GeistHaus

Agentic AI and Security

martinfowler.com

The serious security risks involved in using autonomous LLM applications and what we can do to mitigate them

5 pages link to this URL
Friday Links 25-24

I was busy last week, which means more links for today. I really like the podcast with Charity Majors about teams, and it made me rediscover her blog. Some interesting posts about security and LLMs and LLMs in general this week. Leadership Thoughts from LeadDev NYC 2025 - good high-level summary. I should have a look at the videos. Vibe Engineering: A Field Manual for AI Coding in Teams - this got updated.

0 inbound links · article · en · post · friday links · leadership · engineering · environment · urbanism · transport · fridaylinks
.NET R&D Digest (November, 2025)

This issue includes bits of AI, software development, performance, licensing, security, philosophy, something to watch and of course .NET and .NET Internals.

0 inbound links article en .NET R&D Digest
Agentic AI and Security

An expanded version of this post has been published at https://martinfowler.com/articles/agentic-ai-security.html - with more mitigations and updated content - I’d suggest reading that article instead, I’m leaving this one up for posterity. Also I’ve given up on Disqus for comments - if you want to discuss this post, please reply to My post on Mastodon or My post on Bluesky (I’m doing both as one is more free, one is more convenient for many people)

This is an edited version of a post I wrote for the Liberis internal engineering blog - it is not particularly original, most of the ideas come directly from Simon Willison’s article “Lethal Trifecta for AI agents” - but I thought it was worth writing a summary for our engineers, and sharing it more widely.

Bruce Schneier summarised the current Agentic AI situation in his blog:

We simply don’t know how to defend against these attacks. We have zero agentic AI systems that are secure against these attacks. Any AI that is working in an adversarial environment—and by this I mean that it may encounter untrusted training data or input—is vulnerable to prompt injection. It’s an existential problem that, near as I can tell, most people developing these technologies are just pretending isn’t there.

There are many risks in this area, and it is in a state of rapid change - we need to understand the risks, keep an eye on them, and work out how to mitigate them where we can. (I’m going to shamelessly plagiarise Simon Willison’s excellent “Lethal Trifecta for AI agents” article as it is an excellent overview of the risks.)

What do we mean by Agentic AI

The terminology is in flux so terms are hard to pin down. I’m using “Agentic AI” with the specific meaning “LLM-based tools that can act autonomously” - tools that extend the basic LLM model with tools and agents and background processes. Increasingly this means “almost all AI based tools” - especially coding tools like Cursor, Copilot or Claude Code. (Note I’m using ‘agent’ here for an

0 inbound links article en
New year, new everything

I haven’t posted in 3 months! That’s partly because I put a lot of work into the extended version of my Agentic AI security post on martinfowler.com - and partly as since posting that I have changed jobs. After 2 years at Liberis I’ve decided to move on - on Monday I start a new position as a Principal Engineer at John Lewis Partnership! I’m quite excited about the new position - John Lewis Partnership are a fascinating organisation - employee owned and with quite a strong set of values and ethics, and their software engineering group sounds like they have a good culture - I especially like their published engineering principles.

But as a result of this, most of my spare time in the last 3 months was taken up with the job process, and then winding up and handing over work at Liberis has kept me busy - as well as all the usual chaos of Christmas. I’ve still been having lots of fun playing with Agentic AI tools, keeping up with the changes, rolling my eyes at the hype.

It is traditional in a new year to ruminate on the state of things - and there’s a lot to ruminate on. We seem to be in a time of huge change. AI is both a blessing and a curse. The AI hype continues - I have a whole draft blog post about “AI Hype 2.0” which I hope to write some day - but despite being annoyed at the hype, I have to admit AI tools have changed my work drastically. In October 2023 I was posting here about how Cursor was handy but couldn’t really tackle complex rust code - I don’t think I would have believed you if you’d told me that in 2 years I’d be using AI assistance for pretty well all my software development - and most of my non-development work as well.

But - AI slop and misuse is a huge risk, as is the IP theft in so much creative AI use, as is the high risk of the AI bubble bursting, and the fact that horrible tech-bro fascist-leaning maniacs are profiting from all this. And they are burning fossil fuels to power the engines behind this. (see also my standard AI Disclaimer) Meanw

0 inbound links article en