Notes
Short pieces about the methodology and architecture decisions behind the AI systems I ship — specs, evals, multi-agent orchestration, LLM integration, and the discipline of directing coding agents.
July 3, 2026
Prompt injection isn't a bug you'll patch
Teams keep treating prompt injection like an ordinary vulnerability — one that a model update or a clever filter will eventually close. It won't. OWASP's 2026 report and a growing line of researchers now describe it as a permanent property of how LLMs work: the model genuinely can't tell your instructions from the data it's reading. Once you accept that, the job changes. You stop trying to prevent the injection and start making sure a successful one can't do any damage — which comes down to never letting a single agent hold the three powers that turn a poisoned input into a breach.
- security
- architecture
July 1, 2026
The internet went dark. Build for a web you can't trust.
'Dead internet theory' used to be a conspiracy meme. Now that a majority of new web pages contain AI-generated content, it's an engineering constraint. Your agents retrieve from a web where you can no longer know who — or what — produced anything. The danger isn't that everything's fake; it's that provenance became unknowable. Which means 'it's on the internet' is dead as a trust signal, and trust has to move to the data layer: signed, allowlisted, provenance-tracked sources.
- security
- architecture
July 1, 2026
Your agents have logins nobody owns
Enterprises spun up millions of AI agents this year, and every one of them needs credentials to actually do anything — read the database, send the email, hit the API. The governance layer for those credentials doesn't exist yet. The result: 68% of organizations can't reliably tell an agent's activity apart from a human's, and live credentials are writing to production with no person accountable. The agentic enterprise's real security problem isn't prompt injection. It's identity.
- security
- agents
June 23, 2026
A fake bug report hijacked the coding agent
Security researchers showed a new attack called 'Agentjacking': send a fake error to a company's Sentry, and its AI coding agent reads the 'fix steps' and runs them — handing an attacker your credentials, with your own privileges. Claude Code, Cursor, and Codex all fell for it in testing. The lesson is bigger than one tool: every untrusted thing your agent reads is a place someone can inject commands.
- security
- agents
June 23, 2026
Your MCP servers are a supply chain now
MCP — the protocol that lets agents use tools — took off so fast that security never caught up. Researchers poisoned 9 of 11 public MCP registries with a proof-of-concept package, and an audit of 1,899 MCP servers found about 5% already carrying hidden malicious instructions. If your agent connects to third-party MCP servers, you've added a supply chain — and you need to treat it like one.
- security
- agents
June 19, 2026
The government red-teams the model now
The US AI standards body signed deals with Google DeepMind, Microsoft, and xAI to evaluate their frontier models before public release — and has already run more than 40 assessments, some of models the public never saw. The UK signed parallel agreements. Strip away the politics and there's a clear signal: evaluation, not vibes, is how anyone actually knows what a model can do. Steal the pattern.
- security
- methodology