Review workflow changes
Workflow-file changes can expand command execution, secret access, and deployment reach.
CAISI
Independent research and operating notes on AI Software Delivery Control.
Reference / CI/CD Control
How to Secure AI Coding Agents in CI/CD
Start by mapping the action path: which agent or workflow can change code, trigger CI/CD, use credentials, call tools, deploy, or affect production-adjacent systems.
Last updated: May 5, 2026
On this page
Control model
CI/CD is where AI-assisted engineering often stops being a suggestion layer and becomes a delivery actor. A pull request can trigger tests, workflows, package publishing, deployment scripts, cloud commands, or release automation.
The practical control model is simple:
map the path -> classify the action -> control the credential -> require approval where needed -> keep proofAction paths to map
- Agent-generated or agent-modified pull requests.
- Workflow files that can change commands, permissions, or secret access.
- GitHub Actions or CI/CD jobs with inherited credentials.
- Package publish jobs.
- Deployment and release workflows.
- MCP tools or APIs callable from the workflow.
- Cloud commands, database writes, or production-adjacent jobs.
Controls that matter
Scope credentials
Avoid broad standing tokens for high-risk actions. Prefer scoped, short-lived access tied to owner, repo, branch, task, and time.
Use allow / approve / block
Allow low-risk actions, require approval for production-adjacent or credential-bearing actions, and block unacceptable actions.
Keep revocation practical
Teams need a way to disable a token, freeze a workflow, stop a release path, or roll back a risky action.
Proof trail
Logs are useful, but they are not always proof. A useful proof trail should show:
- which agent or workflow acted
- which human owner was accountable
- which credential or identity was used
- which action was requested and executed
- which target system was touched
- whether approval was required and who approved it
- what outcome was produced
Buyer questions
- Can an AI-assisted workflow modify the CI/CD file that controls its own permissions?
- Which jobs receive secrets, publish packages, deploy, or call cloud APIs?
- Which actions should require a human approval before execution, not after review?
- Can credentials be scoped to repo, branch, task, owner, and time?
- What evidence remains if a reviewer asks who approved the action and which credential was used?
Checklist
- Can you list AI-assisted workflows that can trigger CI/CD?
- Can you identify which workflow files expose secrets or deployment paths?
- Can you see which credentials each workflow uses?
- Can you separate read, write, deploy, secret access, package publish, and destructive actions?
- Can you require approval for production-adjacent actions before execution?
- Can you reconstruct the proof trail after the action?