---
title: "Agentic coding needs human sign-off tied to physical reality"
date: 2026-05-21
canonical: https://patrickaudley.com/#post-human-signoff-for-agentic-code
cross-posted-from: https://www.linkedin.com/feed/update/urn:li:activity:7463256842350022656/
source-platform: LinkedIn
tags: [ai-governance, software-security, ai-coding, appsec, zero-trust, devsecops, coding-ethos]
mentions: [https://patrickaudley.com/#proj-coding-ethos]
author: Patrick Colm Audley
author-url: https://patrickaudley.com/
license: Creative Commons BY-NC-SA CAv2.5
lang: en
---

# Agentic coding needs human sign-off tied to physical reality

> As AI coding agents transition from passive autocomplete tools to autonomous contributors executing entire feature
branches, we are racing toward a massive security blind spot: how do we prove a real human actually reviewed and
verified agent-generated code before it hits production?

As AI coding agents transition from passive autocomplete tools to autonomous contributors executing entire feature
branches, we are racing toward a massive security blind spot: How do we prove a real human actually reviewed and
verified agent-generated code before it hits production? This is not a *new* problem, but it is definitely a more
*urgent* one now.

In my project, [coding-ethos](https://github.com/paudley/coding-ethos), we focus heavily on building policy-as-code
guardrails for AI agents — using Common Expression Language policies, Git hooks, sandboxing, and Model Context
Protocol servers to ensure autonomous agents cannot ship code that violates your team's standards, even if you are not
in the loop.

But even the most robust automated gates are only half the battle. The ultimate layer of defence-in-depth requires real
eyes reviewing critical code. In a fully agentic workflow, traditional SSH or GPG commit signing is no longer sufficient,
and it is often automated. If an agent process or local environment is compromised, or steered by a sophisticated prompt
injection, those stored credentials can be misdirected. Or people can just be lazy.

We need a zero-trust developer confirmation model that is cryptographically tied to physical reality:


- **Biometrically verified:** fast, low-friction validation, such as Face ID or Touch ID, proving a living, authorized
  developer is actively at the glass.
- **Temporally verified:** ensuring human approval occurs precisely during the commit window, eliminating replay attacks.
- **Geophysically verified:** confirming that the developer's physical location aligns with expected telemetry and trusted
  boundaries.


When an autonomous agent proposes a critical architectural change, the final gate should not just be a green checkmark
from a CI pipeline. It needs to be an un-spoofable human assertion.

I am currently designing this exact defence layer for coding-ethos, and I want to open up the floor to the network: How
is your engineering team drawing the line between automated policy enforcement and hard human sign-off? As agents handle
larger chunks of the codebase, how do we prevent reviewer fatigue from turning human verification into an automatic
rubber stamp?

Let's discuss. I am actively looking to take this specific verification framework from a design pattern into a live
platform integration. If you are building a biometric fast-ID product or running an enterprise software supply-chain
security platform and want to explore a trial integration with coding-ethos, [let's connect](#contact).


## Threat Modeling Autonomous Dev Agents: How do we cryptographically prove a human actually reviewed a commit?

**Date:** 2026-05-21 · **Cross-posted from:**
[Reddit (r/cybersecurity)](https://www.reddit.com/r/cybersecurity/comments/1tjqhnc/threat_modeling_autonomous_dev_agents_how_do_we/)
· **Tags:** `FOSS Tool`

Hey everyone,

I’ve been spending a lot of time lately threat-modelling fully agentic coding workflows. As tools move from passive
autocomplete to autonomous agents that execute entire feature branches, we are opening a massive supply-chain blind
spot.

I maintain an open-source project called `coding-ethos`, which focuses on building policy-as-code guardrails for AI
agents (using CEL policies, Git hooks, sandboxing, and MCP servers) to ensure agents can’t ship code that violates
team standards. But even with robust automated gates, I keep hitting a wall with the ultimate layer of defence-in-depth:
human verification.

*I have some very mathy thoughts about this, but I've kept them out of the post for now.*

### The Threat Vector

Traditional SSH or GPG commit signing is no longer sufficient. If a local environment or agent process is
compromised—say, via a sophisticated prompt injection or a malicious package—those stored credentials can be
hijacked by the agent to sign off on a malicious commit. If it passes the automated CI/CD tests, it merges.

How do we prove that "real eyes" actually reviewed critical code before it hits production?

### The Proposed Defence Layer

I'm working on integrating a zero-trust developer confirmation model for critical commits that is cryptographically tied
to physical reality. To actually trust an agent's output, the human sign-off needs to be:


- **Biometrically Verified:** Fast, low-friction validation (e.g., WebAuthn/Passkeys via TouchID/FaceID) that proves a
  living, authorized developer is actively at the glass, signing the specific commit hash.
- **Temporally Verified:** Ensuring the human approval happens precisely at the moment of the commit window to eliminate
  replay attacks or asynchronous approvals.
- **Geophysically Verified:** Confirming the physical location/telemetry of the developer aligns with expected trusted
  boundaries at the time of signing.
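
An added example, not code from `coding-ethos` or the original post: a minimal server-side check for a WebAuthn-style sign-off that binds the approval to one commit hash, a one-time challenge and a short time window. `RP_ID`, `ORIGIN`, `MAX_AGE_S` and the `verify_sig` callback (a stand-in for public-key verification by a WebAuthn library) are assumptions, and the location check is not modelled.

```python
import base64, hashlib, json, os, time

RP_ID = "signoff.example"           # assumed relying-party ID (hypothetical)
ORIGIN = "https://signoff.example"  # assumed origin of the approval page
MAX_AGE_S = 120                     # assumed length of the commit window
NEED = 0x01 | 0x04                  # authenticatorData flags: UP and UV bits
_pending = {}                       # challenge -> (commit_hash, issued_at)


def issue_challenge(commit_hash, now=None):
    """Mint a random challenge and record which commit it may approve."""
    challenge = os.urandom(32)
    _pending[challenge] = (commit_hash, time.time() if now is None else now)
    return challenge


def check_signoff(commit_hash, client_data_json, auth_data, signature,
                  verify_sig, now=None):
    """Return (accepted, reason) for one WebAuthn assertion."""
    now = time.time() if now is None else now
    # WebAuthn signs authenticatorData || SHA-256(clientDataJSON).
    signed = auth_data + hashlib.sha256(client_data_json).digest()
    if not verify_sig(signed, signature):
        return False, "bad signature"
    try:
        client = json.loads(client_data_json)
        raw = client["challenge"]  # base64url without padding
        challenge = base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4))
    except (ValueError, KeyError, TypeError):
        return False, "malformed clientDataJSON"
    if client.get("type") != "webauthn.get" or client.get("origin") != ORIGIN:
        return False, "wrong ceremony type or origin"
    entry = _pending.pop(challenge, None)  # pop: each challenge works once
    if entry is None:
        return False, "unknown or replayed challenge"
    bound_commit, issued_at = entry
    if bound_commit != commit_hash:
        return False, "approval is for a different commit"
    if not 0 <= now - issued_at <= MAX_AGE_S:
        return False, "outside commit window"
    rp_hash = hashlib.sha256(RP_ID.encode()).digest()
    if len(auth_data) < 37 or auth_data[:32] != rp_hash:
        return False, "wrong relying party"
    if auth_data[32] & NEED != NEED:  # byte 32 holds the flags
        return False, "user not verified"
    return True, "ok"
```

Because the challenge is consumed on first use and is tied to a single commit hash, a captured assertion cannot approve a later or different commit, and an assertion without the user-verified flag is rejected even when its signature is valid.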


### The Problem

When an autonomous agent proposes a critical architectural change, a green checkmark from a CI pipeline isn't enough. It
needs to be an un-spoofable human assertion, but it also can't be so high-friction that developers just blindly spam
their fingerprint reader out of "reviewer fatigue."

I'm currently trying to take this from a design pattern into a live architecture within `coding-ethos`, but I want a
sanity check from this sub:


- How are your AppSec teams drawing the line between automated policy enforcement and hard human sign-off for
  AI-generated code?
- Has anyone started integrating biometric auth directly into pre-commit/pre-push git hooks for critical branch merges?
- What are the obvious bypasses to this triad (Biometric/Temporal/Geophysical) that I am missing in my threat model?


I would love to hear your thoughts or see if anyone else is building in this exact IAM/AppSec intersection.


---

*Originally published 2026-05-21 —
[LinkedIn](https://www.linkedin.com/feed/update/urn:li:activity:7463256842350022656/). Canonical version at
<https://patrickaudley.com/#post-human-signoff-for-agentic-code>. Author:
[Patrick Colm Audley](https://patrickaudley.com/).*
