Citizen Coders

Citizen Coders — surfaced by the Mythos-ready briefing (April 2026) — names the proliferation of coding agents to non-developer users. Using a coding agent in 2026 is “now easier than using Excel; all you need is English.” The structural consequence: code, infrastructure, and dependencies enter the organization through users who were never previously in scope for software-engineering security controls, fragmenting central IT visibility and creating new inventory and supply-chain gaps.

Why It Matters

The Mythos-era organizational threat surface is bigger than what the security team can inventory — and it is getting bigger faster as coding agents proliferate to non-developers. The Mythos-ready briefing surfaces this in two places:

“Shadow IT will fragment central control as coding agents proliferate to Citizen Coders, employees develop their own infrastructure, and threat intelligence is lagging behind vulnerability discovery and exploitation.” (§IV, The Mythos-ready Security Program)

“The proliferation of coding agents to non-developer users further fragments central IT visibility.” (Risk Register #6, Incomplete Asset and Exposure Inventory)

Relationship to Existing Wiki Concepts

  • Sibling to Shadow AI and Shadow Automation: Shadow AI is unauthorized AI tool usage by end users (Samsung-leak class); Shadow Automation is ungoverned agents accessing repos / prod / credentials at developer pace (a Knostic framing); Citizen Coders is the further generalization — non-developers writing software with agentic assistance, often without the security team’s knowledge that software is being written at all.
  • Adjacent to Vibe Coding (Karpathy-coined, formalized in PwC’s 2026 Agentic SDLC report): vibe coding is the method (natural-language intent rather than exact specifications); Citizen Coders is the user class doing it.
  • Operational consequence for Harness Config as Supply-Chain Artifact: every Citizen Coder’s .claude/ (or equivalent) tree is a supply-chain artifact the enterprise has no visibility into. The fragmentation is exactly what AgentShield-style audit was designed to surface — but only on harnesses the security team knows exist.
  • Operational consequence for Supply Chain Security for Agents: Citizen Coders install MCP servers, skills, and IDE extensions on a long tail of endpoints the security team does not centrally provision.

Operational Response

From the Mythos-ready playbook’s Priority Actions:

  • PA 2 — Require AI Agent Adoption. Formalize agent usage as part of all security functions, with mandatory security controls and oversight in place. The same framing extends to non-security functions: usage cannot be optional if security wants to maintain visibility.
  • PA 7 — Inventory and Reduce Attack Surface. Use agents themselves to accelerate inventory across the full organization, including infrastructure assembled by non-developers.
  • PA 3 — Defend Your Agents. “Define scope boundaries, blast-radius limits, escalation logic, and human override mechanisms” applies to Citizen Coder agents as much as to security-owned agents.
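The harness-config and supply-chain bullets above and PA 7 share one practical step: enumerate the agent harness trees that exist on endpoints and pull out what they declare. The script below is an added illustration, not code from the briefing or from any named tool; it assumes harness trees are `.claude/` directories, that MCP servers are declared beside them in a `.mcp.json` file with an `mcpServers` map of `command`/`args` entries, and that `APPROVED_MCP_COMMANDS` is a constructed allowlist.

```python
import json
import os
import tempfile
from pathlib import Path

# Constructed allowlist (an assumption): MCP server command lines the security team has reviewed.
APPROVED_MCP_COMMANDS = {"npx @internal/approved-mcp"}

def mcp_servers_in(project_dir: Path) -> dict:
    """{name: command line} for MCP servers declared beside a harness tree.
    Assumes the `.mcp.json` layout {"mcpServers": {name: {"command", "args"}}}."""
    try:
        data = json.loads((project_dir / ".mcp.json").read_text())
    except (OSError, ValueError):
        return {}  # no file, unreadable, or not JSON: nothing declared here
    servers = data.get("mcpServers", {}) if isinstance(data, dict) else {}
    return {n: " ".join([str(s.get("command", ""))] + [str(a) for a in s.get("args", [])]).strip()
            for n, s in servers.items() if isinstance(s, dict)}

def inventory(root: Path) -> list:
    """Walk `root` (e.g. a mount of user home dirs); one record per `.claude` tree found,
    with owner (top-level dir), declared MCP servers, and the unreviewed ones flagged."""
    records = []
    for dirpath, dirnames, _ in os.walk(root):
        if ".claude" not in dirnames:
            continue
        tree = Path(dirpath) / ".claude"
        servers = mcp_servers_in(tree.parent)
        records.append({
            "owner": tree.relative_to(root).parts[0],
            "path": str(tree),
            "mcp_servers": servers,
            "unreviewed": sorted(n for n, c in servers.items() if c not in APPROVED_MCP_COMMANDS),
        })
    return records

def build_sample_tree() -> Path:
    """Constructed fixture: two users; bob's budget tool declares an unreviewed server."""
    root = Path(tempfile.mkdtemp())
    approved = {"command": "npx", "args": ["@internal/approved-mcp"]}
    layout = {"alice": {"tickets": approved},
              "bob/projects/budget-tool": {"tickets": approved,
                                           "sheets": {"command": "uvx", "args": ["unvetted-sheets-mcp"]}}}
    for rel, servers in layout.items():
        (root / rel / ".claude").mkdir(parents=True)
        (root / rel / ".mcp.json").write_text(json.dumps({"mcpServers": servers}))
    return root

if __name__ == "__main__":
    print(json.dumps(inventory(build_sample_tree()), indent=2))
```

Run against a real mount of home directories, the `unreviewed` field is the list a central team did not know existed, which is the gap the briefing describes.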

See Also