How this issue is different
For this special issue, we stepped back from incidents, vulnerabilities, and product launches and looked ahead. We reviewed a small set of 2026 predictions written by experienced security operators and builders across AppSec, platform security, and product security.
The goal was not to repeat predictions, but to extract the shared signals underneath them and translate those into practical implications for AppSec teams heading into 2026.
The perspectives synthesized here draw from recent writing by senior practitioners, including insights from Nick Reva, Frank Wang, and James Berthoty, along with additional industry studies and independent analysis.

The AppSec signals that matter in 2026
Across very different viewpoints, a clear pattern emerged. Security is moving earlier, becoming more automated, and more tightly coupled to product and platform decisions. The following themes showed up consistently.
1. Non-human identity becomes a primary attack surface
Service accounts, access keys, tokens, agents, and AI-driven workflows are exploding in number.
These identities are long-lived, poorly inventoried, and often invisible to traditional IAM programs.
Agentic systems dramatically worsen identity sprawl by default.
Discovery efforts routinely surface unsanctioned AI usage embedded directly in production environments.
What this means for AppSec: Identity risk is no longer just a cloud or IAM concern. AppSec teams need visibility into non-human identities at both design time and runtime, and governance must be treated as a product architecture issue rather than a policy exercise. Multiple vendors are actively addressing this gap, including startups like Keycard and Formal, as well as established players such as SailPoint and Okta, which are continuing to innovate in this space.
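The "poorly inventoried, long-lived, often invisible" problem above is concrete enough to check for. The script below is an added example, not code from the newsletter or from any of the vendors it names: it takes a constructed inventory of non-human credentials (service accounts, API tokens, agent keys) and flags the ones an AppSec reviewer would want surfaced, such as missing owners, credentials past a rotation age, credentials never seen in use, and over-broad scopes. The record layout, the thresholds, and the fixed reference date are assumptions chosen for illustration.

```python
"""Flag non-human identities (NHIs) that need attention: long-lived credentials,
missing owners, idle or never-used credentials, and admin-level scopes.

Added example; not code from the newsletter or any vendor. The record layout
and thresholds are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple

# Fixed reference date so the example is deterministic (assumption).
TODAY = date(2026, 1, 15)

# Thresholds are illustrative; real programs set them per credential class.
MAX_AGE = timedelta(days=90)      # rotate anything older than this
IDLE_LIMIT = timedelta(days=30)   # question anything unused for longer than this


@dataclass(frozen=True)
class Credential:
    name: str
    kind: str                   # "service_account", "api_token", "agent_key", ...
    owner: Optional[str]        # None when nobody is recorded as accountable
    created: date
    last_used: Optional[date]   # None when no use has ever been observed
    scopes: Tuple[str, ...]


# Constructed sample inventory: the kind of records an NHI discovery job might emit.
SAMPLE = [
    Credential("ci-deployer", "service_account", "platform-team",
               date(2025, 12, 1), date(2026, 1, 14), ("deploy",)),
    Credential("legacy-reporting-key", "api_token", None,
               date(2024, 3, 2), date(2025, 6, 1), ("read:db", "write:db")),
    Credential("support-agent-llm", "agent_key", "support-eng",
               date(2025, 11, 20), None, ("read:tickets", "write:tickets", "admin")),
    Credential("billing-sync", "service_account", "finance-eng",
               date(2025, 10, 1), date(2026, 1, 10), ("read:billing",)),
]


def findings_for(cred: Credential, today: date = TODAY):
    """Return the list of issues for one credential (empty when it looks healthy)."""
    issues = []
    if cred.owner is None:
        issues.append("no accountable owner")
    if today - cred.created > MAX_AGE:
        issues.append(f"credential older than {MAX_AGE.days} days; rotate")
    if cred.last_used is None:
        issues.append("never observed in use; confirm it is needed")
    elif today - cred.last_used > IDLE_LIMIT:
        issues.append(f"idle for more than {IDLE_LIMIT.days} days; consider revoking")
    if "admin" in cred.scopes:
        issues.append("carries an admin scope; check least privilege")
    return issues


def review(inventory, today: date = TODAY):
    """Map credential name -> issues, for every credential with at least one finding."""
    report = {}
    for cred in inventory:
        issues = findings_for(cred, today)
        if issues:
            report[cred.name] = issues
    return report


if __name__ == "__main__":
    for name, issues in review(SAMPLE).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

Run against the sample, the CI deployer comes back clean, the unowned legacy token collects three findings, the agent key is flagged for never having been used while holding an admin scope, and the billing account is flagged only for age. The useful part is not the thresholds but the shape: ownership, age, observed use, and scope are the four fields a design review should be able to ask about for every non-human identity a service introduces.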
2. AI-driven attacks shift from novelty to baseline
AI-assisted attacks are already operating continuously, not experimentally.
Many campaigns remain undetected because they do not resemble historical attacker behavior.
Automated attackers adapt faster than human-paced defenses and operate without downtime.
What this means for AppSec: Threat models must assume adaptive, always-on adversaries. Controls and detections designed around human timelines will increasingly fall short. Design reviews should explicitly account for AI-instrumented abuse paths, not just traditional misuse cases. If you want to go deeper, Malika Aubakirova explores how AI is reshaping penetration testing in a recent article published by Andreessen Horowitz.
3. Agentic security tools settle into an augmentation role
The narrative of fully autonomous security operations is cooling.
The real gains come from accelerating speed to context, triage, and correlation.
Even small improvements in context gathering materially improve incident response outcomes.
What this means for AppSec: The winning approach is augmentation, not replacement. Agentic systems should reduce low-judgment work, enrich signals, and help humans move faster with better information, especially during incidents and design reviews.
This perspective was echoed by Adam Shostack in his recent keynote at OWASP Global AppSec, where he emphasized using automation to improve decision quality and speed rather than attempting to automate judgment itself.
4. Security design reviews become AI-assisted by default
Manual threat modeling and design review do not scale with modern development velocity.
Generic LLMs lack the organizational, architectural, and code context needed to be useful.
Purpose-built systems that understand internal systems are gaining traction.
What this means for AppSec: Design review is evolving from a gate to a continuous capability. AppSec teams should embed threat modeling earlier in the lifecycle and prioritize tools that understand real system context rather than generic patterns.
5. Secure-by-default moves further upstream
Attacks on developer environments and supply chains have proven highly effective.
Traditional “shift left” approaches are insufficient when developer tooling itself is compromised.
Dependency sourcing, package managers, and developer workflows are becoming security boundaries.
What this means for AppSec: Security constraints are moving into the developer experience itself. Teams should focus on hardened defaults, tighter dependency controls, and defense-in-depth mechanisms that activate before code ever reaches CI or production. Startups like Socket and Seal Security are good examples of how secure-by-default workflows are being built into everyday development practices.
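One of the "tighter dependency controls" above can be made mechanical: every dependency pinned to an exact version and verified against a known artifact hash before it is installed. The script below is an added example, not code from the newsletter, Socket, or Seal Security. It parses a small constructed pip requirements file (comments, backslash continuations, version specifiers, and `--hash` options only) and reports each entry that floats its version, lacks a hash, or pulls from a direct URL outside the index.

```python
"""Audit a pip requirements file for exact pins and per-artifact hashes.

Added example; not the newsletter's or any vendor's code. Handles the subset
of the requirements format used in the constructed sample below.
"""
import re

# Constructed sample: one well-controlled entry, two weak ones, one direct URL.
SAMPLE_REQUIREMENTS = """\
# core runtime
requests==2.32.3 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000001 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000002
pyyaml>=6.0            # floating range: the resolver may pick a newer release
cryptography==43.0.1   # pinned but unverified: no hash
somelib @ https://example.invalid/somelib-1.0.tar.gz
"""

_PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;]+)")
_NAME = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def _logical_lines(text):
    """Join backslash-continued lines and drop comments and blank lines.

    A '#' starts a comment only at line start or after whitespace, matching
    pip's rule, so URL fragments like '#egg=' are left alone.
    """
    joined, buf = [], ""
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            joined.append(buf.strip())
        buf = ""
    if buf.strip():
        joined.append(buf.strip())
    return joined


def check_requirement(spec):
    """Return the control gaps for one logical requirement line."""
    gaps = []
    if "://" in spec:  # direct URL or VCS reference, resolved outside the index
        gaps.append("direct URL dependency; bypasses index pinning")
        return gaps
    tokens = spec.split()
    hashes = [t for t in tokens[1:] if t.startswith("--hash=")]
    if not _PIN.match(tokens[0]):
        gaps.append("not pinned to an exact version (==)")
    if not hashes:
        gaps.append("no --hash; artifact integrity not verified")
    return gaps


def audit(text):
    """Map each requirement name to its gaps; entries with no gaps are omitted."""
    report = {}
    for spec in _logical_lines(text):
        m = _NAME.match(spec)
        name = m.group(1) if m else spec
        gaps = check_requirement(spec)
        if gaps:
            report[name] = gaps
    return report


if __name__ == "__main__":
    for name, gaps in audit(SAMPLE_REQUIREMENTS).items():
        print(name)
        for gap in gaps:
            print("  -", gap)
```

On the sample, `requests` passes, `pyyaml` is flagged for both a floating range and a missing hash, `cryptography` for a missing hash only, and `somelib` for being fetched from a URL. A check like this belongs in the pre-commit or pull-request stage, which is the point of the section: the control fires before CI ever installs anything. pip itself enforces the same property at install time with `pip install --require-hashes -r requirements.txt`, which refuses any entry that is not both pinned and hashed.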
6. Economic pressure sharpens prioritization
Budgets are tighter and scrutiny is higher.
Security investments must map clearly to risk reduction and business outcomes.
Coverage without prioritization is losing favor.
What this means for AppSec: Context-driven prioritization matters more than ever. Teams that can tie design decisions, threat models, and controls to real exposure will outperform those chasing theoretical risk.
Closing signal
The throughline across all these predictions is not more tooling. It is earlier context, stronger defaults, and tighter integration between security, engineering, and product.
The software development lifecycle is fundamentally changing. The traditional linear pipeline is giving way to a more iterative model where AI agents increasingly translate product requirements into code and deploy changes directly.
As a result, the AppSec stack is evolving rapidly, and practitioners should re-evaluate the ROI and relevance of their existing tools.
2026 will likely be the year when the “wait and see” approach to AI code generation gives way to action. In our conversations with software and security leaders across organizations of all sizes, the common thread is acceptance of AI-generated code and a push to establish secure guardrails around it.
New categories such as secure design are gaining momentum and moving toward the center of AppSec strategy, driven in large part by how AI-assisted development is reshaping how software is written. In 2026, proactive security is poised to become the new front line in AppSec.
Thanks for reading The AppSec Signal, DevArmor’s newsletter for security professionals. Have feedback or ideas for what we should cover next? Feel free to reach out - signal at devarmor dot com
