AI Coding Agents Need Staging Environments Too
Teams gave coding agents production credentials and called it velocity. An agent is a contributor with no judgment, and it needs the same environment ladder.

Every environment discipline your team built for humans applies to coding agents, and most teams quietly dropped all of it the moment the agent got good. The same organisation that would not let a new hire near production on day one will hand an agent a long-lived credential and a task description, then act surprised when something gets dropped that should not have.
The thesis is boring on purpose: an agent is an unusually fast contributor with no institutional judgment, and the environment ladder exists precisely for contributors like that. Dev, staging, production, with a gate between each. It was never about the human. It was always about the blast radius.
Why the ladder got skipped
Nobody made a decision to skip it. It eroded, in a sequence that is worth recognising because your team is probably somewhere in it.
The agent starts as autocomplete, and nobody stages autocomplete. Then it starts running the test suite locally, which is fine. Then it needs to hit a real service to reproduce a bug, so someone gives it read access to staging. Then staging data is stale, so someone points it at a production replica. Then a task needs a write, and the credential that is already sitting in the environment happens to have it. At no point did anyone decide the agent should be able to write to production. It arrived there by a series of individually reasonable steps, which is how most incidents arrive anywhere.
What an agent does differently
The ladder matters more for agents than for people, for reasons that are structural rather than a judgment on the model's competence.
- Speed removes the pause. A human doing something destructive usually hesitates first. That hesitation is an unwritten safety control, and it is a large part of why the ladder has held up for humans despite being enforced loosely. An agent executes at full confidence in two seconds. There is no pause to catch it in.
- No sense of consequence. An engineer knows that this table is the billing table and Thursday is invoice day. That knowledge is not in the repository, so it is not in the agent's context. It knows the schema. It does not know the stakes.
- Literal objectives. Told to make an integration test pass, an agent will consider mutating the data the test asserts against. That is a legitimate solution to the stated problem. It is only wrong because of context the agent does not have.
- Volume. One engineer opens three pull requests a day. A fleet of agents opens thirty. The per-change probability of a bad change can drop and the absolute number of bad changes still goes up.
The ladder, restated for agents
Same three rungs, with the agent-specific part called out.
- Dev: disposable and isolated. One agent, one workspace, no shared state. If two agents work in the same checkout they will fight over the same files and you will spend your afternoon reading a merge conflict neither of them understands. Ephemeral branches and worktrees are cheap; shared mutable state is not.
- Staging: real shape, fake stakes. Staging earns its keep only if it resembles production structurally, same schema, same service topology, same failure behaviour, while containing nothing whose loss matters. Seeded or synthetic data, never a production copy. A production replica in staging is production with worse monitoring.
- Production: humans and gates only. The agent's output reaches production the way any change does, through a reviewed pull request and your existing deploy gate. No side door, no service account with a fast path.
Isolation is the credential, not the URL
Here is where teams fool themselves. Pointing the agent at staging.internal is not isolation if the credential in its environment is also valid against production. The environment boundary is defined by what the identity can reach, not by which hostname the task mentions. An agent with a broad role is one confused tool call away from the wrong account, and it will make that call politely and immediately.
The version of this that holds up is unremarkable AWS practice, applied consistently:
- Separate accounts per environment, so a cross-environment mistake needs a role assumption that does not exist rather than a typo that does.
- A dedicated role per agent task, scoped to the resources that task needs, assumed for the duration of the run and no longer.
- No long-lived keys in the agent's environment. Short-lived credentials mean a leaked context is a problem with an expiry date.
- Deny-by-default on the destructive verbs. An agent that never needs
DeleteObjectshould be structurally unable to call it, not merely disinclined. - Human approval on anything that crosses into an account holding real data, as a control the agent cannot satisfy on its own.
Review gates are the point, not the friction
The pushback is predictable: this slows the agent down, and the agent's whole appeal was speed. That objection is worth taking seriously and then rejecting, because it misprices the trade.
The agent's speed advantage is in generation, not in verification. It writes a plausible fix in ninety seconds instead of an hour, which is genuine and large. Verification was never the bottleneck it removes. Removing the review gate does not make the agent faster at the thing it is fast at, it just removes the mechanism that catches the ten percent of confident output that is wrong. You keep the ninety-second fix. You keep the reviewer. That is the whole arrangement, and it is a good one.
The takeaway
None of this is new engineering. Environment separation, scoped credentials, review before production: your team wrote these rules for humans and largely follows them. The mistake is treating an agent as tooling rather than as a contributor, because tooling does not need an environment ladder and contributors do. Give the agent a sandbox that looks like production and holds nothing that matters, an identity that expires and cannot reach across the boundary, and a reviewer between it and the deploy. Then let it go fast inside that box.
Read this next
- Claude Code in CI: Letting an Agent Fix the Build, on the same boundary drawn inside the pipeline, where the agent proposes and the human merges.
- IAM for LLM Apps: Least Privilege When the Caller Is a Model, on the scoped, short-lived identity that makes the environment boundary real.
For the account-level controls behind this, multi-party approval in AWS Organizations covers the gate for operations nothing should run alone, at ercan.cloud. The hub is at ercanermis.com.
More from Ercan
Two more sites, same author, different ground.
Cloud, AWS, EKS, Terraform, platform engineering.
Field notes from production systems. EKS, IAM, Terraform at organization scale, observability, cost optimization.
Visit ercan.cloud →The hub. About, consulting, contact.
Personal hub for both writing tracks. Who I am, how the consulting works, how to reach me.
Visit ercanermis.com →