Prompt injection via code: A malicious contributor embeds instructions in code comments or PR descriptions that manipulate the AI reviewer into approving dangerous changes. Dependency confusion: An AI fixer suggests importing a malicious package with a name similar to a legitimate one. Data exfiltration: An agent with access to your codebase sends code to an external API for processing — your proprietary code is now in a third-party’s training data.

Treat agents like any other CI/CD component: least privilege (agents only access what they need), audit logs (every agent action is logged), network isolation (agents can’t reach arbitrary endpoints), and output validation (agent-generated code goes through the same security scanning as human-written code). The human review gate is your last line of defense.

API tokens: Each agent task consumes thousands of tokens for context, reasoning, and code generation. A fleet of 10 agents running 50 tasks/day can easily cost $2,000–$5,000/month in API fees. Compute: Cloud sandboxes, VMs, and container orchestration add infrastructure costs. Review time: Human review of agent output is a real cost — often underestimated. Doom loops: Agents that retry failed tasks burn tokens without producing value.

The math: agent cost per task vs. developer cost per task. If an agent completes a task for $15 in API costs + 30 minutes of review ($25 at $50/hr), the total is $40. If a developer would spend 4 hours on the same task ($200), the savings are $160 per task. At 50 tasks/month, that’s $8,000 in savings. But this only works if the agent’s success rate is high enough that you’re not spending review time on bad output.

Individual developers start using background agents with personal API keys, outside of any organizational governance. They’re sending proprietary code to third-party APIs, generating PRs without security scanning, and bypassing review processes. This is the shadow IT problem applied to AI agents — and it’s already happening in most organizations.

Don’t ban — channel. If you prohibit agent usage, developers will use them anyway with personal accounts. Instead: provide approved agent tools with organizational accounts, establish clear policies on what can be sent to external APIs, require all agent-generated code to go through standard review, and monitor for unauthorized agent usage in your git logs.

Traditional vendor lock-in is about data formats and APIs. Agent lock-in is about workflows, blueprints, and institutional knowledge. If your entire migration pipeline is built around Codex’s specific capabilities, switching to Devin requires rewriting every blueprint. If your team has spent 6 months learning to write effective Devin task descriptions, that knowledge doesn’t transfer to Claude Code. The lock-in is in the workflow, not the tool.

Abstract the agent layer. Build your orchestration system with a generic agent interface that can be backed by different providers. Your blueprints should define what needs to happen, not how a specific agent does it. This adds complexity upfront but gives you the ability to switch providers or use multiple providers for different task types.

The legal landscape for AI-generated code is still evolving. Most jurisdictions currently treat AI-generated code as a tool output owned by the person who directed the tool — similar to code generated by a compiler or code generator. But this is not settled law. Your organization should have a clear policy: who owns the IP in agent-generated code? What are the licensing implications of code that may have been influenced by training data?

If an agent introduces a security vulnerability that leads to a data breach, who is liable? The developer who approved the PR? The team lead who set up the agent pipeline? The agent vendor? Current practice: the organization that deployed the code is liable, regardless of how it was generated. This is why the human review gate isn’t just a quality measure — it’s a liability measure.

Developer time saved: hours of manual work replaced by agent output. Throughput increase: features shipped per sprint before vs. after. Quality impact: production incident rate, bug escape rate. Backlog velocity: how fast is the team clearing the backlog of deferred work (migrations, tech debt, test coverage)? Developer satisfaction: are developers happier? Retention improving?

Don’t measure lines of code generated. An agent that generates 10,000 lines of boilerplate is less valuable than one that generates 100 lines of correct business logic. Don’t measure PRs merged per day without quality gates. Don’t compare agent speed to human speed without accounting for review time — the total cycle time (agent work + review) is what matters.

Today, you assemble an autonomous pipeline from separate tools: Codex for background agents, a separate tool for CI/CD review, another for test generation, and custom orchestration to tie them together. The trend is toward unified platforms that handle the entire pipeline — from task intake to PR delivery to review assistance. GitHub, Anthropic, and others are building toward this vision.

Current agents work best on tasks that take 30 minutes to 2 hours. The frontier is pushing toward multi-day tasks — agents that can work on a feature over several days, maintaining context, handling interruptions, and coordinating with other agents and humans. This requires better memory, better planning, and better self-correction — all active areas of research.

Assess your team’s position on the autonomy spectrum (Ch 1). Pick one background agent tool and submit one low-risk task (Ch 2). Add an AI reviewer to one repository in comment-only mode (Ch 3). These three actions take less than a day and give you real experience with the technology.

Run your first agent-driven migration on a small, well-tested module (Ch 5). Set up basic monitoring for agent success rate and cost per task (Ch 6). Have a team discussion about how specs and reviews need to evolve (Ch 7).

Scale to a small fleet of 2–5 agents with proper isolation and task queuing (Ch 6). Establish governance policies for agent usage (Ch 8). Measure ROI honestly and decide whether to expand. The goal isn’t to automate everything — it’s to find the workflows where agents deliver clear, measurable value for your specific team and codebase.