GitLab’s recent C-suite survey found that 89% of executives anticipate that agentic AI will be the definitive software development standard within three years. This adoption trajectory collides with the stark reality that 85% of these executives also recognize that agentic AI will generate unprecedented security challenges.

CISOs are pressed to find the balance between two objectives that often feel like they’re at odds. They cannot prevent AI adoption for software development at their organizations, but they must minimize the technology’s potential security risks. As 91% of executives report they plan to increase AI spending in software development over the next 18 months, this pressure on security will continue to rise.

Governance Is Lagging Behind AI Adoption

Most security leaders are painfully aware of the top agentic AI risks cited by respondents: cybersecurity threats (52%), data privacy and security (51%) and maintaining governance (45%). The landscape and even definitions of these risks are evolving and deeply intertwined.

Establishing a governance model for AI is required for organizations to evolve their security strategy alongside emerging AI risks. However, doing so is not straightforward, with AI spanning many technology and security domains from data governance to identity and access management. Nevertheless, almost half of those surveyed admitted their organization has not implemented regulatory-aligned governance (47%) nor internal policies (48%) for AI.

The lag in AI governance stems from legitimate industrywide challenges, making it difficult for leaders to identify the most effective places to invest their time and effort. The nondeterministic nature of agents causes them to behave in unexpected ways, which has been proven to disrupt existing security boundaries.
Furthermore, security complexity is increasing with the introduction of universal protocols, such as Model Context Protocol (MCP) and Agent2Agent, which simplify data access and enhance agent interoperability to build ecosystems.

But these challenges cannot stop security leaders from prioritizing AI governance. If you’re awaiting comprehensive best practices for this dynamic technology, you’ll be playing a perpetual game of catch-up. Any organization that avoids AI adoption altogether will still be exposed to AI risk through vendors and shadow AI usage in their environment.

3 Ways To Start Establishing AI Governance

CISOs can start to plan for agentic security risks by establishing AI observability capable of tracking, auditing and attributing agentic behaviors across environments. Here are a few areas to focus on first:

1. Attribute Agent Activity to Human Operators

As AI systems proliferate, tracking and securing these nonhuman identities becomes just as important as managing human user access. One way to achieve this is through composite identities, which link an AI agent’s identity with that of the human user directing it. So, when an AI agent attempts to access a resource, you can authenticate and authorize the agent and clearly attribute activity to the responsible human user.

2. Track Agent Behavior Across the Organization

Operations, development and security teams need ways to monitor the activities of AI agents across multiple workflows, processes and systems. It’s not enough to know what an agent is doing in your codebase. You also need to be able to monitor its activity in both staging and production environments, as well as in the associated databases and any applications it accesses.

3. Invest in Upskilling Teams

A culture of security now requires AI literacy.
Forty-three percent of survey respondents acknowledged a widening AI skills gap, which is likely to grow unless technical leaders prioritize upskilling teams to understand model behavior, prompt engineering and how to critically evaluate model inputs and outputs.

Understanding where models are performant versus where their use is suboptimal helps teams avoid unnecessary security risk and technical debt. For example, a model trained on antipatterns will perform well at detecting those patterns, but will not be effective against logic bugs it has never encountered before. Teams should also recognize that no model can replace human ingenuity. If the model performs suboptimally in an area a security engineer or developer is less familiar with, they will not be able to identify the security gaps the model has left behind.

CISOs should consider dedicating a portion of learning and development budgets to continuous technical education. This fosters AI security expertise in-house, allowing newly minted AI champions to educate their peers and reinforce best practices.

When Used Right, AI Benefits Software Security

Organizations that deploy AI strategically see measurably stronger security outcomes than those with ad hoc implementations. Survey results support this conclusion, with 45% of executive respondents identifying security as the top potential use case for AI in software development.

AI’s value for security reaches its peak when organizations position it as a complement to human expertise rather than a replacement. This approach enables AI to help democratize security knowledge across development teams by delivering routine security automation, intelligent coding recommendations and valuable security context embedded directly within developer workflows.
Organizations implementing these capabilities report improved security outcomes, reduced risk and stronger collaboration between development and security teams.

If organizations want a competitive advantage, they won’t avoid AI altogether nor adopt it without proper consideration. Instead, they will establish foundational security controls at the start of implementation. Even imperfect initial measures will make it much easier for security teams to navigate changes in the risk landscape.

If the predictions of the executives within the survey are proven correct, we’re already on the three-year countdown toward an agentic future for software. Leaders who direct their teams toward appropriate AI use will achieve benefits that extend beyond risk reduction. They will produce quality, secure software faster.

The post CISOs: Prepare for Software’s Agentic Future Today appeared first on The New Stack.
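
An added example, not part of the original article, for the composite identities described under "Attribute Agent Activity to Human Operators" and the cross-environment monitoring described under "Track Agent Behavior Across the Organization". The class and function names, the grant format and the policy that an agent may never exceed the human it acts for are assumptions made for illustration; the sample identities and requests are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class CompositeIdentity:
    """An agent identity bound to the human directing it (hypothetical model)."""
    agent_id: str
    human_id: str
    agent_grants: frozenset  # (environment, action) pairs delegated to the agent
    human_grants: frozenset  # (environment, action) pairs the human holds

def authorize(identity, environment, action, resource, audit_log):
    """Decide one request and append an audit record naming both principals."""
    request = (environment, action)
    agent_ok = request in identity.agent_grants
    human_ok = request in identity.human_grants
    # Assumed policy: both principals must hold the grant.
    allowed = agent_ok and human_ok
    reason = ("granted" if allowed
              else "outside agent delegation" if not agent_ok
              else "human operator lacks permission")
    audit_log.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "agent": identity.agent_id, "on_behalf_of": identity.human_id,
        "environment": environment, "action": action, "resource": resource,
        "allowed": allowed, "reason": reason})
    return allowed

def denied_by_operator(audit_log):
    """Group denied requests by responsible human, then by environment."""
    summary = defaultdict(lambda: defaultdict(list))
    for rec in audit_log:
        if not rec["allowed"]:
            summary[rec["on_behalf_of"]][rec["environment"]].append(
                (rec["agent"], rec["action"], rec["resource"], rec["reason"]))
    return {human: dict(envs) for human, envs in summary.items()}

def demo():
    """Constructed sample: one agent, one operator, four requests."""
    ident = CompositeIdentity(
        "agent:code-assistant-7", "user:alice",
        agent_grants=frozenset({("staging", "deploy"), ("production", "db.read"),
                                ("production", "deploy")}),
        human_grants=frozenset({("staging", "deploy"), ("production", "db.read")}))
    log = []
    requests = [("staging", "deploy", "svc/checkout"), ("production", "db.read", "db/orders"),
                ("production", "deploy", "svc/checkout"), ("production", "db.write", "db/orders")]
    decisions = [authorize(ident, env, act, res, log) for env, act, res in requests]
    return decisions, log
```

Every record, allowed or denied, carries both the agent and the human it acted for, so a review of denied requests in production leads directly to a responsible operator.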