There's No Pull Request For An Autonomous Agent

Traditional security reviews rely on a diff. Someone opens a pull request. Someone reads it. The code in production matches the code you reviewed.

Autonomous agents break this model.

An agent plans and calls tools at runtime. It does not ship actions in a commit. It decides actions while it runs. If you review only the application code, you miss the real risk.

An agent is not just code. It is a runtime configuration. This configuration includes:

• The system prompt
• The harness or loop
• The tool surface
• Memory and identity
• Network egress policies
• Container images

Two agents using the same model can act differently based on these settings. The model stays fixed. The configuration changes everything.

Many teams treat system prompts as simple text-box settings. They edit them in a dashboard. This is a mistake. A single line change can remove a guardrail. An editable prompt is an unreviewed code path.

Real incidents prove this:

• A bot gave illegal advice to landlords for weeks.
• A support bot started swearing at customers due to a prompt update.
• Malicious files used invisible characters to bypass rules.

These were not model failures. They were configuration changes that nobody reviewed.

You must treat configuration like code.

Put your system prompts and harness configs in version control. Change them only through pull requests. Use diffs to see what changed.

Use a content hash for your deployed configuration. This hash should include the prompt version, model ID, and container digest. If you change the prompt, the identity of the agent changes. You cannot swap a prompt silently.

Apply drift detection to the agent surface. Do not just monitor the host. Monitor the MCP server lists and the specific egress policies for that agent.
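The content hash and the drift check described above, as an added example (my own code, not from the original article): it pins the prompt, model ID, container digest, MCP server list and egress allowlist into one identity, and reports which field moved. Field names and the sample configuration are assumptions constructed for this example. Because the hash is over the exact prompt bytes, a guardrail line removed or an invisible character appended (as in the incident above) changes the agent's identity even when the text looks the same in a dashboard.

```python
import hashlib
import json

# Constructed sample of an agent's runtime surface (not a real deployment).
# Field names are assumptions for this example; the page only names the kinds
# of settings to cover (prompt, model, image, tool list, egress policy).
BASELINE_CONFIG = {
    "system_prompt": "You are a support assistant. Never give legal advice.",
    "model_id": "example-model-v1",
    "container_digest": "sha256:" + "0" * 64,  # placeholder image digest
    "mcp_servers": ["tickets", "knowledge-base"],
    "egress_allow": ["api.example.internal"],
}

PINNED_FIELDS = ("system_prompt", "model_id", "container_digest",
                 "mcp_servers", "egress_allow")


def _normalise(value):
    # Order of servers/hosts is not a change; everything else is compared as-is.
    return sorted(value) if isinstance(value, list) else value


def config_identity(config: dict) -> str:
    """Content hash that pins the whole agent surface.

    JSON is canonicalised (sorted keys, fixed separators, no whitespace) so
    that only a real change to the prompt text, model, image, tool list or
    egress rule changes the identity. A missing field hashes as null, so a
    dropped field also changes the identity rather than being ignored.
    """
    canonical = {k: _normalise(config.get(k)) for k in PINNED_FIELDS}
    blob = json.dumps(canonical, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=True).encode("utf-8")
    return hashlib.sha256(blob).hexdigest()


def detect_drift(baseline: dict, live: dict) -> list[str]:
    """Compare the live surface with the reviewed baseline.

    Returns [] when the content hashes match, otherwise the names of the
    pinned fields that differ, so the alert says what moved rather than
    just that something did.
    """
    if config_identity(live) == config_identity(baseline):
        return []
    return [k for k in PINNED_FIELDS
            if _normalise(baseline.get(k)) != _normalise(live.get(k))]
```

Store the baseline hash with the reviewed pull request and recompute it from the running agent's configuration on a schedule; any non-empty result from `detect_drift` is a change that bypassed review.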

When logging, track these two things:

• Decision-time context size: How much information did the model have when it acted?
• The parent prompt: In multi-agent systems, what did the calling agent send?

You do not need new tools. Use your existing version control and structured logging. You just need to point them at the right place.

Do you version and review your system prompts? Or can anyone with console access change them without a trace?

Source: https://dev.to/brennhill/theres-no-pull-request-to-review-for-an-autonomous-agent-so-what-do-you-review-355m