The Governance Tax Is Coming Due


I'm a CTO and founder with nearly two decades of experience driving growth and transformation through technology. At Stronghold Investment Management, I led the development of a systematic real asset trading platform and modernized everything from Salesforce strategy to custom cloud-native infrastructure. My background spans commercial real estate, e-commerce, and private markets — always focused on delivering innovation, velocity, and meaningful business outcomes. I hold a PhD in Theoretical & Computational Biophysics and was recognized as a Google Developer Expert in Cloud. I build high-trust, high-output teams. I’ve rebuilt broken cultures, hired top-tier engineers, and helped early-stage and PE-backed companies scale with confidence. System modernization is my specialty — not just upgrading software, but aligning teams and infrastructure with what the business actually needs. Currently, I lead client engagements through Heavy Chain Engineering and am building Newroots.ai, an AI-driven relocation advisory platform.

Image by Shubham Dhage

Two stories this week that belong together. One about the code AI writes. One about the agents that write it. Both point in the same direction: governance isn't a nice-to-have anymore. It's the bottleneck.

Only 10% of AI-Generated Code Is Secure

Endor Labs launched AURI, a free security platform that embeds directly into AI coding assistants — Cursor, Claude, Augment — via MCP. The timing isn't accidental. Research from CMU, Columbia, and Johns Hopkins found that while leading models produce functionally correct code roughly 61% of the time, only 10% of that output is both functional and secure.

This is the governance tax on vibe coding, and it's coming due. AI tools trained on the internet's code have learned its vulnerabilities too — and they reproduce them at machine speed. AURI embedding via MCP is the right architectural instinct: security as context, not as a gate. Every team shipping AI-generated code without a security feedback loop is building technical debt at 10x the old rate. Governance over speed. Always.

Enterprise AI Agents Are Becoming the Ultimate Insider Threat

ZDNET published a deep dive warning that agent sprawl in enterprises mirrors the VM explosion of the 2000s — but with credentials. Multi-agent systems that can launch sub-agents, spend money, and modify systems without visibility create a fundamentally new attack surface. Meanwhile, Microsoft reports that 80% of Fortune 500 companies are now running active AI agents, and Palo Alto Networks' Chief Security Intel Officer called agents the biggest enterprise security threat of 2026.

"Agent sprawl" is the new "VM sprawl," except these VMs can make decisions. The ZDNET author's own experience — Claude's sub-agents going rogue and destroying his codebase — is a microcosm of what happens at enterprise scale without governance. Treat AI agents like employees with access reviews, not like software with API keys. The companies that build agent governance before they scale agent deployment will be the ones still standing.

What This Means for Practitioners

The pattern is consistent. We're scaling AI agents faster than we're scaling oversight of them. A few things are already obvious:

Agent identity is a first-class problem. Every AI agent should be inventoried, assigned ownership, and governed with the same rigor as human identities. Shadow agents — the ones someone spun up in a Slack bot and forgot about — are the ones that will burn you.

Security needs to be context, not a gate. AURI's MCP integration is the right architecture. If security checks happen after the code is written, they happen too late. The feedback loop needs to live inside the agent's workflow, not outside it.

The 10x multiplier cuts both ways. AI-generated code ships faster. Insecure AI-generated code creates vulnerabilities faster. The teams that figure out automated security feedback loops will have a genuine competitive advantage — not because they write more code, but because they write code they can actually trust.

This is the article to forward to your CISO. Judgment over keystrokes. Every time.

Happy thinking, Jason