Between 30 and 41% of the code shipping at Google, Meta, and Microsoft is now written by AI. PR throughput has gone up by an order of magnitude. The review pipeline has not. Static scanners calibrated for one engineer committing once a day now produce 112,000 findings against a backlog nobody can drain. The agent pulls a package two hours old, copies a pattern from three-year-old training data, and never learns from the last vulnerability it caused. The SDLC running in production today is not the one you secured in 2022, and bolting another scanner on the side of it will not catch you up.

This is the framework. Six controls across two halves. Close the Tap on the left, Burn the Backlog on the right. Five blocking gates across the agentic development lifecycle (ADLC): PRD generation, package install, code generation, PR, CI/CD. Skills bind the agent at the design stage. Scaffolding turns the existing backlog into rules the next session has to follow. Graph-aware scanning runs inside the session, not three sprints later in triage. Malware intel sits on the install hook and refuses the bad package before it lands in node_modules. On the right, aggregation collapses scanner sprawl into one prioritized queue with reachability and ownership attached. Agentic remediation turns twelve Log4j PRs into one.

The argument is structural, not theatrical. If attackers reason, defenders need to reason. Throwing every PR at a frontier model costs more than the breach it prevents, and the math on that is in the talk. A code graph plus a security graph plus an architecture graph compresses the search space by roughly an order of magnitude. That is what makes defensive AI affordable outside a hyperscaler budget. Same primitive the attacker uses, different output. Vendor-neutral throughout: the controls are the same whether you build on Phoenix, Snyk, Apiiro, Endor, or in-house.
Key discussion points

The ADLC, drawn end to end. Where the agent sits, where the gates belong, and why post-PR scanning is downstream of the damage. The five blocking paths, what each one costs to bypass, and why the dev workstation is now the perimeter the program has to defend.

The six controls, each with the metric that tells you it is working. Skills, Scaffolding, Graph-Aware Scanning, Malware Intel, VM Aggregation, Agentic Remediation. The number on the dashboard for each. The number that says the control is off. The number that says the rules are wrong.

Why the knowledge graph is the load-bearing part. Code graph, security graph, architecture graph. The cost of frontier-model spend at PR level without curated context, with the actual token math. Why the same graph that scans the PR also writes the remediation, and why that economics is the only thing that holds up at 400K findings.

The supply-chain layer. Five npm incidents in six weeks. Median compromise-to-impact under an hour. Trusted Publishing did not solve it. Pin-and-audit did not solve it. Where each of the five gates catches what the previous one missed, and which one your program is missing right now.

Takeaways for attendees

A drawn architecture of the agentic SDLC with six controls mapped to five blocking gates, plus the audit checklist for finding which ones your program is missing. The install order depends on the bottleneck: PR velocity, backlog size, agent adoption, supply chain. Pick the right one for your shop, not a generic checklist.

The four metrics that go on a dashboard next week. Prevention rate above 60% on AI-generated PRs by day 90. PR block rate between 5 and 15% (zero means the gate is off, above 15 means the rules are wrong). Backlog burn rate positive. Median package age under two hours at install. Including the metrics that get worse before they get better, so a red board in week six is the program working rather than failing.

The token-cost architecture that makes defensive AI tractable: agent fleets routing easy tasks to cheaper models, prompt caching, RAG against the graph instead of the whole repo, structured JSON in place of prose. Where the tokens go and where they should not.

A diagnostic for the three failure modes every program ends up in. Scanners multiplying without correlating. Backlog growing faster than burn-down. The coding agent treated as a human developer. Plus the open-source skill repository and the public reference architecture to start from on Monday.