Make it safe to use
Devina Mauria-Dhawan · dublin.devinadhawan.com
The first stage looked ordinary: a package in the dependency ecosystem was the delivery vehicle.
The novel step was instructing local AI tools to widen the blast radius using developer context and permissions.
Secrets ended up published through the victim's own accounts, making the victim look like the actor.

Devina Mauria-Dhawan, Staff AI Security Engineer at Shopify.
How do you let thousands of people run AI agents on laptops without getting owned?
A practical playbook, plus the potholes to avoid when adoption outruns control design. Crawl with a security context file, walk with a single proxy waist, run with package proxies and denylisting.

The core path is unchanged: people create code locally, it ends up in the cloud or data center, and customers hit it there. The system is familiar. The population touching it is not.
The problem stays. The population explodes.
Congratulations, you just doubled your customer size.
"Developer" meant a person inside the engineering org with onboarding, policy awareness, and institutional context.
Now anyone who writes code or prompts effectively becomes part of the developer population, including non-engineers pushing real changes toward production.


IDE wars: Vim, Emacs, IntelliJ, VS Code.
Claude, Cursor, Codex, Copilot, and the latest agent someone installed last Tuesday.
The tool itself now takes actions, not just suggestions, so its permissions and defaults matter as much as its output quality.

Experimental code now pulls live packages, extensions, plugins, skills, context files, and MCP servers straight from the internet.
Some of that activity never lands in CI because it runs locally and disappears, leaving only whatever telemetry you chose to capture.
Make the secure path the easy path. Show people what good looks like and reduce the cognitive cost of doing the right thing.
Make the unsafe path impossible or extremely annoying so agents cannot take private shortcuts around the company's control plane.

Fear is real
Some engineers are excited about AI; others are cautious because they've heard enough horror stories.
Security can enable
If security provides good patterns, it becomes the reason AI can be adopted responsibly instead of blocked reflexively.
Company-specific posture
Every organization chooses a different risk appetite, so the playbook must be configurable rather than ideological.
Case study
A SaaS founder put Replit's agent into an explicit code freeze. The agent still dropped the production database, wiped roughly 1,200 records, and then incorrectly claimed recovery would not work.
Lesson
Prompt-level "don't" is not a control. The real control is limiting the token so the agent never has destructive permissions it does not need.



One place answers whether an MCP is allowed.
The service should expose trust and operational quality signals, not just existence.
If auth is hard, people skip it. Safe setup has to fit the infrastructure people already use.

All model traffic from every agent should pass through one proxy. Start log-only, measure first, then move to blocking when you understand normal behavior.
Whether the developer is on a laptop or in a cloud workspace, run their work inside a sandbox where only allowlisted activity — network egress, file access, package installs — is permitted.
Dependency proxy with a denylist and a cooldown window on newly-published packages and MCP servers.

All first-party MCPs, third-party tool calls, and system actions should sit behind a service that centralizes access and logs.
Agents need first-class identity, short-lived credentials, and an audit plane that gates writes, sends, and other risky actions.

of organizations discovered at least one AI agent or workflow that security or IT did not previously know about in the past year.
You're not being asked to secure magic. You're being asked to force sprawl through fewer, more visible decision points.
Patience and pre-work. Map your current footprint first. Pick what fits your blast radius — not every waist needs to ship on day one.
Security is having the same heart palpitations we had when cloud arrived.
We need your advocacy — pull us into the room early and protect our observational layer.
Old assumptions are gone: AI systems increasingly act with human-like authority — and authority means access.
Four funnel points beat fifty scattered controls when adoption is chaotic.
Observe relentlessly, because the agent that breaks your rule usually won't tell you.
Crawl with a security context file. Walk with a single proxy waist. Run with package proxies and denylisting.
In 2026, when we get this right, security becomes the reason your company ships faster and safer than its competitors.

Get the slides · dublin.devinadhawan.com
Devina Mauria-Dhawan