
AI Agents Are Getting Autonomous — Here's How to Not Lose Control

Tags: ai, software-engineering, productivity, opinion, developer-tools

At QCon London 2026, Birgitta Böckeler from Thoughtworks gave a talk titled State of Play: AI Coding Assistants — a one-year retrospective since QCon 2025, when "vibe coding" was only two months old and Claude Code hadn't shipped yet.

A lot has changed. But the core tension hasn't: AI agents are getting more autonomous, and most teams aren't ready for that.

Here's what stood out.


The New Layer: Context Engineering

When AI tools first showed up in developer workflows, the main skill was writing prompts. Then came prompt engineering — structuring those prompts carefully. Now there's something broader: context engineering.

The shift is about recognizing that the quality of AI output isn't just a function of what you say in a prompt. It's a function of everything the agent can see — and everything it can't.

Context engineering means actively managing that information surface:

  • Rules files (CLAUDE.md, AGENTS.md): reusable instructions that persist across sessions, so you don't repeat yourself every time
  • Skills: modular instruction sets loaded lazily — only when needed — to avoid bloating the context window with irrelevant guidance
  • Subagents: the main agent can spawn child agents for research or parallel code review, so different agents handle different scopes without interfering
  • MCP servers and CLI tools: giving the agent real tools to act with, not just knowledge to reason from

The mental model is: you're not just prompting the AI, you're curating its operating environment. Bad context → bad output, no matter how good the model is.


More Autonomy, More Risk

Here's where the talk gets uncomfortable.

As agents become more autonomous — able to browse the web, read files, call APIs, write and execute code — the blast radius of a mistake (or a manipulation) grows proportionally.

Prompt Injection

When an agent can read untrusted content from the environment (a web page, a document, a user input), that content can contain instructions designed to hijack the agent's behavior. The agent follows the injected instruction instead of your original intent.

Simon Willison describes the Lethal Trifecta: when an agent has access to untrusted content, to private data, and to a channel for communicating outward, you have a serious problem. Any one of these alone is manageable. All three together are a significant security risk — especially in open-source projects, where secrets can leak.
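One way to turn the trifecta into a gate a team can run before an agent is deployed, as an added example (not from the talk or the post): each tool is classified into the capability classes it grants, and any agent or subagent whose tool set completes all three is flagged together with the cheapest class to remove. The tool catalogue and agent names are hypothetical, constructed for this example.

```python
from dataclasses import dataclass, field

# The three capability classes of Willison's Lethal Trifecta, as summarized above.
UNTRUSTED = "reads_untrusted_content"
PRIVATE = "reads_private_data"
OUTBOUND = "communicates_outward"
TRIFECTA = frozenset({UNTRUSTED, PRIVATE, OUTBOUND})

# Hypothetical tool catalogue (constructed for this example): each MCP server or
# CLI tool an agent may call, mapped to the capability classes it grants.
TOOL_CAPABILITIES = {
    "web_fetch": {UNTRUSTED},
    "read_repo_files": {UNTRUSTED},    # repo contents can carry injected text
    "read_env_secrets": {PRIVATE},
    "http_post": {OUTBOUND},
    "git_push": {OUTBOUND},
    "run_linter": set(),
}

@dataclass
class AgentConfig:
    name: str
    tools: list
    subagents: list = field(default_factory=list)

def tool_caps(tool):
    # Unknown tools fail closed: assume they grant every class until classified.
    return TOOL_CAPABILITIES.get(tool, TRIFECTA)

def audit(agent):
    """(agent, class to drop, tools granting it) for each agent that completes the trifecta."""
    findings = []
    caps = set().union(*map(tool_caps, agent.tools))
    if TRIFECTA <= caps:
        by_class = {c: sorted(t for t in agent.tools if c in tool_caps(t)) for c in TRIFECTA}
        # Cheapest way to break the trifecta: remove the class backed by the fewest tools.
        weakest = min(by_class, key=lambda c: (len(by_class[c]), c))
        findings.append((agent.name, weakest, by_class[weakest]))
    for sub in agent.subagents:          # each subagent has its own scope and tool set
        findings.extend(audit(sub))
    return findings

# Constructed configuration: a coding agent with a research and a review subagent.
EXAMPLE = AgentConfig(
    "main", ["web_fetch", "read_repo_files", "read_env_secrets", "git_push", "http_post"],
    subagents=[
        AgentConfig("researcher", ["web_fetch", "http_post"]),       # untrusted + outbound only
        AgentConfig("reviewer", ["read_repo_files", "run_linter"]),  # untrusted only
    ],
)
```

Running `audit(EXAMPLE)` flags only the main agent and points at `read_env_secrets` as the single tool whose removal breaks the trifecta; both subagents pass because each holds at most two of the three classes.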

The Cost Problem

Autonomy also has a dollars-and-cents dimension. In 2024, running AI-generated code cost roughly 12 cents per 100 lines. Today, some developers report spending $380 per day on AI tooling — equivalent to ~$91,200 per year. That's close to a full developer salary.

At that cost, "just let the AI figure it out" isn't a productivity strategy. It's an uncontrolled spend line that needs its own governance.


Harness Engineering: Building the Safety Net

The answer Böckeler proposes isn't to slow down or avoid autonomous agents. It's to build a harness — a deterministic safety net around the AI that catches mistakes before they land in production.

The harness has two sides:

Feedforward: Help the AI get it right the first time

  • Conventions documents
  • How-to guides and runbooks
  • CLI scripts and wrapper tools the agent can call
  • Clear coding standards the AI can reference before generating

The goal: reduce the error rate at the source. The better the feedforward, the less correction you need downstream.

Feedback: Catch mistakes automatically

  • Static analysis
  • Structural tests (tools like ArchUnit or dependency-cruiser)
  • Linters configured to fail loudly
  • Customized error messages that tell the agent what to do next, not just that something broke

This is the key insight: deterministic CPU-based tools (linters, type checkers, test runners) combined with probabilistic GPU-based AI inference create a system that's more reliable than either alone. The AI can reason about ambiguity; the deterministic tools catch the errors that are unambiguous.
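A minimal feedback-side harness check in the spirit of the structural tests and customized error messages listed above, written as an added example (not from the talk, and not ArchUnit or dependency-cruiser): it parses Python imports deterministically, enforces one layering rule, and phrases each violation as the next step the agent should take. The package layout, file contents and rule are constructed for this example.

```python
import ast

# Constructed sources for this example; a real harness reads them from disk.
SOURCES = {
    "shop/domain/order.py": (
        "from shop.infrastructure.db import save_row\n"
        "def place(order):\n"
        "    save_row(order)\n"
    ),
    "shop/domain/pricing.py": "import math\n",
    "shop/infrastructure/db.py": "def save_row(row):\n    pass\n",
}

# Layering rule: (importing layer, imported layer) pairs that must not occur.
FORBIDDEN = {("shop.domain", "shop.infrastructure")}

def imported_modules(source):
    """Modules a Python file imports, found by parsing the AST, never by running it."""
    mods = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            mods.extend(alias.name for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            mods.append(node.module)
    return mods

def layer_of(module):
    """'shop.domain.order' -> 'shop.domain' (top two components name the layer)."""
    return ".".join(module.split(".")[:2])

def check_layers(sources):
    """One message per violation, phrased as the next step for the agent; [] when clean."""
    messages = []
    for path, src in sources.items():
        here = layer_of(path[:-len(".py")].replace("/", "."))
        for mod in imported_modules(src):
            there = layer_of(mod)
            if (here, there) in FORBIDDEN:
                messages.append(
                    f"{path}: imports '{mod}', but {here} must not depend on {there}. "
                    f"Next step: declare a port (interface) inside {here} and have the "
                    f"application layer inject the {there} implementation; do not add "
                    f"an exception to this rule."
                )
    return messages

if __name__ == "__main__":
    import sys
    problems = check_layers(SOURCES)
    print("\n".join(problems) or "layering OK")
    sys.exit(1 if problems else 0)   # fail loudly so CI (and the agent) see it
```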


The Goldilocks Speed Problem

There's a pressure in AI-assisted development to move faster — faster than is actually safe.

Böckeler calls this the Goldilocks Speed question: how fast is fast enough, and how fast is too fast? When organizations push for maximum speed, developers skip review. Code quality degrades. Incidents happen.

Amazon had a well-publicized case where AI-generated code made it to production and caused an incident. The fix was simple: add a senior engineer review gateway before anything AI-generated ships.

That's not anti-AI. That's engineering.

The point isn't to slow AI down to human speed. It's to match the speed of AI generation with appropriate quality gates — not no gates.


The Question Every Team Should Answer

Before handing autonomous agents real authority in your system, Böckeler suggests asking:

How good are our automated safety nets right now?

Not "are we planning to build them?" — are they in place, tested, and actually catching things?

If your CI pipeline can't reliably catch a bad merge today, giving an autonomous agent write access tomorrow is going to surface that gap in the worst possible way.

The good news: improving your safety nets is valuable regardless of AI. Better tests, better linters, better architecture guardrails — these make your codebase better for humans too. And if you're going to use AI to help you build them, that's one of the highest-leverage things you could ask it to do.


What This Means in Practice


Summary and Key Takeaways

✅ Context engineering means actively managing what the agent sees — rules files, skills, subagents, and tools
✅ More autonomy = larger blast radius; prompt injection and secret leakage are real risks, not theoretical
✅ The Lethal Trifecta: untrusted content + private data + outbound communication = high security risk
✅ AI costs can reach $380/day — autonomy without cost governance is a liability
✅ Harness engineering = feedforward (help AI get it right) + feedback (catch mistakes deterministically)
✅ Deterministic tools (linters, type checkers, tests) combined with AI inference are more reliable than either alone
✅ Match generation speed with appropriate quality gates — the answer isn't no gates, it's right-sized gates


Final Thought

The framing that keeps showing up in this space — across research on how professional developers actually work, across talks like this one — is the same: AI agents are powerful junior collaborators, not autonomous senior engineers.

A junior collaborator who has access to production databases, can send emails on your behalf, and can push to main — without any guardrails — is a liability, not an asset.

The organizations doing this well aren't the ones moving the fastest. They're the ones who built the safety net first, then let the AI run inside it.

That's the engineering. The AI just makes it worth doing faster.
