The Agent Boundary
Why AI agents are not just chatbots with tools, but software systems where intent, authority, state, and execution collide.
AI agents, security, distributed systems
The Agent Boundary
Modern AI agents are distributed, permissioned, adversarial software systems. I write about where models become authority, where natural language becomes execution, and where software starts to fail.
User intent
Model
Agent loop
Boundary: instructions become authority
Tools
Memory
Identity
Network
Secrets
State
This site is not a digest of AI trends. It is a research notebook for my own argument: agentic AI security should be studied with the rigor of software engineering, smart contract security, distributed systems, privacy, and cloud infrastructure.
Planned essays
First Sequence
Prompt Injection Is a Trust Boundary Failure
A direct and indirect injection model that treats prompts, tool outputs, retrieved documents, and memory as mixed-trust inputs.
Why Self-Attention Replaced RNNs
From recurrence bottlenecks to parallel sequence modeling, attention weights, positional information, and long-range context. Read draft.
Memory Poisoning Is Persistent State Corruption
Agent memory as mutable application state, with integrity, provenance, rollback, and cross-session attack surfaces.
Research map
Subject Areas
AI Agent Security
Goal hijack, tool misuse, direct and indirect injection, memory poisoning, plan-of-thought backdoors, and excessive agency.
Transformer Foundations
Self-attention, embeddings, positional encoding, RNN limitations, retrieval behavior, and the path from prediction to action.
Smart Contracts and Agents
Shared patterns across adversarial execution, capability design, reentrancy-like loops, formal reasoning, and economic incentives.
Distributed and Cloud-Native Systems
Kubernetes isolation, AWS identity, network policy, observability, consensus, cascading failures, and multi-agent coordination.
Labs
Reproducible Failure Studies
- Prompt injection toy agent with trusted and untrusted context.
- Memory poisoning demo with snapshot, detection, and rollback.
- MCP tool metadata poisoning example.
- Kubernetes network policy lab for agent tool isolation.
- Smart contract exploit pattern compared with agent tool loops.
Writing method
Opinion First, Evidence Second
Each essay starts with my claim, not a summary of someone else's framework.
References support the argument; they do not replace the argument.
Every topic moves from intuition to mechanism, failure modes, and design implications.