For years, the challenge in software security and governance hasn’t been knowing what to do, but instead scaling that knowledge across fast-moving teams. At Sonatype, we invested heavily in solving that through contextual policy. Not just rules, but rules that understood intent. Rules that prioritized based on usage, risk, and relevance, and turned raw security data into actionable, in-context decisions.
Why? Developers were drowning. And without smart, contextualized guardrails, security at scale was dead on arrival. But now, we’ve hit an inflection point.
We Built Guardrails for Humans. Now There Are No Humans.
The rise of Agentic AI, or autonomous systems capable of coding, testing, building, and deploying software, means we are rapidly entering a world where there’s no human in the loop. These agents don’t file tickets, wait for approvals, or post in Slack asking, “Is this license okay?” They just go. Fast.
This is both the power and peril of agentic systems. While humans might have absorbed tribal knowledge about what’s acceptable (“we never ship GPL to customers” or “ignore CVE-2022-XXXXX if it’s unreachable”), agents don’t operate on lore or Slack threads. They don’t benefit from mentorship or instinct. Agentic tools operate purely on what is explicitly encoded in the systems that guide them.
And that brings us back to policy.
In the Agentic World, If It’s Not in Policy, It Doesn’t Exist
Contextual policy, as we’ve built it at Sonatype, was always about more than checklists. It was about encoding real-world, real-time judgment into a system that could make the right decision, even without human intervention.
That used to mean helping a developer prioritize the one vulnerability out of 50 that actually mattered. Or flagging a license violation that was relevant in this deployment context, not just in general. It meant empowering humans with smart,