Decoupled Logic

Yesterday I wrote about agent sprawl being the new shadow IT. Today is the implementation post. I have five agents in my .NET stack. Triage, ranking, summarization, extraction, daily orchestrator. Each one is well-scoped internally. Microsoft Agent Framework handles the agent interiors just fine. But the handoffs between them? Wide open. The triage agent classifies a work item. The ranking agent reads that classification and scores it. Nothing validates the handoff. If triage hallucinates a category the scoring model has never seen, ranking scores it with full confidence. Both agents complete successfully. The failure is invisible. Someone is going to read this and say "that is just integration middleware." And so, yeah, the pattern is old. Contract, validate, route, log. ESBs did this. RPA orchestration did this. The difference is what crosses the boundary. RPA handoffs are deterministic. Schema validation is enough. Agent handoffs are stochastic. The triage agent can return a structurally valid payload with a hallucinated category. Schema passes. Content is wrong. You need domain validation and confidence gating, not just structural checks. That has no RPA equivalent. I built it with an IBoundaryContract interface, a BoundaryGate middleware, PostgreSQL for the crossing log, and a Vue.js dashboard that shows boundary health rates. The extract-to-triage boundary was failing at 14% and I had no idea until the dashboard lit up. The plumbing is familiar. The threat model is not. Full implementation on the blog. Link in comments.

I used to think AI governance meant writing the right policies. Define acceptable use. Assign a committee. Review quarterly. None of that produces a kill switch. The EU AI Act says you need one by August 2026. Article 14 requires a real stop mechanism. Not a process that eventually leads to stopping. An actual control plane that a non-engineer can operate. 60% of organizations cannot do this today. The good news: the four containment rings map directly to the compliance requirements. If you built them for engineering reasons, you're 80% of the way there. If you didn't, you have 135 days.

Generation is cheap. Verification is not. 42% of committed code is AI-generated. 96% of developers don't fully trust it. Only 48% always verify before committing. Werner Vogels named this at re:Invent 2025: verification debt. It compounds the same way technical debt does, except it's invisible until something load-bearing breaks. The fix isn't "verify more." That's telling a drowning person to swim harder. The fix is moving verification from human effort to automated gates that scale with generation. Layer 3 of the AgenticOps model has to keep pace with Layer 2, or the governance model collapses under volume. New post breaks down the three failure stages, the gate thresholds that block promotion, and what humans actually own once the pipeline is in place.

Gartner says 40% of agentic AI projects will be canceled by 2027. The reason is not the models. GPT-5 and Claude will be more capable in 2027 than they are today. The bottleneck is governance. Or more precisely, the absence of it. 73% of organizations are deploying agentic AI right now. Only 7% govern it in real time. That 66-point gap is exactly where the cancellations will come from. There are six specific governance failures that compound into cancellation: no centralized control plane, late governance introduction, missing decision traceability, no policy-as-code enforcement, undefined human-in-the-loop thresholds, and poor tool differentiation. Every one maps to a specific layer and ring in the AgenticOps model. This post walks through the mapping and gives you a diagnostic checklist you can run against your own projects today.

Real talk: most teams build containment rings around individual agents. Good start. But when agents communicate with each other, the channel between them is a trust boundary. Most teams treat it as internal. That is the structural error OWASP called out in ASI07 and ASI08. One compromised agent does not just fail. It passes corrupted outputs to every downstream agent that trusts it. The failure propagates through the system as valid data. The fix is not exotic. Apply the same four containment rings at every agent-to-agent boundary, not just at the system perimeter. Zero-trust between internal agents. Circuit breakers on every channel. Fan-out caps to limit blast radius. Memory isolation with provenance tracking. The interior boundaries between your agents have the same attack surface as the exterior ones. New post on the mechanics and the mitigations.

| Agents don't have identities. They have inherited credentials. I've been stress-testing the AgenticOps containment model, and this is the gap that keeps coming up. 80% of organizations report risky agent behaviors in production. Not predicted. Reported. 44% authenticate agents with static API keys. 43% use username and password pairs. Only 21% maintain a real-time inventory of active agents. The containment model assumes that scoping what an agent knows is enough to limit what it can do. That assumption breaks when the agent holds credentials that authorize systems it was never meant to touch. The agent doesn't break out of the sandbox. It walks through the front door. Three fixes: per-agent identity, task-scoped just-in-time credentials, and a runtime authorization gateway. The tooling exists. OPA, service mesh patterns, ephemeral runners. The gap is applying it to agents. New post in AgenticOps Applied: Agents Don't Have Identities. They Have Inherited Credentials.

A friend sent me a post about AI sprawl. The argument: organizations are paying for the same AI value three, four, five times over. Different teams, different subscriptions, same summarization. I get it. And I think that part is a maturity problem. Everyone is experimenting. Nobody coordinated. That is normal. The duplicate subscriptions will compress as the market consolidates. But the part that will not consolidate on its own? The duplicate capabilities inside the tools. Five agents summarizing context five different ways because five people made five independent decisions about what "summarize" means. Three workflows classifying the same work items with three different confidence thresholds. The vendor landscape settles. The capability mess underneath it does not. RPA did this exact thing. Decentralized adoption, quick wins, sprawl, fragmentation, expensive consolidation. Agent sprawl follows the same path but faster, because AI agents improvise where RPA bots just broke. 69% of organizations suspect employees are already using unauthorized AI tools. Gartner says 40% of enterprise apps will embed agents by year-end. The sprawl is not coming. It is here. The fix is not governing each agent individually. Ten governed agents is not a governed system. It is ten systems sharing an org chart. The fix is governing the boundaries between agents, every handoff, every data flow, every integration point. New post on the blog.

A new survey of 225 security, IT, and risk leaders found the defining pattern of enterprise AI governance right now: organizations invested in watching their agents but not in stopping them. 63% cannot enforce purpose limitations. 60% cannot terminate a misbehaving agent. 55% cannot isolate AI systems from broader network access. But 58% have continuous monitoring and 59% have human-in-the-loop oversight. The gap between observation and containment is 15 to 20 percentage points. The security community calls it the governance-containment gap. The four containment rings from the AgenticOps model predict exactly where the failure occurs and in what order to fix it. Organizations built Ring 3 and skipped Rings 1, 2, and 4. They built the screens. They did not build the brakes. Government agencies are in the worst position: 90% lack purpose-binding controls. And 100% of organizations surveyed have agentic AI on their roadmap.

Five independent researchers named the same problem within six weeks of each other. They are calling it cognitive debt: the accumulated gap between a system's evolving structure and a team's shared understanding of how and why that system works. Unlike technical debt, cognitive debt is silent. The tests pass. Features ship. The system runs. But the shared theory of why it works the way it does is fragmenting faster than anyone expected. AI makes it exponentially worse because it generates structure faster than shared understanding can stabilize. The structural response is knowledge compression. Not documentation written after the fact. Living artifacts that capture the theory of the system as it is built. Decision logs, lifecycle maps, compressed commit histories, architecture blueprints that update when features ship. The sixth layer of the AgenticOps framework may be the most important one.

The industry converged on agentic engineering as the professional standard for AI-assisted development. Karpathy named it. Osmani wrote the guide. IBM published the definition. Willison drew the line between it and vibe coding. The practices they describe are correct. Specs before prompts. Humans own architecture. Test relentlessly. But practices live in behavior, and behavior degrades under pressure. Nothing in the model enforces the practice when the practitioner is tired, rushed, or outnumbered by deadlines. Agentic engineering covers three layers: intent, generation, evaluation. AgenticOps adds the three that turn a practice into a system: promotion, runtime governance, knowledge compression. Practice tells you what to do. Infrastructure ensures you actually do it.

In eight weeks, four companies shipped agent runtimes targeting the same architectural pattern. OpenClaw went from 9K to 68K GitHub stars. Perplexity launched Computer. Anthropic launched Dispatch. NVIDIA announced NemoClaw at GTC. Different audiences. Different tradeoffs. Same structural claim: agents need a long-running runtime with containment boundaries, not a chat window. The barrier to deploying an autonomous agent is now lower than the barrier to writing a containment policy for one. Every company needs to treat this as infrastructure, not a trend.

We deployed OpenClaw using Claude Code and a work-system that enforces stage-based governance. Two architectural spikes before any code. An epic with three features, six stories, and explicit acceptance criteria. TDD throughout. Budget daemons with three-tier enforcement. The interesting part is not the deployment. It is the separation. The agent that built the runtime never ran inside it. The system that writes the budget daemon does not have its spending governed by that daemon. That separation is not an accident. It is containment architecture.

The normal development loop is write, run, debug. AI-assisted development makes that loop worse. Generated code looks correct but hides subtle failures. Debugging stochastic output is slower than debugging code you wrote yourself. The fix is verification. Acceptance tests before implementation. Mutation testing that attacks the code. Coverage gates, complexity limits, and structural constraints. By the time the system executes, it has already survived adversarial validation. Verification beats debugging. Every time.

OpenClaw is usually described as an AI assistant, but that description misses what it actually is. It is not just a chat interface or helper sitting on top of a model. It is a harness, an agent runtime that connects a language model to tools that can read files, execute shell commands, and call APIs. The right mental model is not “install an AI assistant.” The right mental model is “deploy an autonomous process with the ability to operate on my machine.” That shift matters because it changes how you evaluate risk and how you design the system around it. Once you see it that way, the problem is no longer installation. It is containment. You are not asking how to run it. You are asking how to control it. That is where structure comes in. Three isolation layers, five containment rings, and a core principle that governs everything. The environment says “can’t,” not “shouldn’t.”

Stripe built autonomous coding agents that produce 1,300 merged pull requests per week. They didn't use AgenticOps terminology. Their architecture maps to the containment model anyway. Isolated environments. Curated tool access. Layered verification. Human promotion gates. Four containment rings, all present, none accidental. When two independent approaches arrive at the same structural patterns, those patterns are likely dictated by the problem rather than the methodology. This first post in the AgenticOps Applied series reviews the alignment and assesses where Stripe Minions sits on the AgenticOps maturity scale.

I spent twenty years trying to become a better coder. Faster frameworks, better shortcuts, more patterns drilled into muscle memory. I measured myself against the 10x myth and came up short every time. Then AI arrived. Not the theoretical AGI kind. The real kind that writes code faster and better than me. What happened next surprised me. Not because of what AI could do, but because of what it turned me into. The fifth post in the AgenticOps series is the most personal one for me so far.

You can't trust a stochastic system to respect boundaries. You can only contain it. A policy says don't do this. Infrastructure says you can't. When you're governing AI agents, you want the second one everywhere you can get it. Four rings of deterministic containment. Constrain the inputs. Constrain the environment. Validate the outputs. Gate the promotion. Each ring is deterministic. What's inside them is stochastic. That asymmetry is the whole point. And code review changes. You stop reading code line by line. You start reviewing evidence, scope, intent, and behavior. The machines verify implementation. The human verifies outcomes.