Articles
Essays and field notes.
What we've learned shipping agentic systems against real production databases.
- Agent–database anti-patterns: a field guide
  Eleven things we see teams do that cause production agent–database incidents, and what to do instead. Compiled from audits and incident reviews.
- Choosing between MCP, function calling, and policy runtimes
  These three terms get conflated. They solve different problems, at different layers, and you usually want at least two of them. A practical disambiguation.
- Designing audit trails LLMs can't tamper with
  When the agent has tools, the audit log becomes a target. Here's how to design one that survives a determined LLM (or a determined attacker reaching the LLM).
- Capability-based security for AI agents
  What it would mean to design agent permissions the way capability-secure operating systems were designed. A blueprint.
- From RAG to safe writes
  Most teams shipped a RAG-only agent in 2024. The next step — letting the agent change state — is a different category of engineering. Here's the path.
- Capability tokens for AI: a primer
  An old idea from operating systems is becoming load-bearing for agent security. Here's what capability tokens are, and why your agent toolkit should think in them.
- The agent–data security gap nobody is talking about
  Most AI safety attention is on the model. The next class of incidents will be at the model–database boundary, and the industry is unprepared.
- Why text-to-SQL fails in production
  It works in demos. It works on a single user's database. It does not work as the safety story for a multi-tenant SaaS agent. Here's the failure-mode catalog.
- Spider benchmark: 0 unsafe operations vs. 23 for text-to-SQL
  We replayed the entire Spider benchmark — 1,034 natural-language queries across 200 databases — through OrmAI and a strong text-to-SQL baseline. Here's what we found.