Claude Code Security and the Identity Reckoning: Why the Real Risk in the AI Era Isn’t Code

By Ash K
Claude Code Security and the Identity Reckoning: Why the Real Risk in the AI Era Isn’t Code

When Anthropic unveiled Claude Code Security, markets reacted instantly. A tool capable of scanning full codebases, identifying vulnerabilities, and proposing fixes directly inside developer workflows felt like a shot across the bow for traditional application security vendors. If AI writes the code and AI fixes the code, what happens to static analysis, dependency scanning, and infrastructure-as-code security?

But beneath the market tremors lies a deeper shift. According to GitGuardian’s CEO, the real security battle in the AI era is no longer about code defects. It is about identities, secrets, and the sprawling authentication fabric that powers modern AI-driven systems.

Anthropic’s Announcement: A Wake-Up Call

Anthropic’s Claude Code Security positions itself as an AI-native secure coding companion. It scans entire repositories for vulnerabilities and leverages advanced reasoning models to suggest remediation directly within development pipelines.

In a world increasingly shaped by AI-generated code, this feels like an existential question for legacy code-scanning tools. If models become better at writing secure code by default, perhaps vulnerability density drops. Perhaps static scanners become less critical.

That assumption, GitGuardian argues, is dangerously incomplete.

The Shift from Code to Identity

Eighteen months ago, GitGuardian was investing heavily in SAST, SCA, and infrastructure security initiatives. But as AI tooling began reshaping development workflows, the company made a strategic pivot. It stepped back from expanding traditional code scanning efforts and focused instead on what it saw as the larger and more durable risk: secrets sprawl and non-human identity governance.

The reasoning is blunt. AI systems do not merely generate code. They require access. They need API keys, service accounts, OAuth tokens, vault credentials, and machine identities to retrieve data and perform actions. As the number of agents increases, so does the number of credentials embedded across repositories, pipelines, and endpoints.

The problem is not that developers hardcode secrets anymore. The paradigm has shifted. AI agents now operate with broad access levels across systems, often orchestrated by users who are not traditional engineers. The more capable the agent, the more secrets it needs. And the more secrets exist, the more they leak.

Secrets Detection at Scale

GitGuardian positions itself as the market leader in secrets detection, capable of scanning data at speeds of 50 MB per second per core across more than 30 different data sources. That includes not just source code repositories, but messaging platforms, ticketing systems, container registries, and more.

Its upcoming State of Secrets Sprawl report indicates that AI-generated commits increased tenfold over the past year. Interestingly, while AI-assisted commits initially contained more exposed secrets, that number began decreasing in late 2025, likely reflecting improvements in model training.

Yet the surface area continues to expand. Even as models improve, the volume of generated code and automation continues to rise. That alone changes the math.

Remediation: Where the Hard Work Begins

Detecting a leaked secret is the easy part. Rotating it safely is another story entirely. Secret remediation is rarely automated. It involves coordination across teams, understanding infrastructure dependencies, mapping blast radius, and ensuring that production systems do not fail when credentials are revoked.

GitGuardian has spent seven years building around that reality. A leaked API key is not just a line of text. It is an operational risk. If it belongs to a payment processor, a cloud account, or a production database, rotating it improperly can break live services.

This is why the company expanded into non-human identity governance. Its NHI governance platform provides visibility into where secrets exist, how they propagate across environments, and whether they are over-permissioned, unrotated, or replicated across vaults.

You Cannot Manage What You Cannot See

One of the recurring lessons from large enterprise customers is that point solutions do not scale. Enterprises want unified orchestration: integrations, notifications, analytics, RBAC controls, and centralized dashboards.

Managing identities in the AI era is not a GitHub-only problem. It touches SaaS vendors, internal tools, shadow IT experiments, and third-party providers. The identity footprint of an organization is often far larger than leadership assumes.

Agentic Security and the Expanding Attack Surface

GitGuardian describes agents as the combination of model, context, and the ability to act. The more context and capabilities an agent has, the more powerful it becomes. But both context and action require authentication.

This is where the threat landscape evolves. Agents do not enter organizations in a perfectly controlled manner. Departments experiment. SaaS vendors integrate AI features. Developers test automation frameworks. Each new agent often brings new credentials and access tokens into the ecosystem.

Managing that sprawl becomes exponentially harder when identities are ephemeral, distributed, and often invisible to traditional asset inventories.

Endpoints: The Overlooked Frontier

GitGuardian has also shifted attention toward endpoint security, particularly developer laptops. Sophisticated attacks such as NX/s1ngularity and Shai-hulud have demonstrated how local machines can serve as stepping stones into broader enterprise infrastructure.

The company’s local scanning and identity inventory tooling allows organizations to map which machines hold which secrets. Deployed through MDM platforms, the tool surfaces over-privileged credentials and production keys residing on developer endpoints.

HoneyTokens and Proactive Detection

Beyond detection and governance, GitGuardian is expanding its HoneyTokens capabilities. These decoy credentials act as tripwires, designed to trigger alerts when used maliciously. By supporting custom providers and large-scale deployment, the company aims to provide early breach detection in environments where traditional monitoring may lag.

The Road Ahead

Anthropic’s Claude Code Security highlights how AI can reduce vulnerabilities in generated code. That is a meaningful step forward. But cleaner code does not eliminate risk.

The modern intrusion rarely begins with a buffer overflow. More often, it begins with a valid login using a leaked token or mismanaged service account. As the old saying goes, attackers do not break in. They log in.

In the AI era, that login increasingly belongs to a non-human identity. Securing those identities, mapping their reach, and ensuring secrets are governed at scale may ultimately define whether AI becomes a net-positive force for enterprise security.

Credit: This analysis is adapted from a GitGuardian executive blog post reflecting on Anthropic’s Claude Code Security announcement and the evolving identity threat landscape.

Ash K
Ash K
Ashton is a seasoned Cybersecurity Professional with over 25 years of experience in Cybersecurity Research, Cybersecurity Incident response, Products and Security Solutions architecture.