakes. A skipped review or an unrun suite was absorbed by a person who roughly understood the blast radius of their own change. There was an accountable party. There was deterrence, because consequences attach to people. And there was a natural throttle: a human can only skip so many controls per day because a human can only produce so much code per day.

Every one of those brakes is gone when the developer is an agent.

  • There is no accountable party in the human sense. An agent does not feel deadline guilt, does not read your wiki, and cannot be deterred by the prospect of a difficult conversation. The control either executes or it does not.
  • The throttle is gone. Industry research now puts AI-generated code at roughly 41% of codebases, and roughly 45% of AI coding tasks introduce a critical flaw or security issue. A large and growing share of what reaches production is authored at machine speed by something that produces volume and ships defects by default.
  • The bypass becomes silent and structural. A human who skips a gate leaves a footprint a colleague might notice. An agent inheriting the same permissive environment skips at scale, continuously, with nothing watching the act of skipping itself.

Put those two figures together and the picture is stark. You have an author producing a near-majority of your code, immune to every soft control your governance program relies on, introducing a critical flaw in close to half of its tasks. The cost of poor software quality is already estimated near $2.41 trillion. You do not close that gap by asking AI-assisted developers to be more diligent about a process the machine cannot even see.

03

Advisory policy is now a threat model, not a hygiene gap

This is the reframe a CISO has to make. Unenforced policy used to be a hygiene problem, something you cleaned up over time with better culture and better tooling. With agents in the authoring loop it becomes an active part of your threat model, because the gap between written policy and enforced policy is now a gap an autonomous process operates inside continuously.

Three properties of agents make this concrete:

  • Identity. Your access model was built around named humans. An agent acting with a service identity, or worse, a borrowed human credential, inherits permissions your policy assumed a person would exercise sparingly and with judgment.
  • Blast radius opacity. A human author usually knows that a change touches the auth service or the payments path. An agent does not, unless something tells it. Policy that says "changes to auth require a security reviewer" is meaningless if nothing computes that a given change reaches auth.
  • Non-determinism. The same prompt can produce different code twice. Governance that assumes stable, reviewable, repeatable change is governing a thing that no longer behaves that way.

None of these are arguments against agents. They are arguments against running agents inside an environment where policy is documentation. A serious enterprise does not want a smarter agent operating in an ungoverned system. It wants a governed system into which any agent, capable or not, must act through the same enforced policy, approval, and evidence path.

04

Control has to move to the action layer

If the policy decision happens at the action boundary, the agent's indifference to your wiki stops mattering, because the wiki is no longer where enforcement lives. This is the core of the control-layer thesis: AI is missing a control layer, not more models. The fix for machine-speed bypass is not a stricter document. It is to make the governed path the only path code can take to production, for humans and agents alike.

That requires a few things working together, and the order matters.

First, the system needs to know what an action touches before it allows the action. A live System Graph that maps services, dependencies, and CI/CD is what lets policy be change-aware instead of blanket. It is what binds "this change reaches the payments path" to "therefore this policy applies." Enforcement is downstream of system understanding; you cannot govern what you cannot map.

Second, validation has to track the system as it moves. Static scripts rot the moment the architecture shifts, and a rotting gate is a bypassed gate, the very friction that drove the 80% figure to begin with. Testing Fleets plan, execute, and maintain validation as systems evolve, so coverage stays proportionate rather than decaying into noise people learn to ignore.

Third, there has to be an explicit authorization boundary. The governing principle is that agents propose and humans authorize. When a change falls outside policy, the control layer does not silently fix it and does not silently let it pass. It produces a proposal with evidence and routes the decision to someone with the authority to make it. This matters most on the hardest surface, remediation, where unsupervised autonomous fixing is reckless and governed remediation is the engineering. Separation of proposer and authorizer is a fifty-year-old security control; the agent era makes it load-bearing rather than retiring it.

Fourth, the loop has to emit audit-ready evidence by default: what was proposed, by which agent, under what policy, on what validation, authorized by whom. For regulated or sensitive environments, Edge Runners let this execute inside your own boundary as signed capsules, so the control layer governs without your code or topology leaving your control. That is Governance as an architectural property, not a clause in an MSA.

05

What to do Monday morning

You do not need a platform migration to start closing the gap. You need to find where your governance is advisory and make one piece of it executable.

  • Inventory your agent identities. List the service accounts and credentials any AI-assisted tool can act through, and confirm their permissions assume an agent, not a careful human.
  • Measure the bypass; do not assume it. Pull the override rate on your most "required" gate. That rate is your real policy, regardless of what the wiki says.
  • Make one control change-aware. Replace one blanket gate with a check that runs narrowly on what actually changed, using real blast radius. Proportionate enforcement is what earns compliance instead of evasion.
  • Write down the authorization boundary. Decide explicitly which classes of change can flow automatically and which require a human to authorize. Ambiguity here produces both bottlenecks and bypasses.
06

The bottom line

続きを読む

01Zof Console

姿勢、操作、次に注意が必要なことを 1 つの面で確認できます。

エンジニアリング、QA、SREの各チームが毎日開く認証済みのホーム。品質の姿勢、進行中の実行、モジュールごとのカバレッジ、そして次に注目すべきことが分かります。

運用上の KPI

実行数、カバレッジ、リスク

出荷先のあらゆる環境に対応します。

ワークスパイン

仕様・テスト・スケジュール

仕様から計画された回帰まで。

ガードレール

RBAC・SSO・監査

指定された人間に起因するすべての行為。

LIVE/console
Zof AI ホーム コマンド センターには、94% パスでの 12 件の実行、3 つの未解決の重大な問題、84% のカバレッジ、4 つのモジュール トレーサビリティ バー、仕様パイプライン、今後のスケジュール、アクティブ実行サイドバー付きの推奨される次のアクションが表示されます。
ホーム ビュー · チェックアウト サービス · ステージング · 製品からライブでキャプチャ。
  • 01 · RUNS · 24H

    94% pass

    12 runs across staging

  • 02 · COVERAGE

    84%

    Across four modules

  • 03 · ACTIVE RUNS

    3 running

    Live on this branch

  • 04 · NEXT ACTIONS

    Recommended

    Triage gaps, new spec

Why 80% of Developers Bypass Policy, and What That Means When the Deve