Who Owns the Code an Agent Writes? Accountability, Job Displacement, and the Ethics of Autonomous Coding Agents

The framing we have inherited treats Agentic Coding as a productivity upgrade — faster pull requests, fewer keystrokes, more shipped tickets per engineer. That framing is comfortable, and it is also too small for what is actually happening. The agent is not a faster typist. It is a new kind of author, with no legal standing to be one, working inside an accountability vacuum that the industry has not yet decided how to fill.

The Question Behind the Demo

What are the ethical risks of letting AI agents write production code autonomously? The question sounds technical, but it is not. It is a question about who we are willing to hold responsible when software made by a system harms a person who never consented to be governed by it.

Coding demos answer a different question. They answer “is it impressive?” — and the honest answer is yes, often startlingly so. But impressiveness was never the test for whether we should release a piece of software into the daily life of billions of users. Legitimacy was. And legitimacy in software was always earned through traceability: a human author, a reviewable diff, an accountable chain from intention to deployment. Agents do not break that chain dramatically. They dissolve it gradually, one merged PR at a time, in ways that look like progress until something catastrophic surfaces what we have been quietly assuming.

The Case Worth Steelmanning

Take the strongest case before challenging it. Agentic coding is, in many situations, a real gift to the craft. It compresses the toil out of refactoring legacy systems, including the long tail of AI Code Migration work that human teams find demoralising and skip. It lets a senior engineer carry the cognitive load of a small department. It opens contribution to people whose first language is not the dominant programming idiom of their team. Tools like Claude Code, Cursor, and OpenAI Codex are not toys — they sit on real benchmarks doing real work, and the developers using them are not naive.

The economic logic for adoption is therefore strong, not stupid. To dismiss it would be to misread the moment. The question is not whether agents will be normal in software teams. They already are. The question is what becomes of accountability, attribution, and livelihood once the system holding the keyboard is no longer the same kind of entity that used to.

The Assumption We Smuggled In

The hidden assumption inside the productivity pitch is that an agent writing code is the same kind of event as an engineer using autocomplete — just faster. It is not. Autocomplete completes a thought a human is having. An agent initiates the thought and ends it, sometimes across hundreds of files, using protocols like the Model Context Protocol to reach into databases, ticketing systems, and cloud consoles that no autocomplete ever touched. The artifact left behind is not a sentence the engineer finished. It is a structure the agent composed and the engineer half-reviewed because the diff was too large to read line by line.

That distinction is where the ethical problem lives. We have extended the consent rituals built for an IDE plugin — a checkbox, an EULA, a setting nobody reads — to systems that originate code, merge code, and act on the code they wrote. The category collision is convenient for selling product. It is corrosive for accountability. And it is the reason that when something goes wrong, there is no name on the failure that the law currently recognises as the author.

What the Law Already Decided — and What It Did Not

The legal scaffolding for this conversation is more developed than most engineers realise, and more useless than most lawyers would like to admit. The US Copyright Office has been clear since 2023, and reaffirmed in its 2025 guidance, that purely AI-generated works are not copyrightable; human authorship is required, and applicants must disclose AI-generated content (US Copyright Office). On 2 March 2026 the Supreme Court denied certiorari in the leading challenge, leaving in place the rule that AI alone cannot create copyrighted works (Morgan Lewis). Doe v. GitHub remains active on appeal at the Ninth Circuit, with surviving claims around contract and removal of copyright management information (BakerHostetler). None of these instruments answer the operational question — who is liable when an autonomous agent ships code that infringes, leaks, or fails — because they were written when the author was assumed to be a person.

Europe is wrestling with the same gap from a different direction. The EU AI Act’s main operational obligations for high-risk systems apply from 2 August 2026 (European Commission), but commentators have argued the Act was drafted before frontier autonomous agents existed and does not cleanly map liability for multi-step autonomous action (TechPolicy.Press). The AI Liability Directive that was supposed to fill that gap is itself in flux; the Commission is now considering reframing it as a broader Software Liability Regulation (Covington Inside Privacy). In the United States, NIST’s AI RMF and its GenAI Profile do not yet specifically address autonomous tool-using agents, and the agentic profile is still in community development (Cloud Security Alliance). The pattern is consistent: the technology has crossed a line, and the institutional vocabulary has not yet caught up.

What Bureaucracy Taught Us About Diffuse Authorship

Philosophers studying twentieth-century administrative states noticed something uncomfortable. When an action is distributed across many small procedural steps, no single participant feels they made the decision. Responsibility evaporates into the procedure. The form was filled, the rule was applied, the box was ticked — and yet nobody is the author of the outcome.

Autonomous coding pipelines compress this same dissolution into a single product surface. The engineer states an intent. The agent decomposes it into sub-tasks. A planner chains tool calls. A retrieval layer fetches code that may itself have been written by another agent, in another repository, last week. By the time the system has opened, reviewed, merged, and deployed, the chain of authorship is so distributed that asking “who wrote this?” becomes a category error. The honest answer is “the system.” And a system, unlike an engineer, cannot be deposed, fired, or held to account.

The fragility of this arrangement is not theoretical. Stanford researchers found that developers using an AI coding assistant wrote significantly less secure code while simultaneously believing their code was more secure — an overconfidence effect baked into the workflow itself (Stanford EE). Veracode’s analysis puts roughly 45 percent of AI-generated code in violation of OWASP Top 10 categories, with about 2.74 times more vulnerabilities than human-written code (Veracode). And the incidents are no longer hypothetical: Replit’s agent deleted the production database of an active customer during a declared code freeze in July 2025 (Fortune), and an Amazon Kiro agent took down a production AWS environment for roughly thirteen hours in mid-December 2025, with Amazon’s later post-mortem adding mandatory peer review for production access (Amazon). The action layer has already failed in public. The accountability layer has not yet been built.

The Position This Forces

Thesis: The ethical danger of autonomous coding agents is not the spectacular failure but the quiet normalisation — every smoothly merged pull request rehearses the profession into a posture of unexamined delegation, while the legal and economic structures meant to catch the consequences remain calibrated for a world where a human wrote the code.

Failures attract attention. Success normalises. The agent that lands a clean PR teaches the team that reviewing its work is a polite formality, then a friction to remove, then a checkbox someone disables to clear the backlog. This is the trajectory of every automation that worked well enough to stop being audited. The risk is not that agents will go rogue. The risk is that we will stop noticing what they decide on our behalf — about security postures, about library choices, about whose code ends up vendored into whose product — long before any institution catches up to ask whether we should have. The market is pricing this delegation as efficiency. It is also pricing out the entry-level engineering work that produced the next generation of reviewers. Q1 2026 tracking data suggests tech-sector unemployment is at its highest since the early 2000s, with a meaningful share of cuts attributed to AI and automation (Tom’s Hardware), even as the BLS continues to project fifteen-percent growth in software-development employment through 2034.

Questions Worth Sitting With

How do we live with this? Not by refusing the technology — that boat has already sailed, and it sailed faster than the debate. But perhaps by refusing the assumption that velocity is its own justification. What does meaningful review look like when the diff is larger than any human can read in the time allotted? Who is the responsible party when an agent commits code that infringes, leaks, or breaks, and the engineer on the PR was simply approving the tenth such merge that hour? And what do we owe the early-career developer whose path into the profession used to run through the work that Vibe Coding workflows now absorb invisibly, before anyone can object?

There may not be clean answers. There certainly is not a single product feature that resolves them. But the absence of an answer is not the same as the absence of a question.

Where This Argument Bends

This argument has a real weak point. If capability scoping, signed intent statements, and enforceable human-in-the-loop gates mature faster than the wholesale adoption of fully autonomous pipelines — and if the regulatory rewrite around the EU AILD and a possible Software Liability Regulation lands with teeth — then the normalisation worry may simply be premature. If the profession also reorganises around new entry paths into the craft, rather than the ones the agents are eroding, the displacement concern softens too. The thesis would weaken accordingly. I would consider that a good outcome.

The Question That Remains

If the most consequential code of the next decade is not the code we write but the code we approve, what does it mean to be the engineer of record on work you did not author? And who do we become when “the agent did it” becomes the strongest answer we are willing to give for or against anything our software does in the world?