I gave a talk this past week — first time I've stood in front of a room of developers. We did a live demo end to end, building a new codebase in front of them.
Somewhere in the middle, somebody asked about security. What does the agent do when a scan flags something? I walked them through it. My process auto-fixes anything the scanner returns as critical or high in flight. Medium and low get emitted as advisories.
And as I'm saying that out loud, I can hear the gap forming. In a normal development process, an advisory has an audience. It's a polite tap on the shoulder for a human engineer: "hey, this might be worth looking at, but I'm not going to block your build over it." Mediums and lows are explicitly designed as judgment calls. The whole point of the tier is that it isn't an obligation. It's a note. But in a 100% agentic flow, there's nobody at the desk to read the note.
The advisories don't get ignored. Ignored implies somebody read them and decided to move on. They get unread. They land in a log, the agent finishes the ticket, the next ticket starts. Nothing fails. Nothing escalates. The work looks complete because, by the rules of the pipeline, it is. The slice of the process built to delegate to human judgment just quietly evaporates. That's not a security bug — it's a hole in the philosophy.
Beyond Security
Once you see it in security, you start seeing it everywhere. Code review nits. Design review suggestions. Perf hints from the profiler. Accessibility warnings the linter throws but doesn't fail on. Every traditional process is full of these "FYI" tiers, and they were always written for a human reader making a judgment call. Pure agentic flow drops that whole layer. Nothing breaks loudly. The process just degrades by the slice that was supposed to delegate, and that slice is often where the quality lives.
I went around on it for a while. Three options came up.
One: sweep at the end of each session or milestone. Let the advisories accumulate, then run a triage pass when the work's done. Downside is the agent's context on the original change is already cooling off by the time you get there.
Two: raise the bar. Treat mediums like highs and auto-fix them in flight. You give up the "judgment call" framing entirely — the agent doesn't get to decide, it just acts.
Three: spin up a cleanup ticket the orchestrator picks up later. Treat advisories like a queue, let an agent work through it.
I went with two. Auto-fix the mediums.
The reasoning is simple. If we're going to fix it, it belongs in the session. The cleanup-ticket route might feel more efficient — smaller PRs, an agent that specializes on cleanup — but it doesn't actually solve anything. A queue of advisories without a reader is just a different log file. The judgment was supposed to live with the change, not in a backlog somebody might or might not get to.
I'll probably try the cleanup variant later just to compare. For now the default is fix-it-now, in the same session that produced the advisory.
I wouldn't have surfaced any of this if I hadn't presented it, by the way. The gap was sitting in a pipeline I'd built and run dozens of times, and I missed it. It took a room of strangers asking the obvious question. Which is the other thing I kept coming back to during that talk: your experience as the developer running these agents matters more now, not less.
When you pull the human out of a process, you don't just lose hands. You lose the reader the warnings were written for. Every advisory, every FYI, every "you might want to consider" was addressed to somebody. The fix isn't to add the human back. The fix is to stop emitting advisories and decide ahead of time what the agents are required to act on. If it isn't required, it doesn't belong in the pipeline.
Which puts the weight back on you. All the judgment that used to be distributed across code reviewers, security engineers, the senior dev who notices the perf hint — all of it has to come out of the person designing the pipeline, upstream, before the agents run. Your experience as a developer is what tells you which advisories were always going to matter and which ones never did. There's no inbox catching what you miss downstream. There is no downstream.
In pure agentic flow, "advisory" is just a polite word for ignored.
Kevin Phifer is the founder of Theoretically Impossible Solutions LLC, specializing in agentic AI development and consulting. You can reach him at kevin.phifer@theoreticallyimpossible.org.