Likelihood: MODERATE
Impact: HIGH
Treatment: MITIGATE
Confidence: Moderate
Prompt injection in AI coding agents is a documented, actively researched attack class with proof-of-concept exploits in the wild, but confirmed exploitation of production pipelines remains unverified — placing likelihood at moderate rather than high. Impact is high because a successful attack targets the software supply chain at the build layer, creating pathways to credential theft, malicious code injection into production artifacts, and CI/CD pipeline compromise — consequences that extend far beyond the initial agent session.
Treatment rationale: The threat targets a controllable attack surface — AI agent permissions, audit logging, and pipeline integration scope — all of which can be reduced through the vendor-shipped controls (Claude Code v2.1.201 manual-first approvals, Copilot enterprise audit logging) and internal governance, making mitigation both actionable and proportionate to the risk level.
Third-Party / Supply-Chain Risk
Both Anthropic Claude Code and GitHub Copilot are third-party SaaS/agent platforms integrated directly into internal development pipelines; per NIST SP 800-161, these represent external system dependencies where the organization has limited visibility into the agent's reasoning layer and must trust vendor-defined permission enforcement boundaries. Organizations running multi-tenant shared development environments (e.g., shared CI/CD runners, shared repositories) face lateral exposure if one agent session is manipulated. Vendor patch cadence and permission model changes are outside direct organizational control.
Loss Exposure (illustrative)
Magnitude: High — illustrative $500K–$5M per incident, reflecting pipeline remediation, incident response, potential software recall or patching of shipped artifacts, and reputational impact with enterprise customers
Frequency: For an organization actively using AI coding agents in CI/CD without current mitigating controls, illustrative frequency is 1 event per 3–5 years given current exploitation status; organizations already deploying vendor-shipped controls reduce this materially
Annualized: Illustrative ALE: approximately $100K–$1.7M annualized, derived from mid-range loss magnitude (~$2.75M) multiplied by illustrative frequency (0.2–0.33 events/year) — treat as order-of-magnitude framing only
Basis: Loss magnitude driven by: CI/CD pipeline compromise incident response costs (forensics, rebuild, validation), potential cost of auditing and remediating shipped code artifacts that may contain injected logic, and reputational/contractual exposure with enterprise software customers. Frequency calibrated to documented-but-unconfirmed exploitation status and the fact that mitigating controls now exist from both vendors. No third-party actuarial data cited.
Illustrative estimate — not actuarially derived.
Insurance / Contractual / Legal — Potential Obligations
Potential triggers, not legal determinations. Verify with counsel/broker before acting.
• If AI agent manipulation results in unauthorized access to application secrets or credential stores, this may constitute a security incident triggering cyber insurance notice obligations — verify with broker before assuming coverage applies.
• Introduction of malicious code into production software artifacts via a compromised AI coding agent may invoke software supply-chain liability clauses in customer contracts or vendor agreements — verify with counsel.
• If compromised CI/CD pipelines expose customer data or regulated information, breach-notification obligations under applicable privacy frameworks may be triggered — verify with counsel as to jurisdiction, data types, and applicable deadlines.