Logo
FrontierNews.ai

How Security Teams Are Locking Down Google Antigravity and Other AI Coding Agents

As AI coding agents become standard across organizations, security teams are deploying specialized controls to limit what these tools can do, even as they become essential to development workflows. Google Antigravity, Claude Code, and OpenAI Codex can now execute commands, access files, and connect to external services autonomously, creating new security challenges that traditional application controls cannot address.

Why Are AI Coding Agents a Security Risk?

Agentic AI tools operate fundamentally differently from traditional software. When a developer asks an AI assistant to build a feature, the tool might spawn a local development server, run code linters, invoke external services through MCP (Model Context Protocol) integrations, write files across multiple directories, and make outbound API calls, all without human approval at each step. This execution profile resembles a user with broad system access rather than a single-purpose application.

The risk is significant. OWASP's Top 10 for Agentic Applications identifies "Excessive Agency" as a key vulnerability, while Anthropic's Zero Trust for AI Agents framework advocates restricting not just what agents can access, but what they can do, where they can write, and what they can reach on the network. Without deliberate policies, organizations face an uncomfortable choice: block the tool entirely or grant permissions so broad they undermine security controls.

How Are Security Teams Controlling These Tools?

ThreatLocker, a security platform, has published a set of community policies that apply two complementary controls to major AI coding tools. Allowlisting ensures only explicitly permitted executables can run, regardless of what an AI tool requests. Ringfencing adds a second layer by implementing capability restrictions, controlling which files applications can access, which other applications they can interact with, and which network destinations they can reach.

These controls work without modifying the AI tool itself. Rather than relying solely on the tool's built-in safeguards, organizations enforce security policies through the platform, reducing the impact of compromised agents or overly permissive configurations.

Steps to Secure AI Coding Agents in Your Environment

  • Deploy Allowlisting: Restrict execution to only approved applications and tools, preventing unauthorized processes from running even if an AI agent requests them.
  • Implement Ringfencing for File Access: Define which directories and files each AI tool can read or write to, limiting access to application configuration directories and project folders only.
  • Control Network Destinations: Restrict internet access to required services and supporting infrastructure, using parent domains to automatically include subdomains (for example, googleapis.com covers storage.googleapis.com).
  • Monitor and Audit: Run policies in monitor-only mode initially to identify the specific subdomains and resources your environment requires before enforcing restrictions.

What Do Specific AI Tools Require?

Google Antigravity, Google's entry into agentic AI coding built on the Gemini platform, ships as an Electron application with a companion IDE and command-line interface (agy). The security policy for Antigravity permits Git, Git Bash, GitHub CLI, GitHub Desktop, Node.js, Python, and Docker Desktop. File access exceptions cover three directories: the.gemini directory for conversation history and state, the antigravity-updater directory for staged updates, and the Roaming Antigravity directory for app cache and session data.

Internet access for Antigravity is restricted to Google and supporting infrastructure, including gemini.google.com, googleapis.com, antigravity-unleash.goog, github.com, githubusercontent.com, googleusercontent.com, gstatic.com, and run.app. Claude Code, Anthropic's agentic coding tool that runs both as a command-line process and within the Claude desktop app with a graphical interface, follows a similar pattern but permits access to Anthropic's services and Claude-specific infrastructure.

OpenAI Codex, a cloud-connected coding assistant with deep Visual Studio Code integration, requires access to openai.com, chatgpt.com, github.com, and githubusercontent.com, along with known OpenAI subdomains like api.openai.com, auth.openai.com, and cdn.openai.com.

What About External Integrations?

MCP (Model Context Protocol) is an open standard that allows AI to connect to external services including databases, cloud platforms, code repositories, and communication tools. Agentic AI tools with MCP support will attempt to launch MCP server processes when a connected integration is invoked. Security policies now cover 19 MCP server integrations, including tools for sequential thinking, context management, cloud services, and database connections.

The shift toward controlled AI agents reflects a broader maturation in how organizations deploy frontier AI tools. Rather than treating these systems as black boxes, security teams are now building policies that enforce least-agency principles, ensuring that powerful autonomous tools remain contained within defined boundaries. This approach allows organizations to capture the productivity benefits of AI coding agents while maintaining the security posture required for enterprise environments.