What a security audit of 22,511 AI coding skills found lurking in the code
This matters because cloud-native tooling and platform engineering are reshaping how data teams build, deploy, and operate production data systems.
AI coding agents have spawned a new software supply chain, and a new study suggests the proliferation of new agents...
Editorial Analysis
AI coding agents are becoming infrastructure, and we're not treating them that way yet. The security audit's findings suggest these systems are generating code at scale without the governance frameworks we've built for human developers. For data engineering teams, this is particularly concerning because our codebases directly touch sensitive data pipelines, warehouses, and transformation logic. I've seen teams adopt dbt Cloud and modern orchestration tools partly because they enforce lineage tracking and version control—but AI agents often bypass these safeguards.
The architectural implication is clear: we need to treat AI-generated code like any third-party dependency, not as trusted output. This means implementing static analysis, code review gates, and supply chain attestation even for agent-generated transformations. The broader trend is that platform engineering teams must evolve from managing CI/CD pipelines to managing AI workflows as first-class software artifacts.
My recommendation is immediate: audit your current AI tooling usage, document which systems touch production data systems, and require agent outputs to flow through your existing code governance before deployment. The window to establish these controls before they become industry standard is closing quickly.