May 28, 2026 | Perspectives

Shift left wasn't enough. It's time to shift everywhere.

Security's shift left model assumed only developers made consequential technical decisions. That assumption is dead. Here's what needs to change.

For two decades, application security has been on a mission: move security earlier in the software development lifecycle. We called it shift left. We embedded SAST and SCA into CI/CD. We stood up secure coding training programs. We built champions networks inside engineering orgs. We measured mean time to remediate and bragged about it on conference panels.

And it worked. Not perfectly, but materially. The developers building your customer-facing applications today think about authentication, input validation, and secrets management in ways their predecessors didn't. The discipline took root.

Then the ground shifted underneath us.

The blast radius of “developer” just exploded

Here's the uncomfortable truth: shift left was built on an assumption that no longer holds. The assumption was that the people making consequential technical decisions, the ones who could introduce real risk into your environment, lived inside a definable engineering organization. You could find them. You could train them. You could put guardrails around their tools.

That assumption is dead.

Your finance analyst is building a Zapier workflow that pipes customer PII through three SaaS apps and an LLM to auto-categorize expense reports. Your sales ops manager spun up a Lovable app to track partner deals, complete with a public URL and a Supabase backend they configured by clicking “accept defaults.” A product manager in your marketing org just connected an AI agent to your CRM, your inbox, and a calendar, then handed it credentials and walked away.

None of these people went through your AppSec training. They never met your security champion. They have no idea what OWASP is, and frankly, they shouldn't have to. They're solving real business problems with tools that were explicitly designed to remove the friction of needing to know.

Vibe coding and agentic workflows didn't break the model. They revealed it was already broken.

The shift-left investment assumed a chokepoint. Code went through a pipeline. Pipelines had gates. Gates had owners. Owners could be held accountable.

Vibe-coded apps and self-service agentic platforms have no chokepoint. The “build” step is a chat prompt. The “deploy” step is a toggle. The “integrate with production data” step is an OAuth consent screen that most people click through faster than they read a cookie banner.

You can't shift left on something that has no left. There's no pipeline to instrument. The person writing the code is the person deploying the code is the person granting the credentials is the person who will never tell you any of this happened.

The real problem isn't tooling. It's behavior at scale.

If you spend any time looking at the data, you'll see the pattern. The risk isn't that someone built an app with a vulnerable dependency. The risk is that thousands of people across your company are making technical decisions (granting permissions, connecting data sources, exposing endpoints) with no mental model of what they're actually doing.

This is fundamentally a human problem. The tools got easier. The people didn't get more knowledgeable. The gap between “what's possible in three clicks” and “what's understood by the person doing the clicking” has never been wider, and it's growing every quarter.

You can't solve this with another scanner. You can't solve it with a policy doc that no one reads. You probably can't even solve it with training, because the population you'd need to train is now your entire workforce, and the half-life of any specific lesson is shorter than the gap between releases of the tools they're using.

Shift everywhere: what it actually means

Shifting everywhere isn't a slogan. It's a recognition that security has to meet people where they already are, in the moment they're making the decision, with context that's relevant to what they're actually doing.

Here's what that looks like in practice:

Discovery has to be continuous and exhaustive, not periodic and sampled. If you don't know that someone in finance just connected an AI agent to your accounting system, nothing else you do matters. The first job is visibility into what's actually happening across your workforce, not what your CMDB thinks is happening.

The intervention has to happen at the point of risk, not in a quarterly review. When someone grants an OAuth scope that exposes your customer database to a third-party AI, the conversation needs to happen then, with them, in a channel they actually use. Not three months later in an audit finding.

Education has to be embedded, not scheduled. Nobody is going to sit through a 45-minute video on agent security. But they will read a two-sentence Slack message that explains why the thing they just did matters, if it shows up at the right moment.

Accountability has to extend beyond engineering. The marketing team that connects an AI tool to your customer list owns that decision. The finance team that automates invoice approval through a no-code platform owns that decision. Security's job isn't to make those decisions for them. It's to make sure they understand they're making a decision at all.
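As an added example, not the post's own code, here is the kind of point-of-risk check the four practices above describe: detection logic run over a constructed consent-grant audit feed that flags grants of broad scopes to third-party apps, treats unverified publishers as the higher-risk case, skips malformed feed lines rather than stopping, and produces the two-sentence message meant for the channel the person already uses. The field names, scope names, the verified-publisher flag and the sample events are all assumptions; a real identity provider's consent log uses its own schema.

```python
"""Just-in-time review of third-party OAuth consent grants.

Added example, not code from the original post. It assumes a consent-grant
audit feed as JSON lines with the fields ts, user, app, publisher_verified
and scopes; those field names, the scope names and the sample events below
are all constructed for illustration.
"""
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Scopes that hand a third party standing access to customer, mail or
# financial data. Constructed names; real providers use their own.
HIGH_RISK_SCOPES = {
    "crm.contacts.read", "crm.contacts.write",
    "mail.read", "mail.send",
    "finance.ledger.read", "files.all",
}

# Constructed sample of what a consent-grant audit feed might look like,
# including one malformed line to exercise the skip path.
SAMPLE_EVENTS = """\
{"ts": "2026-05-28T16:02:11Z", "user": "alice@example.com", "app": "Expense Categorizer AI", "publisher_verified": false, "scopes": ["mail.read", "crm.contacts.read"]}
{"ts": "2026-05-28T16:05:40Z", "user": "bob@example.com", "app": "Calendar Sync", "publisher_verified": true, "scopes": ["calendar.read"]}
{"ts": "2026-05-28T16:09:03Z", "user": "carol@example.com", "app": "Deal Tracker", "publisher_verified": false, "scopes": ["files.all", "profile"]}
not json at all
{"ts": "2026-05-28T16:11:27Z", "user": "dave@example.com", "app": "Sales Assistant", "publisher_verified": true, "scopes": ["crm.contacts.read"]}
"""


@dataclass
class Finding:
    user: str
    app: str
    risky_scopes: List[str]
    severity: str  # "high" for unverified publishers, otherwise "medium"


def assess(event: dict) -> Optional[Finding]:
    """Return a Finding when a grant includes a high-risk scope, else None."""
    risky = sorted(s for s in event.get("scopes", []) if s in HIGH_RISK_SCOPES)
    if not risky:
        return None
    severity = "medium" if event.get("publisher_verified") else "high"
    return Finding(event["user"], event["app"], risky, severity)


def review_consent_log(lines: Iterable[str]) -> List[Finding]:
    """Run assess() over a JSON-lines feed, skipping blank or malformed lines."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            # A broken line must not stop review of the rest of the feed.
            continue
        finding = assess(event)
        if finding is not None:
            findings.append(finding)
    return findings


def nudge_message(finding: Finding) -> str:
    """Two sentences, addressed to the person, fit for a chat channel."""
    scopes = ", ".join(finding.risky_scopes)
    first = f'You just connected "{finding.app}" with access to {scopes}.'
    if finding.severity == "high":
        second = ("That app is not from a verified publisher, so it can read this "
                  "data on its own schedule; reply here if you meant to do that or "
                  "want help narrowing the access.")
    else:
        second = ("If that was not intended, you can remove the grant from your "
                  "connected apps; reply here if you want help.")
    return f"{first} {second}"


if __name__ == "__main__":
    for f in review_consent_log(SAMPLE_EVENTS.splitlines()):
        print(f"[{f.severity}] {f.user}: {nudge_message(f)}")
```

The message deliberately names the app and the data it can now reach, and nothing else; the point is to make the person aware that they made a decision, at the moment they made it, not to hand them a finding to file.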

The honest part

This is harder than shift left was, and shift left wasn't easy. We spent twenty years convincing developers that security was their job too. We now have to do something similar with every person in the company who can click “connect” on an integration, which is to say, all of them.

The good news is we've done the hard version of this before. The bad news is we have to do it again, faster, with a population that's roughly 50 times larger and significantly less technically trained.

The orgs that figure this out won't be the ones with the most sophisticated AppSec programs. They'll be the ones that accepted, early, that the definition of “the security perimeter” now includes a person in HR building a workflow at 4pm on a Tuesday because their boss asked for it.

That's where the work is now. Shift everywhere, or get out of the way.
