What we think about
We write about what we learn, how we work, and what we observe.
23 posts found in security
What the Arup deepfake call actually broke
The Arup deepfake video call is usually framed as a detection failure. It was a protocol failure. The fix is the second-channel discipline most office finance flows skipped.
Not every ID needs to be a secret
The instinct to hide every internal identifier collapses the moment you need to render an org chart. We thought about which IDs leak something and which do not.
Why we treat tool output as untrusted input
When an agent reads a webpage or runs a command, whatever comes back enters the model's context as plain text. The model cannot tell instructions from data.
Authorization belongs in the runtime, not the prompt
Telling an agent what it is allowed to do is not the same as preventing it from doing the rest. The instruction is a suggestion. The runtime is the enforcer.
Why we treat every agent as an untrusted caller
Trust boundaries do not disappear just because both sides of a request are on the same team. If anything, internal trust is harder to get right.