Agent-first IDEs promise to double developer productivity, but insurance IT organizations that don’t rethink code review for AI-generated output are building on a vulnerable foundation.
Google’s November 2025 announcement of Antigravity, an “agent-first” IDE built on technology from its US$2.4 billion Windsurf acquisition, signals that AI-assisted development has crossed a threshold. We’re no longer talking about autocomplete tools that make developers faster. We’re talking about systems that autonomously implement features, submit pull requests, and operate across editor, terminal, and browser environments with minimal human intervention.
For insurance IT leaders, that’s a significant productivity opportunity. It also introduces a security risk that most governance frameworks aren’t built to handle.
The Developer Role Is Shifting
Traditional AI coding tools like GitHub Copilot operate in a human-in-the-loop model: the developer writes code, the AI suggests completions, the developer decides what to keep. More than 20 million developers use Copilot today, and the productivity evidence is substantial. GitHub’s own research with Accenture found 15% higher pull request merge rates and 84% more successful builds among teams using the tool.
Agent-first platforms like Antigravity, Cursor’s Agent Mode, and their successors work differently. Rather than augmenting the developer’s workflow, they run autonomous agents that handle implementation while the developer reviews and guides through a supervisory interface. Industry observers describe this as a shift from “human-in-the-loop” to “human-on-the-loop.”
The practical implication: developers are now reviewing code they didn’t write, can’t fully explain, and didn’t mentally model as they went. That is a fundamentally different cognitive task than the peer review model most insurance IT organizations have built their quality processes around.
The Security Numbers Are Concerning
Academic research has found that 40% or more of AI-generated code contains security vulnerabilities. Veracode’s 2025 GenAI Code Security Report found that 45% of AI-generated code samples introduced OWASP Top 10 vulnerabilities. These aren’t obscure edge cases; they’re the core vulnerability categories that attackers actively exploit.
For insurance carriers handling protected health information, financial account data, and social security numbers at scale, that is not a tolerable baseline.
The problem compounds in the supervisory model. When developers review AI-generated code rather than code they wrote themselves, they lose the accountability anchor that makes peer review effective. Traditional code review assumes an author who can explain design decisions and defend implementation choices. An AI agent offers no such accountability, and reviewers anchored to plausible-looking output may apply less scrutiny than the code actually requires.
What Insurance Carriers Need to Do Now
Deploying agent-first tools responsibly in a regulated environment requires treating security as a prerequisite, not a post-deployment consideration. Datos Insights recommends three non-negotiable controls before any agentic development tooling reaches a production workflow.
Shift-left security with AI guardrails. Static application security testing (SAST) and software composition analysis (SCA) tools need to move earlier in the pipeline. AI agents can generate dependency-heavy code at high velocity, so tools like Semgrep, Snyk, or Veracode should function as mandatory pre-merge gates, not post-merge reviews.
Software Bill of Materials generation on all AI-assisted commits. AI-generated code frequently introduces third-party dependencies that no developer consciously selected. Automated SBOM generation via tools like Syft or FOSSA is increasingly a regulatory expectation and will become more common as audit requirements mature. Carriers should implement it now.
Secret scanning as a pre-commit gate. AI models can reproduce training data verbatim, including API keys and credentials. Developers prompting with proprietary code create a second exposure vector. Secret scanning tools should be configured as mandatory pre-commit hooks that block commits containing detected credentials before they reach the repository. For carriers managing credentials across policyholder data stores and third-party integrations, this control is not optional.
Redefining Code Review for the Agent Era
Beyond tooling, insurance IT organizations need to rethink how human review works when humans aren’t the authors.
Security-focused checklists specific to AI-generated code, covering input validation, authentication patterns, and attack surface expansion, should supplement standard review criteria. AI-generated code touching claims adjudication logic, underwriting rule engines, or PII-handling pathways should require explicit sign-off from a domain expert with security awareness, not only a generalist reviewer.
Carriers should also begin tracking code provenance: what percentage of production code is AI-generated, where it is concentrated, and whether vulnerability rates differ from human-authored counterparts. This baseline will become essential as autonomous agent adoption accelerates and audit expectations mature.
The Competitive Case for Moving Now
The developer productivity numbers are too compelling to sit on. Carriers that engage thoughtfully with agent-first development, building security governance before scaling rather than after, will gain an advantage. Those that delay adoption will struggle to attract talent and deliver at the pace their markets demand. Those that adopt without adequate controls will eventually pay for it.
The path forward is to deploy with controlled scope, build security infrastructure before scaling, and adapt review processes to match the reality of human-supervised code generation. That is a harder organizational change than simply enabling a new tool. It is also the change that determines whether agent-first development actually delivers in a regulated environment.
For the complete analysis of the agent-first development landscape, security framework recommendations, and phased implementation guidance, read our new brief: How AI Is Transforming Insurer Development Teams.
Contact Datos Insights to discuss how leading carriers are building AI development governance programs that capture productivity gains without creating new security exposures.
