Security people need to be builders in the AI era, not just gatekeepers.
Right now, everyone in your org is building with AI. Your engineers are running Copilot. Your executives are running board prep through OpenClaw - 250 thousand stars on GitHub, a local autonomous agent that connects to Slack, email, every messaging app, running on their own API keys. Your marketing team is automating campaigns.
The risk is not that people are using AI. The risk is that security isn't building.
This isn't a new motion for us. AppSec has always been about partnering with builders. We sit in design reviews. We threat model their architectures. We shift left alongside engineering teams.
But partnering with builders isn't enough anymore. We need to be building alongside them. Because when your developers are shipping AI agents, the security team that's never built one is going to miss things that only show up when you've done it yourself.
Last week at Mercor, I built three AI services. Index. Observe. Remediate.
But the feature list isn't what matters. The architecture decision is what matters.
Index can read - but can't write.
Observe can detect - but can't act.
Remediate can act - but only on what Observe flagged.
They talk to each other through A2A. No single agent goes from discovery to action alone. This is separation of duties - applied to agents.
We have spent twenty years learning that separation of duties matters for humans. It matters even more for agents - because agents don't get tired, and they don't second-guess themselves before they act.
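A minimal sketch of that separation of duties, added here as an illustration and not the code of the services described above: each agent gets one capability, and the remediation path refuses any action that does not trace back to a finding Observe issued. The function names, the capability table and the HMAC-tagged finding are assumptions; the A2A transport is not modeled.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption). A shared key keeps the sketch short; an
# asymmetric signature would also stop Remediate from minting its own findings.
OBSERVE_KEY = b"constructed-demo-key"

# Capability table mirroring the three roles: one verb per agent.
CAPABILITIES = {
    "index": {"read"},
    "observe": {"detect"},
    "remediate": {"act"},
}

def authorize(agent, action):
    """Deny by default: an agent may only use a capability it was granted."""
    if action not in CAPABILITIES.get(agent, set()):
        raise PermissionError(f"{agent} may not {action}")

def _tag(finding):
    """MAC over the canonical JSON form of a finding."""
    body = json.dumps(finding, sort_keys=True).encode()
    return hmac.new(OBSERVE_KEY, body, hashlib.sha256).hexdigest()

def observe_flag(resource, issue):
    """Observe detects and emits a tagged finding; it has no 'act' capability."""
    authorize("observe", "detect")
    finding = {"resource": resource, "issue": issue}
    return {"finding": finding, "tag": _tag(finding)}

def remediate(ticket, resource):
    """Remediate acts only on the resource named in a finding Observe tagged."""
    authorize("remediate", "act")
    if not hmac.compare_digest(_tag(ticket["finding"]), ticket.get("tag", "")):
        raise PermissionError("finding was not issued by Observe")
    if ticket["finding"]["resource"] != resource:
        raise PermissionError("resource is outside the flagged finding")
    return f"remediated {resource}: {ticket['finding']['issue']}"
```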
I built that in a week. One security person, one week. The builder gap is closable. But building doesn't mean building everything. It means being technical enough to know what to build, what to buy, and how to tell the difference.
Three things I look for.
Did this company re-architect around AI, or did they bolt a chatbot onto an existing dashboard? If AI is a feature, it's sparkle wash. If AI is the architecture, that's product conviction.
If they're early stage, get in as a design partner. Your threat model becomes their roadmap. If they're later stage, push onto the Customer Advisory Board. The roadmap matters more than the current feature set.
Companies like Endor Labs didn't add AI to an existing SCA scanner. They rethought what software composition analysis looks like when AI is doing the dependency resolution.
In six months, half the AI security companies on this expo floor won't exist. The ones that will are the ones that rebuilt from the ground up. Look for product conviction - not product demos.
A live debate on the benefits - and risks - of AI in security.
Travis McPeak, Head of Security, Cursor
Nick Reva, Director, Engineering Security, DoorDash
Aaron Brown, Head of Security, Mercor
Mike G., Security, Cockroach Labs
Builders, not gatekeepers.
That's how security stays relevant in the AI era.