The End of Human-Scale AppSec
For decades, application security has been built around a simple assumption: humans are the primary producers of software. We train developers, review their pull requests, model threats in design meetings, and build controls around human decision-making. That assumption is rapidly breaking down.
As AI coding assistants evolve into autonomous software agents, organizations will gain access to an effectively unlimited engineering workforce capable of producing software at a speed no human team can match. The pressure to adopt these systems will be driven not by curiosity, but by competition. Companies that successfully harness agentic development will ship faster, iterate faster, and potentially outpace those that do not.
This shift forces a fundamental rethinking of application security. The future of AppSec is not securing developers—it is governing an agentic workforce. Threat modeling, code review, security testing, and change management will not disappear, but they will need to operate at machine speed and increasingly be performed by systems rather than people. In this talk, Ken Johnson, CTO of DryRun Security, explores what the next decade of application security may look like, the assumptions that will no longer hold, and why security professionals must understand these systems deeply if they hope to influence the future rather than react to it.
