Blog
Long-form writing across product paths, concepts, and course series. A post can connect to GuardClaw, Felt Weather, Pantry, Askwell, and Take Interest at the same time when the underlying idea carries across them.
The modular AI studio
A plain guide to running a one-person creative studio by directing a focused stack of AI tools instead of doing every production job yourself.
What Felt Weather Uses, in Plain Words
Felt Weather 1.4 opens with a short list of what the app uses and a switch that stays off until you turn it on. Here is that list, explained like a person would.
The loop that makes learning compound
Learning compounds when each attempt leaves behind evidence that shapes the next branch.
The learner should leave with proof
A course should give people more than confidence. It should leave them with artifacts that show what changed.
A course can be a workshop
The strongest courses feel less like a shelf of lessons and more like a place where real work gets shaped.
Private practice makes better public work
People need a safe practice space before their best learning can become visible work.
Teach the skill by naming the failure
A learner improves faster when a course names the failure pattern before asking for the next attempt.
How Anyone Can Start
Starting a company is not a tech skill. Here is how anyone can stand one up and verify the basics.
C-Corp or LLC: How to Think About the Choice
A plain-language look at the two most common ways founders form a company, what actually separates them, and how to pick without getting stuck.
Compliance Basics for Good Standing
A plain recurring-filings checklist so a healthy company does not quietly slip out of good standing.
The Early Paperwork That Catches You Later
A short tour of the first filings every new company faces, which ones are quick, and the one with a real deadline you do not want to miss.
Insurance for a New Company
Insurance feels like a problem for later, until it is not. A plain starting point for thinking about coverage when your company is brand new.
The best course has a memory
A learning product earns trust when it remembers the learner's attempts, patterns, and next branch.
Where to Start From Scratch
The order of operations for starting a company, from the first real decision to the paperwork that waits for you.
Why Founders Pick Delaware
Everyone says form in Delaware. Here is the plain reason so many startups do, and the honest cases where your home state is the better call.
Feedback needs evidence
The best feedback responds to a real attempt, names the visible pattern, and gives one next move.
Make the next attempt obvious
A learner should never finish a practice loop wondering what to try next.
A lesson should end with a move
The best ending for a lesson is a concrete action the learner can take while the idea is still fresh.
The proof record is the syllabus
A strong learning path can be organized around the work a learner proves, not only the lessons they consume.
Practice starts with one attempt
The smallest useful learning loop is a prompt, an attempt, a review, and one sharper repeat.
Progress needs more than a bar
A progress bar can show exposure. Skill needs evidence that practice changed.
The course should remember what you proved
Memory in a learning product should protect context and keep practice from turning into another feed.
Learning needs proof
A course is only useful when it helps someone produce evidence that a skill moved from exposure to practice.
The Local LLM Ceiling
What local models can and cannot do today, how to route work by sensitivity, and what makes local AI actually private.
Grade your last three sales conversations
A 30-minute exercise: grade your last three sales calls with five questions, then use the low scores as next month's practice list.
Your next customer is an agent
AI agents are becoming buyers. Here is what it takes to be a business an agent can find, trust, and pay.
The call that looked like a sale and was a pitch
A worked example of a sales call that looked right from the outside, scored 2 out of 5 on the self-grade, and lost the buyer.
The Five-Question Sales Self-Grade
After any sales conversation, score yourself against five honest questions. Whether you closed isn't on the list. Whether the buyer is measurably better off is.
From 4.7 to 4.8 in Six Weeks
Claude Opus 4.8 arrived about six weeks after 4.7. Here is what rapid model movement means for a small team building on it.
Opus 4.8: the model that flags its own mistakes
Claude Opus 4.8 is less likely to miss flaws in its own code. That matters for any system trusted with context.
Opus 4.8 vs GPT-5.5: the honest read
Claude Opus 4.8 and GPT-5.5 trade wins by benchmark. Here is the mixed scorecard and why context systems need a careful read.
Did I Learn Something Specific?
The hardest post-call self-grade question is about learning. If the seller learned nothing specific, the call was a pitch, not a sale.
The three questions on the table in every sale
Every sales conversation has three buyer questions underneath it. Naming them changes how you spend the hour.
Closing is one minute
Closing is the smallest part of sales. The real work happens before it, where the buyer's question gets answered or does not.
Capital Raising as a Sales Discipline
Fundraising borrows muscles from customer sales, then breaks the analogy in places that catch first-time founders. A map and self-grade rubric.
Enterprise sales from inside the buyer
What a 14-month enterprise deal looks like from inside the buyer's organization, plus a stakeholder check to run before meetings.
Personal sales (when you are the product)
What changes when the buyer is hiring a specific person instead of a firm: pricing, scope, and the polite decline that keeps trust.
Sales, defined honestly
A working definition of sales, how it differs from marketing and persuasion, and a five-question rubric for your next sales call.
The first ten decisions
Ten early founder decisions, from co-founder to first no, that compound long after the first six months.
The founder is the product
Before a team, traction, or a strong deck, the founder is what investors, hires, and first customers buy.
The honest no for founders
Four founder noes that compound: wrong investors, customers, features, and hires. Each includes a script and self-grade rubric.
The Kinds of Sales
A taxonomy of sales by buyer decision shape, with a diagnostic for spotting which kind you are in before you pitch.
The pipeline and the math (made intuitive)
Stages from stranger to closed deal, buyer state at each step, and one worked conversion-math example.
The Skills Every Sale Needs
Seven sales sub-skills, each with a solo practice rig, self-grade move, and common beginner failure.
What a startup actually is
A working definition of a startup, how it differs from nearby company types, and a five-question rubric to test yours.
What you don't have to do
Most startup musts are myths. Here is what is actually universal early, and what is optional or distracting.
Getting Started with GuardClaw
A step-by-step walkthrough of setting up GuardClaw, your first security layer for AI agents. From install to your first security report in five minutes.
GuardClaw and GDPR: What Maps Where
When your AI agent processes personal data, GDPR applies. Here's how GuardClaw's controls map to the requirements that matter most.
GuardClaw and SOC 2: A Control Mapping
Map GuardClaw security controls to SOC 2 criteria, including what evidence to show your auditor.
GuardClaw and the EU AI Act
What the EU AI Act's August 2026 enforcement date means for AI agent deployments and GuardClaw controls.
How GuardClaw Is Different
There are other approaches to AI agent security. Here's where GuardClaw fits, what trade-offs we made, and why we made them.
Rolling Out GuardClaw Across a Team
How to deploy GuardClaw for a development team, shared workspaces, consistent policies, and a single dashboard for everyone's agent activity.
Setting Up Alerts and Monitoring
How to get notified when GuardClaw catches something important, without watching the dashboard all day.
Setting Up GuardClaw for Claude Code
A step-by-step guide to integrating GuardClaw with Claude Code using hooks. Every tool call gets checked before execution.
Setting Up GuardClaw for Cursor
How to add GuardClaw's security layer to Cursor's AI agent. Same protection, different integration path.
The Detection Engine: How It Works
How GuardClaw checks 1,000+ patterns in under a millisecond with tiered filters, RE2 regex, and anomaly detection.
Watching Your Agents Work
How GuardClaw wraps agent commands, intercepts threats, and builds a tamper-evident audit trail.
What Happens When Agents Outnumber People?
Machine identities already outnumber humans. AI agents widen the gap and force governance to change.
What the Receipt Chain Proves
GuardClaw's receipt chain is a tamper-evident audit trail for everything your AI agents do. Here's how it works, what it proves, and why auditors care.
What to Do When GuardClaw Blocks Something
Your agent hit a denial. Is it a real threat or a false positive? Here's how to read the denial, investigate, and decide what to do next.
Writing Your First Security Policy
How to write a GuardClaw policy, understand the defaults, and adjust rules without breaking your workflow.
Your Security Dashboard
The GuardClaw dashboard shows threat stats, audit trails, and compliance alignment in one place. Here's how to read it and what the numbers mean.
What New Hires and AI Agents Have in Common
Your company has an onboarding process for people. It probably doesn't have one for agents. The same trust-building patterns apply to both.
The Friday Agent Permission Audit [Checklist]
A 90-minute permission audit you can run before the weekend. Nine checks, one agent at a time, measurable results by Monday.
Three Layers of Agent Permission Scoping
Agent permissions need identity, scope, and context. Here is how to build those three layers.
Least Privilege Wasn't Built for Agents
The principle of least privilege assumes a human on the other end. When the user makes 10,000 decisions per hour, the implementation needs to change.
Why Your Agent Has More Access Than You
70% of security leaders say AI agents have more system access than humans in the same role. Here's how the default got this backwards.
4.5x More Incidents Start with One Setting
Teleport's 2026 research found that over-privileged AI agents experience 4.5x more security incidents. One default setting explains most of the gap.
NIST Wants Agents Governed Like Employees [2026]
NIST's AI Agent Standards Initiative signals a future where agents need identity, accountability, and lifecycle management, just like the people who build them.
We Trust Systems We Can't Inspect Every Day
From plumbing to power grids to AI agents, humans routinely trust invisible infrastructure. That trust works until it doesn't.
Agent Supply Chain Security in 5 Steps [2026]
A five-step checklist for securing your AI agent's supply chain, from skill vetting to dependency pinning to runtime monitoring.
Audit Your Agent's Trust Boundaries This Week
A practical guide to mapping and testing every trust assumption your AI agents make, from network access to credential scope to tool permissions.
70% of Enterprises Can't See Their Own Agents
Nearly 70% of enterprises run AI agents in production. Most can't tell you how many they have, what they access, or who owns them. That's identity dark matter.
820 Malicious Agent Skills and Nobody Noticed
Koi Security found 820+ malicious skills on ClawHub, up from 324 weeks earlier. Agent marketplaces are the new attack vector builders aren't watching.
The Localhost Assumption That Opened Control
The OpenClaw ClawJacked vulnerability shows how a single implicit trust assumption in an AI agent framework let any website take over a developer's machine.
EU AI Act Checklist Before August 2
The EU AI Act high-risk deadline hits August 2. Five compliance actions you can start this week, with a printable checklist.
Microsoft Recommendation Poisoning Attack
Microsoft discovered that summarize buttons can be weaponized. Recommendation poisoning is the supply chain attack nobody planned for.
NIST's AI Agent Security RFI
The NIST AI Agent Standards RFI just closed. Here's what it asked, what it signals, and what to prepare before April.
One Firebase Misconfig Leaked 300M Chat Messages
An AI chat app with 50M users left a Firebase database open. A researcher found 300 million messages from 25 million people.
Prompt Injection Just Got Classified as Malware
Researchers want prompt injection reclassified as malware. A $40K bounty from UK AISI, OpenAI, and Anthropic is testing why.
How Fast Can an Attacker Hijack Your Agent?
CrowdStrike says attack timelines are under 72 minutes. Your agent verification loop probably takes longer than that.
88% of Agents Shipped Without Security Review
Gravitee's 2026 data: only 14% of orgs got full security approval before deploying agents. Here's what the other 88% have in common.
The Builder's Responsibility
AI builders are making foundation decisions now. The choices around agent safety will shape autonomous systems for decades.
What We Got Wrong (And Changed)
A plain look at what we got wrong, what changed, and why showing the work builds more trust than pretending.
Score Yourself: The Operator Readiness Assessment
A 15-minute self-assessment across five dimensions helps teams see where their agent security posture is weak and what to fix next.
The 30-Day Agent Security Checklist
Four weeks to map agents, lock high-risk actions, rotate secrets, and run one recovery drill.
Why AI Does Not Make Security Decisions
Why TAKE INTEREST does not use AI for deny/allow enforcement, even when models help with detection and triage.
Seven Layers of Defense for AI Agents
Most agent security stops at input filtering and output checks. Here is what real defense in depth looks like for agent systems.
Security Is a Primitive, Not a Feature
Security is load-bearing architecture, not a later feature. Three primitives every agent system needs before first deploy.
Build Like You'll Get It Wrong
Good engineering assumes failure. Recovery paths, checks, and repair loops beat pretending production will stay clean.
Zero Trust Was Built for Humans
Zero trust still matters for AI agents, but the implementation changes when agents operate quickly and chain tools autonomously.
Prompt Injection Is the Easy Problem
Prompt injection gets the headlines, but six other AI agent attack vectors often cause more damage and get less defense investment.
The Identity Problem (Yours and Your Agent's)
Non-human identities outnumber people in enterprise systems, but many teams still manage agent credentials like shared passwords.
Designed to Work Together From Day One
Why disconnected AI tools create hidden risk, and how integrated decision-plus-execution systems reduce failure.
Innovation and Security Are One Product Decision
Treating security as a launch blocker is expensive. Treating security as architecture accelerates real shipping.
Why We Built GuardClaw
AI agents moved from demos to operators. The threat model changed faster than most teams' defenses.
Your AI Agent Has No Seatbelt
AI agents are moving into production faster than safety standards. Runtime security controls need to arrive before the first serious incident.
The full archive: 97 posts, newest first.