Coding Agents: How AI Agents Are Rewriting the Developer's Job

Portrait of Emily Wise
Emily Wise
Cover Image

Key Takeaways

  • Coding agents plan, act, and verify, not just autocomplete. Unlike traditional AI code completion, coding agents pursue a goal across multiple steps: reading files, running commands, and checking their own output before finishing.
  • Agentic coding is not vibe coding. Vibe coding accepts AI output with little review; agentic coding pairs autonomous execution with structured oversight, testing, and human checkpoints.
  • Adoption has moved from experiment to default. The large majority of professional developers now use AI coding tools regularly, and a growing share have adopted autonomous coding agents specifically.
  • The tools sit on a spectrum, not one category. Coding agents range from IDE-integrated assistants to terminal-based agents to fully autonomous software engineering platforms.
  • Faster code is not automatically safer code. Higher throughput from coding agents has coincided with new categories of risk, from excessive permissions to compromised dependencies, that most organizations have not yet built controls for.

Coding agents have moved from a curiosity in developer circles to a fixture of how software gets built. Where AI once suggested the next line of code, it now plans a task, writes the code, runs it, reads the error, and tries again, largely on its own. That shift, from a tool that completes to an agent that acts, is what people mean when they talk about agentic coding.

For engineering leaders and security teams alike, understanding this shift matters more than debating the label. Coding agents are already touching production repositories, CI/CD pipelines, and sensitive internal systems. Enterprises that treat coding agents as just a faster version of autocomplete miss most of what has actually changed, and most of what they need to govern.

Before addressing the risk of coding agents, it is worth being precise about what agentic coding actually is: how it works, how it differs from the “vibe coding” that came before it, where the tools stand today, and what principles separate agents that ship reliable code from agents that create new liabilities.

What Is Agentic Coding?

Agentic coding is the practice of directing an AI system, a coding agent, to complete a software task from start to finish rather than suggesting one line at a time. The agent does not just predict text; it takes actions. It can open files, edit them, run a build, execute tests, read the results, and decide what to do next, often across dozens of steps before it hands the work back to a person.

That is the core distinction from earlier AI coding tools. Code completion, the ghost text that appears as you type, is reactive: it waits for you to keep typing and offers a plausible next token. A coding agent is proactive: give it a goal, such as fixing a bug or migrating an API, and it plans a path to that goal, executes it in a real environment, and checks its own work along the way.

This shift from suggestion to execution is why agentic coding tools need far more access than a completion plugin ever did. A ghost-text suggestion touches nothing until a developer accepts it. A coding agent can run shell commands, install packages, and push commits, which is exactly what makes it useful, and exactly what makes it something security teams now have to actively govern.

Understanding the agentic loop

Every coding agent, regardless of vendor, runs some version of the same cycle: plan, act, observe, adjust.

  • Plan: The agent breaks the task into a sequence of steps based on the goal and what it already knows about the codebase.
  • Act: It calls a tool: reading a file, writing code, running a command, or querying an API.
  • Observe: It reads the result, such as a passing test or a compiler error, and updates its understanding.
  • Adjust: It revises the plan based on what it just learned, then loops back to acting again.

Consider a coding agent asked to fix a failing test in a payment-processing service. It reads the test failure, opens the relevant files, proposes a change, and reruns the suite. If the test still fails, it revises its approach and tries again, sometimes five to 10 iterations before it stops. That loop, not any single suggestion, is what makes the agent “agentic”: it keeps working toward the goal without a person approving every intermediate step.

Vibe Coding vs. Agentic Coding: What's the Difference?

The two terms get used interchangeably, but they describe different things.

Vibe coding, a term the researcher Andrej Karpathy , describes a workflow where a developer accepts AI-generated code without reviewing it closely, pastes error messages back to the model, and lets the codebase grow beyond their own understanding. Karpathy was explicit that this approach was meant for low-stakes, throwaway projects, not production software.

Agentic coding borrows the same underlying capability, an AI system that writes and runs code, but pairs it with the structure production software actually needs: scoped tasks, automated verification, and a human checkpoint before anything ships. The agent still acts autonomously inside a task, but the task itself, and the review around it, are deliberately bounded.

The two differ along a few consistent lines:

  • Review model: Vibe-coded diffs are often unreviewed; agentic coding pairs execution with tests, linters, and human review before anything merges.
  • Scope: Vibe coding is open-ended and improvisational; agentic coding works against a bounded, defined task.
  • Risk posture: What is acceptable for a weekend project is not acceptable for a shared production repository, which is exactly why the same AI capability needs different guardrails depending on which one it is doing.

The distinction matters for a business audience because the two workflows carry very different risk profiles inside a company. A developer vibe coding a personal tool on their own machine is a different risk than a coding agent with commit access to a shared repository. Treating both the same, either by banning agents outright or by giving every agent the free rein a hobbyist would take with a weekend project, misses what each is actually for.

The Evolution Spectrum: From Autocomplete to Autonomous Agents

Agentic coding did not appear all at once. It sits at one end of a spectrum that most engineering organizations are moving along gradually, not a single new category that replaced everything before it.

  • Code completion: Inline suggestions as you type, the original ghost-text experience. The developer stays in full control of every keystroke.
  • Chat-assisted coding: A developer pastes code into a chat interface, asks questions, and copies answers back manually. Useful, but every step still requires a human hand.
  • In-editor agent mode: The AI can edit multiple files and run commands inside the IDE, usually with the developer approving each batch of changes before it continues.
  • Terminal and CLI agents: Tools that operate from the command line across an entire repository, planning and executing multi-step tasks with less per-step approval.
  • Autonomous software engineering agents: Given a ticket or issue, the agent plans the implementation, writes the code, runs tests, and opens a pull request largely unsupervised.

Where an organization sits on this spectrum is a strategic choice, not a fixed default. A found that just over half of engineers now use AI agents regularly, with the heaviest use concentrated among staff and senior engineers, the people most likely to already have the judgment to supervise an agent's output. Moving further along the spectrum without that judgment in place is where the risk accumulates.

Core Principles of Effective Agentic Coding

Not every coding agent implementation works equally well, and the difference usually comes down to a small set of principles.

Scoped, well-defined tasks: Agents perform best against a specific, bounded goal, such as adding input validation to one endpoint, not an open-ended instruction like improving the codebase. Vague goals produce vague, hard-to-verify results.

Tool access with guardrails: An agent needs real tools, such as a file system, a terminal, and a test runner, to be useful, but each tool should be scoped to what the task requires. An agent fixing a documentation typo does not need production database credentials.

Built-in verification: The best agentic workflows run tests, linters, and type checks automatically as part of the loop, rather than declaring a task finished the moment code compiles.

Context that stays relevant: Coding agents work from whatever context they’re given: files, prior commits, documentation. Too little context produces guesses; too much dilutes focus and inflates cost.

A human checkpoint before anything ships. Even the most capable agent should hand off to a person before code merges into a shared branch, particularly for anything touching authentication, payments, or customer data.

These principles echo a pattern familiar from more broadly: least privilege, verification before trust, and human oversight at the points that matter most. Coding agents are new, but the discipline required to run them safely is not.

The market has moved fast enough that “which tool” is now a question with a real spectrum of answers rather than one or two obvious choices.

Category

Examples

Typical Fit

IDE-integrated assistants

GitHub Copilot, Cursor, Windsurf

Day-to-day development inside an editor

Terminal and CLI agents

Claude Code, OpenAI Codex CLI, Google Jules

Multi-file, multi-step tasks across a repo

Autonomous SWE platforms

Devin, Replit Agent

Ticket-to-pull-request workflows with less supervision

Open frameworks

Aider, OpenCode, Kilo Code

Teams that want to swap models or self-host

Adoption has shifted quickly within this landscape. A found that a terminal-based coding agent released in mid-2025 became the most-used tool among professional engineers within roughly eight months, overtaking incumbents that had a multiyear head start. GitHub Copilot still has the broadest reach of any single tool, but many developers now run it alongside a dedicated agent rather than as their primary way of writing code.

No single tool fits every use case, and most engineering organizations end up running a small stack: an IDE-integrated assistant for everyday completion, plus a more autonomous agent for larger, self-contained tasks.

Agentic Coding in the Enterprise

Outside of individual developer workflows, coding agents are showing up in a handful of recurring enterprise use cases.

Modernizing legacy code

Migrating thousands of files off a deprecated framework version or language runtime is exactly the kind of large, mechanical, well-specified task coding agents handle well: a bounded transformation applied consistently across a codebase, with tests to confirm nothing broke along the way.

Closing test-coverage gaps

Legacy modules that never got proper test coverage are a common target. A coding agent can read existing code, infer expected behavior, and generate a test suite far faster than a developer working through the backlog manually.

Accelerating engineer onboarding

New hires use coding agents to navigate unfamiliar codebases, asking questions a senior teammate might not have time to answer and getting a working first change out faster.

Automating routine maintenance

Dependency upgrades, boilerplate CRUD generation, and repetitive refactors are well-suited to agent-driven automation, freeing developer time for the architectural and product decisions that still require human judgment.

The enterprise pattern to watch, though, is how these tools get adopted. A found that a meaningful share of developers access popular AI coding tools through personal accounts rather than company-approved channels, a pattern often called . That gap between where coding agents are actually deployed and where security teams have visibility is the starting point for the rest of this series.

Best Practices for Adopting Coding Agents, and Why Security Comes Next

Organizations getting real value from coding agents tend to follow a similar rollout pattern: start with low-risk repositories, scope permissions tightly, require automated tests and human review before merge, and log what the agent actually did, not just what it was asked to do. It’s the same discipline good engineering teams already apply to human contributors, extended to a contributor that can work at machine speed.

But, speed is exactly where the new risk shows up. Research on AI-assisted development has found that AI adoption correlates with higher throughput but somewhat lower delivery stability: . At the platform level, , published in December 2025 with input from security teams across the industry, introduced the principle of least agency: give an agent only the autonomy required for a specific, bounded task, and nothing more. That framework names risks including excessive permissions, compromised tools and dependencies, and code execution without adequate sandboxing, all of which map directly onto the coding agents already running inside CI/CD pipelines and developer environments today.

Agentic coding is a new way to build software, and it needs a new layer of security to match. Understanding what coding agents are and how they work is the foundation.

Get the full breakdown of where those risks show up and how to close them before they reach production. to see what a governance model built for agentic development actually requires.

FAQs About Agentic Coding

What is agentic coding?

Agentic coding is the use of AI coding agents, systems that plan, execute, and verify multistep programming tasks with limited human intervention, to write, test, and modify software. It differs from code completion in that the AI takes real actions in a development environment rather than only suggesting text.

How does agentic coding differ from vibe coding?

Vibe coding describes accepting AI-generated code with little or no review, originally intended for low-stakes personal projects. Agentic coding applies the same underlying AI capability inside a structured workflow: scoped tasks, automated testing, and human review before code ships.

What is the agentic loop?

The agentic loop is the plan, act, observe, and adjust cycle that coding agents run repeatedly: breaking a task into steps, taking an action, reading the result, and revising the approach until the goal is met or the agent hands off to a person.

Which coding agents are most widely used today?

The landscape spans IDE-integrated assistants like GitHub Copilot and Cursor, terminal-based agents like Claude Code and OpenAI's Codex CLI, and more autonomous platforms like Devin and Replit Agent. Most engineering teams run more than one, matched to different task types.

What security risks are introduced when developers use AI coding assistants in their workflows?

Coding agents can be granted more system access than they need, pull in unvetted third-party tools and dependencies, or execute generated code without adequate sandboxing. Each of those expands what an attacker, or a simple misconfiguration, can reach.

How can AI coding agents inadvertently introduce vulnerabilities into production code?

An agent optimizing for a passing test or a working feature does not automatically optimize for secure code. Without verification steps that specifically check for insecure patterns, an agent can ship a working but exploitable change with the same confidence as a fully secure one.

How should organizations scope the permissions and access of AI coding agents in dev environments?

The starting principle is least agency: grant an agent only the tools and access required for its specific task, not standing access to production systems, credentials, or repositories outside its scope, and revisit that scope as the agent's role expands.

How are organizations balancing developer productivity with security when using AI coding tools?

Most are choosing a gated rollout over an outright ban: approved tools and repositories to start, mandatory automated testing and human review before merge, and logging of agent actions, so productivity gains do not come at the cost of visibility.

All Academy Posts

Secure Your Agents

We’d love to chat with you about how your team can secure and govern AI Agents everywhere.

Get a Demo