This is something that has bothered me for quite a while, and I don't see a lot of people talk about it: agents, in most cases, impersonate the human operator, by design, with no way to enforce, disclose, or control it. I believe this is causing an illusion of a human in the loop, and is not intentional, and should be discussed. For example: all commits, pushes, PRs, and PR comments are going to appear as the developer whether they wrote them or not. (You may have Co-authored-by, but not every