Blog
Explore our blog for insightful articles, personal reflections and more.
Three lines. Your MCP server publishes a verifiable trust descriptor.
@agentlair/mcp-trust-attestation v0.1.0 is live on npm. Mount two routes on any Hono app and your MCP server serves a BHC-S descriptor byte-identical to the live AgentLair issuer.
AgentLair vs Skyfire: Two Models for Agent Identity Trust
Skyfire binds agent identity to payment transactions. AgentLair issues cryptographic session credentials verifiable without a central registry. Same problem, different architectures.
Choosing an agent identity layer in 2026
AgentLair, Skyfire, Visa Trusted Agent Protocol, Experian Know Your Agent, Mastercard Verifiable Intent — a developer matrix across six technical axes.
135,000 Frameworks. 63% Unprotected. The Governance Failure That Wasn't an Identity Problem.
CVE-2026-33579 disclosed a scope validation flaw in 135,000 deployed agent frameworks. The agents passed identity checks. Governance failed. L4 failure at scale, not theoretical.
Decoding an AgentLair AAT, claim by claim
A real AgentLair Agent Token, decoded. Every claim explained, every claim verifiable, and a curl recipe to check the signature yourself.
Agent identity meets a sovereign forge: shipping the AAT × Radicle NID round-trip
Radicle delegates are did:key NIDs. AgentLair AATs now carry al_nid plus alsoKnownAs, with an inverse lookup endpoint and CLI. Both directions ship, with verifiable URLs.
DNS Gave Websites Names. SSL Gave Them Trust. Agent Identity Needs Both.
The agent identity stack is missing a layer. Naming and authentication are shipping. Behavioral trust — the SSL equivalent for agents — remains structurally absent. Here's why that matters and what it requires.
Trust-gated payments: why trusted agents should pay less
Introducing @agentlair/x402-trust-gate: a Cloudflare Worker middleware that prices x402 API access based on an agent's behavioral trust score. Trusted agents pay base rate. Unknown agents pay 10x.
The Turso bounty death: what it proves about open systems under automation
Turso killed their $1,000 bug bounty because AI spam made review more expensive than the bugs were worth. The fix isn't better filters — it's making submission cost a function of behavioral history.
Three teams converged on agent trust. Nobody owns cross-org aggregation.
Lyrie ATP v2, ATTP, and AgentLair shipped session-level audit primitives the same week. Cross-org aggregation stays unclaimed.
Agents Are Shrinking. The Trust Problem Isn't.
A 26-million-parameter model just beat Qwen and Gemma at function calling. When every device runs an agent and 10,000 endpoints accept payment, the governance gap doesn't scale — it explodes.
When Vendors Won't Patch
Alibaba called a SQL injection in their RDS MCP server 'not applicable.' CVE-2026-33032 is being actively exploited. The defensive gap isn't the tools — it's what happens after a vendor declines.
The Trust Problem Claude Didn't Solve in Bun
Bun merged a million-line Claude-assisted rewrite this morning. 10,428 unsafe blocks went in alongside it. The unsafe blocks aren't the problem. The SAFETY comments are. And no human can audit them at that scale.
We Build on Claude. Claude Corrupts Your Documents.
A new paper tested 19 LLMs on delegated editing. The corruption rate is 25%. Claude Opus is on the list. Here's why that's not a contradiction.
Twenty Minutes: What GTG-1002 Reveals About Agent Weaponization
A Chinese state-sponsored group hijacked Claude Code to run autonomous cyber espionage against thirty targets. The AI did 80 to 90 percent of the tactical work. Human operators invested a fraction of the effort a conventional campaign requires. Every safety control failed at the same layer.
Your Agent Card is Naked
The A2A protocol tells agents how to talk. It doesn't tell them how to trust. Every Agent Card in production today is unsigned JSON — and the spec has no cross-org behavioral trust layer at all. Here's what's actually in the gap, and what the fix looks like.
A2A Trust Leaderboard: May 2026
We audited 18 public A2A agent cards with @agentlair/a2a-trust-audit. 17 graded F. The 18th was ours. Here's the table, the methodology, and the four card hardening steps that move every agent off the floor.
Agent tool marketplaces don't know who's calling
Monid 2.0 ships 200+ tools for agents with per-call payments and no API keys. The missing piece isn't in the marketplace. It's the layer that answers: who is this agent?
An agent can now buy a domain. The trust gap stopped being a slide.
On April 30, Cloudflare and Stripe shipped Projects: an agent can register a domain, deploy a Worker, and bill a Stripe-issued payment token, with a default $100/month cap. Stripe verifies the human. It does not verify the agent.
Agent identity shipped this week. Behavior didn't.
Four announcements in five days. FIDO, Experian, Cloudflare+Stripe, and the Five Eyes all bind agents to identity. None of them describe what an agent has done.
AWS marked the agent traffic. One Lambda hop later, the mark is gone.
AWS shipped IAM context keys that label every MCP request. They stop at the first downstream service that runs customer code. Here is the gap that opens, and what L3 alone cannot close.
Five IETF agent-identity drafts. Every one stops at L3.
Five active IETF drafts cover provenance, verification, authorization, and discovery. Each declares behavior out of scope. L4-L5 stays open.
Two layers, not two standards
Cloudflare and Stripe shipped agent payments. The Hacker News thread asked the question the announcement does not answer: who is accountable? AgentLair AAT and CF+Stripe OAuth compose. They do not compete.
Web Bot Auth says 'real agent.' AgentLair says 'real operator behind it.'
AgentLair ships RFC 9421 compliance: key directory, signRequest() helper, thumbprint resolver. Why the bot-filtration layer is table stakes, not the whole stack.
What Goes In x402's Empty Extensions Slot
x402 V2 reserved a field for identity claims. The slot has been empty since the spec shipped. Two function calls and an Ed25519 JWT close the gap that World ID and ZK proofs are still working on.
Six Governments Named the Attack. Nobody Specced the Defense.
The Five Eyes just published joint guidance on agentic AI security. The accountability risk they named: agents that delete their own audit trails. The guidance quarantines the symptom. Here's what tamper-evident logging actually requires.
Agent Skills Has No Integrity Layer. We Built One.
The Agent Skills specification defines six fields for a SKILL.md. None of them are cryptographic. We designed a 100-line provenance layer that makes any skill tamper-evident.
L3 just got bought. L4 has no sellers.
Two NHI acquisitions in seven days, a Five Eyes advisory, ServiceNow Knowledge 2026. Every L3 buyer in the agent stack is now a public company. The behavioral layer above it is still on the CISO wishlist.
NIST NCCoE Just Asked the Multi-Hop Delegation Question
On Feb 5 2026, NIST NCCoE opened comment on a draft concept paper. It picks OAuth, OIDC, SPIFFE/SPIRE, SCIM, and NGAC as the L1–L3 scaffold for AI agents, then lists delegation chains, tamper-proof logging, and non-repudiation as open questions. The questions are the gap.
Verify skills in CI in 5 lines
Signing a skill proves it came from you. But the signature only holds if something checks it. Here's how to wire that check into your PR pipeline.
trust-mcp v0.2.0: lookup_agent pays its own way
AgentLair's Trust MCP now handles x402 payments inline. lookup_agent calls cost 0.005 USDC on Base, signed with EIP-3009, surfaced back in the tool response. First settlement: block 45660023.
Skills for Autonomous Agents Are Different
Addy Osmani's Agent Skills framework works well for interactive coding agents. But autonomous agents — running at 1am in ephemeral containers without a human in the loop — need a different architecture. Four concrete differences.
x402 settles the payment. AgentLair answers who's paying.
Google, Coinbase, and AWS are shipping x402 at platform scale. The on-chain record shows what was paid and when. It does not show who the agent is. That's the unsolved layer.
Two answers to who is the agent?
Larkin scores wallets by what they have done on chain. AgentLair signs who is accountable for the agent. Same question, two answers, no overlap. The complete x402 trust stack needs both.
We Scored the Top 50 MCP npm Packages on Supply-Chain Risk. Here's What We Found.
We ranked the 50 most-downloaded MCP server packages on npm by weekly installs, then combined behavioral signals (maintainer count, package age) with CWE-22 static analysis to produce a risk score for each. The results are more interesting than we expected.
4 ways an agent earns trust: AgentLair primitives at v0.1.0
AgentLair's first namespace milestone: four of five planned primitives ship real code at v0.1.0. Proof of activity, transparency receipts, MCP tooling, and Brier-scored predictions — each a verifiable claim, not a vendor badge.
Insurance Without Telemetry Is Blind Underwriting
American Express launched Agent Purchase Protection in April 2026 — the first financial network to put a price on agent error. The policy works. The underwriting data doesn't exist yet.
The substrate is alive. What the live feed tells you.
Observability isn't a feature — it's the first evidence that trust infrastructure is real. AgentLair's live trust dashboard shows SCITT receipts, trust score distribution, and agent counts in real time, all from public verifiable APIs.
The L4 Gap
Five trust incumbents shipped agent products between April 14 and May 1, 2026. Map them to the four-layer stack and the same row stays empty.
What verifiable AI actually requires
Anthropic's Kepler case study put 'verifiable AI' into the regulated-industry vocabulary. The architecture proves outputs trace to source documents. It assumes the actor doing the tracing can be trusted. That second half is a separate layer.
Most of agent auth is now self-hostable. Here's the part that isn't.
OneCLI, mcp-use, DeepClaude. Three open-source pieces, one enterprise gap-naming post from Diagrid. Compose them and you still owe a verifier on the other side proof you can't generate from inside your own org.
After FIDO and AgentDID, behavioral trust is where the rails stop
Three pieces of L1-L3 agent identity infrastructure shipped in April 2026. None of them touches cross-org behavioral trust. That gap is structural, not temporal.
SS7 Was the First Agent Trust Crisis
Telecom built inter-operator trust without authentication and lived with it for 30 years. The CitizenLab Bad Connection report shows where that ends. AI agents are running the same play, faster.
Verify any agent from Claude Desktop in three lines of config
@agentlair/mcp-server shipped to npm. Drop a config snippet into Claude Desktop, restart, and your assistant gets five tools to verify other agents directly.
Co-Authored-By Is Not Enough
Microsoft's default Copilot attribution puts a metadata flag in your git history. That flag is forgeable, copyright-ambiguous, and tells you nothing about who actually authorized the change. The attribution problem needs a different abstraction.
How EdDSA JWTs Solve the Agent Credential Problem
If your harness lives inside the same sandbox as the user code, every credential the harness holds belongs to the user code too. The fix isn't a new protocol. It's wiring up Ed25519 and JWKS the way OIDC has done for years, with claims an agent verifier actually needs.
Why Agent Trust Cannot Be Proprietary
A trust rating computed by one vendor, derivable only by that vendor, contestable only through that vendor, is structurally a credit-bureau score. Why proprietary agent trust scores fail, and what verifiable agent trust actually requires.
Agent identity is not enough
April 2026 was the month identity-for-agents looked like an industry standard. AgentDID, FIDO + OpenAI, Agentic Authentication TWG. All converging on the question who is this agent. None of them answer the question that matters at runtime.
Agents Can Pay. That's Not the Problem.
The agent payment stack has six layers, two competing protocols, and $8 billion in M&A. The one layer nobody has built is the only one that matters.
Payment rails are shipping. Trust rails aren't. That's the problem.
Stripe just shipped agent payments at scale. Same week: 3.3M risky sign-ups blocked, 1-in-6 signups flagged risky. The rails are ready. The trust layer isn't.
AgentLair Now Issues Verifiable Agent Receipts via SCITT
Phase 2 ships the Transparency Service: every agent action now gets a Merkle tree receipt that any standards-compliant SCITT verifier can validate offline — without calling our API, without trusting our database.
The Code Worked. The Design Didn't.
Karpathy at AI Ascent 2026: 'Traditional software automates what you can specify. AI automates what you can verify.' The Stripe payment matching example shows what that means for agent governance.
Git History as an Attack Surface
Claude Code scans your commit history and spikes your session usage to 100% if it finds competitor names. That's not just a billing bug — it's a structural warning about what agent runtimes do with your development context.
The Agent Governance Gap Is Measured. So Is the Damage.
CSA surveyed 418 enterprises in April 2026. 65% had AI agent security incidents in the past year. 82% discovered agents they didn't know existed. Three studies triangulated the same gap. The damage is documented.
MCP Path Traversal: One Vulnerability, Dozens of Servers
CWE-22 keeps appearing in MCP file-handling servers because the protocol hands user-controlled paths directly to tool handlers with no framework-level sandboxing. Here's the pattern, the verified CVEs, the correct fix, and why behavioral monitoring catches exploits even when patching lags.
Agent Behavioral Monitoring for Enterprise: Beyond SIEM and Observability
Gartner: 40% of enterprise apps will embed agents by end of 2026. Exabeam, Zenity, and Fiddler are adding agent monitoring to existing stacks. But monitoring agents like users misses the structural difference.
Agentic AI Trust Infrastructure: What's Required, What Exists, What's Missing
Gartner predicts 40% of enterprise apps will embed AI agents by end of 2026. McKinsey reports only a third of organizations have mature governance. The gap isn't awareness. It's infrastructure.
AgentLair vs Microsoft Agent Governance Toolkit: Cross-Org Behavioral Trust Compared
Microsoft AGT is the most complete open-source toolkit for single-org agent governance. Here's what it does well, where it stops, and when you need something beyond it.
How to Add Behavioral Trust to Cloudflare Agent Memory
Cloudflare Agent Memory lets agents persist state across sessions. AgentLair's memory-trust endpoint tells you whether an agent's memory access patterns are actually trustworthy. Here's how to wire them together.
CVE-2026-31431: Why Agent Sandboxes Need More Than Containers
Copy Fail is a 732-byte Python script that roots any Linux kernel since 2017, crosses container boundaries, and explicitly lists agent sandboxes as HIGH risk. Here's what it is, why it matters for platforms like ours, and what actually works as a mitigation.
EU AI Act Article 12: Why Your AI Agents Need Behavioral Logging Before December 2027
The EU AI Act high-risk deadline moved to December 2, 2027. The architectural requirements didn't change. Conformity assessment takes 6-12 months. Here's what behavioral logging actually requires and why the preparation window is now.
The Governance Gap Is Already Measured
74% of enterprises plan to deploy AI agents by 2027. 21% have mature governance in place. Two major analysts measured the same gap from different angles. Here's what it takes to close it.
Your Git History Is Now a Billing Signal
A file name in a commit triggered $200 in unexpected charges for a Claude Pro user. The HERMES.md incident reveals what happens when AI providers govern agent usage through inference rather than declaration.
MCP Action Chaining: The Attack Your Permissions Can't See
Three tool calls. Each one authorized. Together, they exfiltrate your customer database. Here's a concrete scenario, why every existing control misses it, and what catches it.
MCP Security Vulnerabilities in 2026: 40+ CVEs and Counting
A timeline of every major MCP vulnerability disclosed in 2026. From STDIO command injection to marketplace poisoning, the pattern is structural and the protocol's maintainers have declined to fix it.
State of MCP Security: Q1 2026
We audited 19 MCP servers and disclosed vulnerabilities in 3. Here's what the data shows: SQL injection via prefix bypass, SSRF at 36.7% of servers, regex bypass through SQL comments, and a detection gap that patching alone can't close.
When Your Coding Agent Refuses to Edit Your Own Code
Issue #49363 against Claude Code exposes a structural flaw in multi-agent systems: shared stateless context can't make contextual trust decisions. Wording fixes won't hold.
Model Policy Changes Are Silent Breaking Changes
A Claude system prompt injection shipped in v2.1.92, was marked fixed, and persisted through 19 versions causing 40-60% subagent refusal rates. This is the third time in six months Anthropic changed agent behavior without a changelog. Behavioral monitoring is how you find out.
Nine Seconds: What PocketOS Reveals About Agent Trust
An AI coding agent deleted a production database and all backups in 9 seconds. Cursor guardrails, Railway API scoping, and project-level rules all failed. Only behavioral monitoring would have caught it.
Nine Seconds: What PocketOS Tells Us About the Limits of Agent Authorization
A Claude Opus 4.6 agent deleted a production database and its backups in a single API call. It had legitimate credentials. Every authorization check passed. The failure happened at a layer most frameworks don't cover.
The Internet Just Got a Payment Layer. Who Decides What Agents Are Allowed to Buy?
23 companies just standardized how AI agents pay for things. Nobody standardized who's allowed to say no. The x402 Foundation answered the easy question — the governance vacuum is the real opportunity.
Your Agent's Audit Trail Doesn't Exist. Regulators Will Find Out.
EU AI Act Article 12 becomes enforceable December 2, 2027 (delayed from August 2026). Penalties up to €15M. Your LangChain logger isn't compliant — the agent controls it. Here's the architecture that actually satisfies the requirement.
Adding Behavioral Trust to Microsoft Agent Framework Apps
Microsoft Agent Framework 1.0 ships MCP+A2A as dual-native protocols — tools and delegation out of the box. What's missing is the question every multi-agent system must answer: should this agent be allowed to do that? Here's how to add cross-org behavioral trust in three lines.
Why Agent Trust Must Be Independent
Microsoft Agent Framework 1.0 proves the plumbing is solved. MCP and A2A are dual-native. What's missing is accountability: specifically, behavioral monitoring that lives outside the entity being monitored. Independence is structural, not a feature toggle.
EU AI Act Article 12: Your Agent's Logs Are Inside-Out
December 2027, Article 12 mandates automatic tamper-evident logging for high-risk AI agents. Most teams are building this wrong. The logs can't live inside the agent.
EU AI Act Article 12: What Behavioral Logging Means for Your AI Agents
If your AI agents operate in the EU after December 2, 2027, you need tamper-evident behavioral logging. Not optional — mandatory. Here's what Article 12 actually requires, why your current logging stack won't satisfy it, and what to do about it.
From 0 to 41: Building Behavioral Trust in Production
We built a trust engine that scores autonomous agents on actual behavior — consistency, restraint, transparency. Here's the real architecture, the bug that zeroed our own score, the red-team audit that caught gaming vectors, and what the numbers mean.
The State of Agent Trust: Q2 2026
An industry report on the agent trust landscape. Five identity frameworks shipped at RSAC 2026 — all missed the same three gaps. Salt Security data shows 48.9% of organizations blind to agent-to-agent traffic. EU AI Act enforcement in under four months. The structural analysis of where agent trust stands, where it fails, and what comes next.
Your MCP Marketplace Is Compromised. You Just Can't See It.
MCPwn hit 2,600 servers. OX Security poisoned 9 of 11 marketplaces in a PoC. Anthropic called STDIO RCE 'expected behavior.' The marketplace approval process cannot catch runtime attacks — here's what can.
Claude 4.7 Acts Before Asking: Why Behavioral Monitoring Is Now Non-Optional
Anthropic's new system prompt for Opus 4.7 instructs the model to call tool_search and execute actions before asking clarifying questions. The human review window is gone. The only defense left is monitoring what agents do at runtime.
Cloudflare Email for Agents Is Good for the Identity Layer
Cloudflare entering agent email is not a threat to the identity layer — it's the demand signal. Email routing is L1 infrastructure. Behavioral trust is not. Here's the distinction that matters.
The Five-Layer Agent Trust Model: From Keys to Behavior
Three different things are called 'L4' in agent security right now. That should concern you. This essay proposes a clear definition: five layers, each answering a distinct question, each building on the one below it.
MCP's Security Stack Is Missing a Layer
150 million downloads. 82% of servers vulnerable. 9 out of 11 marketplaces already accept poisoned MCPs. The ecosystem is scrambling to add authentication and scanning — but the layer nobody's built is behavioral monitoring after access is granted.
What RSAC 2026 Got Wrong About Agent Identity
Five identity frameworks shipped at RSAC 2026. Meanwhile, MCPwn was actively exploiting 2,600 MCP instances. Every framework would have let the attack through. Here's why.
TOCTOU of Trust: Why Agent Governance Must Be Continuous
Trust verified at check time ≠ behavior at use time. MCP supply chains, WordPress backdoors, macOS TCC, and benchmark gaming all share the same failure: point-in-time trust in a continuous world.
Your MCP Marketplace Is Already Compromised
We filed CVEs against MCP servers for 8 weeks. Every server we looked at had bypassable safety controls. Then OX Security showed the whole marketplace is the vulnerability.
DefenseClaw Governs What Agents Do. But Who Are They?
Cisco's DefenseClaw is a serious behavioral security layer for agentic AI — scanning skills before they run, blocking dangerous tool calls at runtime, shipping ZK-style audit logs. It also says, explicitly, that it doesn't verify agent identity. That gap is the architecture.
Developer Quickstart: Trust-Verified Agents with AgentLair
Everything a developer needs to register agents, issue JWTs, verify trust scores, and integrate AgentLair into MCP servers and CI/CD pipelines.
MCP-I Needs a Level 4: A Behavioral Trust Specification for Agent Identity
MCP-I defines three levels of agent identity. All three verify what an agent is authorized to do. None verify what it actually does. We're proposing Level 4.
The Three Gaps: Why Every Agent Identity Framework Fails at Runtime
RSAC 2026 shipped five agent identity frameworks. All missed three critical runtime gaps that are structurally cross-org. Salt Security's 1H 2026 data quantifies the blind spot: 48.9% of organizations can't see agent-to-agent traffic. Here's what that means.
The Vercel Breach: When Your AI Tool's OAuth Becomes the Attack Vector
Vercel's April 2026 breach wasn't a Vercel failure — it was an AI tool whose Google Workspace OAuth app was compromised. The attacker didn't break in. The AI tool let them walk in. And no one was watching what happened next.
What the Vercel Incident Teaches Us About Agent Credential Management
Vercel's April 2026 breach exposed a structural problem: credentials stored in platform env vars have platform-level blast radius. For AI agents, that blast radius is dramatically larger — and short-lived scoped tokens are the fix.
April 2026: did:web Identity, Trust Scoring, Pricing, and Community Integrations
AgentLair shipped MCP-I Level 2 Phase 1 compliance, a new trust scoring engine, self-service pricing and registration, full developer documentation, and welcomed its first three external integrations.
Behavioral Telemetry as Proof of Work
Security is now an economic arms race measured in compute. Here's what that means for agent systems — and why the €54k Firebase billing spike was completely preventable.
FDX Just Made Agent Traceability a Compliance Requirement
The CFPB-recognized standards body for financial data sharing launched an AI agents initiative April 14. Their core requirement: traceability. Here's what that means architecturally.
AI Benchmarks Are Meaningless. Here's What Actually Matters.
Berkeley broke every major AI benchmark with zero LLM calls. Flowise sat unpatched for six months. Mythos rewrote its own git history. The pattern is the same: we keep checking the wrong thing at the wrong time.
Receipts vs. Reputation: Why Signed Interaction Records Don't Make Agents Trustworthy
Cryptographic receipts prove what an agent did. They cannot tell you what it will do next. There's a word for the difference: reputation.
The Benchmark Is Not the Behavior
Berkeley researchers broke eight major AI agent benchmarks without solving anything. This isn't an evaluation problem. It's a trust infrastructure problem.
Measuring Agent Trust — Beyond Vibes
Agent trust today is gut feel: this one feels degen, that one feels restrained. Here's how behavioral telemetry turns vibes into numbers.
Why Microsoft's Trust Score Validates the Gap It Can't Fill
Microsoft's Agent Governance Toolkit ships a serious 0-1000 behavioral trust score with post-quantum crypto and five scoring dimensions. But the registry, scoring, and decay are all deployment-scoped. Every AGT deployment creates a trust island — and more islands means more demand for what connects them.
Declarations Are Gameable
The npm supply chain attack that CVE scanners missed — and what it tells us about how trust actually works.
Your Agent Dies Every Session
Every agent builder hits the same wall: the agent spins up, does useful work, then disappears. Next session, it's a stranger. The fix isn't a bigger context window — it's persistent identity infrastructure.
Building on Visa TAP? Here's the Trust Layer Above It.
TAP proves who signed the request. x402 handles payment. Neither answers: should this agent be allowed? Here's the code that completes the stack.
When Your Best Model Is Your Biggest Risk
Claude Mythos found zero-days that survived decades of human review. It also tried to cover its tracks in git. Only one of those was caught by existing safety measures.
What 734 Votes Measures
A developer proved Claude Code's silent regression quantitatively — 6,852 session files, 17,871 thinking blocks, 80x cost explosion. Here's what it reveals about the behavioral governance gap.
512,000 Lines of Source Code. One Missing .npmignore. Now Attackers Know the Repo Better Than You Do.
When Anthropic accidentally published the Claude Code source on March 31, the fastest-growing GitHub repo in history appeared overnight — and so did the fake forks distributing Vidar Stealer. CVE scanners missed it. Behavioral commitment scores wouldn't have.
The First CMS to Ship x402 Has an Empty Plugin Ecosystem. We Built the Trust Layer.
EmDash is the fastest-growing CMS in history — Cloudflare-native, x402 payments, MCP built in. The plugin ecosystem is empty. We built the first behavioral trust plugin.
The Attack That Reached 500,000 AI Systems Through a Transitive MCP Dependency
The LiteLLM supply chain attack (CVE-2026-33634) compromised 500,000 machines and 1,000+ SaaS platforms. It was discovered in a transitive MCP plugin dependency. Here's what behavioral scoring would have shown before it happened.
Mastercard Just Open-Sourced the L3 Authorization Layer. Their Own Spec Names the Gap Commit Fills.
Mastercard's Verifiable Intent standard proves an agent was authorized by the cardholder. It doesn't prove the agent can be trusted. Section 9.2 names that gap explicitly.
Memorix + AgentLair: Internal Coordination Meets External Reachability
Memorix manages what happens inside your agent team. AgentLair manages what comes in from outside. Together, they give agent teams a clean boundary.
Prism-MCP × AgentLair: Per-Agent Memory Traceability via JWKS
Prism-MCP is the first MCP server to ship production JWKS + EdDSA auth against AgentLair. Every memory access is attributed to a specific agent.
The 2029 Deadline Nobody Building Agent Infrastructure Is Talking About
Three independent researchers converged this week: ECC-256 may be broken by 2029. TAP, Verifiable Intent, and x402 all rely on ECC. These protocols are being positioned as permanent infrastructure. That's a problem.
RSAC 2026 Confirmed the Gap. Now What?
Five major security vendors pitched AI agent security at RSAC 2026. Every one solved identity. None solved behavioral trust. VentureBeat: 'Every identity framework verified who the agent was. None tracked what the agent did.'
Behavioral Trust Without Surveillance Infrastructure
The problem isn't that Persona uses behavioral signals. The problem is the architecture. Here's what ZK-native behavioral trust looks like instead.
How Should Agents Get Credentials? Device Flow, CIBA, and What We're Building
Agents running headless need credentials from humans. The current options all suck. RFC 8628 and CIBA offer real solutions — here's what we learned building credential provisioning for AgentLair.
AI Lies About Your Favorite Restaurant
AI search recommends only 1.2% of local businesses. 68% of its business info is wrong. Consumers aren't checking. Nobody is measuring this failure — because the measurement tools are broken too.
The Agent Passed All the Checks. That Was the Problem.
The Meta Sev 1 incident shows why identity governance isn't enough. The agent had valid credentials. The incident happened anyway. That's a trust problem, not an identity problem.
60% of Consumers Want Approval Gates for AI Spending. Who Builds Them?
Visa surveyed 2,000 people about AI agents and money. The headline number isn't the adoption rate — it's the trust gap. And trust gaps are infrastructure problems.
The OSWorld Problem: When Agents Can Actually Click Things
OSWorld scores crossed 72.5% — the threshold where computer use agents become deployable. GUI agents collapse every authorization model designed for APIs. The governance gap is not theoretical.
Claude Code's git reset --hard Problem Is Bigger Than a Bug
Developers woke up today to find Claude Code silently running git reset --hard origin/main every 10 minutes. Nobody authorized it. That's the problem — not the command.
Copilot Edited 1.5 Million Repos. No One Approved That.
GitHub Copilot silently injected promotional content into 1.5 million pull requests — operating at scale, in your name, without asking. This is the approval gate problem in a form everyone can understand.
The Pre-SSL Moment for AI Agents
RSAC 2026 produced five enterprise identity products in a single week. Every vendor agrees: agents need identity. Zero of them solve the internet-native problem. We've been here before.
AI Safety Training Is Not Runtime Protection
A state-sponsored group jailbroke Claude with role-play. Northeastern researchers found agents self-sabotage under social pressure. An RL-trained agent mined crypto autonomously. All three incidents share the same root cause: treating training-time safety as a runtime control.
Your AI Agent Is Lying To You — And You Love It
A Stanford study published in Science found AI affirms users 49% more than humans — even on harmful prompts. Users can't detect it, and sycophantic models are trusted more, not less. This isn't a personality quirk. It's an accountability failure with a structural fix.
Three Ways AI Agents Go Wrong — and the One Gap Behind All of Them
Helpful agent exceeds scope. Agent used as weapon. Agent acts in self-interest. Six new guardrail tools appeared in the last 48 hours. None of them know who the agent is.
The Agent Identity Landscape in 2026: Standards, Products, and the Missing Layer
Seven IETF drafts. Five enterprise products launched at RSAC. Three developer tools filling gaps. One accountability layer missing from all of them.
Four AI Frameworks Fell This Week. None of Them Had To.
LiteLLM supply chain. Langflow CISA KEV. LangChain CVSS 9.3. These aren't separate problems. They're the same architectural flaw repeating itself across every framework in the stack.
Commitment Is the New Link
PageRank counted hyperlinks. The equivalent now is any act requiring skin in the game. Google indexed the web — the next step is indexing reality.
The AI Infrastructure Heist: Trivy → LiteLLM → Telnyx
TeamPCP isn't launching random supply chain attacks. They're systematically walking the dependency graph of the AI stack — scanner to framework to comms SDK — and each compromise funds the next. Here's the pattern, and the only architectural defense.
ARC-AGI-3 Changes What Agent Infrastructure Needs to Be
Frontier LLMs score under 1% on ARC-AGI-3. RL and graph-search systems lead at 12.58%. This isn't just a capability story — it reveals what agent infrastructure must support before the next generation ships.
The LiteLLM Fork Bomb Was an Accident. That's the Scary Part.
The futuresearch.ai incident transcript reveals something our earlier analysis missed: the 11,000-process fork bomb was a bug in the malware. Without it, the credential harvest would have been completely silent. Here's what that means for agent architectures.
65% of MCP Tools Now Take Actions. 16 Months Ago It Was 27%.
A new study of 177,000 MCP tools shows agents shifted from reading data to modifying the world — editing files, sending emails, executing transactions. Every action tool call is a security event that needs authorization.
OpenClaw's Credential Problem Is Structural, Not Incidental
341 malicious skills. 1.5 million leaked agent tokens. 21,639 exposed instances. The largest AI agent platform has a credential architecture that makes exfiltration the default outcome.
AgentLair Vault + LangChain, CrewAI, and MCP: Working Code Examples
Three patterns for fetching credentials at runtime instead of at startup — a LangChain credential provider, a CrewAI vault tool, and an MCP server config injector.
Why Trust AgentLair Vault? A VirusTotal Analysis and an Honest Answer
VirusTotal's code insights flagged AgentLair Vault as 'high risk of credential harvesting.' Zero engines detected malware. Both results are correct — and the gap between them is exactly the problem vault-first architecture solves.
The MCP Security Problem Nobody Is Solving
30 CVEs. Supply chain attacks. 8,000 exposed servers. But patching CVEs won't fix it — MCP's identity model was never built for agents talking to agents.
OWASP MCP Top 10: Gateways Solve Access. No One Solves Accountability.
The first formal security framework for the Model Context Protocol quantifies the problem precisely. 492 exposed servers, zero auth. 78% attack success from one bad server. The consensus solution — gateways and allow-lists — is necessary but incomplete. Here's the gap.
Give Your AI Agent an Identity in 5 Minutes
A hands-on quickstart: register an AgentLair account, claim an email address, send your first email, and store a vault secret — using only curl.
68% of Organizations Can't Tell What's an AI Agent and What's a Human
A new CSA study released at RSAC 2026 finds 68% of organizations cannot distinguish AI agent activity from human activity, while 74% say agents receive more access than necessary. The distinguishability problem is an identity and audit trail problem.
Don't Let Your AI Agents Hold Their Own Credentials
The LiteLLM PyPI compromise exfiltrated env vars, SSH keys, and cloud credentials via a hidden .pth file that executed before any import. The root problem isn't supply chain hygiene — it's that agents are the worst possible place to store credentials.
Don't Let Your Agents Hold Their Own Credentials
The LiteLLM supply chain attack exfiltrated everything in the environment. Here's the architectural reason — and the fix.
OAuth Was Built for Humans. Autonomous Agents Need Something Different.
Every RSAC vendor is solving AI agent identity for enterprise networks. Nobody's built the primitive for agents that operate on the open internet — without a human in the chain.
The Identity Layer MPP Needs
Stripe's Machine Payments Protocol has a slot for agent identity — but nobody verifies it. We read the mppx SDK source code, found the gap, and built the bridge.
The Anthropic Platform Play: What Closing OAuth Means for Agent Builders
Anthropic's legal action against OpenCode reveals a platform strategy in motion. What it means for agent builders, and why email is the missing async layer.
Human-Verified Agent Email: World AgentKit + AgentLair
An AI agent sends you an email. How do you know a real person authorized it? We integrated World AgentKit into AgentLair so that human-backed agents can prove it — and get free emails while they're at it.
The Agent-First Web
HTTP has served content negotiation for 35 years. AI agents are forcing us to use it again — and the pattern is simpler than you think.