Agentic Posture Visibility: Know Every Agent Before You Trust It

Frank Lyonnet

Coding agents are becoming part of the software delivery surface. They read repositories, call tools, open shells, install packages, touch credentials, and connect to services. That makes them useful. It also makes them a new class of endpoint.

The first security problem is not yet a verdict problem. It is a knowledge problem.

Before a team can decide whether an agent behaved safely, it has to answer simpler questions: which agents exist on this machine, which ones are actually observed, which Model Context Protocol (MCP) servers and tools they can reach, which files and networks they touched, and whether they are wrapped in a governance harness at all.

That is the purpose of Agentic Posture Visibility in EDAMAME. It is the deterministic, no-LLM visibility layer for coding agents. It gives the user local knowledge first, then rolls the same observations up to EDAMAME Hub so the organization can see the fleet and enforce policy.

Why visibility comes before security verdicts

Agentic security often jumps directly to the dramatic question: did the agent diverge from the user's intent, or did it behave like a compromised process? Those questions matter, and they are the job of Agentic Security: divergence scoring, attack-pattern findings, and automatic isolation when a host becomes unsafe.

But a CISO cannot start there. The practical starting point is coverage.

  • Is Cursor present on this workstation?

  • Is Claude Code running with an active observer?

  • Which MCP servers are configured?

  • Which tools, files, and destinations can this agent reach?

  • Is the agent confined, or can it reach too much of the host?

  • Is it fitted with a governance harness such as AgentField or Rippletide?

These are not model questions. They are structural questions. EDAMAME answers them without asking a language model to interpret the agent. It observes the endpoint, builds the inventory, and gives the operator a plain view of what exists and what can happen from that machine.

The local view: knowledge for the user

On a developer workstation or agent host, Agentic Posture Visibility starts with an inventory. Every supported agent appears with a status: discovered, observing, or paused. That distinction matters. An agent found on disk but not actively observed is not invisible; it is a finding.

From there, the user can inspect the agentic surface around the machine:

  • Agent inventory. Cursor, Claude Desktop, Claude Code, Codex, OpenClaw, and other supported agent surfaces are listed so the user knows what is present.

  • MCP servers and tools. EDAMAME inventories the tool surface each agent can call: local servers, transports, commands, URLs, and risk classifications.

  • Capability graph and trust zones. The view shows what each agent can reach, not just that it exists. This is where over-provisioned reach becomes visible.

  • Agent SBOM drift. The agent supply chain - plugins, skills, MCP servers, models, and tool components - is projected into a CycloneDX-style inventory and compared with the approved baseline.

  • Blast radius and harness coverage. EDAMAME identifies unconfined agents, sorts the host exposure by danger, and flags agents that are present without a governance harness.

  • Flight Recorder. The user gets a structural history of system, network, tool, file, and communication activity, so an agent run is not reduced to a vague safe or unsafe badge.

This is intentionally a user-facing feature. A developer should be able to look at the machine and understand the agentic posture before a central team asks them to fix anything. That is consistent with EDAMAME's user-up model: the endpoint is not a silent object managed from above; it is where the evidence is produced and where remediation often starts.

The fleet view: the same facts become posture checks

Local knowledge is useful to the developer. It becomes security leverage when it rolls up to the organization.

Agentic Posture Visibility converts local observations into ordinary posture checks in EDAMAME Hub. There is no separate agent-console tax and no new workflow for the CISO to learn. The same score, Security Checks catalog, endpoint detail view, Security Score events, and Engagement escalations can carry agentic posture.

Examples of checks include:

  • Agents without a harness. Agents are present on the host, but no governance harness or control plane is detected. Supported harnesses include Rippletide and AgentField.

  • Agents with high blast radius. An unconfined agent has dangerous host reach, amplified by local privileges or sensitive subprocess usage.

  • Agent SBOM drift. A new MCP server, tool, model, secret binding, or instruction file appears outside the approved baseline.

  • Unsecured agent observers. A supported agent is discovered, but observation is paused or missing.

That is the bridge from local knowledge to fleet posture. The individual user gets understanding. The security team gets coverage, exceptions, escalation, and policy.

Policy: only trusted agent hosts reach code and secrets

Once agentic posture is expressed as Hub policy, Zero Trust becomes concrete.

A simple example: only endpoints whose coding agents are fitted with an approved governance harness should be allowed to access code and secrets. If a workstation has Cursor, Claude Code, or OpenClaw present but no harness coverage, it should not keep the same reach into GitHub, the IdP, cloud consoles, package registries, internal repositories, or secret-backed services.

That policy can be written in plain operational terms:

Allow access to code and secrets only from endpoints whose agents are observed, whose blast radius is acceptable, whose agent supply chain matches the approved baseline, and whose agent is fitted with an approved harness.

EDAMAME Hub already enforces posture-gated conditional access through provider allow-lists and identity integrations. Agentic Posture Visibility extends the evidence feeding that decision. The access decision is no longer just: is the device healthy? It becomes: is the device healthy, and is the agentic surface on that device governed?
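As an added illustration of how the fleet checks listed above (agents without a harness, high blast radius, SBOM drift, unsecured observers) combine into the gating rule just stated, the following Python is example code written for this post, not EDAMAME's own implementation. The record fields, the blast-radius rule, the component names and versions, and the agent entries are all constructed assumptions; only the harness names Rippletide and AgentField and the status vocabulary come from the text.

```python
"""Posture checks for coding agents on one endpoint, then the access decision.

Added example, not EDAMAME's code. Every field, rule and sample value below is
a constructed assumption chosen to mirror the checks described in the post.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    """One agent supply-chain entry (plugin, skill, MCP server, model, tool)."""
    kind: str
    name: str
    version: str


@dataclass(frozen=True)
class AgentPosture:
    """Structural facts an endpoint inventory would record for one agent (assumed shape)."""
    name: str
    status: str                    # "discovered" | "observing" | "paused"
    harness: str | None            # detected governance harness, None if absent
    confined: bool                 # True if sandboxed; False if it can reach the host freely
    elevated_privileges: bool      # runs with local admin/root-level rights
    sensitive_subprocesses: bool   # spawns shells, package managers, credential helpers
    components: frozenset[Component]


# Harnesses the post names as supported; treated here as the approved set.
APPROVED_HARNESSES = frozenset({"Rippletide", "AgentField"})


def sbom_drift(agent: AgentPosture, baseline: frozenset[Component]) -> frozenset[Component]:
    """Components present on the agent that are not in the approved baseline."""
    return agent.components - baseline


def blast_radius(agent: AgentPosture) -> str:
    """Assumed ranking: confined is low; unconfined is high when amplified, else medium."""
    if agent.confined:
        return "low"
    if agent.elevated_privileges or agent.sensitive_subprocesses:
        return "high"
    return "medium"


def posture_findings(agents: list[AgentPosture], baseline: frozenset[Component]) -> list[str]:
    """Deterministic findings, one string per failed check, in inventory order."""
    findings: list[str] = []
    for agent in agents:
        if agent.status != "observing":
            findings.append(f"unsecured-observer:{agent.name}:{agent.status}")
        if agent.harness not in APPROVED_HARNESSES:
            findings.append(f"no-harness:{agent.name}")
        if blast_radius(agent) == "high":
            findings.append(f"high-blast-radius:{agent.name}")
        for c in sorted(sbom_drift(agent, baseline), key=lambda c: (c.kind, c.name, c.version)):
            findings.append(f"sbom-drift:{agent.name}:{c.kind}/{c.name}@{c.version}")
    return findings


def allow_code_and_secrets(agents: list[AgentPosture], baseline: frozenset[Component]) -> bool:
    """The post's rule: access only when every agent on the endpoint passes every check."""
    return not posture_findings(agents, baseline)


# Constructed sample data: one approved baseline and two agents on the same host.
BASELINE = frozenset({
    Component("mcp-server", "github", "1.4.0"),
    Component("model", "example-model", "2026-01"),
})
CURSOR = AgentPosture("Cursor", "observing", "Rippletide", True, False, False, BASELINE)
CLAUDE_CODE = AgentPosture(
    "Claude Code", "discovered", None, False, True, True,
    BASELINE | {Component("mcp-server", "shell-runner", "0.3.1")},  # drift: not in baseline
)

if __name__ == "__main__":
    for finding in posture_findings([CURSOR, CLAUDE_CODE], BASELINE):
        print(finding)
    print("allow:", allow_code_and_secrets([CURSOR, CLAUDE_CODE], BASELINE))
```

Note that a single failing agent denies the whole endpoint: the rule in the post is about the host's agentic surface, so one discovered-but-unobserved agent with no harness is enough to withdraw reach into code and secrets until its posture is corrected.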

This is the useful form of Zero Trust for coding agents. It does not ask the organization to ban tools that developers already use. It says: use them, but know which ones exist, know what they can reach, require harness coverage, and remove access when the posture no longer holds.

Security is the second layer: verdict and response

Visibility is not the end of the story. It is the precondition for the security layer.

Agentic Security uses the endpoint evidence to answer a different question: did the agent's behavior diverge from its declared intent, or did it match an attack pattern such as credential harvest, token exfiltration, sensitive-file access, suspicious subprocess execution, or anomalous egress?

When a divergence verdict or attack-pattern finding lands, EDAMAME Hub can degrade the device score and isolate the compromised agent host from IdP and provider allow-lists. That response should be conservative and evidence-backed, but it should not be manual by default when the finding is critical. A compromised agent host should lose the ability to keep reaching code and secrets while a human is still opening the ticket.

This is why the two pillars should stay separate in the product and in the buyer's mind:

  • Agentic Posture Visibility tells you what agents exist, what they can reach, whether they are observed, whether they are fitted with a harness, and how that posture looks across the fleet.

  • Agentic Security tells you when the agent or host is behaving dangerously, and gives the organization a response path: isolate, escalate, inspect the evidence, and restore access when the posture is corrected.

Why this matters in 2026

The timing is not accidental. AI capabilities have reached the point where agents can do real work across the SDLC. Attackers have also operationalized the same speed: malware is cheaper to generate, package ecosystems are flooded at industrial scale, and the first move after a successful supply-chain compromise is often token or credential theft from a developer workstation or runner.

Sonatype's 2026 State of the Software Supply Chain reports more than 454,600 new malicious packages discovered in 2025 and more than 1.233 million known malicious packages overall. OWASP has also formalized the problem space with the OWASP Top 10 for Agentic Applications 2026, covering risks such as Agent Goal Hijack, Agentic Supply Chain Vulnerabilities, Unexpected Code Execution, Identity and Privilege Abuse, and Rogue Agents.

The SDLC is expanding at the same time. It is no longer only developers and CI pipelines. It is developer workstations, CI/CD runners, self-hosted agent hosts, and the coding agents that operate across them. Security has to account for every endpoint of that SDLC, including the agents themselves.

Go fast without blind trust

The point of Agentic Posture Visibility is not to slow developers down. It is to remove blind trust from the agentic workflow so teams can keep moving.

A developer should be able to see which agents are on their machine and what each can reach. A security team should be able to see the same pattern fleet-wide. A CISO should be able to define a policy like "only endpoints with observed, harnessed agents can access code and secrets" and have that policy enforced through the existing Zero Trust fabric.

That is the sequence EDAMAME is building:

  1. Know locally. Inventory agents, MCP servers, tools, SBOM drift, blast radius, harness coverage, and history on the endpoint.

  2. See fleet-wide. Roll the same observations into EDAMAME Hub as posture checks, scores, events, and escalations.

  3. Enforce policy. Keep code and secrets reachable only from endpoints whose agentic posture satisfies the organization's trust rules.

  4. Respond when trust breaks. Use Agentic Security to isolate compromised agent hosts when divergence or attack-pattern findings appear.

Coding agents will keep getting more capable. The answer is not to pretend they are ordinary applications, and it is not to replace human workflows with a black-box guardrail. The answer is to make every agent visible, make its reach understandable, make its posture fleet-wide, and make access conditional on that evidence.
