Writing
AI controls, agent systems, banking governance, production practice. 407 essays, newest first.
- AI Controls Architecture
Risk teams know risk. The open problem is designing controls for systems that are non-deterministic, probabilistic, and attackable in natural language.
- Governing Agents the Way Cells Govern Themselves
Six cell biology mechanisms that reveal what the networking 'control plane' metaphor misses about governing AI agents.
- The Risk Without an Engineering Solution
Every other agentic AI risk has an engineering answer. Prompt injection doesn't. That changes everything about how you design controls.
- The Work Behind the Work
Coordination cost reveals valuable AI workflows, but only cash conversion and competitive durability make them valuable businesses.
- The best idea I didn't adopt
Good and redundant are not opposites — they're the most common combination.
- The Program Is the Plan
For many agent workflows, the right abstraction is not another tool call. It is a bounded program over small primitives.
- A Skill Is Not a Prompt
The useful unit in agent systems is not a better instruction. It is a tested capability package: judgment, code, checks, routing, and boundaries.
- The Model Is Not the Unit of Return
Model revenue is not customer return. The economic and risk unit is the harness that turns model output into accountable work.
- After the Harness
Once model companies supply the generic agent harness, the valuable work moves into workflow design, human intervention, domain data, and the definition of good work.
- The SOP Is the Product
Enterprise AI stops being a chatbot when the operating procedure becomes the thing the system can execute, inspect, and improve.
- The Agent Is the Trace
Long-running agents are not defined by the model call. They are defined by the state, rules, tools, failures, and corrections that survive it.
- The frontier is no longer the back office
Ken Griffin watched PhD-level finance work compress from months to days. The interesting question is whether bank AI controls are designed for the layer where the work now lives.
- Agent-Native Onboarding Is Not a Signup Form
If a product wants agents as real users, first-run setup has to be an executable workflow, not a human signup ceremony wrapped in documentation.
- When Code Gets Cheap, Coordination Gets Expensive
Coding agents move the bottleneck from implementation to shared intent.
- After Automation, Judgment Becomes Infrastructure
When execution gets cheap, the scarce work moves to framing, review, and the systems that preserve judgment.
- What a port forgets
Porting a tool's API ports its constraints. Design from the target environment's ideal, then reconcile against the source's primitives.
- What the receipts cost
On the arithmetic and the binary in Susan Zhang's case for technologist careers.
- Recovery Is Not Control
Fast repair is useful, but it does not prove that a system remains understandable.
- The Label Is Not the Risk
AI governance needs domain knowledge where technical behaviour changes route, evidence, controls, and monitoring.
- The Agent Is Not the Control Point
Finance agents are evidence custody systems before they are model systems.
- A Persona Is Not a Control
Assigning roles to AI agents can look like governance. It only becomes useful when the role has a loss function, an evidence boundary, and an output contract.
- Govern the Workflow, Not the Model
Agent governance cannot stop at model behavior. Once AI systems use tools, the governed object is the whole workflow.
- Autonomy Starts at the Check
An agent is not autonomous because it can try a task. It is autonomous when the system can tell whether the task worked.
- Tool Health Is the Missing Layer of Agent-Native Apps
Agent-native apps do not become trustworthy when an agent can call tools. They become trustworthy when the app can prove those tools worked.
- Unknown Is Not Low Risk
Proportionate AI governance only works when the lighter path is earned by evidence, not granted by missing concerns.
- Published Is a Reader State
A system has not published when the source is correct. It has published when the reader-facing surface is correct.
- A Garden Is Not a Changelog
Recent work only becomes public writing when the claim survives the removal of the event that produced it.
- Latest Is a Race Condition
In a concurrent agent system, verifying the latest artefact is not verification. It is a scheduling bet.
- Move the gate to the package manager
When a supply chain attack lands and the timeline is asking for discipline, the durable fix is one layer down — at the package manager, not at your attention span.
- The check belongs at the trigger
Corrections that fire by judgment drift; checks that fire by trigger don't. When your AI assistant keeps making the same mistake, move the gate.
- When defender news weakens the Ask
Citing a vendor defender product in a paper that argues the threat surface is moving faster than controls undercuts the case it is supposed to support.
- The Thirty-Minute Fix for a Non-Existent Bug
If you are about to assert that a tool isn't installed, run `which` first. The check is one line. The cost of skipping it is a half-hour of defensive scaffolding for a problem that wasn't there.
- Lint as Cartography
The first time you run a quality gate against real data, the output is less about the gate and more about the data.