field notes

Field notes.

Working notes from the problems we’re in the middle of. Agentic AI for corporate use cases, written by the people doing the build, not the people selling the deck.

No vendor pitches. No conference keynote framing. Every citation a real link you can click. Every claim something we’ve seen, shipped, or broken ourselves.

filter
Isometric illustration of an AI agent at the centre, wired out to its tools, memory and permission gates.

The Jammed-In Agent

A new generation of agents has pushed the field forward on planning, durable execution and procedural memory. The context layer underneath most of them is still held together with glue. This is a walk through what the 2026 agents got right, where their architecture still falls short, and what properly engineered agents look like.

17 Apr 2026 14 min read
Isometric illustration of an app's UI surface lit with vulnerability alerts as attacks stream in.

The Vibe-Coded Attack Surface

Autonomous agents are already topping HackerOne leaderboards. AI app builders are already shipping the same authentication bug across hundreds of live apps at once. When the attacker cost curve crosses the builder cost curve, the middle of the market gets reshaped in a quarter.

17 Apr 2026 14 min read
Isometric illustration of an invoice flowing through approval checks into finance and banking systems.

The Forty-Dollar Invoice

Most CFOs count the labour line on their AP stack. That is the smallest number. The real cost is rework, late-payment penalties, missed early-payment discounts, duplicate payments, invoice fraud, and Month 13 cleanup. Agentic AP does not just reduce labour. It collapses the whole stack. But only if deployed with a real threat model.

16 Apr 2026 13 min read
Isometric illustration of a query passing through a retrieval scanner into a large document corpus.

The RAG Demo Tax

RAG demos work because they sit on small, clean corpora with one user and a generous latency budget. Production RAG is a different engineering problem. Teams discover this around month four, when accuracy quietly collapses. Here is why, and what the teams who get it right actually build.

15 Apr 2026 13 min read
Isometric threat-model diagram showing untrusted content crossing a boundary toward guarded tool access.

Prompt Injection Is Not a Sidebar

Most enterprise LLM deployments treat prompt injection as something to put a filter in front of. That framing is backwards. For any LLM that reads untrusted content or holds a tool, prompt injection is the core threat model. There is no filter solution. The durable defences are architectural.

14 Apr 2026 13 min read