
Your Platform Team Needs an Agent Policy — Yesterday
On March 3rd, an attacker compromised the Xygeni GitHub Action by poisoning a mutable tag. Every CI runner referencing xygeni/xygeni-action@v5 quietly started executing a reverse shell to a C2 server. The exposure window lasted a week. 137+ repositories were affected.

The root cause wasn't exotic. A GitHub App private key with overly broad permissions got compromised. Combined with a maintainer's personal access token, the attacker could create a PR and move the tag — no human review required.

This is what happens when automated actors run without governance. And it's about to get much worse.

Agents Are a New User Persona

Your platform team already manages identities for developers, service accounts, and CI bots. But AI agents are a fundamentally different category.

A developer reads docs, thinks, and opens a PR. A service account runs a fixed script. An AI agent does something in between — it reasons about what to do, then acts. It might create infrastructure, modify configurations,
Continue reading on Dev.to DevOps
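The tag-poisoning incident at the top of this excerpt worked because workflows referenced the action by a mutable tag. As an added example (not code from the original article or from Xygeni), here is a small check a platform team could run in CI to flag every `uses:` reference that points at a tag or branch instead of a full commit SHA; the workflow text and the 40-hex SHA below are constructed placeholders, not real repositories or commits.

```python
import re
from typing import List, Tuple

# Constructed sample workflow for demonstration only. The xygeni/xygeni-action@v5
# line mirrors the mutable-tag pattern from the incident; the 40-hex SHA is an
# obviously fake placeholder, not a real commit.
SAMPLE_WORKFLOW = """
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.1.1
      - uses: xygeni/xygeni-action@v5
      - uses: some-org/lint-action@main
      - uses: ./.github/actions/local-step
      - run: make test
"""

# Match the reference after `uses:`, stopping at whitespace, quotes or a comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(ref: str) -> str:
    """Return 'sha', 'mutable', 'local' or 'docker' for one `uses:` reference."""
    if ref.startswith("./"):
        return "local"   # composite action in the same repo; pinned by the repo commit itself
    if ref.startswith("docker://"):
        return "docker"  # image references need a digest check, out of scope here
    if "@" not in ref:
        return "mutable"  # no ref at all resolves to the default branch
    _, _, version = ref.rpartition("@")
    # Tags (v5, v4.1.1) and branches (main) can be moved; only a full SHA is immutable.
    return "sha" if SHA_RE.match(version) else "mutable"


def find_mutable_uses(workflow_text: str) -> List[Tuple[str, str]]:
    """List (reference, kind) for every `uses:` line that is not SHA-pinned."""
    return [(ref, kind) for ref in USES_RE.findall(workflow_text)
            if (kind := classify_ref(ref)) == "mutable"]


if __name__ == "__main__":
    for ref, kind in find_mutable_uses(SAMPLE_WORKFLOW):
        print(f"{kind}: {ref} (pin to a full commit SHA)")
```

A SHA pin does not stop a compromised maintainer from publishing a malicious release; it only guarantees that the commit your runner executes is the one you reviewed, so tag moves like the one above have no effect until someone deliberately bumps the pin.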




