I actually think this is the wrong approach to agent authorization. Here's why:
If you have to explicitly configure each agent's permissions, you've lost. Because you're only going to have patience to configure so many agent permissions. So in this route you can only have a certain relatively small number of agents before configuration fatigue prevents you from making more.
I don't think that's what we want. I don't think that's what's good for AI safety.
What we want is an enormous number of very fine-grained agents. Each task is a new agent. And each task has exactly the permissions needed for that task, no more, no less.
There's really only one known way to make that manageable: Capability-based security.
The basic idea is, when you give the agent a task, you naturally give it the capabilities it needs to perform that task.
Like say you want an agent to review a Google Doc. Today, with a lot of AI assistants "Hey go review the document titled Foo Spec". The agent has permissions to all your docs, so it goes and finds the right one and opens it.
That's wrong.
You should say "Hey, go review this document: <url>"
And then here's the key part: The harness should see that you're pasting a URL, and should infer that you want to give the agent access to that document. Only that document. No other document.
Importantly, you didn't really have to do anything unusual to configure this. You just pasted the URL of the thing you wanted the agent to access. Which you probably would have done anyway.
Sure, it's not always that easy. Maybe you commonly run agents that need access to 10 different things, and it's tedious to paste those 10 URLs every time. So you create some sort of a bundle that you give them.
And of course, the agent should be able to ask for extra things it needs.
But we need to get away from this idea that the agent always starts out with access to everything, even when it doesn't need most of it.
Also, I tend to think all agent authority has to derive from a human -- contrary to what is argued here. Every "autonomous agent" has to report to someone, and uses a subset of that person's authority. This is needed for accountability -- because agents are not accountable. If you see "Claude deleted the database", what are you supposed to do about that? You need to see "Claude acting on behalf of Bob deleted the database".
To be clear, I totally agree that it's problematic when Alice configures an agent with her own credentials and then Bob tells the agent to do something with those credentials. Then you'll see "Claude acting on behalf of Alice", but actually Claude was acting on behalf of Bob. The answer is that Bob should not be able to command Alice's agent. Bob has his own agent, which may have all the same context, but operates with Bob's credentials.
But if Alice sets up an agent for her team, Bob maybe doesn't want to spend time configuring his own version of it with all the same credentials, that's tedious. This has to be automated. I think capabilities make this easier. Alice gave a set of capabilities to her agent. The harness should be able to look at that list, and recreate the same list using Bob's credentials, without Bob having to do much except click "OK".
I realize there's a lot of hand-waving here -- this is a complicated topic. I'll drop some code next week. If you're attending AI Engineer in SF, come to my talk on Tuesday, where I will also only be able to scratch the surface in 20 minutes...
https://t.co/uEct4veukj
One of the most privileged perspective things I have in my career, is working at a place for 10 years. Instead of blaming a rando doing something years ago, increasingly it was me.
A younger, naïve, idealistic me who thought some other sucker would be maintaining this by now.
@ZackKorman Defenders and threat actors have access to the same tools (always have), but one is unfettered to use them, the other is constrained by business realities.
Pentesting is easy. Remediation is hard.
There’s plenty of guides and tutorials and heck even automated scripts to “pwn” stuff.
Theres no tutorials for navigating your orgs relationship complexities & getting the org to understand this stuff is important and you need to prioritize getting it fixed
Re: Mythos
SATAN, patch-diffing, metasploit, all had ppl screaming about an impending apocalypse.
Impactful, but not world ending.
Mainly they remind me of 2 diff quotes:
1) “when the tide goes out.. you discover who's been swimming naked” - Buffet
2) “your cyber systems continue to function and serve you not due to the expertise of your security staff but solely due to the sufferance of your opponents” - Brian Snow
Let me explain these AI layoffs.
The issue is the vast difference in quality of employee between the top 10% and everyone else.
AI can’t come anywhere close (today) to replacing the top performers at a big company.
But they’re spending millions a year on tens of thousands of employees in the bottom 75% of the quality scale.
And AI is now getting good enough to replace THEM. Not directly, yet, but by having top performers do more of their work with AI.
So it’s not that AI is better than top performers. It’s not.
The issue is 90% of employees aren’t in the top 10%. And companies no longer want to pay millions a year for mediocre employees.
They’d rather fire everyone but the best, and have them become 10 or 100x what they were by wielding AI.
This is why you see some people thriving right now and most people are panicking. It’s because most people are in the 90% that companies no longer want.
The solution is to become one of the top 10% type people that companies still desperately need. Or to do your own thing once you get there because you no longer need a company.
But this explains why some are thriving right now while most aren’t.
It’s less about AI and more about the difference between top performers and everyone else.
AI doesn't change fundamentals. What it will do is provide tremendous advantage to those with strong fundamentals and rapidly expose entities that don't.
Have been having many conversations about cyber risk over the past few weeks and with the Mythos announcement, it seems worth sharing my quick takes:
- Over the short term, cyber risk >> bio risk. I am more concerned about a model as good as the best hackers than I am a model as good as the best biologist (because e.g. bio already has a lot of safeguards, there are lots of challenges to accessing resources for bioweapons, etc).
- I am hopeful that long-term, we can reach an equilibrium where software is audited regularly by these models, with lots of pre-deployment testing and patching.
- But that equilibrium is a while off. Short-term, we should expect the offensive/defensive asymmetry to hold (attackers can use frontier models immediately against existing vulnerable infrastructure, while defenders need time to actually patch and rebuild).
- The scaling properties also seem initially unfavourable although not in the limit (i.e., the relative upside to offenders or defenders of having access to a given model).
- We should be very worried about supply chain attacks (e.g. of a similar form to how people used the Anthropic-internal reference in the Claude Code leak). The attack surface is huge and under-audited.
- There is an overemphasis on purely technical risks. Many of the most effective and catastrophic cyber attacks involve a social engineering component which seems easier with AI. Systems can be totally robust but humans are a huge point of failure that is less obviously mitigated by these models.
- Much of the bottleneck on defensive cyber is organisational, not technical (users failing to update, testing and deployment taking time, change management, etc). This matters because it means AI-found vulnerabilities and patches still hit human bottlenecks that attackers don't face.
- I am very glad that staged deployments are happening.
These are the most salient from my conversations over the past few days. I don't think they're particularly novel, interesting, etc and although I have some cyber security experience, it's limited so treat all of the above as somewhat low confidence.
If your response to a highly competent, but imperfect and resource sensitive, vulnerability hunting tool is to conclude this favours *defence*, you and your networks are ngmi.
One does not bug hunt their way to a defendable network. AI does not change that.
This is 100% right.
We have this collective hallucination that enterprises are clean digital organizations... they are not.
They are years of duct tape with mainframes talking to spreadsheets talking to someone's email inbox.
If I remember my history class correctly, electricity existed for 30 years before factories were redesigned to use it. They literally kept the old steam engine layout and just swapped in electric motors. It took a generational turnover before someone said "wait, we can redesign the entire floor plan now."
I think this is exactly where we are with AI.
this is just one data point: but X has the tendency to over-dramatize "vendor 1 is dead" and "vendor 2 is everywhere" feelings
Turns out large companies look for more than indie hackers do when it comes to AI coding tools. Anthropic built a superb coding tool... but not necessarily enterprise-like features that larger co's want and need
I am not sure "Forward Deployed AI Engineers" are going to deliver on what a lot of companies are hoping for. They are useful, yes, but AI applications are far less of a technical issue, and much more about rethinking the deep expertise & structure of your organization around AI.
Very little about software engineering has changed over past last three months.
A great deal has changed about coding, not unlike when we saw the rise of high order programming languages and compilers, the difference today being that the number of developers is far larger and distribution channels are such that the velocity and breadth of change is far greater.
The entire history of software engineering is one of raising the level of abstraction.
If you pay attention he said AI will write all the code (which is happening at Anthropic) and never said they won’t need software engineers.
Turns out software engineers prompting the AI results in much better software, and software engineering is a lot more than writing code!
"The only people truly working "in person" at any of these companies are the 10 or 15 sitting within earshot.
Past a certain size, every company is already remote."
Did malware write this?
But seriously *do not do this* on a machine that touches any information you don’t want hacked/leaked, any software you don’t want remote exploited, any tasks that you don’t want compromised…
I think relatively few people should have the threat model “Adversary is US government and they will have physical control of my person and laptop while also respecting rules” but if that is you, don’t use biometrics, because they do not have testimonial privilege.