Snyk ships Evo ADS, a governance layer for AI coding agents
Snyk's Evo Agentic Development Security governs what AI coding agents use, do, and produce, with controls inside the agent execution loop. Snyk's own data shows 1 in 12 MCP-server installs carries a critical finding.
Snyk announced Evo Agentic Development Security on June 23, a product that sits inside the agent workflow and governs what AI coding assistants use, what they do, and what they produce. The product becomes generally available on June 29, the same week Snyk is sponsoring the security track at the AI Engineer World's Fair.
Evo ADS is the third module in Snyk's AI Security Platform, sitting next to Evo AI-SPM, which inventories AI assets, and Evo Continuous Offensive Security, which probes AI-generated code for exploitable bugs. Together, the three products form what Snyk calls the AI Security Fabric. The framing matters. Most security tools today were built to scan code after it is written, or to watch the network after a request is made. Evo ADS is built for a different surface, the agent execution loop itself, and the controls run before the agent can take a destructive action, not after.
The launch lands in a market that has spent the last two years racing to adopt agentic coding without a corresponding set of controls. Snyk's own telemetry, drawn from nearly 9,700 developer environments, shows how far that gap has opened. Forty-three percent of developers run two or more AI coding environments at the same time, and more than half have MCP servers installed. The most heavily instrumented environments had more than 80 MCP servers running in parallel. Each of those connections is a live path from an agent into a code repository, a browser, an internal tool, or a production system, and most of them sit behind no security control at all. Independent reporting on the public MCP package ecosystem found that 71% of packages have a single maintainer, which is the kind of supply chain concentration that turns a single compromised account into a fleet-wide exposure.
The supply chain AI agents actually pull from
The risk Snyk is targeting is not the code an agent writes. It is the supply chain the agent reaches into before it writes a line. The new module calls out three layers of the agentic development lifecycle and adds a control to each one.
The first layer is the agent supply chain itself. Evo ADS discovers every MCP server, agent skill, and external tool the developer's environment has installed, then assesses each one for prompt injection, malicious code patterns, and risky transitive dependencies. The product frames this as a vet step that runs before the agent touches anything. Snyk's own data makes the case for the vet step. Among developers with MCP servers installed, 1 in 12 has at least one high or critical finding. Among developers with agent skills installed, the numbers are sharper. Nearly 1 in 4 has at least one skill installed, and the average is 18 per developer. More than 1 in 10 of those skills reference external dependencies or externally hosted instructions, which means the agent is making runtime decisions based on code or prompts the security team has never reviewed.
The second layer is agent behavior. Evo ADS runs a real-time policy engine that watches what the agent is doing, blocks destructive actions before they execute, and gates which systems the agent can reach and which workflows it can run. The product framing is that gateways can route and log agent calls, but they cannot tell whether the call the agent is about to make is dangerous. Snyk's argument is that this is a job for an independent enforcement layer, not for the platform the agent is running on.
The third layer is the output. Evo ADS scans and fixes AI-generated vulnerabilities at the moment the code is created, not in a post-merge review. The pitch mirrors the supply chain pitch, applied to the output side. If the security check happens after the agent has already opened the pull request, the team is reviewing AI-generated code in bulk, with a fraction of the context the agent had when it wrote the line. Putting the check inside the loop means the agent gets immediate feedback on what it is generating, and the diff that lands for human review is closer to a clean change.
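The behavior-layer control described above, a policy gate that decides before an agent tool call is dispatched whether the MCP server is vetted, the tool is permitted, and the arguments look destructive, can be sketched as an added illustration. This is not Snyk's code; it assumes a hypothetical call shape (server, tool, arguments) and uses a constructed trust list and a small, non-exhaustive set of destructive-command patterns.

```python
import re
from dataclasses import dataclass
# Argument patterns treated as destructive (illustrative, not exhaustive).
DESTRUCTIVE_PATTERNS = (
    re.compile(r"\brm\s+-[a-z]*r[a-z]*f\b"),           # recursive force delete
    re.compile(r"\bgit\s+push\b.*--force\b"),           # rewrite remote history
    re.compile(r"\bDROP\s+(TABLE|DATABASE)\b", re.I),   # schema destruction
)

@dataclass
class ToolCall:
    server: str   # MCP server the agent is calling into
    tool: str     # tool exposed by that server
    args: dict    # arguments the agent supplied

@dataclass
class Policy:
    trusted_servers: set                        # vetted MCP servers
    allowed_tools: dict                         # server -> permitted tool names
    destructive: tuple = DESTRUCTIVE_PATTERNS   # argument patterns to block

def evaluate(policy: Policy, call: ToolCall) -> tuple:
    """Decide before dispatch whether one tool call may run: (allowed, reason)."""
    if call.server not in policy.trusted_servers:
        return False, f"untrusted MCP server {call.server!r}"
    if call.tool not in policy.allowed_tools.get(call.server, set()):
        return False, f"tool {call.tool!r} not permitted on {call.server!r}"
    rendered = " ".join(str(v) for v in call.args.values())
    for pattern in policy.destructive:
        if pattern.search(rendered):
            return False, f"destructive action matched {pattern.pattern!r}"
    return True, "permitted"

def gate(policy: Policy, calls: list) -> tuple:
    """Return (calls to dispatch, audit log); blocked calls never reach a server."""
    dispatched, audit = [], []
    for call in calls:
        allowed, reason = evaluate(policy, call)
        audit.append((call.server, call.tool, allowed, reason))
        if allowed:
            dispatched.append(call)
    return dispatched, audit
# Constructed sample policy and agent calls (hypothetical, not real telemetry).
SAMPLE_POLICY = Policy({"github"}, {"github": {"read_file", "run_shell"}})
SAMPLE_CALLS = [
    ToolCall("github", "read_file", {"path": "README.md"}),
    ToolCall("github", "run_shell", {"cmd": "rm -rf build/ && make"}),
    ToolCall("unvetted-mcp", "fetch_url", {"url": "http://example.invalid/"}),
]
```

The audit log is the piece a security team would ship to its SIEM: every blocked call records which of the three checks failed, which is the evidence an inventory-only approach never produces.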
How Snyk's design partners run Evo ADS in production
Snyk built Evo ADS with input from a small group of design partners that already had agentic coding in production. The most public reference is Relay Network, the identity and compliance platform, whose engineering teams run GitHub Copilot, Codex, and Windsurf side by side and are moving to Claude Code as their primary assistant. Relay Network embedded Snyk directly into the AI-assisted workflow to enforce security on every line of generated code as it is created.
The Relay Network case is also a clear-eyed read on the threat. Brendan Putek, director of DevOps at Relay Network, told Snyk that the company is seeing supply chain attacks, malicious skills, and compromised MCP servers riding in on the agent's own toolchain, plus agents taking actions with no guardrails between intent and execution. The blast radius is not bounded, he said, and the industry is early in the curve. The architecture Relay Network landed on with Snyk is controls inside the agent workflow that govern what an agent uses, what it executes, and what it generates. That is a more conservative posture than the one most agent-first startups are running, and it is consistent with what enterprise security teams have been asking for since the first agentic coding rollout hit a production repository.
Accenture's Oliver Neuberger, who leads the cybersecurity practice for EMEA and the UK, framed the same shift in a different register. Agentic development security is a fundamental change in how developers think about code, he said, and the potential is enormous, but the impact demands mindful development and the right guardrails so enterprises can deploy with confidence. The Accenture framing lines up with the pitch Snyk's CTO is making. Manoj Nair, Snyk's chief technology and innovation officer, said the gap Evo ADS closes is straightforward. Most organizations do not have an inventory of what their developers' machines are running, and the question is no longer whether a team is using AI agents, it is whether they have a governance layer, and right now for most organizations the answer is no.
What is actually shipping on June 29
Evo ADS will be generally available on June 29, 2026. The launch is timed to run alongside the AI Engineer World's Fair, where Snyk is the exclusive sponsor of the first security track the event has ever run. The product is positioned as part of the broader AI Security Platform, which already includes Evo AI-SPM, the AI asset governance module, and Evo Continuous Offensive Security, the offensive testing module. The three together are what Snyk is calling the AI Security Fabric, an independent validator for AI-generated code, AI agents, and AI-native applications.
The positioning has commercial implications. Evo ADS is the first product from a major application security vendor that prices the surface at the agent execution loop, not at the code or at the network. Snyk is selling this as the answer to a question enterprise CISOs have been asking for two years, which is where the boundary should sit between a developer using AI to write code faster and a security team that has to sign off on what the AI wrote. The Snyk answer is that the boundary has to be enforced inside the agent, not after the agent. The MCP and skills control layer, in particular, is a category that did not exist 18 months ago and is now the most concrete piece of agent-runtime governance on the market.
The launch also has implications for the way security teams will write policy in 2026. Most enterprise agent policies today are written at the level of which models are approved, which data sources an agent can read, and which actions require human approval. Evo ADS pushes the policy layer one level deeper. The product is asking teams to write policy about which MCP servers are trusted, which skills are allowed to ship in a developer's environment, and what an agent is permitted to do at runtime when no human is watching. That is a much more granular policy surface, and the organizations that adopt it will be the ones that decide what a coding agent is allowed to do in a production-adjacent repository before an incident forces the question.
The wider AI coding market is moving in the same direction at a faster clip than most enterprise security programs are ready for. Snyk's figures on the average developer's environment, 18 skills installed and 80-plus MCP servers in the most heavily instrumented teams, are the kind of numbers that turn into a board-level conversation the next time an agent exfiltrates a credential through a compromised tool. Evo ADS is the product Snyk is selling into that conversation, and the June 29 availability is the first time a major application security vendor has put a real control plane on the table for the agent execution loop. The security track at the AI Engineer World's Fair is the venue, and the customer question is whether the rest of the agent security category can keep up.
For security leaders mapping this against their existing governance program, the enterprise AI governance checklist for 2026 covers the broader rollout questions Evo ADS does not address, including model approval, data source gating, and the human-in-the-loop policies that have to run alongside any agent-runtime control.