Security

• Building Agents That Can't Go Rogue: A Practical Safety Guide March 6, 2026

  Practical safety engineering for AI agents -- not theory. Covers real incidents, the accountability gap, kill switches, constraint patterns, and what responsible agent deployment actually looks like. Updated 6 March 2026: MIT/Cambridge survey of 30 agentic systems finds systemic lack of risk disclosure. McKinsey: 80% of orgs have encountered risky agent behaviour.

• The Ad SDK You Shipped Is a Government Surveillance Vector March 6, 2026

  CBP has officially acknowledged it buys location data sourced from the real-time bidding ecosystem -- data that flows directly from ordinary apps through ad SDKs to government analysts. This is a product engineering post about what your app is actually participating in, and what to do about it.

• Corporate Ethics Meets State Power: The Anthropic/Pentagon Standoff and What It Means for Engineering Teams March 5, 2026

  When the Pentagon demanded Anthropic delete a clause protecting against mass surveillance, it triggered the first real test of whether corporate AI ethics policies can survive contact with sovereign power. Here's what engineers deploying AI systems need to understand.

• Infrastructure in the Line of Fire: What the AWS Drone Strikes Actually Mean for SREs March 5, 2026

  Drones hit three AWS facilities in the UAE and Bahrain during the US-Iran conflict. AZ isolation failed. Banking services went down. And Iranian state media told us exactly why they targeted cloud infrastructure. Here's what changes now.

• Whose Ethics? Anthropic, the Pentagon, and the Limits of AI Vendor Governance March 5, 2026

  Anthropic refused to delete one phrase from its AI usage policy. The Pentagon banned them, OpenAI filled the gap within hours, and the entire premise of 'safety-first' enterprise AI got stress-tested in real time. Here's what it means for engineering teams.

• Clinejection: How a GitHub Issue Title Took Down a 5 Million User Tool March 5, 2026

  In February 2026, an attacker used a GitHub issue title to hijack Cline's AI triage bot, poison its Actions cache, and publish a malicious npm package to 5 million developers. Every failure point was a documented misconfiguration. This is what went wrong, and what you do differently.