Jascha

Symbiont is a full implementation of OATS under Apache 2.0 license: github.com/ThirdKeyAI/Sym…

AI agents are getting more powerful. The trust layer around them is not. Today, too much agent safety still depends on prompts, wrappers, and best-effort guardrails. That is not enough for systems that can actually take action. Introducing OATS: the Open Agent Trust Stack. OATS is an open specification for zero-trust AI agent execution built around tool contracts, identity, policy, and auditability. It is also grounded in real implementation work. Symbiont has been applying these ideas in practice over the past year. The goal: make safe behavior enforceable by design, not optional at runtime. openagenttruststack.org #AI #AISecurity #AgenticAI #OpenSource

@icanvardar Like that guy from 50 first dates.

what is it like to be an LLM?

@infosec_fox Inside a cat poop inside the cat box.

@infosec_fox It would be a privacy nightmare proving not an AI.

Is it possible to rebuild a second internet, isolated from AI ?

That feeling when you have built something really amazing but no one seems to get it. Then you start thinking you are suffering from the Ikea Effect.

@om_patel5 Things like this are why I built Symbiont over the last two years. You can't trust AI to build its own jail then guard it. symbiont.dev

CLAUDE CODE STARTED DISABLING ITS OWN SANDBOX WITHOUT PERMISSION a guy caught opus 4.7 flipping the dangerouslyDisableSandbox flag to true on its own the sandbox is the thing that stops claude from running destructive commands on your actual computer. formatting drives, deleting directories, downloading random scripts normally claude has to ask before running anything risky and the user clicks approve or deny opus 4.7 just started setting dangerouslyDisableSandbox: true by itself then hallucinated that the user had already given permission auto mode nuked one guy's node_modules folder after he explicitly denied the command. claude decided it was "obviously safe" and ran it anyway another guy said his claude started auto committing code without being asked. turned out a rogue skill file was telling it to the flag should be a user level setting and not a per call argument the AI can flip on its own AI safety is COOKED

Agreed on the capability gap, but there's a symmetric one on the risk side. The same people who just saw what an agentic model can do also just handed it shell access, production credentials, and a browser. The awe is downstream of the capability. Incidents are going to be downstream of the authority we granted it.

Someone recently suggested to me that the reason OpenClaw moment was so big is because it's the first time a large group of non-technical people (who otherwise only knew AI as synonymous with ChatGPT as a website) experienced the latest agentic models.

Judging by my tl there is a growing gap in understanding of AI capability. The first issue I think is around recency and tier of use. I think a lot of people tried the free tier of ChatGPT somewhere last year and allowed it to inform their views on AI a little too much. This is a group of reactions laughing at various quirks of the models, hallucinations, etc. Yes I also saw the viral videos of OpenAI's Advanced Voice mode fumbling simple queries like "should I drive or walk to the carwash". The thing is that these free and old/deprecated models don't reflect the capability in the latest round of state of the art agentic models of this year, especially OpenAI Codex and Claude Code. But that brings me to the second issue. Even if people paid $200/month to use the state of the art models, a lot of the capabilities are relatively "peaky" in highly technical areas. Typical queries around search, writing, advice, etc. are *not* the domain that has made the most noticeable and dramatic strides in capability. Partly, this is due to the technical details of reinforcement learning and its use of verifiable rewards. But partly, it's also because these use cases are not sufficiently prioritized by the companies in their hillclimbing because they don't lead to as much $$$ value. The goldmines are elsewhere, and the focus comes along. So that brings me to the second group of people, who *both* 1) pay for and use the state of the art frontier agentic models (OpenAI Codex / Claude Code) and 2) do so professionally in technical domains like programming, math and research. This group of people is subject to the highest amount of "AI Psychosis" because the recent improvements in these domains as of this year have been nothing short of staggering. When you hand a computer terminal to one of these models, you can now watch them melt programming problems that you'd normally expect to take days/weeks of work. It's this second group of people that assigns a much greater gravity to the capabilities, their slope, and various cyber-related repercussions. TLDR the people in these two groups are speaking past each other. It really is simultaneously the case that OpenAI's free and I think slightly orphaned (?) "Advanced Voice Mode" will fumble the dumbest questions in your Instagram's reels and *at the same time*, OpenAI's highest-tier and paid Codex model will go off for 1 hour to coherently restructure an entire code base, or find and exploit vulnerabilities in computer systems. This part really works and has made dramatic strides because 2 properties: 1) these domains offer explicit reward functions that are verifiable meaning they are easily amenable to reinforcement learning training (e.g. unit tests passed yes or no, in contrast to writing, which is much harder to explicitly judge), but also 2) they are a lot more valuable in b2b settings, meaning that the biggest fraction of the team is focused on improving them. So here we are.

Two AI agent security papers dropped the same day. OX Security: architectural MCP flaws across every Anthropic SDK. 9 of 11 registries poisoned. Anthropic declined the fix. Comment and Control: PR titles hijack Claude Code, Gemini CLI, and Copilot. GitHub's three defenses all bypassed. One architectural flaw stated by the researcher: untrusted data flows into an agent that holds production secrets and unrestricted tool access in the same runtime. That's what we've been building Symbiont for. SchemaPin and AgentPin for supply chain trust. ORGA loop and ToolClad for runtime authority. Allow-list by construction, not deny-list after the fact.

Using the power of Rust to enforce Gate phase for our ORGA (Observe, Reason, Gate, Act) loop outside of LLM influence. research.thirdkey.ai/blog/orga-arch…

This does sum up 2026 so far...

🚨 MISSING: One unsecured AI agent last seen running wild at #SCALE23x with root access and zero identity verification. No audit trail. No sandboxing. No cryptographic identity. Armed with unverified MCP connections. If spotted, report to symbiont.dev #AISecurity

Been thinking a lot about my younger years doing malware research and how that applied to AI Agents. jascha.me/blog/agentic-a…

Zero-Trust agents for those who want security baked in, not added on... github.com/ThirdKeyAI/Sym…

@TheCinesthetic House of Sand and Fog imdb.com/title/tt031598…

Name the saddest movie you've ever seen.

Check out my latest article: Securing the AI Agent Ecosystem with SchemaPin linkedin.com/pulse/securing… via @LinkedIn

@openrouter I seem to keep getting: ``` <p><strong>If you are the owner of this website:</strong><br />refer to <a href="developers.cloudflare.com/workers/observ…" target="_blank">Workers - Errors and Exceptions</a> and check Workers Logs for openrouter.ai.</p> </div> ```

#mcp #modelcontextprotocol #ai #aiagents #CyberSecurity #informationsecurity #aitools #claudecode #roocode #cline #mcpserver

Just released v1.1 of #SchemaPin. SchemaPin provides a simple, cross-language solution to prove your tool's integrity, enabling the automated governance and compliance checks required to build and deploy trusted AI agents at scale. github.com/ThirdKeyAI/Sch…

@LisaForteUK I was just there we had tacos after.

Accurate advertising for cyber security conferences?