At RSAC 2026, I sat down with Jeremy Katz, VP of Code Security at Sonar, and one theme came through clearly: the way we secure code has to change — fast.
As development shifts toward AI-assisted and agent-driven workflows, traditional checkpoints in CI/CD are no longer enough to catch risk early.
Katz pointed out that one of the biggest gaps today is what happens before code ever reaches CI.
Developers — and increasingly AI agents — are generating large volumes of code at speed, but without proper validation upfront, vulnerabilities can slip through and compound quickly.
In his view, security needs to move even earlier in the lifecycle, with real-time checks happening as code is written, not after it is committed.
Supply Chain Attacks Raise the Stakes
This shift is especially important in the context of software supply chain attacks. Katz referenced the growing number of incidents involving compromised npm packages and other open-source dependencies, where attackers inject malicious code into widely used libraries.
These attacks are particularly dangerous because they often bypass traditional defenses, entering environments through trusted channels.
Modern development increasingly relies on open-source components, making supply chain visibility and control a critical part of code security.
To address this, Sonar has introduced capabilities like automated malicious package detection in SonarQube Advanced Security, designed to serve as a guardrail for AI-driven workflows by identifying and blocking risky or ‘hallucinated’ dependencies before they enter the pipeline.
AI-Generated Code Expands Risk
What makes this problem more complex is the rise of AI-generated code.
Sonar’s research shows that coding models can produce insecure or buggy code faster than humans can realistically review it.
During our conversation, Katz stressed that while AI can accelerate development, it also amplifies risk if not properly governed.
This is where Sonar’s concept of the Agent Centric Development Cycle (AC/DC) comes into play.
Inside the Agent Centric Development Cycle (AC/DC)
AC/DC represents a shift away from traditional continuous integration toward a model designed for AI-driven development.
Instead of relying on small, frequent commits, agents often generate large, complex blocks of code in a single cycle. This changes the risk profile significantly.
Errors made early in the generation process can compound, making it harder to detect issues later.
Verification Becomes Non-Negotiable
To address this, AC/DC introduces a structured loop: Guide, Generate, Verify, and Solve.
What stood out to me is the emphasis on verification. In this new model, verification is not optional — it is foundational.
Code must be continuously checked for reliability, maintainability, and security, both during generation and before it is integrated into production environments.
Why Human Oversight Still Matters
Katz also emphasized that despite the rise of automation, the human element remains critical.
While AI can generate and even review code, it cannot fully replace human judgment, especially when it comes to understanding business logic, architectural intent, and risk tolerance.
The human-in-the-loop is still essential for ensuring that what gets shipped is not just functional, but secure and aligned with organizational standards.
Real-Time Code Security in Practice
Sonar’s approach reflects this balance between automation and oversight. For example, its tools are designed to perform real-time code analysis, scanning for vulnerabilities, exposed secrets, and insecure patterns as code is written.
The recently introduced SonarQube CLI extends this capability directly into developer workflows, enabling security checks to happen locally, within CI/CD pipelines, and even within AI coding environments.
This kind of continuous, integrated verification helps close the gap between speed and security.
Reducing Noise, Increasing Trust
Another key area we discussed was the importance of reducing noise in security tooling.
Developers are more likely to trust and act on findings when false positives are minimized.
Sonar reports a relatively low false positive rate, which helps maintain developer confidence and ensures that critical issues are not overlooked amid alert fatigue.
A New Model for Secure Software Development
Ultimately, what I took away from my conversation with Katz is that we are entering a new era of software development — one where speed alone is no longer the primary differentiator.
Instead, the ability to generate, verify, and secure code in real time will define successful organizations.
The transition to agent-driven development is not just a technical shift; it is a fundamental change in how we think about trust in software.
As Katz made clear, security cannot be an afterthought or a downstream process. It has to be embedded at every stage, starting before CI and continuing through the entire lifecycle.
For security leaders and development teams alike, the message is straightforward: if you are not verifying code as it is created, you are already behind.