Notes
Short pieces about the methodology and architecture decisions behind the AI systems I ship — specs, evals, multi-agent orchestration, LLM integration, and the discipline of directing coding agents.
June 5, 2026
The best security AI is now gatekept — plan like you're not on the list
This spring AI crossed a line: Anthropic's Mythos found thousands of never-seen zero-days on its own, and OpenAI shipped a 'cyber' model that's more permissive for hacking-adjacent work. The same model that finds a thousand holes to fix them can find them to exploit them — so the labs put the best security models behind a velvet rope, open only to vetted partners and governments. That's defensible. It also means a vendor now decides who gets defended. Here's the honest read for everyone not on the list.
- security
- business
June 5, 2026
The agent that "closes sales" — the part the demo hides
Meta just shipped an agent that doesn't only chat — it books appointments, qualifies leads, closes sales, and takes payments, 24/7, in any language, wired into Shopify and Zendesk. A million businesses are already on it. The demo is magic. What it hides: an autonomous thing acting on your business, at machine speed, on messages from strangers — and the law just closed the 'the AI did it' escape hatch. Here's the honest version.
- security
- business
- agents
June 5, 2026
The AI just started profiling you in the background
Until this week, ChatGPT only remembered what you told it to. As of June 4 it 'dreams' — a background process reads across all your past chats and quietly builds a model of you, keeping it current on its own. That's a genuinely useful upgrade and the moment a chatbot became a profiler. The EU's data regulator said exactly that, today. Here's what actually changed, in plain terms — and why it's the grounding problem aimed at you.
- ai-native
- security
June 4, 2026
Memory is the new attack surface
Everyone's racing to give agents long-term memory — it's the obvious upgrade. But a durable capability is a durable vulnerability. A prompt injection is a one-shot that resets; memory poisoning writes one lie into the agent's storage and rides along across every future session, for every user, until someone purges it. It weaponizes the very feature memory exists for: learning from the past. Here's how the attack that waits works, and how to fence it.
- security
- architecture
- agents
June 4, 2026
The year the agent became the attacker
A year ago, agent security was a thought experiment — what if your agent gets tricked? In 2026 it got concrete, three ways: one amateur used Claude Code and GPT to breach nine government agencies and 195 million records; an AI ran a 600-firewall campaign across 55 countries with no human at the wheel; and Meta's own internal agent leaked sensitive data with no attacker at all. Same dangerous primitive, pointed three directions. Here's the honest threat model.
- security
- agents
June 3, 2026
Your agent trusts the tool description. That's the hole.
To a language model there's no difference between the data you gave it and an instruction — it reads everything as a possible command. That one fact is the whole of AI agent security. Here's how it turns a helpful tool into a data-exfiltration vector, why a prompt can't fix it, and the one structural rule — the lethal trifecta — that tells you when your agent is genuinely dangerous.
- agents
- security
- methodology