From 'Trust Us' to 'Verify Us': Anthropic, Confidential Inference, and the Next Trust Problem

Jason Clinton’s OC3 2026 talk on confidential computing and scaling laws pushed me to finally write about Anthropic’s Confidential Inference Systems paper, a joint publication with Irregular (formerly Pattern Labs), released June 2025. It’s one of the cleaner public treatments of what it actually means to make AI trust verifiable rather than asserted. It also points directly at a gap the industry hasn’t begun to close: trust in agentic systems. This post unpacks the paper’s core contributions, where its claims need qualification, and where I think the conversation has to go next: from confidential inference to attested agent identity. ...

April 27, 2026 · 11 min · Pawan Khandavilli

Follow the Data: Five Questions That Make Security Architecture Clearer

Every security architecture problem I have ever worked on, from payments to confidential computing to AI agents, has come down to the same question: Where is the data, and what happens to it? Not “what framework are we using.” Not “are we zero trust.” Not “which compliance checkbox do we need.” Those matter eventually. But they are not where you start. You start by following the data.

The questions

When I was at RBC working on mobile payments, I learned this the hard way. Every time I was confused about how to approach a security problem (and there were many times), the answer was always the same: stop thinking about the system. Start thinking about the data. ...

April 22, 2026 · 8 min · Pawan Khandavilli

What WhatsApp's Trail of Bits Audit Teaches Us About Real TEE Security

In January, I wrote about WhatsApp’s Private Processing as a milestone for confidential computing: the first time TEEs were deployed at truly global scale to protect AI inference for billions of users. That post was about the architecture. This one is about what happened when someone tried to break it. Trail of Bits just published its pre-launch security audit of WhatsApp’s Private Processing system. They found 28 issues, including 8 high-severity findings. Meta fixed the critical issues before launch. ...

April 10, 2026 · 7 min · Pawan Khandavilli

The Weakest Link in AI: Hardening MCP Servers with Confidential Computing

MCP servers aggregate high-value credentials behind a weak trust boundary. TEEs can close the host-level gap by combining memory isolation with attestation and measured identity.

March 12, 2026 · 8 min · Pawan Khandavilli

The AI Security Stack: What Enterprises Need to Secure From Weights to Workflows

Enterprise AI security is maturing fast. Many teams have already secured model hosting and implemented responsible AI checks. That is real progress. The next step is broader coverage: if AI can call tools, trigger workflows, and execute actions in external systems, risk extends beyond the model endpoint into the action layer.

Safety and security are not interchangeable

This is where executive confusion usually starts.

AI Safety (Responsible AI)
  Focus: behavior and impact
  Risks: bias, harmful outputs, policy violations
  Question: Is the system aligned and acceptable?

AI Security
  Focus: adversarial abuse and compromise
  Risks: prompt injection, exfiltration, privilege abuse
  Question: Can this system be attacked or manipulated?

You need both. Treating one as a proxy for the other creates blind spots. ...

March 1, 2026 · 4 min · Pawan Khandavilli

AI Agents Have an Identity Crisis and OAuth Alone Will Not Fix It

Why multi-agent systems need verifiable delegation, not just valid tokens

A human prompts an agent. That agent delegates to another agent. A sub-agent calls a tool, which calls an API, which touches real data and real systems. Now the key question: Who is acting at each step, and on whose authority? Most teams answer this with one of two lines:

“We use OAuth through MCP.”
“Our platform handles access controls.”

Both can be true. Neither is enough for multi-step agent workflows. ...

February 25, 2026 · 3 min · Pawan Khandavilli

MCP is a Capability System (Treat It Like One)

MCP is becoming the USB‑C of agent tooling—a universal interface that lets LLMs query data, call APIs, and take real‑world actions. Adoption is accelerating fast. But every convenience layer in security carries the same risk: teams connect it before they’ve defined the capability model. MCP is no exception. It creates a new trust boundary, and most deployments aren’t treating it like one. If you’re deploying MCP (or any agent tool protocol), the right mental model isn’t “prompt injection is an LLM bug we can filter.” The right mental model is: MCP is a capability system. Once you see it that way, the security work becomes familiar—permissions, isolation, auditing, and blast‑radius control. ...

January 27, 2026 · 3 min · Pawan Khandavilli