Coding Agents Are Ungovernable, We're Fixing That: Keycard acquires Anchor.dev.

Keycard acquires Anchor.dev to bring runtime security to autonomous coding agents.

AI writes nearly 100% of all code at Anthropic and OpenAI. Ramp's background agent authored 54% of PRs in a single day. Agents aren't augmenting developers anymore. They're replacing entire workflows and nobody knows how to secure them.

Today, we're announcing that Keycard has acquired Anchor.dev. Founded by Wesley Beary and Ben Burkert, the Anchor team built trusted developer infrastructure at Cloudflare, GitHub, and Heroku. Their work centered on one of the hardest problems in security: making identity primitives like X.509 certificates automatic for developers and fully governable by security teams.

The Anchor team helps bring Keycard to coding agents and their messy, distributed reality of modern software development workflows, spanning laptops, sandboxes, and production infrastructure. With Keycard, developer and security teams no longer need to trade off between coding agent capability, autonomy, and security, or struggle to provide agents with access to tools.

Coding agents crossed a real threshold last year. They went from fancy autocomplete to systems that reason across large codebases, plan multi-step changes, and ship features with little or no human involvement. Powered by frontier models like GPT 5.3 Codex and Opus 4.6, these agents are already running in production at Ramp, Stripe, Anthropic, and OpenAI. Projects like Ralph, OpenClaw, and Claude Cowork hint at where this is heading.

Agents are eating software development, and they're starting to eat software itself. But for most teams, security keeps early adoption just out of reach.

Autonomous agents don't just break existing security models. They invalidate the core assumption underneath: trust the human, trust the action. Agents aren't humans. They reason over evolving context windows, dynamically invoke tools, and run on non-deterministic models. When things go wrong, you don't get a crash. You get a quiet, high-impact mistake.

For developers, this creates a tradeoff that mirrors CAP theorem: you can only pick two of autonomy, capability, and security.

• Pick autonomy and capability without security, and you get agents running freely across repos, CI, cloud APIs, and internal tools. Without proper controls, they leak secrets, poison context, or take unintended actions. These workflows work until they don't.
• Pick security and autonomy without capability, and you get agents locked into narrow scopes, MCP-only workflows, or network-level controls. They're technically autonomous, but stripped of the tools and context they need. What you end up with is brittle, toy-grade automation.
• Pick security and capability without autonomy, and you keep a human in the loop for every tool call and decision. The agent can do almost anything, as long as someone approves it. The result is consent fatigue, slow iteration, and agents stuck at 1990s cruise control levels of autonomy.

Legacy security tools reinforce this at every layer. VPNs and firewalls operate at the network boundary. Conditional access in IdPs fires once, at login. Workload identity systems are scoped to specific clouds or protocols. None of them have anything to say about what an agent does after it starts reasoning and acting.

So agents get artificially constrained, deployments stall, and teams never get the autonomy these models are already capable of. Not because the tech isn't ready, but because the security isn't.

Keycard breaks this tradeoff by moving enforcement to the point where agents actually act: at runtime, on every tool call, at the application layer.

This is the core insight. Autonomous agents don't fail at authentication. They fail while reasoning, invoking tools, and taking actions across real systems. That's where policy has to live.

In practice, this means Keycard cryptographically attests to an agent's runtime context. Where is the agent running? How was it instantiated? What task is it working on? What tool is it calling, and did it author that tool or was the tool provided to it? Policies can evaluate all of this, not just a static identity check from when the session started.

On top of that attestation layer, teams define explicit tool-level governance. Which tools can an agent use? Under what conditions? For which tasks? Every invocation, whether it's an API call, a CLI command, or a tool the agent generated itself, gets evaluated against policy at execution time. We spent a lot of time getting this right, because the line between "agent using a tool" and "agent creating a tool" is blurrier than most security models assume.

Static secrets don't survive this model. They're too broad. Instead, Keycard issues short-lived credentials bound to the agent, the task, and the environment. Each action gets credentials scoped to that specific invocation. This was one of the reasons the Anchor acquisition made so much sense: their team has years of experience making certificate-based identity work without becoming a developer bottleneck.

Every invocation (allowed or denied) is logged with its policy decision, runtime context, and task attribution. If something goes wrong, access can be revoked instantly. No redeployment, no secret rotation. And because every action is logged against its policy, shadow access becomes visible by default.

All of this works regardless of protocol. MCP, CLI, APIs, agent-generated tools. We didn't want to build something that only worked if teams adopted a single protocol or constrained their agents to one interaction pattern.

For developers, the payoff is autonomous workflows without constant oversight. Routine actions proceed within guardrails; genuinely sensitive operations still require a human to approve. For security teams, it's actual governance: visibility into what agents are doing, control over what they're allowed to do, and the ability to intervene the moment something goes wrong.

We're excited to welcome Wesley and Ben to Keycard. Their experience building trusted, developer-first infrastructure strengthens what we've been building and accelerates where we're going.

Keycard helps companies adopt agents safely by connecting them to the infrastructure and SaaS services they already rely on. Developers build with drop-in SDKs that handle authentication and fine-grained authorization. Security teams govern agentic activity end to end, across laptops, sandboxes, and production systems, with runtime policy, auditability, and control.

Enterprise customers are already using Keycard in production. Autonomy doesn't fail because of models. It fails without runtime controls, and that's the gap Keycard is closing.