Blog
Security research, incident analysis, and deep technical writing on governing AI agents in production.
Identity Is the Foundation for Control
Every layer of human identity (signature, passport, fingerprint, key) was anchored to a body. Agents have none. The infrastructure we use to identify them today gives every possible answer to 'who acted' at once, and none of them well. What is missing is not a feature. It is an entire ecosystem that recognizes agents as first-class actors.
Access Control Is Missing Its Human
RBAC and ABAC worked for forty years because a second, implicit layer rode on top: a human, slow and suspicious, deciding whether to exercise access. Agents collapse that layer. Every documented agent breach lives in the gap it leaves.
Skills Are the New npm Package
In early 2026, an attacker uploaded 1,184 malicious Skills to a single AI agent marketplace and used one command-and-control IP across all of them. The npm playbook is repeating itself one ecosystem up. Here's what the attacks actually look like, why static scanning isn't enough, and what the runtime defense has to be.
Prompt Injection Is Not the Incident
Prompt injection detection is getting better, but what happens when the exploit doesn't look like an exploit? We split a credential-stealing attack across two normal-looking tickets and watched a coding agent execute both. The fix isn't better detection. It's controlling what agents can do.
Your Agent Passed OAuth. Now What?
OAuth was designed for humans clicking 'Authorize' in a browser. AI agents don't click anything. The protocol's core assumptions (human presence, static scopes, one-time consent, bearer semantics) break in ways that have already caused real breaches. The industry is converging on proof-of-possession. Here's why, and what comes after.
Your Coding Agent Has Your Keys: A Trust Boundary Analysis
When you run a coding agent, it can read every credential on your machine (SSH keys, cloud tokens, API secrets) without asking. It asks before running commands, but the permission is 'allow this command,' not 'allow access to this credential.' The security boundary everyone focuses on is on the wrong side. The real attack surface is the input to the agent's reasoning, not the output.
A Security Scanner Walked Into a Supply Chain: What the LiteLLM Compromise Means for AI Agents
On March 24, 2026, a bug in malware crashed a developer's machine, uncovering a 24-day supply chain attack that turned a security scanner into a weapon against AI infrastructure.