Notes
Short pieces about the methodology and architecture decisions behind the AI systems I ship — specs, evals, multi-agent orchestration, LLM integration, and the discipline of directing coding agents.
June 19, 2026
The AI speedup comes with a security bill
Gartner says 90% of engineering leaders report gains from AI coding tools — a net 19% productivity bump. The same research says unreviewed AI code has 23% higher bug density, and 14.3% of AI-generated snippets carry security vulnerabilities versus 9.1% for human-written. Almost nobody prints those two numbers in the same sentence. You should, because they're the same story.
- security
- methodology
June 14, 2026
One person, an AI, and 195 million records
Between December 2025 and January 2026, a single attacker used AI coding assistants to breach nine Mexican government agencies and walk out with 150GB of data covering 195 million citizens — taxpayer records, voter files, civil registry documents. They jailbroke the AI by framing the attack as a 'bug bounty' and let it run roughly three-quarters of the remote commands. Some agencies dispute the breach. But the lesson holds either way: AI collapses the cost of a sophisticated attack to nearly nothing, and that changes who you have to defend against. Here's what it means.
- security
- business
June 14, 2026
The AI rules that change three times a year
Colorado passed a landmark AI law against algorithmic discrimination. It was set to take effect February 2026, then pushed to June 30. In December the federal government signed an order to preempt state AI laws and named Colorado's directly. Then in May 2026 Colorado delayed its own law to January 2027 and scaled it way back. If you were building to that rulebook, your target moved three times in a year. You cannot build to a law that won't sit still — but you can build to the principle underneath it, which barely moves at all. Here's how.
- business
- security
June 14, 2026
The AI that hunts its own bugs
Anthropic's Claude Mythos found thousands of zero-day vulnerabilities across every major operating system and browser — including a 27-year-old bug in OpenBSD and a 16-year-old flaw in FFmpeg — and wrote a working exploit on the first try in over 83% of cases. It was deemed too dangerous to release publicly; instead a handful of giants got early access under Project Glasswing. This is the clearest look yet at AI's double edge: the same tool that finds your bugs before attackers do is the one that finds them faster for attackers too. Here's how to think about it.
- security
June 14, 2026
Now your AI content has to say it's AI
On June 10, 2026, the European Commission published its Code of Practice on marking and labelling AI-generated content — the practical playbook for transparency rules that become enforceable under the EU AI Act on August 2. Deepfakes and AI-written text on matters of public interest must be clearly labelled, and people must be told when they're talking to a chatbot. The Code is voluntary; the obligation behind it isn't. Disclosure is becoming the default, and that's not just a compliance chore — it's a trust decision. Here's what it means for anyone shipping AI content.
- business
- security
June 13, 2026
The AI Act's real deadline is August
On August 2, 2026, the EU AI Act's obligations for high-risk AI systems take effect — the part with real teeth: documentation, oversight, risk management, and fines up to €35M or 7% of global turnover. Two things make this messy. As of March, only 8 of 27 member states had even set up their enforcement contact point. And nobody has a clean answer for who's liable when an autonomous agent acts on its own. If your software touches EU users, here's what's actually changing and the gap you need to close.
- business
- security