AI Security and Agent Experience: What DevCon’s Best Minds Are Thinking About

The questions coming out of AI Native DevCon London weren’t about whether AI agents would change software development. They were about how fast, how deeply, and whether the industry had any hope of keeping up.

Two back-to-back panels captured the tension well. A security roundtable with Joseph Katsioloudes from GitHub, Liran Tal from Snyk, and John Groetzinger from Cisco examined the threat landscape for AI-native systems. A web AI conversation with Dana Lawson from Netlify, Maximiliano Firtman from codemia, and James Moss from Tessl explored what building for an agent-first web actually requires. Neither group had tidy answers. That was, in a way, the point.

The AI Security Readiness Gap

To make sense of where we are with AI agent security, it helps to plot two things on the same axis: deployment ambition and readiness maturity. Right now, the gap between those two is striking.

Groetzinger referenced Cisco data showing that 83% of enterprises plan to deploy AI agents, but only 29% feel ready to do so securely. "Sometimes they don’t even have traditional security controls in their pipeline," he observed — meaning the readiness gap isn’t about AI-specific defences; it’s about not having the basics in place at all.

The new threat vectors compound this. Liran Tal argued that prompt injection — the ability for malicious content in the environment to redirect an agent’s behaviour — is the most interesting risk AI introduces, and probably the hardest to eliminate. His reasoning was counterintuitive: constraining inputs too aggressively would prevent people from using AI the way they actually want to, through natural language. "I believe that it’s a risk that we have to accept," he explained.

Accept the risk, then design around it. Tal’s approach leans on output filtering, sandboxing, and applying least-privilege principles to agents the same way you’d apply them to human employees. A second LLM checking the work of the first — a technique Microsoft and GitHub have used in production — adds another layer. The goal isn’t to make agents invulnerable; it’s to limit what a compromised agent can actually do.

MCP Security and the Supply Chain Problem

Katsioloudes introduced a more structural concern: the security of the MCP ecosystem itself. When MCP first arrived, the instinct was to move fast. Developers would run uvx or npx and pull MCP servers at latest — which means a single compromised package, or a rug-pull on a popular server, could reach a large number of systems instantly.

"We kind of like haven’t learned to instil the right practices when we’re consuming MCPs," he noted, drawing a direct line to early npm culture. The muscle memory exists — the security community knows what it should be doing — but the awareness hasn’t caught up with adoption speed. The supply chain problem that made npm packages a recurring concern in the 2010s is playing out again, this time with MCP servers and AI skills.

Groetzinger’s take at Cisco was pragmatic: restrict access where you can, get observability across what your teams are actually running, and use that visibility to respond when something goes wrong. "There’s a new problem every week, a different tool, a different thing," he acknowledged. The answer is governance and pattern observation, not a one-time security audit.

Agent Experience: Designing at Machine Scale

On the web AI side, Dana Lawson introduced a concept Netlify has been developing: agent experience, or AX. To make sense of it, she drew a contrast with CLI design. CLIs were built for sequential human interaction — one command, one output, human eyes parsing the result. Agents don’t work that way. They run in parallel, they call multiple systems simultaneously, and they read output differently from how a person would.

"Writing intent with specs and making it human readable as well as machine readable" — that’s how Lawson characterised the shift. It’s not just about adding an API layer; it’s about rethinking how systems express their purpose and constraints in language that an agent can understand and act on.

Maximiliano Firtman extended this into the question of web standards. Models don’t know about the last year of web evolution — they were trained before it happened. Skills fill that gap, teaching a model which APIs now exist, how browser compatibility has shifted, what the baseline is for a given platform. The implication: skills aren’t just useful for AI-native development; they’re necessary for web development to stay current in an agent-first world.

Fundamentals, Abstraction, and the Future of Code

Whether fundamentals still matter was a thread running through both panels, from different directions. Firtman’s answer was clear: yes, but not for the reasons developers usually cite. "You still need to have done HTTP requests," he argued. Not because you’ll be writing them by hand, but because you need to know whether what you’re asking an agent to do is even possible, and what the tradeoffs of different approaches are. Without that, agents will find solutions that technically work but perform poorly or miss the intent entirely.

James Moss reached for a self-driving car analogy. We’re at the level-four stage right now: you still have to keep your hands near the wheel, still read the generated code, still make judgement calls about quality. The full autonomy future may arrive, but the current half-state requires active human judgement, even as the work itself is increasingly agent-generated.

Lawson’s most direct provocation was about git workflows: "The dependency on the GitHub workflow is going away, because your code is just not that precious." Not because version control doesn’t matter — it does — but because the whole developer-centric workflow of branching, pull requests, and CI/CD pipelines was designed for humans to review code. As agents do more of the generating and reviewing, that workflow will need to be redesigned around what agents actually need to know: how to roll back, and how to push forward.

What Developers Should Do Now

The quickfire close of the web AI panel drew three distinct answers on what web developers should prioritise over the next twelve months. Lawson’s: embrace AI, stop obsessing about frameworks, start obsessing about workflows. Firtman’s: become a better AI user — understand how models work, what context windows do, why prompting matters, even if you never do machine learning. Moss’s: use AI to enhance your learning, not just to generate code. Treat it as an interview partner for topics you want to understand more deeply.

Taken together, they’re not competing advice — they’re a sequence. Embrace it, understand it, use it to learn more.

The conversations from AI Native DevCon London don’t point to a single clear future. They point to a period of genuine uncertainty where the community is defining the answers in real time. Worth listening to all of it.