What is ACSM? A field guide for engineering leaders

A working definition of Agentic Coding Security Management (ACSM), the four pillars to evaluate any ACSM platform against, and three interview questions for your AI coding stack.

Most security tools react. ACSM — Agentic Coding Security Management — is the discipline that gets in front. Here's a working definition, the four pillars to evaluate any ACSM platform against, and where your existing toolchain (SAST, SCA, PR review) actually still fits.

Definition, in one sentence

ACSM is putting security controls in front of an AI coding agent — at prompt-time — so the agent ships secure code on the first try, not so a human catches it on the fifth.

The four pillars

Across the platforms staking a claim in this category, the consistent shape has four pillars: a model of the repo, guardrails derived from that model, enforcement in the IDE at prompt-time, and verification at the PR. Drop any one of them and you collapse back to SAST: findings raised after the code is already written.

What “model” should mean

Some ACSM platforms model only the stack (“this is FastAPI + PostgreSQL”). VibeReview models the threat (“this endpoint takes untrusted input, lands in SQL, the JWT is verified by an unaudited middleware”). The threat-informed version is the only one where every downstream rule traces back to a real risk in your code.
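To make the distinction concrete, here is a toy threat-informed guardrail written for this page as an added example; it is not VibeReview's code or anyone's product. The threat model, the file paths and the unified diff are constructed. The model records one risk ("untrusted input from /users lands in SQL") against one file; the rule derived from it flags only added diff lines that build a SQL string by formatting or concatenation in that file, and reports each hit as a one-line comment pinned to the new line number. A second file that also formats a "SELECT" string is deliberately left out of the model, so the rule stays silent there: the rule fires because the model says that code is a sink, not because a regex matched.

```python
"""Toy threat-informed guardrail (added example, not VibeReview's code).

Constructed threat model: app/users.py takes untrusted input that lands in
SQL. Derived rule: any added line in that file that builds a SQL statement
via f-string, %-formatting, .format() or '+' concatenation gets a one-line,
diff-aware comment pointing at the exact new line.
"""
import re

# Constructed threat model: each entry traces a sink back to a named risk.
THREAT_MODEL = {
    "app/users.py": {"risk": "untrusted input from /users lands in SQL", "sink": "sql"},
}

SQL_KEYWORD = re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b", re.IGNORECASE)
# Ways a SQL string gets built at runtime from other values.
STRING_BUILD = re.compile(r"""(\bf["']|%\s*\(|\.format\(|["']\s*\+|\+\s*["'])""")

HUNK_HEADER = re.compile(r"@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def parse_diff(diff_text):
    """Yield (path, new_lineno, line) for every added line in a unified diff."""
    path, new_line = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].strip()
            path = path[2:] if path.startswith("b/") else path
        elif raw.startswith(("--- ", "diff ", "index ", "\\")):
            continue  # file headers and "\ No newline" markers carry no code
        elif raw.startswith("@@"):
            new_line = int(HUNK_HEADER.match(raw).group(1))
        elif raw.startswith("+"):
            yield path, new_line, raw[1:]
            new_line += 1
        elif raw.startswith(" "):
            new_line += 1  # context line advances the new-file numbering
        # removed lines ("-") do not advance new-file numbering


def check_diff(diff_text, model=THREAT_MODEL):
    """Return one-line, diff-aware comments for added lines hitting a modelled sink."""
    comments = []
    for path, lineno, line in parse_diff(diff_text):
        entry = model.get(path)
        if entry is None or entry["sink"] != "sql":
            continue  # not a modelled risk: stay silent, no triage queue
        if SQL_KEYWORD.search(line) and STRING_BUILD.search(line):
            comments.append(
                f"{path}:{lineno}: SQL built by string formatting "
                f"({entry['risk']}); use a parameterized query"
            )
    return comments


# Constructed diff: an agent "simplified" a parameterized query into an
# f-string in the modelled file, and built an unrelated SELECT-labelled
# title string in a file the model does not list as a sink.
SAMPLE_DIFF = """\
diff --git a/app/users.py b/app/users.py
--- a/app/users.py
+++ b/app/users.py
@@ -10,4 +10,6 @@ def get_user(db, user_id):
     cursor = db.cursor()
-    cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
+    # agent rewrote this "for readability"
+    query = f"SELECT * FROM users WHERE id = '{user_id}'"
+    cursor.execute(query)
     row = cursor.fetchone()
     return row
diff --git a/app/report.py b/app/report.py
--- a/app/report.py
+++ b/app/report.py
@@ -1,2 +1,3 @@
 import csv
+title = f"SELECT report for {name}"
 rows = []
"""

if __name__ == "__main__":
    for comment in check_diff(SAMPLE_DIFF):
        print(comment)
```

Running it prints a single comment on app/users.py line 12 and nothing for app/report.py. Swapping in an empty model silences the rule entirely, which is the point: the rule has no existence apart from the risk it was derived from.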

What ACSM is not

It isn't a replacement for SAST or SCA. SAST is the after-the-fact audit of code that has already been written; SCA is the feed of known CVEs in your dependencies. ACSM is the layer that keeps the AI from writing the bug in the first place, so the audit queue and the CVE backlog stop being your delivery bottleneck.

If you're an engineering leader

Ask your AI coding stack three questions:

  1. Is there a model of my repo — specifically, of the threats in my repo?
  2. Do the rules ride into the IDE on every prompt, or are they bolted onto the PR?
  3. When the rule fires, is it a one-line, diff-aware comment — or a full-file finding queued for triage?

If the answer to any of these is “no” or “partial,” you're paying for the bug twice.

Try threat-informed ACSM in your repo.

14-day free trial. Five minutes to first guardrail.

Start free trial