AI's True Danger, Browser as OS, and the Embeddings You Never Understood
Published on 03.05.2026
The True Danger of AI
TLDR: The real danger of AI isn't some Terminator scenario. It's quieter and harder to fight: the slow erosion of human purpose as work, dignity, and even birth rates decline in an increasingly automated world.
Summary: Han Be, an engineering physics professor who also writes science fiction, argues that the conversation about AI risk is pointing at the wrong target. Everyone keeps debating Skynet, rogue superintelligence, killer robots. That's the dramatic version, and it sells books. The actual threat is mundane and already happening. When automation absorbs enough work, it doesn't just take jobs, it takes identity. A lot of people define themselves through what they do, through the competence they build over years. Strip that away and you don't get a utopia of leisure. You get a population struggling to find meaning.
The piece connects this to fertility decline, which is already accelerating in highly developed economies, and to a broader collapse of what the author calls "human purpose." This isn't hypothetical doom. Countries with the most automation penetration are seeing birth rates fall fastest. Whether AI is a direct cause or just correlated with the kinds of social dislocation that suppress reproduction is genuinely hard to untangle, but the author treats it as directional evidence rather than proof.
I think the article gets something important right: most AI safety discourse is still stuck in science fiction mode. The unsexy version of AI risk, the one where nothing explodes but people just gradually become economically irrelevant and culturally adrift, is harder to dramatize and therefore under-discussed. Where the piece is weaker is in its implied frame that this is somehow unique to AI. Industrial revolutions have always displaced labor and disrupted meaning structures. What's different this time may be the speed and breadth of displacement, but the author doesn't really make that case rigorously. And the fertility link, while interesting, is correlation piled on correlation.
What the author avoids thinking about: whether universal basic income or other redistribution mechanisms could actually preserve purpose and dignity, or whether the problem is really about economic security versus meaning. Those are different problems with different solutions, and conflating them weakens the analysis.
Key takeaways:
- The real AI risk is a gradual erosion of human purpose and meaning, not a robot uprising
- Automation's social costs, including fertility decline and identity loss, deserve as much attention as safety alignment debates
- The speed of AI-driven displacement may be categorically different from past technological transitions
Why do I care: As architects building systems, we tend to focus on what we can ship. This piece is a reminder that the aggregate effect of thousands of productivity tools on human social fabric is a legitimate engineering ethics question. If the systems we build genuinely displace the kind of skilled work that gives people meaning, that's on us too, not just on policy makers.
ML Internals: The Week I Stopped Treating Embeddings as a Black Box
TLDR: Kshitij Patil spent a week going deep on embeddings and tokenization, and the key insight is that the model itself is actually the least interesting part of an ML system. The infrastructure around it, how you chunk, embed, retrieve, and rerank, is where the real engineering lives.
Summary: This is the kind of article I find genuinely useful because it treats ML system-building like actual engineering rather than magic. Patil walks through what embeddings actually are at a mechanical level: they are dense numerical representations of meaning, produced by encoder models, living in a high-dimensional space where proximity corresponds to semantic similarity. If you have only consumed embeddings as an API call you make before stuffing things into a vector database, this piece is worth your time.
The tokenization section is particularly good. Most developers interact with tokenization as a billing artifact, the thing that determines how much an API call costs. Patil explains what's actually happening: text is broken into subword units, mapped to integer IDs, and those IDs are what the model actually processes. Different tokenizers make different tradeoffs. Understanding this matters when you're debugging why your model handles certain inputs badly.
The broader point is about system thinking. Patil argues that obsessing over which model to use while ignoring chunking strategy, embedding model selection, similarity metrics, and retrieval quality is like obsessing over which database engine to use while writing terrible queries. The model is one component. Treat it that way.
My pushback: the article stays fairly conceptual and doesn't get into the genuinely hard parts, like how to handle embedding model drift when you upgrade your encoder and suddenly your entire vector store is semantically inconsistent with new queries. That's a real production problem. The article hints at the complexity without confronting it.
Key takeaways:
- Embeddings convert semantic meaning into geometry, and understanding that geometry matters for debugging retrieval quality
- Tokenization is not just a billing detail; it shapes what the model can and cannot process well
- The embedding pipeline surrounding a model is usually more influential on system quality than the model choice itself
Why do I care: For anyone building RAG systems or semantic search, this is foundational. The debugging skills you need to improve retrieval quality are different from the skills you need to write good prompts. Understanding the internals at this level is what separates systems that work from systems that almost work.
ML Internals: The Week I Stopped Treating Embeddings as a Black Box
How to Structure API Documentation
TLDR: Ileolami breaks down the components of API documentation that developers actually use, covering quickstarts, authentication guides, reference docs, and more, with practical guidance on what goes where and why.
Summary: Good API documentation is one of those things that seems obvious until you try to write it, at which point it becomes apparent that most people have never thought systematically about what documentation is actually for. This piece is a structured attempt to fix that. The core insight is that different documentation types serve different reader states. A quickstart is for someone who wants to know if your API is worth investing time in. A reference is for someone already committed who needs precise details. An authentication guide is for someone actively blocked. These are different readers with different needs, and mixing them in a single undifferentiated blob is how you get documentation that fails all of them.
The article emphasizes practical examples throughout. Ileolami argues that abstract API docs without concrete request and response examples are nearly useless, and the data bears this out. A stat cited in related HackerNoon content found that 54% of developers identify lack of documentation as the top obstacle to consuming APIs. That's not a small problem.
The piece is squarely in tutorial territory, aimed at developers writing their first API docs rather than teams optimizing mature developer experience programs. It covers the basics well without going deep on developer portal design, versioning strategy, or how to structure changelogs. Those gaps are appropriate for the audience, but worth noting if you're looking for strategic guidance rather than a getting-started framework.
What's missing from the conversation: the article doesn't address the ongoing tension between hand-written docs and auto-generated reference docs from OpenAPI specs. That tradeoff, maintainability versus accuracy, is one of the most consequential documentation decisions an API team makes.
Key takeaways:
- API documentation should be structured around reader intent, not document type conventions
- Quickstart, authentication, reference, and conceptual guides serve different user states and should be kept distinct
- Concrete request and response examples are not optional; they are the core value of good reference documentation
Why do I care: As developers building SDKs and APIs, the quality of our documentation is as much a product decision as any feature. Poorly documented APIs don't get adopted regardless of technical quality. This is a good baseline framework for teams who haven't thought structurally about their docs yet.
How to Structure API Documentation
AI Built the Cyberpunk Future We Were Warned About
TLDR: Tim King, who uses AI tools professionally every day, makes the uncomfortable case that the future cyberpunk fiction warned us about has already arrived, not with a bang, but through mundane tools automating judgment, enabling surveillance, and concentrating power.
Summary: There's a certain irony in an automation strategist arguing that maybe we shouldn't have built all this automation. King doesn't actually reach that conclusion, but he gets uncomfortable enough along the way to make the piece genuinely interesting. The cyberpunk genre, from Neuromancer to Blade Runner, imagined a world where powerful technology serves concentrated power, where the gap between those who control systems and those controlled by them becomes absolute. King's thesis is that we built that world on purpose while insisting we were doing something else.
The piece covers autonomous weapons, AI-assisted hiring systems that silently discriminate, surveillance infrastructure that would have been unimaginable a decade ago, and the concentration of AI capability in a handful of companies. None of this is original observation. What King adds is the perspective of someone who is genuinely embedded in the technology, not a critic watching from outside. He uses AI tools. He builds with them. The discomfort is firsthand.
The argument has real weaknesses worth calling out. King describes dystopian outcomes but never seriously engages with the question of what the counterfactual looks like. Did not building these tools lead to better outcomes, or just different distributions of power? The article also slides between "AI did this" and "powerful institutions did this using AI," which are meaningfully different claims. The technology amplifies existing power structures, but the power structures existed before the technology.
Key takeaways:
- AI's social impact is already playing out through mundane systems: hiring, surveillance, and weapons, not dramatic sci-fi scenarios
- Technology built by people embedded in existing power structures tends to amplify those structures rather than disrupting them
- The gap between those who control AI systems and those subject to them is a more immediate concern than general intelligence risk
Why do I care: For architects building enterprise systems, this is a useful reality check. The decisions we make about what data to collect, how to use AI in automated pipelines, and who has visibility into those decisions have real social consequences. That's not a reason to stop building, but it's a reason to think harder about what we're building.
AI Built the Cyberpunk Future We Were Warned About
The Browser Is Becoming an AI Operating System
TLDR: Samiran Mondal argues that browsers are transforming from passive content renderers into active intelligence layers that understand context, execute tasks, and mediate between users and the web.
Summary: The browser has already been the most important operating system on the planet for about fifteen years, it just didn't feel that way because it was mostly loading documents. What's changing now is that AI capabilities are being baked directly into the browser layer, either through extensions, native browser features, or model providers building browser-aware products. Chrome's built-in AI APIs, the various agent-browser frameworks, and tools like Operator from OpenAI are all pushing in the same direction: the browser becoming a context-aware execution environment, not just a display surface.
Mondal's piece traces this trajectory from static page loading through AJAX and the modern web app era to the current moment where browsers are starting to understand what's on the screen and take action based on that understanding. The vision is genuinely interesting. A browser that can fill out forms, navigate complex workflows, summarize pages in context, and coordinate multi-step tasks across multiple sites is a qualitatively different thing from the browser as we've known it.
The piece is stronger on describing the trajectory than on analyzing the implications. Who controls an AI operating system layer that sits between every user and the web is a massive question. Currently that looks like it's going to be Google, Microsoft, and Apple, with maybe one or two independent players. The concentration of that kind of ambient intelligence in existing browser monopolies should concern everyone who cares about web openness.
There's also a question the article doesn't ask: as browsers become more autonomous, what happens to the open standards ecosystem that made the web interoperable? Agent browsers interacting with sites through machine interfaces rather than human-readable HTML might not care about HTML at all, which has enormous implications for web architecture.
Key takeaways:
- Browsers are evolving from document renderers to AI execution environments that can understand and act on web content
- Native AI APIs in browsers, combined with agent frameworks, are accelerating this shift beyond what extensions alone could achieve
- The concentration of AI browser capabilities in existing monopolies raises serious questions about web openness and control
Why do I care: If the browser becomes the primary AI operating system, the implications for web development are enormous. Our assumptions about how users interact with interfaces, what accessibility means, and how applications should be structured may all need revisiting. This is worth watching closely.
The Browser Is Becoming an AI Operating System
AI Agents Are Replacing Teamwork and That's a Bigger Problem Than You Think
TLDR: Robert Moskal argues that as AI agents handle more software development tasks autonomously, the collaborative practices that create organizational alignment and shared understanding, standups, code reviews, pair programming, are getting quietly abandoned.
Summary: Moskal has been in digital transformation for long enough to have watched a lot of productivity improvements hollow out the organizational practices they replaced. His argument here is specific and worth taking seriously: AI agents are genuinely accelerating individual developer output, but the collaborative friction that felt like inefficiency was actually doing important work. Code review wasn't just quality assurance. It was knowledge transfer. Standups weren't just status reporting. They were a forcing function for team alignment. When an AI agent handles a task from spec to pull request, those intermediate touchpoints disappear.
The piece is short, which means it gestures at the problem more than it solves it. But the observation is sharp. There's a real risk that teams optimizing for individual velocity, where each developer or team lead has an AI agent handling implementation, end up with codebases and systems where knowledge is concentrated in individual heads and never gets distributed through the team. The codebase becomes a product of individual conversations with AI assistants rather than a shared artifact of collective understanding.
What Moskal is avoiding thinking about: whether the problem is actually about AI agents or about how organizations have always struggled to maintain collective knowledge as they scale. Remote work created similar pressures. So did microservices architectures that siloed ownership. AI agents may be accelerating an existing dysfunction rather than introducing a new one. The remedies are probably similar: intentional rituals for knowledge sharing that don't assume incidental colocation.
Key takeaways:
- AI agents can eliminate the collaborative friction that, while feeling inefficient, was doing organizational work in knowledge distribution
- Code review and collaborative debugging served purposes beyond quality assurance that need to be explicitly preserved in agentic workflows
- Teams need to be intentional about maintaining shared understanding as AI handles more implementation work
Why do I care: This is exactly the kind of second-order effect that architecture teams need to think about. If the way we build software changes fundamentally through AI agents, the governance structures and review processes we have need to change too. Keeping the old processes and just adding AI agents on top is probably the worst of both worlds.
AI Agents Are Replacing Teamwork And That's a Bigger Problem Than You Think
Medical AI Can Diagnose. But Can It Explain?
TLDR: Marat Davudov, a London-based data scientist at Sky, makes the case that medical AI achieving diagnostic accuracy comparable to physicians is not enough for clinical adoption. Without interpretability, clinicians cannot integrate AI findings into their reasoning process.
Summary: The gap between benchmark performance and clinical deployment is one of the most persistent problems in applied ML, and medicine is where it matters most. Davudov's piece starts from a premise that's easy to accept: if an AI model achieves ninety percent accuracy on a diagnostic task and a physician achieves ninety percent, accuracy parity is not sufficient for the AI to be useful in a clinical workflow. The physician who reaches a diagnosis through a reasoning process can explain that process, can be questioned, can update their view when new information arrives. An AI model that produces a probability score cannot do those things without additional interpretability infrastructure.
The article covers the main interpretability approaches that are being applied to medical AI: attention visualization, saliency maps that highlight which regions of an image influenced a prediction, and LIME-style local approximations that explain individual predictions in terms a human can inspect. Each of these has real limitations. Attention weights don't necessarily correspond to human-interpretable reasoning. Saliency maps can highlight pixels that are statistically correlated with the outcome without being causally related to it.
The harder problem Davudov identifies is workflow integration. Even if you produce an interpretable explanation, a radiologist seeing five hundred images a day cannot stop and evaluate an AI's reasoning on each one. The explanation has to be useful at the speed of clinical practice, not just theoretically informative. That's a human-computer interaction problem as much as a machine learning problem, and it's genuinely unsolved.
What's missing: the article doesn't engage with the regulatory dimension. The FDA and equivalent agencies are increasingly requiring some form of interpretability for cleared medical AI devices, which is creating a compliance-driven demand for explainability that may not align well with what's actually clinically useful.
Key takeaways:
- Diagnostic accuracy parity with physicians is necessary but not sufficient for clinical AI deployment
- Interpretability in medical AI must operate at the speed and granularity of clinical workflows, not just in isolation
- Current interpretability methods like attention visualization and saliency maps have fundamental limitations that practitioners should understand
Why do I care: The interpretability problem in medicine is a sharper version of a problem that exists in every high-stakes AI deployment. Understanding the constraints and tradeoffs that practitioners are navigating in medicine gives useful intuitions for thinking about interpretability in other regulated domains.
Medical AI Can Diagnose. But Can It Explain?
The Eternal Junior: Why AI Computes but Does Not Think
TLDR: Michal Kadak, writing from his path from junior developer to Group Product Manager, argues that AI is permanently stuck at a certain level of capability because it pattern-matches on existing data rather than reasoning from first principles.
Summary: This piece is going to be polarizing depending on how seriously you take the distinction between "computing" and "thinking." Kadak's core claim is that large language models are sophisticated autocomplete, not genuine reasoning systems, and that this distinction matters practically for how we should trust and deploy them. The "eternal junior" framing is clever: a junior developer can execute well-specified tasks competently and even impressively, but lacks the judgment to know when the task itself is wrong, when context changes the requirements, or when to push back.
I find this framing useful but also somewhat evasive. "Thinking" is not a well-defined category, and a lot of the things we consider distinctively human about cognition turn out, on examination, to be pattern recognition operating on richer representations. Whether AI systems can "really" reason or whether they're "just" doing very sophisticated pattern matching is a question that starts to feel like it's about definitions more than capabilities.
What's more useful from Kadak's piece is the practical point: AI systems fail in ways that junior developers don't, specifically because they can be confidently wrong in ways that look like expertise. A junior developer who doesn't know something usually knows they don't know it. An AI system generates fluent, authoritative-sounding text regardless of whether it has reliable information. That asymmetry is real and important.
The article also makes a point about philosophical grounding that I think is correct: current AI systems don't have a world model in the sense of understanding causality. They have statistical regularities. That matters for certain tasks and doesn't matter for others.
Key takeaways:
- AI systems fail in qualitatively different ways from human experts, particularly in their confidence calibration relative to actual capability
- The distinction between pattern matching and reasoning matters practically for knowing which tasks to trust AI systems with
- AI is well suited for tasks where pattern matching over large corpora is exactly what you need, and poorly suited for tasks requiring novel causal reasoning
Why do I care: For developers using AI coding assistants, understanding where the "eternal junior" failure mode kicks in is directly applicable. The junior metaphor maps cleanly to code generation tasks: AI handles well-specified, pattern-matching-friendly tasks well, and handles novel architectural reasoning poorly.
The Eternal Junior: Why AI Computes but Does Not Think
The Case for Local AI Has Never Been Stronger
TLDR: Thomas Cherickal argues that a confluence of hardware improvements, open model quality, and privacy concerns make running AI models locally more compelling in 2026 than ever before.
Summary: The gap between local and cloud AI has been closing faster than most people predicted. A year ago, running a capable code assistant locally meant accepting significantly degraded quality compared to GPT-4 class models. That's still true at the frontier, but the frontier has moved. Models like GLM-5.1, Kimi-K2.6, and MiniMax-M2.7 are delivering genuine capability on consumer hardware, and the M-series Mac minis provide a cost-effective local inference platform that didn't exist in this form even eighteen months ago.
Cherickal's piece catalogs the practical case: data sovereignty, which matters enormously in regulated industries; latency, since local inference eliminates network round trips for interactive use cases; cost predictability, since you pay for hardware once rather than per token indefinitely; and independence from API availability and rate limits. These are real advantages that cloud-first AI deployments don't address well.
The article leans toward the enthusiast end of the spectrum, with tool lists that include models most readers won't run. The practical reality for most developers is still that the frontier models in the cloud are substantially more capable for complex tasks, and "local is strong enough" depends heavily on what you're doing with it. Writing unit tests locally is totally viable. Complex architectural reasoning with a local model is still a compromise.
What's being avoided: the energy consumption of local inference on high-end hardware is not trivially lower than cloud inference, and the "private by default" argument breaks down when local models are still downloading data or using cloud-based retrieval in their pipelines.
Key takeaways:
- Local AI model quality has improved dramatically, making local inference viable for a much wider range of tasks in 2026
- Data sovereignty, latency, and cost predictability are genuine advantages of local AI that cloud deployments don't address
- The frontier capability gap still exists, and local models remain a compromise for complex reasoning tasks
Why do I care: For enterprise development, the data sovereignty argument is increasingly a compliance requirement, not a preference. Understanding what's now viable locally is essential for architects designing AI-integrated systems in regulated industries.
The Case for Local AI Has Never Been Stronger
Vibe Coding is Gambling
TLDR: Nikolay Girchev, a product and architecture lead with banking and enterprise experience, makes the case that "vibe coding," generating code from natural language prompts without deep understanding of what's being produced, is a bet that only pays off under narrow conditions.
Summary: The term "vibe coding," attributed to Andrej Karpathy, has become shorthand for a style of AI-assisted development where the developer prompts their way to working code without necessarily understanding the implementation. Girchev's argument is not that this is always wrong, but that the gambling metaphor is apt: sometimes you win, often you don't, and the variance is much higher than it looks from the outside because the losses are hidden in production debt.
The piece draws on Girchev's background in banking and government systems, domains where correctness is not negotiable and where technical debt has regulatory as well as technical consequences. In those contexts, vibe coding is obviously inadequate. But Girchev pushes further, arguing that even in domains where it seems to work, developers who don't understand the code they're shipping are accumulating a kind of epistemic debt: they cannot debug it, cannot extend it confidently, and cannot reason about its security properties.
This is a point I find compelling. The most insidious version of the vibe coding failure mode is not the code that breaks immediately. It's the code that works fine until a specific edge case, which the developer cannot diagnose because they never understood the implementation. Stack traces in systems where you don't know the code are nearly impossible to interpret.
The counterargument Girchev doesn't fully address: experienced developers using AI assistance aren't vibe coding, they're using AI to handle well-understood boilerplate while retaining judgment about architecture and logic. The problem is less with AI assistance and more with developers treating AI output as oracle rather than draft.
Key takeaways:
- Vibe coding works in constrained, low-stakes contexts but creates epistemic debt that makes debugging and extension very difficult
- The hidden cost of vibe coding is not failed builds but production failures in edge cases that the developer cannot diagnose
- AI-assisted coding and vibe coding are different: the former requires retained understanding, the latter deliberately avoids it
Why do I care: As teams integrate AI coding tools, the organizational question of what "using AI assistance" means versus "outsourcing understanding to AI" is genuinely important. Codebases built by developers who don't understand their own code are a serious long-term risk.
Why Is LinkedIn Scanning My Browser?
TLDR: An investigator discovered that LinkedIn appears to be scanning browser tabs beyond its own domain, raising significant questions about GDPR compliance and the Digital Markets Act.
Summary: The story starts with a straightforward observation: LinkedIn's JavaScript was found to be accessing information about the user's browser environment in ways that appear to go beyond what's needed for the platform to function. The author, going by Elhadj_C, dug into what LinkedIn was actually collecting and found evidence of browser fingerprinting techniques that can identify users across sessions and correlate behavior across sites.
This matters for several reasons that the article covers well. Browser fingerprinting is legally murky under GDPR because it can constitute personal data processing without explicit consent, especially when it's used for cross-site tracking. The Digital Markets Act, which applies to large platforms in the EU, has specific provisions about gatekeepers using data collected in one context to benefit their services in another. LinkedIn, as part of Microsoft, is the kind of large platform these rules target.
The article is strongest as investigative journalism and weakest on the technical side. Browser fingerprinting is a well-understood technique and the piece doesn't explain the specific methods LinkedIn appears to be using with enough precision to evaluate the severity of the issue. There's also a question of whether what LinkedIn is doing differs meaningfully from what dozens of other platforms do with analytics and session management code.
What the piece is avoiding: whether this is actually unusual behavior for a large platform. The answer is probably "no," which makes LinkedIn's specific case less interesting and the broader industry practice more damning. The story might be less "LinkedIn is doing something bad" and more "this is standard practice and standard practice is not compliant."
Key takeaways:
- LinkedIn appears to collect browser data that goes beyond platform functionality, potentially including cross-context behavioral tracking
- Browser fingerprinting without explicit consent is legally problematic under GDPR and potentially under the Digital Markets Act
- Large platform data practices warrant scrutiny that smaller actors don't typically receive due to the scale of impact
Why do I care: For anyone building web applications, understanding the legal and ethical constraints around browser-side data collection is increasingly important. What was standard analytics practice five years ago may now constitute a compliance violation, and the enforcement climate is changing.
Why Is LinkedIn Scanning My Browser?
Why AI Chips Take So Long to Ship
TLDR: Muthukumaran Vaithianathan, a staff engineer at Samsung Semiconductors, explains the semiconductor pipeline constraints that make AI chip shortages so persistent and so hard to fix quickly.
Summary: If you've wondered why Nvidia's GPU allocations are rationed years in advance despite massive announced investments in manufacturing capacity, this article is worth reading. Vaithianathan writes from inside the semiconductor industry and explains the physical and organizational constraints that make chip production fundamentally different from software deployment. You can't just spin up more chip capacity in response to demand. You're constrained by TSMC's fabrication capacity, by High Bandwidth Memory supply from Hynix and Samsung, by advanced packaging capacity, and by the eighteen-month to twenty-four-month lead time between design tape-out and volume production.
The memory wall problem gets particularly good treatment. AI chips are often compute-bound in theory but memory-bandwidth-bound in practice. HBM memory stacks are physically complex to manufacture, require specialized bonding processes, and are produced by a small number of suppliers. Even if TSMC could produce more logic dies tomorrow, the complete AI accelerator package would still be constrained by HBM supply.
The piece is technically solid and benefits from Vaithianathan's direct industry experience. Where it's less strong is in the forward-looking analysis. The article describes why shortages happen without addressing whether the structural constraints are changing. The answer is that they are, slowly: new TSMC fabs coming online, Samsung and Intel gaining advanced packaging capability, and chiplet architectures that allow more flexible assembly of heterogeneous components all improve the situation over a multi-year horizon.
Key takeaways:
- AI chip production is constrained by multiple bottlenecks: logic fabrication, HBM memory supply, and advanced packaging capacity
- The eighteen to twenty-four month fabrication cycle means chip supply cannot respond quickly to demand spikes
- Structural changes to the semiconductor supply chain are underway but operate on multi-year timescales
Why do I care: For teams planning AI infrastructure, understanding supply constraints is directly relevant to hardware procurement and cloud migration decisions. The chip shortage is not an accident. It's a predictable consequence of structural manufacturing constraints that are only slowly being addressed.
Why AI Chips Take So Long to Ship
How to Survive the Agentic AI Era
TLDR: Mert Satilmaz, an engineering lead specializing in vulnerability management and cloud security, argues that the shift to agentic AI systems creates new attack surfaces and trust boundaries that security practices have not kept up with.
Summary: Agentic AI systems, those that take multi-step actions, use tools, and interact with external services, are architecturally different from the AI systems that most security frameworks were designed for. A language model that answers questions is a relatively contained risk. An agent that can browse the web, execute code, query databases, and send emails is a different category of system, and the security implications are not just incremental extensions of existing concerns.
Satilmaz focuses on the trust boundary problem. When an agent calls an API, that agent is acting with some set of credentials and permissions. When it browses the web, it's exposing itself to adversarial content that might attempt prompt injection to redirect its behavior. When it executes code, it has compute access that needs to be sandboxed. These are all solvable problems in principle, but the solutions require thinking about agents as principals in a security model, not just as users.
The piece covers prompt injection in enough detail to be useful: the idea that malicious content in the environment can override the agent's original instructions is a real attack vector and one that most current agentic systems are not adequately defended against. The parallel to SQL injection from twenty years ago is apt. We knew SQL injection was possible, it took years of breaches to make parameterized queries standard practice.
What's missing is concrete guidance on what "surviving" the agentic era actually looks like in practice. The article diagnoses the problem well but the recommendations stay fairly high level.
Key takeaways:
- Agentic AI systems create new trust boundary problems that existing security frameworks don't address
- Prompt injection is a real attack vector for agents operating in adversarial environments, analogous to SQL injection in scope
- Agents should be treated as principals in security models with scoped permissions, not as users with full operator trust
Why do I care: For teams deploying AI agents in enterprise environments, this is not theoretical risk management. Agents operating with production credentials against real systems need to be designed with security as a first-class concern. This is an area where most teams are behind where they need to be.
How to Survive the Agentic AI Era
Data Poisoning Attacks on AI Models (2026)
TLDR: Sid Kalla surveys the current state of data poisoning attacks on AI models, explaining how malicious training data can embed backdoors or biases into models that surface under specific triggering conditions.
Summary: Data poisoning is the adversarial machine learning attack that gets the least mainstream attention relative to its potential impact. Jailbreaking gets covered every time someone makes a chatbot say something inappropriate. Data poisoning is quieter and potentially more dangerous. The basic idea is simple: if you can influence the training data for a model, you can influence the model's behavior in ways that may not be detectable without knowing what to look for.
The article distinguishes between targeted and indiscriminate poisoning attacks. Indiscriminate attacks try to degrade overall model performance, making the model less useful generally. Targeted or backdoor attacks embed specific triggers: under normal operation the model behaves correctly, but when presented with a specific input pattern, it behaves in whatever way the attacker specified. This could be a content moderation model that fails to flag specific types of content, a fraud detection model that approves certain transaction patterns, or a code generation model that introduces specific vulnerabilities.
The 2026 context matters here. As organizations increasingly fine-tune models on their own data, including data that may have been sourced from the internet, the attack surface for data poisoning is expanding. The datasets used for fine-tuning are rarely audited with the rigor applied to pre-training data.
The piece is accurate but stays at a survey level. The actual mechanics of how detection and mitigation work, differential privacy, certified defenses, data sanitization pipelines, deserve more treatment. Still useful as an orientation to the threat landscape.
Key takeaways:
- Data poisoning attacks can embed backdoor behaviors into models that activate under specific triggering conditions without degrading overall performance
- Fine-tuning pipelines using unaudited external data are particularly vulnerable to targeted poisoning attacks
- Detection and mitigation remain research-grade problems; most production model pipelines don't have adequate defenses
Why do I care: For teams fine-tuning models on user-generated or third-party data, data poisoning is a real supply chain security concern, not a theoretical one. The auditing and provenance tracking we apply to training data needs to match the security requirements of the systems those models power.