Frontier AI models are reaching a point where no vulnerability will go undiscovered. Whether the code was written by a human or an agent, these models can autonomously find and exploit flaws at a speed and scale no security team can match manually. Fortunately, these models are in the hands of defenders, giving us the first-mover advantage, but we have to adapt.
The only viable response is to get ahead of it: complete visibility across every layer of the stack, attack surface reduction that moves at machine speed, and security embedded directly into the workflows where code is written and shipped.
Wiz Code Week was the first step in that direction. Alongside limited-edition giveaways, our team was busy shipping new capabilities to help secure AI-driven development. In this post, we recap what we launched to give Application Security teams the visibility and controls to reduce risk, while giving developers the context and guardrails to build fast with AI, securely.
Visibility Across AI, From Code to Cloud
Security starts with visibility. But AI-driven development is making that harder. Developers are rapidly adopting models, frameworks and extensions to write and build software, creating a blind spot for security teams. At the same time, AI agents are provisioning infrastructure through code faster than platform teams can govern it, with no single source of truth across repositories, state files, and cloud environments.
To address this, we introduced an AI-BOM, which automatically inventories AI frameworks, models, and IDE extensions, including Gemini Code Assist, GitHub Copilot, and Cursor, giving security teams a living map of how AI tools interact with their data.
To support platform and DevOps teams, the IaC Inventory provides a unified view of how code becomes cloud. It connects every IaC module to every deployment it creates and every live resource it manages, surfacing drift and blast radius instantly. Together they give security and platform teams a complete picture of what AI is introducing into their environment and what it's building.
Security Guardrails Directly Inside Agent-First Workflows
Shift left has been an AppSec goal for over a decade, but tools failed to deliver because findings lacked actionable context. New breakthroughs in code-to-cloud mapping and the adoption of standards like MCP servers are fundamentally changing this. These advancements enable security and runtime signals to flow directly back from the cloud and runtime to the developer environment and the IDE, making findings actionable right where code is now being written by agents.
At Google Cloud Next, we announced Wiz Code plugins for AI-native IDEs like Claude Code and Cursor, embedding security directly into agentic development workflows. Using pre-commit hooks, teams can catch hardcoded secrets, IaC misconfigurations, vulnerabilities, and weaknesses before code reaches source control. This reduces the volume of insecure code for AppSec teams to triage. These same guardrails extend to AI-specific risks. With new SAST rules mapped to the OWASP Top 10 for LLM Applications and the OWASP Top 10 for Agentic Applications, teams can identify issues like prompt injection, insecure model outputs, and unsafe agent behavior at the moment they're introduced.
Finally, Wiz Skills help developers remediate security findings faster. They allow coding agents to pull active issues from the Wiz Security Graph and apply fixes natively in the IDE as a simple command. Remediations are powered by the Wiz Green Agent, which uses full code-to-cloud context to generate precise fixes grounded in actual code, so developers can burn down existing security debt at machine speed.
Pipeline Security: Secure the Systems that Build your Software
Code is only one part of the attack surface. CI/CD pipelines are the foundation of the SDLC and a common target for threat actors. In the past few months, we’ve seen several supply chain incidents where threat actors gained an initial foothold through insecure pipeline controls. AI agents only increase that risk. They operate inside CI workflows, executing commands and committing code with elevated privileges.
Wiz models CI/CD pipelines as first-class assets on the Security Graph, extending risk prioritization beyond traditional vulnerabilities. Dangerous trigger configurations, excessive permissions, and prompt injection risks from AI agents are surfaced automatically as findings. And with the CI-BOM, teams can inventory every third-party action across the organization. If a specific action is compromised, teams can immediately understand impact and respond.
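To make the CI-BOM idea concrete, here is an added example (not Wiz's implementation and not code from the original post) that inventories the external actions referenced by workflow files, answers "which workflows use this action?" for incident response, and lists references that are not pinned to a full commit SHA. It assumes GitHub Actions `uses:` syntax; the workflow contents and the `example-org/build-helper` name are constructed.

```python
import re
from collections import defaultdict

# Constructed sample workflows (path -> YAML text); not from the original page.
WORKFLOWS = {
    "org/api/.github/workflows/ci.yml": """\
on: [push]
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/build-helper@main
      - uses: ./.github/actions/local-lint
""",
    "org/web/.github/workflows/release.yml": """\
on: [push]
jobs:
  release:
    steps:
      - uses: example-org/build-helper@0123456789abcdef0123456789abcdef01234567
      - uses: docker://alpine:3.19
""",
}

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)", re.M)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def build_ci_bom(workflows):
    """Map each external action to the (workflow, ref, pinned) tuples using it."""
    bom = defaultdict(list)
    for path, text in workflows.items():
        for target in USES_RE.findall(text):
            # Actions local to the repository and container images are skipped.
            if target.startswith(("./", "docker://")):
                continue
            name, _, ref = target.partition("@")
            bom[name].append((path, ref, bool(FULL_SHA_RE.match(ref))))
    return dict(bom)

def impacted(bom, action):
    """Workflows that reference a given (for example, compromised) action."""
    return sorted(path for path, _, _ in bom.get(action, []))

def unpinned(bom):
    """(action, workflow, ref) entries that use a mutable tag or branch."""
    return sorted((a, p, r) for a, uses in bom.items() for p, r, ok in uses if not ok)
```

A tag or branch reference can be moved to different code after the fact, which is why the unpinned list is the first place to look when an action is reported compromised.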
Secure Code at the Pace of AI
AI has changed every layer of the development lifecycle, from the tools developers use to the infrastructure and pipelines that support them. But the same AI reshaping how software gets built can also reshape how security teams manage risk.
Wiz Code serves as the security fabric for AI-native development, securing the entire lifecycle from prompt to production so developers can address risks at inception and code with confidence. By grounding every control in context from the Security Graph, teams focus on what's actually exploitable, fix issues where they're introduced, and keep pace with how modern software is built.
It's never been a more exciting time to be in software security, and we're excited for what comes next.
To see how Wiz can help you secure AI-driven development across the entire software supply chain, schedule a demo.