@RobGibson20 Enterprise teams are done debating whether AI will be used in software development. It already is. The real question in 2026 is whether you can adopt AI coding at scale without turning your engineering workflow into a major security risk or high-speed data leak.
Developing threats from 2025 to 2026
A lot of talk about AI risk gets stuck on hallucinations and model behaviour. Those certainly matter, but the bigger enterprise pattern is simpler: AI introduces a new high-throughput pathway for data movement (prompts, uploads, connectors) and increasingly wraps that capability within systems that can take action (agents).
In 2026, you are not only managing what a model says. You are also managing what AI-enabled systems are allowed to touch.
The strongest evidence that governance lagged adoption in 2025 is that the mismatch shows up in the metrics. Netskope reports that genAI SaaS usage increased by 3x, and prompt volume increased by 6x. It also reports that 47% of genAI users used personal AI apps, which suggests shadow AI at enterprise scale. GenAI-related data policy incidents doubled year over year, and the average organisation saw 223 incidents per month.
Sensitive data leakage
For software teams, the biggest AI risk is usually not overly complex. It can be as simple as someone pasting the thing they should not paste. Netskope quantifies what is most frequently involved in genAI data policy violations: source code (42%), regulated data (32%), and intellectual property (16%), with passwords/keys also appearing in code and config shared for troubleshooting.
In practice, this leakage happens in normal workflows, such as debugging, refactoring, or pasting a stack trace that includes internal context. That’s why prompts and AI uploads should be treated as data egress. If you cannot answer who sent what, where it went, and under which policy, you do not have AI risk management.
AI coding should be adopted, but it should be adopted in a way that makes the safe workflow the easy workflow. If the safe path adds friction, engineers will route around it, and your organisation will end up with shadow AI, unmanaged accounts, and detection gaps.
The dangers of excessive agency
The shift from copilots to agents is where the risk model changes sharply. Now more than ever, AI systems are doing operational work such as opening pull requests, modifying configuration files, wiring integrations, triaging issues, running scripts, and sometimes even participating in deployment workflows.
OWASP names some of the key failure modes enterprises keep rediscovering, including prompt injection and excessive agency. Excessive agency is described as systems having too much functionality, permission, or autonomy, where the risk becomes more severe as agentic architectures give models more independent capability.
The UK’s NCSC cautions that prompt injection is not simply SQL injection for prompts, because LLM systems do not reliably separate instruction from data, and mitigations often require different assumptions than classic web security patterns. In this regard, for enterprise teams, agentic AI can be an amplifier of data exposure and insider risk, pointing to the need for continuous monitoring, least privilege, and agent-aware controls to contain tool misuse and unintended exfiltration.
Even if you control data movement and constrain agents, you still have to manage potentially insecure output. AI-generated code can look plausible while containing weaknesses that would not pass a careful security review. A study on Copilot-generated code in GitHub projects analysed 733 snippets and found a high likelihood of security weaknesses, including 29.5% of Python and 24.2% of JavaScript snippets affected in their dataset.
While these numbers might look alarming, that should not be interpreted as “don’t use AI.” Rather, it should be interpreted as “don’t treat AI output as automatically trusted.” AI coding adoption should be paired with code review discipline and strong guardrails from the outset.
A governed path to AI coding at scale
Cosine brings AI coding into the same governed workflow your engineering org already trusts. Instead of pushing engineers toward unmanaged copilots and personal accounts, Cosine gives teams a managed, policy-aware way to delegate real work directly from the systems they already use.
The default workflow is designed to be safe:
Work happens in an isolated, managed environment
Tasks produce auditable outcomes, where a pull request is detailed with supporting context, and a traceable decision trail
Agents are constrained by design with least-privilege access, clear approval points for higher-impact actions, and guardrails that reduce unintended access or exfiltration
Optimised for large, high-stakes repositories
Cosine lets you adopt AI coding broadly while keeping data movement, tool access, and accountability inside a system you can govern.
The key takeaway for enterprise teams
Going forward into 2026, managed adoption should be the goal for enterprise teams. When prompts and agent actions aren’t governed, organisations tend to see the same predictable outcome: shadow usage grows, controls become inconsistent, and the audit trail isn’t strong enough to stand up to scrutiny.
The best strategy is to standardise on a platform that makes the safe path the easy path. That means centralising AI coding into managed accounts and making personal-account usage the exception, not the norm. It also means treating prompts, uploads, and connectors like production data egress, with policies enforced at the platform level rather than relying on individual judgment.
Access should be least-privilege by default, higher-risk actions should go through approvals, and every meaningful action should be traceable end-to-end. At the same time, SDLC fundamentals still matter: CI, code review, and supply-chain discipline don’t go away; if anything, they become even more important as AI-generated changes scale up.
We’ve designed Cosine with risk management at the forefront of our approach. Find out more about what we’re building.
