Blog
What your agents actually cost, and how to control every tool call they make — permissions, allowlists, audit trails, real metered data, and the occasional incident post-mortem.
/ START HERE
COST · METERED DATA
What 210,000 Agent Tool Calls Actually Cost
Real metered data, not estimates. The tools are nearly free — the bill is the agentic loop, and one model on it drove 80% of the spend.
CATEGORY · WHAT IT IS
Your AI agents need a control plane, not another gateway
API gateways proxy traffic. LLM gateways proxy prompts. Neither governs what an autonomous agent does with your tools. Why the control plane is different.
IDENTITY · THE THREE-PARTY PROBLEM
Your AI Agent Calls Your API. Whose Permissions Is It Using?
Agents call your backend on behalf of users, but your systems can't verify who initiated the request. The identity gap, and the real risk.
RISK · IN THREE STEPS
Stop your AI agent from deleting your production database
If your agent has destructive credentials, it can use them — and recovery is rarely possible. How to put a control plane between its decision and prod.
/ ALL POSTS
Which Claude Code Tools Should You Deny (or Gate Behind Approval) Out of the Box?
One Claude Code session declares 76 tools. The core coding loop isn't the risk — the never-invoked tail is: tools that send, schedule, publish, and spawn. A default posture, argued from blast radius, not asserted.
Jul 5, 2026
AI Agent Tool Allowlists: Deny by Default, Scope per Task, Audit Everything
One Claude Code session declares 76 tools; 64 of them never fire. A tool allowlist is the list of calls your agent may make — everything else denied. How to set one in Claude Code, Codex CLI, and MCP, and where client-side lists stop holding.
Jul 5, 2026
Claude Code's Deny List Can Be Bypassed. Here's What a Real Enforcement Boundary Looks Like.
Deny rules match command strings inside the client — compound commands, substitution, and one documented flag all route around them. Where client-side permissions honestly stop, and what enforcement outside the agent process looks like.
Jul 5, 2026
Claude Code Cost Tracking: Token Counters Tell You What You Spent, Not Where It Went
A real working day of Claude Code: 276 model calls, 1,697 tool calls, $148.16 at API rates — 100% of it loop tax. Why /cost, ccusage, and proxy totals can't show you that, and what per-action attribution looks like.
Jul 5, 2026
Control and Optimize Your Agents, Down to Each Tool Call
You ship an agent and see one answer. Inside, it made 200 tool calls across a dozen model turns, and it cost something different every run. Here's how to see that, control it, and make it cheaper — one tool call at a time.
Jun 30, 2026
Session X-Ray: Debugging a Single Agent Run, Call by Call
The Agent X-ray shows you an agent across all its runs. The Session X-ray opens one run — every call in order, the loop tax inside it, and the single step that cost you. Here's how to read one.
Jun 30, 2026
We Benchmarked 14 Models on Real Agent Runs
Isolated tool-call skill barely predicts whether a model can run an agent. We tested 14 models two ways — and cheap models aren't worse, they're erratic on the loop.
Jun 28, 2026
Full scorecard: seven frameworks, 48 scenarios, one open benchmark
Seven frameworks benchmarked: CrewAI, LangGraph, Claude Code, OpenAI Agents SDK, Anthropic Agent SDK, Cursor, Codex CLI. Native vs ACP. Three score tiers.
Apr 20, 2026
What Is an Agent Harness? (And Why Every Harness Needs a Control Plane)
The model is the smallest part of your agent. Everything around it — the loop, the tools, the memory, the budget — is the harness, and it's where reliability, cost, and risk actually live. Here's what an agent harness is, why harness engineering became a discipline, and the one thing every harness in production still needs.
Jun 30, 2026
We had a Claude agent build a governed AI agent. It picked Microsoft.
We let a fresh AI agent — no prior knowledge of any vendor — build a governed Slack summarizer end-to-end in Python. It searched the web, picked a vendor, ran pip install, wrote 338 lines, verified the audit chain. It picked Microsoft Agent Governance Toolkit. The full discovery path, both code samples, and an honest comparison.
May 1, 2026
Anthropic Agent SDK: Auditable Logging and Governance in TypeScript
The complete TypeScript reference for adding auditable logging, per-user identity, and policy enforcement to Anthropic's Agent SDK and Claude Agent SDK loops.
Apr 27, 2026
The Loop Tax: Why AI Agents Are So Expensive
An agent doesn't make one model call — it makes a chain, re-reading context every turn. That loop is ~89% of the bill. The mechanic, and three levers to cut it.
Jun 26, 2026
How to Govern AI Agent Tool Calls (Before They Run)
Your framework gatekeeps the server, not the call. How to authorize, scope, and audit every agent tool call per user — deterministically, before it executes.
Jun 28, 2026
Agent Access Control: Least-Privilege Scoped Tools
The fastest way to make an agent ungovernable is to give it broad tools. Why least-privilege, scoped tools are the foundation of access control for AI agents.
Jun 28, 2026
Per-User Auth for AutoGen Agents
AutoGen punts authentication to your application code. How to thread the end user's verified identity through to every tool call — with policy and audit per user.
Jun 28, 2026
Cost Per Customer in CrewAI Agents
CrewAI cost tooling stops at the LLM call. How to attribute agent spend per customer, per agent, and split the loop tax from the real work.
Jun 28, 2026
Seven agent frameworks, one backend, governance diverges on 9 of 48 tests
Seven frameworks, one backend, 48 governance scenarios. Scores ranged 37-46. Variance is architectural: where a framework lets you observe tool calls.
Apr 21, 2026
Claude Code's --dangerously-skip-permissions disables every governance hook
Claude Code's --dangerously-skip-permissions silently disables every PreToolUse and PostToolUse hook, including ACP's. How to detect it server-side.
Apr 20, 2026
AI control plane: a buyer's guide
What an AI control plane actually is, the four vendor categories competing for that name, the questions that separate them, and a 14-day evaluation framework you can run before you sign anything.
Apr 30, 2026
CSA Defines the Agentic Control Plane. Here's What We Built.
Cloud Security Alliance just published the Agentic Control Plane framework. We've been building the infrastructure. What's real vs. still theoretical.
Mar 23, 2026
Agentic Data Plane vs Agentic Control Plane
Agentic data plane vs agentic control plane — what each layer does, why you need both, and how they work together to govern AI agents in production.
Feb 23, 2026
What Is an MCP Control Plane?
An MCP control plane adds identity verification, policy enforcement, and audit logging to Model Context Protocol servers — the missing governance layer.
Feb 26, 2026
Why Your API Gateway Can't Control AI Agents
Kong, Apigee, and AWS API Gateway route and rate-limit requests. They can't tell which user an agent acts for, which tool call is destructive, or what a session costs. What agent traffic needs that gateways weren't built for.
Dec 10, 2025
Why Not Just Use OPA and a Service Mesh?
Do OPA, Istio, API gateways, and IAM already solve AI agent governance? Where existing infrastructure fits, where it breaks, and what's still missing.
Mar 25, 2026
When AI Agents Take Real Actions, Who Controls What They're Allowed to Do?
Chatbots read and write text; agents call APIs, change records, and move money. Why every team shipping agents ends up needing per-action permissions, audit trails, and cost limits — the control-plane argument.
Oct 15, 2025
Building the same agent fifteen ways: what each framework taught us about governance
Fifteen frameworks and clients, one agent task. The friction points were different in every runtime — and the patterns that emerge tell you what governance actually has to do, regardless of which framework your team picks.
Apr 24, 2026
If You Can't Tell Who an Agent Request Is For, Nothing Else Works
Permissions, rate limits, and audit logs all fail the same way for AI agents: the request arrives without the user. Why identity is the problem to solve first — before access control, before audit.
Nov 5, 2025
ACP and Okta for AI Agents: composition, not collision
Okta for AI Agents launched today as the identity-perimeter layer for AI agents. ACP runs at the tool-call layer. The two compose into a complete control plane — here's how the layers fit.
Apr 30, 2026
Okta for AI Agents: a technical read on the launch
Okta launched Okta for AI Agents to GA on April 30, 2026. Walking through the architecture, the MCP Bridge approach, the five-question framing, and which agent-governance use cases the launch addresses cleanly.
Apr 30, 2026
ACP and Bedrock AgentCore: how the two layers compose
AWS shipped a real governance product for Bedrock-hosted agents. ACP runs everywhere else. The honest read on when to use which, and why most enterprises will need both.
Apr 30, 2026
OpenAI on Bedrock: what the partnership covers, and what's beyond it
OpenAI models are now on Amazon Bedrock — including GPT-5.5. The deal extends meaningful governance to AWS-hosted agents and surfaces three architectural areas where complementary intercept points are still useful.
Apr 30, 2026
ACP and Microsoft Foundry Agent Service: governance beyond the Azure boundary
Microsoft Foundry ships the most coherent enterprise governance story among the three hyperscalers. Here's where it covers, where it stops, and how ACP composes for everything outside Azure.
Apr 30, 2026
Microsoft open-sourced an Agent Governance Toolkit. Here's what it covers and what it doesn't
April 2026: Microsoft released an open-source policy engine for AI agents — sub-millisecond enforcement, stateless, self-hostable. Read the strengths and the scope honestly.
Apr 30, 2026
ACP and Vertex AI Agent Builder: same ADK code, two governance scopes
Google's Vertex AI Agent Builder gives ADK agents per-agent IAM identities, Cloud API Registry tool governance, and managed Agent Engine. Here's where it covers and how ACP plugs in beyond Google Cloud.
Apr 30, 2026
Gemini Enterprise Agent Platform: Google's hosted-agent answer, and where it composes
April 23, 2026: Google announced the Gemini Enterprise Agent Platform — bundling Vertex Agent Builder, Agents CLI, Agent Runtime, Cloud Run, and GKE Autopilot. Here's what's in it and how it composes with complementary intercept layers.
Apr 30, 2026
SOC 2 and HIPAA for AI agents: the compliance playbook
A control-by-control mapping from SOC 2 trust services criteria and the HIPAA Security Rule to the AI agent governance controls that satisfy them. With evidence-collection guidance, common audit-failure modes, and a one-page checklist.
Apr 30, 2026
Ten questions every CISO should ask about AI agent audit trails
Every governance vendor claims audit trails. Most produce something between an unstructured request log and a real, identity-attributed, tamper-evident record of agent decisions. Here are the ten questions that separate them.
Apr 27, 2026
AI Agent Audit Trails: What CISOs Actually Need to Know
"Which employee accessed patient records through the AI assistant last Tuesday?" Your gateway logs and SIEM can't answer that. What an agent audit trail needs that generic API logs don't have.
Mar 1, 2026
How to Make AI Agents Pass a Compliance Audit (HIPAA, SOC 2, GDPR)
Most AI agents run on shared API keys with no per-user access control and no identity-attributed audit trail — failing every major compliance framework. What auditors actually ask for, and how to produce it.
Jan 22, 2026
EU AI Act Article 14 and AI Agents: Mapping Human Oversight to Delegation Chains
EU AI Act Article 14 requires demonstrable human oversight from Aug 2, 2026. How ADCS delegation chains map to 14(4)(a)-(e) with auditor-ready artifacts.
Apr 16, 2026
NIST Just Defined Identity for AI Agents. Here's What Changes.
NIST's AI Agent Standards Initiative is the first federal move on identity and authorization for autonomous agents. The architectural asks are clear.
Mar 15, 2026
How an Agentic Control Plane Addresses Every OWASP Agentic Top 10 Risk
A risk-by-risk mapping of OWASP's Agentic Top 10 to specific control plane capabilities — from the governance layer, not the model or app layer.
Mar 25, 2026
AI Agent Identity: The Problem No One Has Solved Yet
Okta, AD, and OAuth authenticate humans at login. An agent acts for a user across thousands of tool calls after login — and your IAM stack has no concept of it. Why proving who an agent acts for needs a different layer.
Mar 4, 2026
Your Backend Can't Tell Which User an AI Agent Is Acting For
I built an MCP server, connected it to real customer data, then read my backend logs: every request was the same service account. How agent requests lose the user — and how to bind identity to every call.
Mar 10, 2026
Per-Call Permissions for AI Agents: Why RBAC Breaks at Agent Speed
Your RBAC assigns roles at login. Your agent makes 47 tool calls in 90 seconds. Why agents need deny-by-default permissions checked on every tool call — and what that looks like in practice.
Mar 20, 2026
Point-in-Time Audits Can't Keep Up With AI Agents. Check Every Tool Call Instead.
Your SOC 2 audit covered 90 days; your agents made 2.3 million tool calls in that window. Why annual evidence breaks for agents, and what checking identity, permissions, and budget on every call looks like.
Mar 18, 2026
The MCP Security Checklist for Enterprise Teams
A 10-point security checklist for teams deploying MCP servers in production. Covers identity, auth, PII, rate limits, audit trails, and more.
Mar 22, 2026
Stop your AI agent from running `rm -rf` on your filesystem — in three steps
Cursor and Claude Code agents have wiped home directories mid-session. The fix isn't smarter prompting — it's a control plane between the agent's tool call and your filesystem. Here's the exact configuration.
Apr 26, 2026
Stop your AI agent from leaking secrets in your `.env` file — in three steps
AI coding agents read your .env files by default. They quote secrets back into commits, paste them into chat logs, and surface them in tool outputs. Here's how to gate that without breaking your agent's actual job.
Apr 26, 2026
Stop your AI agent from leaking PII through tool calls — in three steps
Your AI agent runs SELECT email FROM users and gets back a list of customer emails. Now those emails are in the LLM's context, your conversation logs, and any downstream tool the agent calls afterward. The fix isn't smarter prompting — it's tool-output PII redaction at the gateway.
May 1, 2026
Stop your AI agent from rewriting your git history — in three steps
Claude Code, Cline, and Cursor agents have force-pushed over teammates' work, reset uncommitted changes, and stripped commits from production branches. The model can't see what you'd lose. A control plane between the agent and your git remote can.
Apr 26, 2026
Stop your AI agent from being weaponized by a malicious package — in three steps
The Nx s1ngularity attack used local Claude, Gemini, and Q CLIs to recon for SSH keys, .env files, and GitHub tokens. 2,349 secrets were exfiltrated. The control plane your AI agent needs is the same one that catches this — but you have to install it before the next compromise lands.
Apr 26, 2026
Stop your AI agent from touching files outside your project — in three steps
Cursor and GitHub Copilot agents have wandered into Documents folders, root drives, and home directories — deleting files that had nothing to do with the project they were working on. The control-plane fix is workspace-scoping at the hook layer.
Apr 26, 2026
Stop your AI agent from dropping a Kubernetes namespace — in three steps
An autonomous agent with kubectl access can `kubectl delete namespace prod` in one tool call. The OS doesn't ask twice. The control plane between the agent's intent and your cluster has to.
Apr 26, 2026
Stop your AI agent from escalating IAM permissions — in three steps
If your agent can call `iam:CreatePolicy`, `iam:AttachRolePolicy`, or `gcloud projects add-iam-policy-binding`, it can grant itself anything the underlying credential allows. The blast radius of one bad tool call is your entire cloud account.
Apr 26, 2026
Stop your AI agent from making payments without approval — in three steps
Agentic commerce SDKs from Stripe, Visa, and Mastercard give your AI agent the ability to charge cards, transfer funds, and authorize subscriptions. One bad tool call is one real-world transaction. Here's how to put approval in the loop where it matters.
Apr 26, 2026
Stop your AI agent from burning through your API budget — in three steps
Cursor agents have looped overnight and burned $135 of credits in a week. Codex sub-agents have run $350 over plan. A leaked GCP key produced an $18,000 bill. The fix isn't smarter prompting — it's a control plane with rate limits and budget caps.
Apr 26, 2026
Your API Keys Already Give Agents Production Access
Every API key in your env vars lets an agent act with full access and no user identity. Most teams don't notice until something breaks in production.
Mar 14, 2026
I Audited 7,522 AI Agent Skills. Here's What I Found.
A first-hand static analysis of every skill on ClawHub — the real numbers on credential leaks, prompt injection, and what registry moderation actually catches.
Mar 25, 2026
WebMCP Ships Without Agent Identity. Here's Why That Matters.
W3C WebMCP gives browsers a native API for AI agents to call site tools — but ships with no agent identity, scoped permissions, or delegation context.
Mar 19, 2026
Codex CLI Hooks: PreToolUse & PostToolUse Reference
How Codex CLI hooks work: enable the codex_hooks flag, what PreToolUse covers (Bash only, by design), why only deny is operational, and how to govern apply_patch and MCP calls.
Apr 30, 2026
Introducing ADCS — an open spec for agent-to-agent delegation chains
ADCS v0.1: an open JSON spec for agent delegation chains — scope intersection, budget propagation, cycle prevention, identity, audit. Ref impl shipping.
Apr 16, 2026
Recommended governance deployment patterns — pick the one that scores highest for your stack
AgentGovBench scores across seven frameworks, translated into a customer-facing recommendation for deploying governed AI agents by stack, score, and reach.
Apr 20, 2026
How we think about testing AI agent governance
AgentGovBench is an open, NIST-mapped benchmark for AI agent governance. We ran it against ACP. What broke, what shipped, how to run it on your deployment.
Apr 20, 2026
Reproduce AgentGovBench on your stack — full setup guide
Step-by-step guide to running the AgentGovBench scorecard against your own ACP deployment: required env, Firebase setup, common issues, reading results.
Apr 20, 2026
How AgentGovBench's 48 scenarios map to NIST AI RMF 1.0
AgentGovBench scenarios cite specific NIST AI RMF 1.0 controls — MAP, MEASURE, MANAGE, GOVERN. The full mapping for procurement teams citing controls.
Apr 20, 2026
Build a governed GitHub PR reviewer in Python (with subagent delegation)
A Python AI agent that reviews pull requests, spawns a security-scanner and a test-runner as scope-narrowed subagents, and ships an audit chain back to the human reviewer. Full working code. ~210 lines.
May 1, 2026
Build a governed multi-step research agent (delegation chain across 4 hops)
A Python research agent that decomposes a question, spawns parallel search subagents, then a synthesizer subagent — with a 4-deep delegation chain that traces every tool call back to the human asker. ~230 lines.
May 1, 2026
Log and Control Every Claude Code Tool Call in 60 Seconds
One command puts a hook on every Claude Code tool call. Bash, Read, Write, Edit, WebFetch — logged, checked against your allow/deny rules, visible in a dashboard.
Apr 6, 2026
Allow, Deny, and Audit Every Tool Call in the Anthropic Agent SDK
Anthropic's Agent SDK makes multi-skill agents easy to ship — and trusts them completely. How to scope permissions and get an audit trail on every skill, tool call, and sub-agent hop.
Apr 10, 2026
Add Per-User Permissions and Audit to LangGraph in 3 Minutes
Wrap your LangGraph tools with one decorator and bind the user's JWT — every tool call across every node is permission-checked, identity-attributed, and logged. Three minutes from `pip install` to running.
Apr 12, 2026
Governed Google ADK in 3 minutes
Add ACP governance to a Google Agent Development Kit (ADK) agent in three minutes. One @governed decorator, one set_context call, every tool call audited and policy-checked. Works with direct Gemini and Vertex AI.
Apr 27, 2026
Does the Anthropic Agent SDK Have Governance?
The Anthropic Agent SDK ships no per-user identity, policy, or audit. Here's the governance gap — and how to close it with one wrapper around your handlers.
Apr 20, 2026
CrewAI's task handoffs lose the audit trail — here's the gap and the fix
CrewAI's Hierarchical Process delegates manager-to-worker without carrying the chain. Even with @governed, audit logs show worker as top-level. The fix.
Apr 20, 2026
LangGraph's StateGraph checkpoints don't replay through governance
LangGraph checkpoint replays skip the governance pipeline — policy changes between original run and replay are silently ignored. The failure mode and fix.
Apr 20, 2026
How to Connect Salesforce to Claude Desktop in 5 Minutes
Step-by-step guide to connecting Salesforce CRM data to Claude Desktop using ACP's MCP gateway. Query contacts, deals, and reports from your AI assistant.
Mar 21, 2026
How to Trigger a Governed AI Agent from n8n, Zapier, or Any Webhook
Step-by-step guide to invoking AI agents via HTTP from workflow automation tools. Every tool call is identity-verified, rate-limited, and audit-logged.
Mar 24, 2026
How to Rate-Limit an MCP Server (Per-User, Per-Tool, Per-Agent)
MCP servers are rate-limit-blind — they see the LLM runtime's service account, not the user. How to add per-user, per-tool, per-agent limits in MCP.
Apr 16, 2026
Governing CrewAI A2A Delegation: a production setup guide
CrewAI shipped a first-class A2A delegation primitive. Full walkthrough: install, configure, govern, audit CrewAI A2A crews with scope and budget caps.
Apr 16, 2026
How to Add Per-User Authentication to a LangGraph Agent
LangGraph agents run on a shared API key by default — every tool call looks the same. Add per-user auth, identity-attributed audit, and rate limits.
Apr 16, 2026
MCP Re-Auth: What ChatGPT Actually Needs When Tokens Expire
ChatGPT won't re-trigger OAuth on HTTP 401 or JSON-RPC errors — it needs a JSON-RPC success envelope with _meta. The signal, and how a gateway emits it.
Mar 16, 2026
Can You Prove What Your AI Agent Did? I Checked 8,216 MCP Servers.
74.9% of MCP servers have no mention of audit logging. The MCP spec defines zero audit primitives. Here's why that's a compliance problem.
Mar 30, 2026
MCP Servers Proxy Paid APIs With No Rate Limits. I Calculated the Blast Radius.
180 MCP servers proxy calls to paid APIs like OpenAI and Stripe. 85% document no rate limits. An agent retry loop can cost $1,080/hour.
Mar 31, 2026
8,216 MCP Servers, 7,840 Tools, Zero Input Validation
Analysis of 8,216 MCP servers: 2,432 expose high-risk inputs — SQL, file paths, shell commands — with zero validation constraints in the tool schema.
Mar 29, 2026
4 Security Vulnerabilities Hiding in Your MCP Server's Tool Schema
Real CVEs trace back to unconstrained tool schemas. From 8,216 MCP servers: the JSON patterns behind path traversal, SSRF, injection, and how to fix each.
Apr 2, 2026
I Classified 8,000+ MCP Servers by Auth Appropriateness. Most Get It Wrong.
A static analysis of 8,216 MCP servers across 4 registries. 50.6% have no auth. But the real question is: do they have the right auth for what they do?
Mar 28, 2026
MCP Gateway Comparison (2026): Composio vs ACP vs DIY
An honest comparison of MCP gateway options. When to use ACP Cloud, Composio, or build your own with open-source tools.
Apr 1, 2026
MCP Moves the Tool Calls. Nothing in It Decides What's Allowed.
MCP defines how agents call tools. It doesn't say who may call what, with which permissions, or leave an audit trail. What the protocol covers — and the allow/deny layer you still have to add yourself.
Mar 17, 2026
PII in Prompts: What You're Probably Leaking
Users paste PII into your AI app. It goes straight to the LLM. That's a compliance problem.
Nov 19, 2025
Your Agent's Bottleneck Is Almost Never the Model
We metered a few hundred real agent runs to study where cost and reliability actually come from. The recurring answer: not the model — the harness around it. An intro to a series of measured findings.
Jul 10, 2026
One Sentence in Our System Prompt Doubled the Agent's Bill
A live spend counter we injected to keep agents on budget was silently disabling prompt caching — and more than doubling the cost of exactly the agents it was meant to protect. Metered before/after inside.
Jul 10, 2026
Your Agent's Last Move Should Be a Tool Call, Not Text
28% of our agent runs silently returned nothing. The fix wasn't a retry — it was a design rule: agents should deliver results through a tool call, never a free-text turn. Measured data inside.
Jul 10, 2026
Don't Give Up on Cheap Models — Give Up on Fragile Loops
Gemini Flash looked like an unreliable agent orchestrator — it delivered less than half the time. One trace showed why, and one small loop change made it deliver 100% of the time at the same quality as a model 14× more expensive per successful result.
Jul 10, 2026
Why Not Just Use Your Database's Permissions?
Row-level security and database grants already exist — so why do AI agents need a control plane? Where native permissions hold, where they go blind, and what's genuinely missing.
Jul 8, 2026
Inside the ACP Console: My Own Agents, Real Data, Every Screen
The hardest thing to convey about a control plane is what you actually see once agents run through it. So here's my own workspace — the agents behind Calafia, running for real — walked screen by screen. Every number is real.
Jul 2, 2026
Microsoft's Agent Governance Toolkit Validates the Control Plane — and Leaves Out the Meter
We read the AGT source. What Microsoft got right about governing agent actions, what a library structurally can't do, and why splitting governance from cost is the wrong lesson to take.
Jul 1, 2026
When to Use an Agentic Control Plane (and When to Reach for a Sandbox)
A control plane is a reference monitor — it only holds on a boundary it can completely mediate. Here's honestly where ACP fits, where a sandbox is the right answer, and how they compose.
Jun 28, 2026
What our scheduled agents can't do — and why that's the point
An agent that builds agents ships them to run unattended, taking real actions while no one watches. The control that makes that safe isn't a smarter prompt — it's a deterministic, tier-aware default-deny that decides every tool call before it runs.
Jun 21, 2026
One step is 90% of our agent's model bill — on purpose
We metered every tool call our agent builder makes. A single step accounts for 90% of the model spend. That's not a leak — it's the result of routing each step to the model it actually needs, which you can only do when cost is attributed per call.
Jun 21, 2026
Our agent got quietly worse, and nothing errored
An agent that crashes is the easy case. An agent that silently produces worse output — same inputs, no exception, no alert — is the hard one. How our agent builder's own audit log caught it running the wrong model on the paths nobody watches.
Jun 21, 2026
Hermes Agent is now the easiest coding agent to govern with ACP
Nous Research's Hermes Agent ships native pre/post tool-call hooks that cover every tool — terminal, file, web, browser, vision, custom skills. No feature flag, no Bash-only gap, no MCP supplement required. Here's what the new hermes-acp plugin does and why Hermes turned out to be the cleanest integration we've built.
May 26, 2026
Build a governed SQL agent that scrubs PII from query results (Python, runnable)
A Python AI agent that runs natural-language queries against a Postgres warehouse, with tool-output PII scrubbing happening at the governance layer — not in agent code. The agent never sees raw customer data. ~180 lines.
May 1, 2026
Build a governed customer-support email triage agent (with human-in-the-loop on sensitive sends)
A Python agent that classifies incoming support email, drafts replies, and asks for human approval before any reply that mentions refunds, account closure, or escalations is sent. The 'ask' decision flow, in working code. ~190 lines.
May 1, 2026
Decorator, proxy, hook — three patterns for agent governance, three different scorecards
Why CrewAI + ACP scores 40/48 but Claude Code + ACP scores 43/48 on the same backend. Three integration patterns, three scorecards — where each wins.
Apr 20, 2026
OpenAI Frontier Gets the Problem Right — and Puts the Controls in the Wrong Place
Frontier names the real bottleneck: agent identity, permissions, audit. But putting those controls inside the model vendor is banks auditing themselves. Where the control layer has to live, and why.
Feb 12, 2026