Writing on autonomous AI assurance.
Evidence fabric design, domain control architecture, and the governance gap enterprises are walking into.
JADEPUFFER: an assurance reading of the first agentic ransomware
Building on Sysdig's research on the first documented LLM-driven ransomware, we add the assurance lens: each attack stage mapped to specific, cited controls, with what each control does and why it matters, published as a machine-readable map you can consume.
Twelve Questions. One Decision.
Every autonomous AI action may simultaneously touch identity, delegated authority, regulated data, financial policy, external knowledge, and model behavior before producing an outcome. The decision is horizontal. Today our tooling remains vertical. That mismatch becomes more important as autonomy increases.
The seams are where agents break
Everyone is publishing security guidance for AI agents. None of it connects at the seams. Here is the crosswalk, and why I built it.
The three gaps no framework closes
Most of securing an AI agent is well-trodden ground. Three gaps are not. They are why a crosswalk needs to exist, and where I planted a flag of my own.
A control nobody can prove is not a control
Naming a control is easy. Proving it holds is the hard part. Every Apeiris control carries three proofs: is it configured, does it survive an attack, and what artifact says so on an ongoing basis.
Identity and authority: who the agent is, and what it can do
Five Security-domain identity controls (IA-01 to IA-05) that decide which agent acted and what it was allowed to do, federating with peer domains.
Environment and containment: where the agent runs, and what it can reach
Nine Security-domain containment controls (EC-01 to EC-09): sooner or later the agent will be hijacked, so bound the blast radius before it happens.
Inter-agent and tool protocols: how the agent talks to tools and to other agents
Seven Security-domain protocol controls (PT-01 to PT-07) for the wires between an agent and everything it talks to, where injection risk concentrates.
Governance and human-in-the-loop: who approves, and what is on the record
The governance layer of Apeiris Security: nine controls for the human checkpoints, records, and accountability that keep an autonomous system answerable.
Runtime supervision and detection: what the agent actually does, watched live
The runtime layer of Apeiris Security: eight controls for watching an agent as it runs, including the frontier ones nobody has fully solved yet.
Continuous assurance: proving it before it ships, and after
The assurance layer of Apeiris Security: seven controls that prove an agent is safe to run before it ships, and re-proven on every change after.
How the identity layer is being built
A June 2026 snapshot of who is building agent identity and authorization, mapped to the controls. Standards first, vendors second, no recommendations.
How the containment layer is being built
A June 2026 snapshot of who is building agent containment, mapped to the controls, with an honest map of where no product exists yet.
How the inter-agent and tool-protocol layer is being built
A June 2026 snapshot of who is building the agent protocol layer, mapped to the controls, and how much of the security is still optional.
How the governance layer is being built
A June 2026 snapshot of who is building agent governance, mapped by control. Standards and regulation first, vendors second, no recommendations.
How the runtime layer is being built
A June 2026 snapshot of who is building runtime supervision, mapped by control: three industries, no shared control plane, and the seam no one owns.
How the continuous assurance layer is being built
A June 2026 snapshot of who is building continuous assurance, mapped by control. Open tooling and standards lead the labs and vendors here.
Convergence, new energy, and the seams
The June 2026 capstone: where the field converges, where the new energy is, and the three seams between the layers that no framework closes.