In cybersecurity, we’ve spent decades scanning code.
But the next decade will be defined by observing the developer.

AI is rewriting the software development lifecycle, enabling unprecedented speed—and unprecedented risk. As human and machine developers work side by side, a new blind spot is emerging: context.
Who wrote this? Why? Was it safe? Was it authorized?

Most cybersecurity tools treat code as a static artifact.
But real software risk starts earlier—at the moment of authorship.

To secure software—we must secure the developer.

The Fifth Pillar of Security: Developers

Developers are no longer just implementers of logic.
They are the architects of modern digital infrastructure—working with AI agents, LLMs, and automated tools that accelerate delivery but also increase complexity and risk.

Yet in most security stacks, developers remain invisible.

• SBOMs show what’s in the code—but not who put it there.
• Scanners detect misconfigurations—but not misaligned access or AI-authored mistakes.
• DevSecOps automates enforcement—but often without context on the human (or nonhuman) actor involved.

The result? Security leaders are flying blind.

A wave of recent incidents confirms this. From prompt injection vulnerabilities in GitLab Duo that allowed attackers to exfiltrate source code, to widespread developer resistance undermining shift-left strategies, it’s clear: security solutions that ignore developer context aren’t just outdated—they’re dangerous.

What’s missing is a system of record that ties developer identity, behavior, and context to software creation—from commit to deployment. That means visibility into how code is authored, how AI is used, and how security posture evolves over time. 

This is the core of what Archipelo calls Developer Security Posture Management (DevSPM).

DevSPM: Observability at the Developer Layer

DevSPM introduces a new paradigm: security rooted in authorship.

• Observe developer and AI activity across the SDLC
• Detect anomalies in behavior, identity, and contribution
• Map security policy to the actor—not just the artifact
• Flag untrusted developer actions before code is committed

By giving security teams visibility into who changed what, when, and why, DevSPM closes the accountability gap in modern software development.

This isn’t just about hygiene.
It’s about catching risks that scanners can’t—like unauthorized AI-generated code or secrets exposed via hidden prompts, as seen in the GitLab Duo exploit.

From Reaction to Prevention

Traditional security starts at the perimeter.
DevSPM starts at the source.

With DevSPM:

• Risk is identified before the code is pushed
• Insider threats and unauthorized AI usage are surfaced
• Developers become partners—not bottlenecks—in security

Organizations have tried to shift left—only to drown in false positives and DevSecOps fatigue. The 2025 shift-left report confirms the growing tension: security adoption is high, but execution is failing.

DevSPM doesn’t shift left. It shifts deeper—embedding observability into developer actions and decision-making, not just artifacts.

This is not about slowing teams down. 

This isn’t about slowing anyone down.
It’s about empowering velocity through visibility.
When developers understand their security impact—and security teams understand developer risk—organizations move faster, and safer.

We see this kind of alignment in high-performance fields like professional sports, where every move is tracked, analyzed, and refined—not to punish, but to improve.
So why, in software—a domain that powers our infrastructure, economy, and lives—do we still tolerate blind spots?

Archipelo: Pioneering Developer Security

Archipelo created the DevSPM category to solve a critical problem:
Software is scaling faster than security can follow—and AI is accelerating the gap.

As highlighted in the KuppingerCole EIC Summit 2025, traditional IAM and AppSec tools are no longer equipped to manage non-human identities, secrets sprawl, or the unpredictable nature of AI-generated contributions.

DevSPM treats AI agents as first-class actors in the security model—monitoring authorship, behavior anomalies, and risk posture in real time.

Prompt injection. Secrets sprawl. Shadow AI.
These aren’t edge cases—they are the new normal of software creation.

That’s why Archipelo built DevSPM with capabilities like:

• DevSIEM for security telemetry tied to developer events
• DevDR for developer-centric incident response
• AI Code Usage & Risk Monitoring to observe how AI tools are used, misused, or misunderstood

We don’t just log events.
We observe the developer—human or AI.

By integrating developer identity, behavior, and risk into the security stack, Archipelo gives enterprises a new foundation for trust—rooted in the people and systems building the future.

Because the most powerful shift in cybersecurity isn’t just about what we secure.
It’s about who.

Ready to See DevSPM in Action?

Discover how Archipelo gives you real-time visibility into human and AI developer risk—before code is committed.

Book a live demo with our DevSPM experts today.

Co-Author: Kacper Skawinski