Polleo, an AI-first company

Polleo Blogs.

Field notes from the AI-first frontier — long-form essays on AI security, agentic systems, coding agents, and the architecture of the next software platform. Mirrored from polleoai.substack.com.

If You Are Not LLM, You Are Harness (Part V): Storage Edition

One morning, `claude --resume` printed its banner and hung. `df -h` showed five gigabytes free out of nine hundred and twenty-six. The disk was effectively full and I hadn't been watching. Backup tarballs I'd forgotten, session logs from every project I'd ever worked in, plugin caches downloading themselves invisibly. The body the harness builds keeps everything you ever asked the brain to do. Tame the brain. Keep the body lean.

If You Are Not LLM, You Are Harness (Part IV): Prompt Edition

One morning, every `kb add` command on my personal knowledge base failed with *"Prompt is too long."* The Gryphon meter showed zero percent. I hadn't typed anything different. What had changed was the model dropdown — a quiet swap from the wider-context family down to the narrower one — and the auto-loaded files I'd been adding over the previous year suddenly had nowhere to hide. The harness has weight the chat never shows you. Tame the brain. Weigh the body.

If You Are Not LLM, You Are Harness (Part III): Engineer the Body

Five disciplines a trustworthy AI agent harness must practice: (1) two independent trust decisions, one for convenience and one for danger, not a single decision; (2) quarantine content before it reaches the model; (3) capability-scoped tool execution; (4) audit-by-default; (5) hardening against classic OWASP vulnerabilities — the harness is still software. At Polleo we ship Gryphon, the harness-protection layer for AI agents in an Obsidian vault. Model robustness is the labs' job. Harness security is ours.

If You Are Not LLM, You Are Harness (Part II): Tame the Brain, Protect the Body

A pattern is forming in 2025–2026 agentic-system incident reports: the model isn't being jailbroken — the harness around it is. The body is the failure boundary. Six classes of compromise — direct injection, configuration as instruction surface, memory poisoning, vulnerable agent-written code, privilege amplification, supply-chain — and on top, the harness is still software. SQL injection, path traversal, OWASP Top Ten amplified by a model in the loop. Tame the brain. Protect the body.

If You Are Not LLM, You Are Harness (Part I): LLM Is Commodity, Harness Is Product

A 2026 frontier model with no tools, no memory, no permissions, no orchestration is a brain in a jar — staggering knowledge, zero agency. The brain has crossed the bar. What makes it useful is the harness wrapped around it: the body. Almost all the engineering work in AI has moved to harness work — tools, memory, permissions, sandboxing, evaluation. The model is becoming a commodity. The harness is the product. Train the brain. Engineer the body.

The Cyber Wars — Rogue One (Part IV): Defense Begins With Offense

Part IV extends Part III's economic argument: detection compounds catastrophically against machine-speed offense; prevention compounds favorably. But prevention architecture cannot be specified before the attack-surface map exists. The Rogue One framing carries the piece: a small, fast, AI-augmented offensive team goes in first to produce a reachability graph, not a vulnerability list. Same team, same map, two completely different outcomes — chosen by the org chart. Build the wall. Send Rogue One first.

The Cyber Wars — The Force Awakens (Part III): The Shift in Detection Economics

Detection-first cybersecurity is becoming non-viable — not slow, not inadequate, non-viable. When autonomous offense generates thousands of exploit paths per hour, the input rate exceeds the processing rate by orders of magnitude and the loop cannot close. The 2013 pivot to detection was an economic decision. AI inverts every term in that equation. Prevention pays a fixed cost to remove an entire branch of the threat tree; detection scales linearly with attack volume. The order finally matches the threat shape.

When the Page Fights Back

An agent's WebFetch is an instruction surface, not a passive read. The defense against a hostile webpage isn't "tell the model to be careful" — it's a structural property. Gryphon v1.3 ships a six-layer scrub of fetched HTML: strip `<script>`, strip `<iframe>`, strip `<style>` and `<noscript>`, catch-all tag strip, invisible-Unicode strip on URL/command preview, framing wrapper. Each layer fails closed at its own boundary. Welcome the messenger. Demand the scrub.

The Second Dimension: A Security Model for AI Inside Your Second Brain

Polleo just shipped Gryphon, an Obsidian plugin that brings the AI inside your vault. Bringing the AI inside is the easy half. The hard half is the vigilant guardian between the AI and everything in there. Today's permission systems are one-dimensional — Prompt/Safe/YOLO points on a line. Fine for a coding agent in a scratch dir. Wrong for a vault. Gryphon adds a second dimension: an independent guardrail that holds regardless of convenience. Welcome the AI. Demand the vigilant guardian.

The Cyber Wars — The Phantom Menace (Part II): The Reckoning

Every assumption "Assume Breach and Detect" depended on is now broken — from two independent paths. Path one: AI compresses the classic attack lifecycle from months to hours; Claude Opus 4.6 already finds 500+ high-severity vulnerabilities decades of human review missed. Path two: autonomous agents bypass exploitation entirely — they already have broad execution privileges, so an attacker only needs to poison the agent's intent. The prevention gap the industry spent a decade building has been weaponized.

The Cyber Wars — The Phantom Menace (Part I): The Prevention Gap

For a decade, the industry shifted from prevention to "Assume Breach and Detect." Exploitation was hard, mitigations kept raising the bar, and detection generated visible MTTD/MTTR metrics boards could read. Vendors built businesses around alert-and-respond. R&D migrated away from exploit prevention; the gap became structurally invisible. The model depended on one assumption: exploitation would stay hard and attackers slow enough to catch. That assumption held for a decade. It no longer holds.

Attention Is All You Need — Until AI Brain Fries It

Five terminals open, two Claude Code agents, a SaaS compile, two test runs, a Substack draft on the side — moving faster than ever and unable to hold a single complete thought. AI doesn't just accelerate execution; it makes the interruption pattern external and random. Each cycle forces a cognitive cache miss. At the org level, fewer engineers maintain larger systems and no one holds the whole model. AI didn't remove cognitive limits — it exposed them.

Can AI Coding Agents Be Thrown Into the Real World?

Production systems are shaped by hidden dependencies, legacy scars, and defensive patterns born from past outages — context AI coding agents lack. Throwing an agent at a real codebase isn't a coding problem; it's an architecture problem. Organizations that treat coding agents as autonomous engineers will hit operational failures. Those that treat them as fast implementers guided by strong human architectural oversight will unlock massive productivity gains. The bottleneck moved from writing code to designing what the code lives inside.

Agents Everywhere: Why the Next Software Platform Looks Like an AI Operating System

Software automation has followed the same core pattern for decades: event → process → output. What changed each generation was the intelligence in the middle. Early systems were hardcoded scripts. Cloud and APIs made automation distributed and composable, but decision logic remained static. LLMs introduced dynamic reasoning — agents that interpret context, plan actions, and coordinate at runtime. The emerging architecture mirrors an operating system: foundation models as kernel, agents as processes, tool calls as system calls.

Agentic Systems Security: The Supply Chain Problem, But Worse

Traditional supply chain attacks are bad. Agentic supply chains are worse in kind: dependencies discovered at runtime, no fixed bill of materials, configuration as the new attack surface, and privilege amplifying every compromise. The model interprets text as intent — RCE no longer needs a precision payload. A single quiet directive in a tool response is enough. SBOMs fail when code is generated at runtime. The next leap is architectures that stay secure when context is rewritten.

Context: The Silent Killer of Vibe Coding Productivity

Why does my coding agent crash mid-session? Why does code quality silently degrade the longer I work? Root cause: context. Cursor's unbounded-growth approach hit a billion tokens in five days and crashed at 10GB+ RAM. Claude Code's aggressive compaction silently loses necessary history — three weeks of mobile work were compacted away, and the agent reimplemented the entire map stack from scratch. Models crossed the threshold from helpful to indispensable. The next leap belongs to whoever gives them perfect memory.

Coding Agent: Eight Months Later — The One-Shot Leap and the Systemic Gap That Remains

Eight months of vibe coding under one rule — write zero lines yourself — surfaces a structural leap, not an incremental one. Models like Opus 4.6 and Codex 5.3 deliver complete, production-ready modules in a single shot, as long as scope stays inside a single coherent concern. The failure mode has flipped from "the code does not work" to "the code works for the obvious paths but misses interactions I implicitly assumed were handled." Combinatorial state is the next frontier.

The AI Revolution in Software and Cybersecurity: Why the SaaSpocalypse Is More Than Hype

The SaaSpocalypse debate misses what's actually shifting. Autonomy — the time an AI system sustains useful work without human correction — is roughly doubling every seven months. The coding-agent failure mode has flipped from "cannot complete the task" to "completes it, but needs precise constraints." The dynamic mirrors AlphaGo's flip on human Go. SaaS's economic center of gravity moves toward orchestration, trust, and control; per-seat pricing reshapes to per-invocation; the future is already writing the code.