Builders at the Frontline: Safeguarding Agentic AI in the Intelligence Community

From IC Insider Coder

By Austen Bruhn, DoD/NatSec Architect, Coder

The U.S. Intelligence Community stands at a turning point. The global race for AI supremacy is no longer theoretical. Agentic systems are already in use, adversaries are moving fast, and the mission window for secure adoption is closing.

Around the world, near-peer competitors are using agentic AI to speed up software deployment, automate cyber operations, and reshape how intelligence is built and used. These tools generate and execute code, act independently, and handle development tasks that used to require full teams. The U.S. cannot fall behind—not on speed, and not on security.

At home, federal guidance is pushing forward. Executive Order 14179 and memos like M-24-10 call for bold AI adoption with real guardrails. The IC may not be directly bound by them, but the direction is clear. The mandate is to deploy AI systems that are governed, auditable, and trusted from the start.

The call to action is clear and coming from inside the community: “Entities that augment their activities with AI applications will likely disrupt those that do not,” said CIA Chief Cyber Policy Adviser Dan Richard. CIA Chief AI Officer Lakshmi Raman added, “AI is not just an emerging technology. It is a strategic necessity.” This imperative is not abstract; it lands directly on the desks of IC code builders, who must adapt their workflows to leverage agentic AI securely.

Together, these perspectives underline a common truth: the IC cannot afford to delay. Adoption is inevitable, but it must proceed with an implementation approach that ensures trust, accountability, and security from the start.

Adversaries are already applying AI to accelerate code generation for cyber operations and software deployment. Reporting shows that China’s military innovation agenda emphasizes “intelligentized” systems, including AI-driven software development and autonomous cyber tools (Brookings). For the IC, this raises the stakes: the competition is not just about who fields AI first, but who does so securely. If builders in the IC remain constrained by legacy, decentralized environments while adversaries leverage agentic AI for rapid development, the U.S. risks falling behind in both speed and resilience. This is why secure, centralized, and policy-aligned agentic development environments are a strategic necessity now, not later.

Agentic AI adoption is inevitable. The mission now is to implement it safely, at speed, and at scale.

The opportunity and risk of agentic AI software development

Agentic AI offers builders powerful new capabilities: reading documentation, generating shell scripts, proposing code, and even testing and deploying microservices. For the IC, this means accelerated software development, increased automation within Continuous Integration/Continuous Deployment (CI/CD) pipelines, and freeing mission teams to focus on higher-order analysis.

But with great capability comes new vulnerability. These systems challenge traditional software lifecycle boundaries and introduce risky behaviors, such as:

  • Accessing sensitive code repositories unintentionally
  • Using tools beyond their approved scope
  • Exposing sensitive data through verbose or unreviewed outputs
  • Escalating privileges, altering configurations, or attempting unauthorized external communications

These examples illustrate the emergent behaviors that make agentic AI risky in mission environments. They directly inform the safeguards outlined later in this article, from immutable audit logs and toolchain limits to human-on-the-loop oversight and continuous evaluation.

In practice, this means builders must anticipate edge cases rather than wait for them to appear in production. For example, an agent trained to optimize workflows might unintentionally bypass a security step to increase efficiency. Without structured oversight, such a behavior could introduce vulnerabilities into classified systems. Builders are therefore on the frontlines of ensuring guardrails are not just theoretical but actively enforced through controlled environments, continuous monitoring, and deliberate design choices.

From human-in-the-loop to human-on-the-loop

As the volume and velocity of sensor and intelligence data continue to surge, the traditional human-in-the-loop model is reaching its limits. For time-critical operations, humans can no longer process and act on information fast enough. This necessitates a shift toward human-on-the-loop systems, in which automated processes execute within defined parameters while humans focus on strategic oversight, operational boundaries, and ethical constraints.

These practices must be supported by software systems that are adaptive and resilient. Builders should adopt AI-forward methodologies and automation frameworks that maintain rigorous security and governance, including explainable outputs, audit trails, and fail-safe policies. The goal isn’t full autonomy—it’s controlled autonomy.

Raman echoed this balance of oversight and partnership, saying the CIA’s broad approach to AI is focused on “how humans and the AI are working together,” with humans ultimately responsible for oversight, accountability, and intervention when necessary.

Moving from philosophy to practice, this shift in human oversight does not occur in a vacuum. In IC workflows, human-on-the-loop oversight means builders and operators may not review every line of AI-generated code, but they validate that outputs adhere to policy, confirm auditability, and ensure systems cannot access unauthorized data. This balance enables time-critical missions to run at machine speed while keeping accountability and intervention authority firmly in human hands. It is unfolding alongside federal policy designed to accelerate AI adoption responsibly. For the IC, the challenge is aligning this operational reality with governance expectations now shaping the broader federal landscape.

Policy to practice

Federal policy is pushing agencies to adopt AI responsibly and at speed. M-24-10 and M-25-21 highlight the government’s intent to balance innovation with governance. The IC is not bound by these memos, but they set expectations and signal how oversight bodies, Congress, and the public will judge whether the IC is deploying AI effectively and responsibly. The challenge is translating these high-level policies into secure implementation approaches inside classified environments.

The IC’s own Principles of AI Ethics reinforce these expectations: development must be human-centered, accountable, secure, and science-informed. These priorities also align with broader federal standards work led by the National Institute of Standards and Technology (NIST). The AI Risk Management Framework (AI RMF 1.0) emphasizes trustworthy AI through governance, transparency, and continuous monitoring—principles reflected in the safeguards outlined in the next section.

Likewise, Special Publications (SP) 800-218 and 218A stress secure software development practices, code integrity, and supply chain protection, all of which map directly to the IC’s need for rigorous DevSecOps pipelines, audit logging, and boundary enforcement in AI-augmented environments. What follows is focused on implementation approaches: how the IC can translate these principles into operational safeguards in builder workflows.

Securing the development environment

Operationalizing AI agentics for builders within classified or high-sensitivity environments demands a new set of controls:

Control boundaries

Boundary of place – isolate environments: Sandbox agents in hardened, network-limited environments.

Boundary of tools – enforce toolchain limits: Define explicit tool access policies, and block everything else.

Boundary of data – enforce agentic boundaries: Restrict data and system access to prevent unauthorized queries or lateral movement.

Monitoring and detection

Audit all actions: Track all executions to maintain accountability and transparency.

Detect and respond to threats: Forward immutable logs into Security Information and Event Management (SIEM) systems for automated detection of misuse or compromise.

Integrate into DevSecOps (development, security, and operations): Ensure pipelines are AI-aware, scanning generated code and architectures for malicious or insider threat behavior.

Use AI gateway proxies: Enforce data loss prevention (DLP) and inference monitoring for drift, poisoning, prompt injection, hallucination, malicious code, and data leakage.

Operational oversight

Human-on-the-loop verification and evaluation: Maintain human oversight through post-hoc audits of AI-generated code and runtime behaviors.
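As an added illustration (not Coder's code or the article's), the three control boundaries and the audit requirement above expressed as a policy-enforcing dispatcher that sits between an agent and its tools: an explicit tool allowlist, a data-path allowlist, a default-off network egress flag, and a hash-chained append-only audit log that a SIEM can later verify. The tool names, paths and policy fields are assumptions made for the example.

```python
import hashlib
import json
import os
from dataclasses import dataclass, field
GENESIS = "0" * 64  # chain anchor for the first audit entry

@dataclass(frozen=True)
class AgentPolicy:
    allowed_tools: frozenset      # boundary of tools: anything not listed is denied
    allowed_roots: tuple          # boundary of data: paths the agent may read or write
    network_egress: bool = False  # boundary of place: no outbound calls by default

def _digest(prev, event):
    return hashlib.sha256((prev + json.dumps(event, sort_keys=True)).encode()).hexdigest()

@dataclass
class AuditLog:
    # Append-only log, SHA-256-chained so an edited or deleted record breaks verify().
    entries: list = field(default_factory=list)
    prev_hash: str = GENESIS
    def record(self, event):
        entry = {"prev": self.prev_hash, "hash": _digest(self.prev_hash, event), **event}
        self.entries.append(entry)
        self.prev_hash = entry["hash"]
        return entry
    def verify(self):
        prev = GENESIS
        for e in self.entries:
            event = {k: v for k, v in e.items() if k not in ("prev", "hash")}
            if e["prev"] != prev or e["hash"] != _digest(prev, event):
                return False
            prev = e["hash"]
        return True

def within_roots(path, roots):
    # realpath collapses ".." and symlinks so a traversal cannot escape a root
    real = os.path.realpath(path)
    return any(real == r or real.startswith(r.rstrip("/") + "/") for r in map(os.path.realpath, roots))

def dispatch(policy, log, tool, args):
    # Gate one agent tool call against the policy and record the decision either way.
    reason = "ok"
    if tool not in policy.allowed_tools:
        reason = "tool not in allowlist"
    elif tool in ("read_file", "write_file") and not within_roots(args.get("path", ""), policy.allowed_roots):
        reason = "path outside data boundary"
    elif tool == "http_request" and not policy.network_egress:
        reason = "network egress disabled"
    log.record({"tool": tool, "args": args, "decision": "allow" if reason == "ok" else "deny", "reason": reason})
    return reason == "ok"
```

Denied calls are logged with the same chain as allowed ones, which is what gives a SIEM rule something to alert on when an agent starts probing outside its boundaries.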

Raman emphasized that boundaries are critical for ensuring compliance with legal policy and data protections. This underscores the need for agentic boundaries that prevent unauthorized data access and enforce compartmentalization across environments.

Steve Schmidt, Chief Security Officer at Amazon Web Services (AWS), underscored the accountability challenge of deploying agentic systems: “How do we make sure that the software is doing exactly the right thing every single time, and more importantly, that we can prove what it did to stakeholders and regulators?”

Run dangerous things in a safe place

Coder provides one example of how secure-by-design tools can support the IC’s adoption of AI agentics. Features such as Agent Boundaries (policy-enforced sandboxes that define what an agent can access) and Tasks (auditable, human-verifiable subtasks) demonstrate how AI-augmented coding can be implemented while preserving oversight and compartmentalization.

Another critical safeguard is centralizing access to both AI models and the compute resources that power them. An underappreciated risk is that agentic AI itself can act as a new form of insider threat: a malicious prompt injection or poisoned retrieval source can cause an otherwise trusted agent to generate backdoors, disable safeguards, or leak sensitive data. For the IC, the stakes are higher still, because code deployed in classified environments must assume the agent could be compromised. Centralized environments that log all actions and enforce compartmentalized access are essential defenses against both human insiders and AI behaving like an insider, whereas decentralized, ad hoc environments multiply the risks of misconfiguration, exfiltration, and uneven enforcement. Centralized environments such as those enabled by Coder give agencies the ability to enforce boundaries, monitor agentic behavior, and apply consistent controls to both builders and AI agents within a single secured infrastructure.

Yet even the most secure implementations cannot exist in silos. Builders may operate within agency-specific environments, but the risks and safeguards around agentic AI cut across the entire IC. Scaling these safeguards requires more than technical controls. It requires alignment, coherence, and oversight.

Scaling agentic AI across agencies

Each IC agency has distinct missions, data needs, and operational realities, so managing and deploying agentic platforms must remain within their domain. At the same time, the Office of the Director of National Intelligence (ODNI) will set strategic guidance and standards, emphasizing guardrails and oversight rather than control. Looking ahead, Director of National Intelligence Gabbard noted that ODNI 2.0 will “enable ODNI to focus on fulfilling its critical role of serving as the central hub for intelligence integration, strategic guidance, and oversight over the Intelligence Community.”

Coherence across the IC does not mean uniform platforms; it means shared baselines and reciprocal trust. ODNI should establish minimum expectations for red-teaming, continuous monitoring, and auditability. Agencies may deploy different infrastructure, but all systems should still produce logs compatible with a common oversight framework. Shared playbooks for threat detection, standardized reporting of AI incidents, and reciprocal validation of controls would allow the IC to scale innovation while avoiding fragmentation, even as it scales back in size. While ODNI cannot enforce reciprocity for approvals across agencies, it can still establish common frameworks and best practices to ensure a successful adoption of agentic AI across the IC.

Securing the future of AI in the IC

Agentic AI represents a new frontier for builders in the Intelligence Community. But with great autonomy comes greater risk.

The path forward is clear: agencies must adopt secure-by-design environments, integrate AI-aware DevSecOps practices, and enforce controls like boundaries, proxies, and immutable audit logs. Tools such as Coder Boundaries and Coder Tasks provide practical mechanisms to operationalize these safeguards while preserving human accountability and oversight.

ODNI’s role is to provide the ethical and strategic guardrails, but execution must remain federated, managed by each agency in line with its unique mission. The goal is coherence across the IC, not centralization.

Agentic AI is essential. The IC must adopt it boldly but with discipline, within trusted security approaches. The cost of inaction is high: adversaries will not wait. It’s time to move from experimentation to secure execution.

About the Author

Austen Bruhn is the DoD/IC technology strategist and architect at Coder, bringing deep expertise in secure AI adoption and DevSecOps transformation. With experience developing Lockheed Martin’s edge AI systems, deploying Red Hat’s OpenShift classified environments, and now enabling agentic AI workflows for DoD/IC missions, he’s helped agencies navigate the critical imperatives of innovation and security. With hands-on experience ranging from on-orbit Kubernetes deployments to IC-wide AI architectures, Austen focuses on translating federal AI and software development policy into operational reality while maintaining the security posture that national security demands.

About Coder

Coder is the AI software development company leading the future of autonomous coding. Coder helps teams build fast, stay secure, and scale with control by combining AI coding agents and human developers in one trusted workspace. Coder’s award-winning self-hosted Cloud Development Environment (CDE) gives teams the power to govern, audit, and accelerate software development without trade-offs. Learn more at coder.com.

About IC Insiders

IC Insiders is a special sponsored feature that provides deep-dive analysis, interviews with IC leaders, perspective from industry experts, and more. Learn how your company can become an IC Insider.