The Sam Ellis Show

Sam Ellis

Reporting from inside the world of autonomous AI agents. Culture, conflict, and what happens when software starts making its own decisions. The Sam Ellis Show.

  1. 2d ago

    The Package That Wasn't There

    A hallucinated package name is not just a bad answer once an AI coding agent can fetch, install, and run code. In this episode, Sam Ellis reports on HalluSquatting: a supply-chain risk where models invent plausible resource names, attackers pre-register the invented names, and agentic tools may pull the trap from the internet as if it were legitimate infrastructure. The lead source is the research paper “Beware of Agentic Botnets: Scalable Untargeted Promptware Attacks via Universal and Transferable Adversarial HalluSquatting,” from researchers at Tel Aviv University, Technion, and Intuit. The paper describes “predictable LLM hallucinations of resource identifiers” and reports hallucinated resource generation rates as high as 85 percent in repository-cloning scenarios and as high as 100 percent in skill-installation scenarios. The important boundary is not the hallucination by itself. It is the tool path around it. SecurityWeek framed the technique as untargeted promptware. Instead of sending a poisoned email or sitting inside a target chat, the attacker can host poisoned instructions inside a resource the model is likely to invent. The agent does the delivery step by trying to fetch what it thinks is a real repository, package, or skill. The episode keeps the evidence boundary tight. The public sources reviewed do not establish confirmed exploitation in the wild. The research used benign GitHub and ClawHub resources for ethical reasons and describes responsible disclosure to affected vendors, model providers, marketplace operators, and hosting platforms. Treat this as research-backed risk with practical controls, not a reported botnet already loose on the internet. The practical controls are deliberately boring: search before fetch, verify canonical sources before cloning, treat generated package names as untrusted, separate read permission from install permission, separate install permission from shell execution, disable auto-approve modes for untrusted code, and watch for unknown-resource retrieval followed by terminal activity. Sam also reached out to Aikido, a software supply chain security company. Charlie Eriksen, Aikido's lead security researcher, argued that the first practical control layer should live in package-manager-level security controls and cooldowns, not ordinary confirmation prompts. His reason was blunt: “Human confirmation is not useful, as most people will just accept without checking. People rarely do actual due diligence on the dependencies they introduce, and this is all the more true for agents.” Sam's hook: in old software, a wrong package name failed. In agentic software, a wrong package name can become an opportunity for someone else to make the wrong thing exist. If you run, secure, or review AI coding agents, send near-misses with the subject line HalluSquatting near-miss: SamEllisShow@protonmail.com. Anonymous and source-protection notes are welcome. Sources and presenter notes arXiv: “Beware of Agentic Botnets: Scalable Untargeted Promptware Attacks via Universal and Transferable Adversarial HalluSquatting” — primary research source for the HalluSquatting mechanism, the phrase “predictable LLM hallucinations of resource identifiers,” reported hallucination rates, transferability findings, ethical-use caveats, and mitigation concepts. Project page: Scalable Untargeted Promptware Attacks via Universal and Transferable Adversarial HalluSquatting — companion research page for the paper, researcher list, ethical considerations, and project framing. SecurityWeek: “‘HalluSquatting’ Turns AI Hallucinations Into Botnet Delivery Mechanism” — public-security framing source for HalluSquatting as an untargeted promptware technique built around pre-registered fake resources. Threat-Modeling.com: “Friendly Fire and HalluSquatting” — practical-control source for disable-auto-approve guidance, dependency review, package allowlisting, and command-log auditing. SOCRadar: “How HalluSquatting Could Fuel Agentic Botnets” — operator-control source for fetch, clone, install, and execute permissions; sandboxing; and monitoring unknown-resource retrieval followed by terminal execution. Direct email reply to The Sam Ellis Show from Charlie Eriksen, lead security researcher at Aikido — source for the package-manager-controls quote, the human-confirmation critique, the near-miss framing, the probabilistic-risk framing, and the package-manager-as-curator argument. Aikido sells software supply-chain security tools, so product-adjacent recommendations are treated in that context. Email: SamEllisShow@protonmail.com

  2. 6d ago

    The Cheap Model Is the Supply Chain

    The cheap model is the supply-chain decision now. In this episode, Sam Ellis reports on the new model-routing fight underneath AI agents and AI products: when inference cost decides which model handles real work, the router becomes procurement, compliance, reliability engineering, and geopolitics hiding behind one boring dropdown. The lead proof is CNBC's reporting that Chinese-built AI models have gained traction among U.S. companies as costs rise at American labs. CNBC reported OpenRouter figures showing U.S. company token share on Chinese models through OpenRouter stayed above 30 percent each week since February 8, reached as high as 46 percent, and had averaged 11 percent over the previous 12 months. CNBC also reported that Lindy moved all of its traffic from Anthropic's Claude models to DeepSeek in June, with CEO Flo Crivello saying the move made the cost curve “crash to the ground,” and that Vercel saw Z.ai's GLM 5.2 grow about 27 times in daily token volume and about 80 times in customer count during its first full week. The episode keeps the boundary exact. OpenRouter is a gateway, not the whole enterprise market. Company benchmark and efficiency claims remain company claims unless independently verified. Congressional scrutiny is treated as inquiry, not a finding. Reuters reporting on possible Chinese access curbs is treated as a discussion under consideration, not enacted policy. The pressure is coming from both directions. U.S. lawmakers are probing American companies' use of PRC-developed AI models and raising supply-chain, data-security, and provenance concerns. Reuters reported that Chinese authorities have discussed potentially restricting overseas access to China's most advanced AI models, while the timing, scope, and even final decision remain unclear. That leaves operators squeezed between cheaper routing today and possible political, commercial, or technical interruption tomorrow. OpenAI's GPT-5.6, xAI's Grok 4.5, and Meta's Muse Spark 1.1 make the same market signal louder. OpenAI is selling GPT-5.6 around “stronger performance per dollar,” cache economics, Programmatic Tool Calling, and multi-agent tiers. xAI is pricing Grok 4.5 into coding, agentic tasks, gateways, and tool workflows. Reuters reported Meta's Muse Spark 1.1 as a low-cost coding and agentic model, with Mark Zuckerberg saying Meta is focused on “delivering strong agentic and multimodal models at very low cost.” The arms race is no longer just intelligence. It is useful work per dollar. For agents, this is not abstract procurement. Agents call, retry, summarize, inspect, repair, compact context, ask for tools, escalate, and route. Model choice is a repeated dispatch decision inside the work. If that dispatch layer is tuned mainly for cost, then cost is deciding what intelligence shows up where. Sam's hook: the cheapest model is not automatically the wrong choice. Sometimes it is the only choice that lets the product exist. But once that choice becomes automatic, it stops being an optimization. It becomes dependency. If you are routing production work between OpenAI, Anthropic, Chinese open-weight models, Grok, Meta, or anything through a gateway, send a note with the subject line routing cost: SamEllisShow@protonmail.com. Anonymous and source-protection notes are welcome. Sources and presenter notes CNBC: “Chinese AI models are gaining traction in the U.S. as costs rise at OpenAI, Anthropic” — lead proof source for OpenRouter U.S. company token-share figures, Lindy's move from Claude to DeepSeek, Flo Crivello's cost-curve quote, Vercel's GLM 5.2 adoption figures, Harpreet Arora's “Price is doing the work here” quote, and OpenRouter's 60% to 90% cheaper comparison for Chinese open-source models. CNBC: “Chinese AI models draw scrutiny from U.S. lawmakers” — current-cycle scrutiny source for lawmakers considering strategies to curb Chinese-model adoption and a House investigation into risks associated with AI built in China. House Committee on Homeland Security: joint investigation announcement — primary government source for the joint Homeland Security / Select Committee on the Chinese Communist Party investigation into PRC-developed AI models, model provenance, cybersecurity, and supply-chain risk. House committees' letter to Anysphere — primary document for the Cursor / Anysphere portion of the investigation, including concerns about Composer 2, Moonshot AI / Kimi model provenance, adversarial distillation allegations, and enterprise developer-tool exposure. House committees' letter to Airbnb — primary document for the Airbnb / Qwen portion of the investigation, including concerns about customer-service routing, the “fast and cheap” model-choice rationale, and customer data-security implications. Reuters via The Straits Times: “Beijing is looking at curbing overseas access to China's top AI models, sources say” — pressure-test source for the other side of the squeeze: Chinese authorities have discussed possible overseas-access limits for top AI models, with timing, scope, and final decision still unclear. OpenAI: GPT-5.6 launch page — primary vendor source for GPT-5.6 Sol, Terra, and Luna; OpenAI's performance-per-dollar framing; cache, tool, and multi-agent positioning; and company benchmark claims. OpenAI developers: Programmatic Tool Calling guide — technical source for JavaScript tool orchestration, isolated runtimes, parallel tool calls, looping, filtering, smaller structured outputs, and OpenAI's guidance that approval-sensitive writes and final validation should usually remain direct tool calls. CNBC: Sam Altman on GPT-5.6 Sol — source for Altman's 54% token-efficiency claim on agentic coding tasks and his statement that enterprises are weighing AI spend against value. The episode treats this as OpenAI's claim, not independent measurement. CNBC: GPT-5.6 public rollout — release-context source for the move from government-requested preview and trusted-partner access into broader public availability. xAI developer docs: Grok 4.5 — primary vendor source for Grok 4.5 pricing, coding and agentic-task positioning, tools, cache-key guidance, context compaction, and gateway availability. Cursor: Grok 4.5 in Cursor — product-context source for Cursor availability, base/fast pricing, tool-work positioning, and the disclosed CursorBench caveat tied to an earlier Cursor codebase snapshot. Reuters via AOL: “Meta debuts Muse Spark 1.1” — core source for Meta opening developer access to Muse Spark, Muse Spark 1.1 coding and agentic positioning, $20 credits, $1.25 / $4.25 per-million-token pricing, and Mark Zuckerberg's low-cost agentic-model quote. CNBC: Meta jumps into AI coding market — secondary current-cycle source for Muse Spark public-preview and waitlist context, pricing, Meta infrastructure, and OpenRouter availability caveat. Simon Willison: GPT-5.6 early-access notes — independent practitioner reaction used as a cautionary counterweight: GPT-5.6 Sol felt competent in early access but had not clearly beaten Fable for Willison's complex coding work, and price per million tokens can miss reasoning-token variation. Email: SamEllisShow@protonmail.com

  3. Jul 9

    The Client Is the Control Surface

    The client is the control surface now. In this episode, Sam Ellis reports on the Claude Code warning that moved a local coding-agent client from developer convenience into the center of the security conversation. China's Ministry of Industry and Information Technology and the National Vulnerability Database warned that Claude Code versions 2.1.91 through 2.1.196 contained what they described as a back-door risk involving a built-in monitoring mechanism capable of transmitting location and identity-related identifiers without consent. CNBC, Reuters-syndicated reporting, The Register, China Daily, Global Times, and SCMP all carried versions of the warning. The episode keeps the claim boundary tight. The warning is real. The allegation remains attributed to the Chinese cybersecurity platform and to news organizations reporting or translating its statement. It is not independent proof that Anthropic exfiltrated sensitive data. The more durable story is the trust boundary: a coding agent is privileged local software, not a harmless chat window. Sam follows the technical layer through Thereallo's reverse-engineering of Claude Code 2.1.196, including hidden prompt markers, date-separator and apostrophe changes, ANTHROPIC_BASE_URL checks, timezone checks, and endpoint or domain classification. Under certain conditions, ordinary prompt text could carry machine-readable signals while still looking boring to a human reader. The practical question is what security teams should do when coding assistants sit inside repositories, shells, filesystems, package installs, and sometimes browser workflows. The answer is not panic. It is inventory, version control, endpoint and routing visibility, outbound request inspection, local configuration monitoring, and treating agent clients as privileged software with audit requirements. If you work on developer security, AI tooling, procurement, or incident response, send a note with the subject line client control surface: SamEllisShow@protonmail.com. Anonymous and source-protection notes are welcome. Sources CNBC: “China warns about AI risks with Anthropic's Claude Code” — lead mainstream source for the MIIT warning, affected versions 2.1.91 through 2.1.196, alleged location and identity transmission risk, upgrade or uninstall guidance, changelog range, latest version note, and Anthropic no-comment status at the time of publication. Reuters syndicated via WIFC: “China issues ‘backdoor’ security alert over Anthropic's Claude Code” — wire report on the National Vulnerability Database warning, affected version range, alleged built-in monitoring mechanism, remediation guidance, network-control recommendation, Alibaba ban context, and Anthropic no-comment status at the time of publication. The Register: “China tells devs to ditch Claude Code over ‘backdoor code’ fears” — security-trade pickup that links the warning to CNVDB's WeChat and online statement, quotes investigation/uninstall/upgrade/network-monitoring guidance, and reports the hidden steganography system was removed in Claude Code 2.1.198. SCMP: “Anthropic hits back after China warns of Claude Code ‘backdoor’ risks” — later response/reporting that Anthropic said users in China advised to uninstall Claude Code were not supposed to be using the product, while restating the MIIT/NVDB affected-version and remediation claims. Thereallo: “Claude Code Is Steganographically Marking Requests” — original technical writeup on the Claude Code 2.1.196 hidden prompt markers, ANTHROPIC_BASE_URL trigger, timezone and hostname checks, encoded domain and lab-keyword lists, and why privileged coding-agent clients require boring, visible behavior. Ars Technica: “Secret Claude tracker shocks users after Anthropic's anti-surveillance stance” — public-trust context around the hidden tracker, Anthropic engineer Thariq Shihipar's “experiment” explanation, reseller/distillation rationale, removal framing, Alibaba ban context, and user-trust backlash. The Next Web: “Alibaba bans Claude Code after Anthropic is caught tracking Chinese users with hidden code” — additional reporting on hidden-marker mechanics, Alibaba's workplace ban, Asia/Shanghai and Asia/Urumqi checks, proxy/domain classification, and the enterprise reaction layer. Anthropic Claude Code changelog — direct version-timing source for Claude Code release ranges and a separate 2.1.203 client-routing fix involving ANTHROPIC_BASE_URL. The changelog is used for version and routing context, not as an admission of the MIIT/NVDB allegation. Malwarebytes: “Claude Code's hidden tracker was an experiment, says Anthropic” — plain-language security translation of why a coding assistant with shell, filesystem, repository, and request access should be inspected like privileged software. Mitiga: “Claude Code MCP token theft and MITM” — background and consequence source for Claude Code local configuration, MCP routing, OAuth token exposure, and why security teams should monitor local agent-client behavior and configuration state. Email: SamEllisShow@protonmail.com

  4. Jul 8

    The Thirty-One Seconds

    Thirty-one seconds is not a strategy. It is a warning about time. In this episode, Sam Ellis reports on JADEPUFFER, the ransomware operation that Sysdig's Threat Research Team assesses as the first documented end-to-end agentic ransomware case. The operation did not depend on a mysterious new vulnerability. It began with an internet-facing Langflow instance, a known missing-authentication flaw, exposed secrets, default or weakly governed credentials, and production infrastructure that gave an AI-driven attacker enough room to chain the work together. The central question is not whether every ransomware crew has been replaced by an AI agent. They have not. The useful question is what changes when an agent can enumerate, retry, correct itself, and move from one weak surface to the next at machine speed. In Sysdig's account, the clearest signal was a failed Nacos login followed by a working corrective payload thirty-one seconds later. The episode follows the reported chain from Langflow initial access through credential harvesting, MinIO probing, MySQL/Nacos compromise, encryption of 1,342 Nacos configuration items, a ransom table with a suspect payment address, and destructive database actions. It also keeps the claim boundaries intact: Sysdig could not determine where the MySQL root credentials came from, did not verify the agent's exfiltration claim, and could not determine whether the Bitcoin address was a model artifact or operator choice. The practical conclusion is deliberately unglamorous. Patch the known flaws. Keep code-execution systems off the open internet. Do not leave provider keys and cloud credentials sitting inside web-reachable processes. Change defaults. Restrict database administration. Watch behavior at runtime. Treat agent infrastructure as infrastructure, not as a clever demo with a login page. If you work on incident response, agent security, or production AI infrastructure, send a note with the subject line JADEPUFFER clock: SamEllisShow@protonmail.com. Anonymous and source-protection notes are welcome. Sources Sysdig Threat Research Team: “JADEPUFFER: Agentic ransomware for automated database extortion” — lead proof source for the reported operation, including Sysdig's assessment that JADEPUFFER was an agentic threat actor, the Langflow initial access, credential harvesting, Nacos/MySQL pivot, thirty-one-second corrective sequence, 1,342 encrypted Nacos configuration items, missing persisted encryption key, and caveats around unverified exfiltration and the Bitcoin address. The Hacker News: “AI Agent Exploits Langflow RCE to Automate Database Ransomware Attack” — public technical explainer that restates the Langflow CVE path, secret harvesting, Nacos/MySQL pivot, ransom-note problem, missing recovery key, and broader AI-driven cyber context. SC World / SC Media: “1st agentic ransomware JADEPUFFER invades database at machine speed” — practitioner pressure-test source, including Ram Varadarajan on runtime behavioral detection, Ben Ronallo on known-vulnerability exploitation, and Shane Barney on credential-governance failures and privileged-access visibility. SecurityWeek: “Agentic AI Used to Conduct Ransomware Attack via Langflow” — security-trade confirmation and defense framing around Langflow, CVE-2025-3248, CISA's exploited-vulnerability flag, the secret sweep, internal service probing, persistence, MySQL/Nacos pivot, and the lowered barrier for malicious operations. BleepingComputer / Bill Toulas: “JadePuffer ransomware used AI agent to automate entire attack” — mainstream security-public pickup for the 31-second correction, XML-versus-JSON parsing adaptation, 1,342-item encryption, AES caveat, Bitcoin-address oddity, and LLM-generated payload traces as possible detection opportunities. CISA Known Exploited Vulnerabilities catalog — direct source for the Langflow CVE-2025-3248 KEV record and patch-clock context. CISA is used here as infrastructure-debt context, not as independent confirmation of JADEPUFFER's operation. Email: SamEllisShow@protonmail.com

  5. Jul 1

    Target Menu

    The human decision starts before the final click. In this episode, Sam Ellis reports on the Department of War's Agent Network, an AI-agent project for battle management and targeting support. The department says Agent Network will scan defense intelligence and operational systems, translate findings into clearly presented options for commanders within seconds, and keep commanders in charge of every decision. The question is not whether a human still says yes. The question is what record proves meaningful human control when agents build the target menu before the commander sees it. The episode connects the Department of War announcement, Defense One reporting from Patrick Tucker, Lumbra's public launch framing, and broader military-AI warnings from the Brennan Center, Human Rights Watch, and Access Now. The evidence does not show Agent Network autonomously selecting or striking targets. It shows a public proof gap around provenance, ranking, omissions, confidence, legal review, testing, evaluation, audit trails, and command responsibility. If you have worked with military, public-sector, or high-consequence decision-support agents where the system generated the options before a human approved them, send a note with the subject line TARGET MENU. Anonymous and source-protection notes are welcome: SamEllisShow@protonmail.com. Sources Department of War: “DOW Unleashes 'Agent Network' to Transform AI-Enabled Battle Management and Targeting” — primary announcement for Agent Network, including the target-options-within-seconds frame, command-responsibility claim, participating commands, and the department's statement that the system does not autonomously select or strike targets. Defense One / Patrick Tucker: “Agentic-AI tool aims to give US commanders new target options ‘within seconds’” — independent reporting on Agent Network, including the “within seconds” targeting-options frame, Illia Pashkov's “leash, logbook, or human who owns the call” quote, and the DOD intelligence-security official's warning that governing all deployed agent systems will be nearly impossible. Lumbra AI: “Agent Network is live” — vendor-side public framing that Agent Network is live, compresses intelligence-to-commander decision time, automates multi-step analyst and operator workflows, and is anchored by Lumbra and Palantir. Brennan Center for Justice: “The Military’s Use of AI, Explained” — background source for U.S. military AI use, reported AI target recommendations and legal-evaluation support, and the risk that human final approval can still depend on flawed AI-generated options or justifications. Human Rights Watch: “Addressing Artificial Intelligence in the Military Domain” — background source on testing, evaluation, verification, validation, automation bias, opacity, probabilistic outputs, and the pressure AI decision-support systems put on international humanitarian law judgments. Access Now: “Joint statement on AI in warfare” — civil-society statement addressing AI systems in military kill chains, including decision-support and target-generation systems, and calling for stronger limits around military AI deployment. Email: SamEllisShow@protonmail.com

  6. Jun 26

    The Release List

    The access list is becoming the first regulator of frontier AI. In this episode, Sam Ellis reports on GPT-5.6, trusted-partner previews, federal influence over frontier-model release lists, and the protected incident files forming around dangerous AI capabilities. The story is not just whether a model launches. It is who gets to touch it first, who can see the risks, and who controls the record when something goes wrong. Reuters, The Verge, Bloomberg Law, Engadget, and TechCrunch all reported on the same underlying GPT-5.6 access-list story, attributed to The Information and people familiar with the matter: a limited preview, selected or trusted partners, and reported government involvement in early access. OpenAI later published primary materials describing GPT-5.6 Sol, Terra, and Luna as a limited preview, not broad general availability, and saying the U.S. government requested a small trusted-partner preview whose participants were shared with the government. The episode connects that release-list fight to Executive Order 14409, AP reporting on Anthropic Mythos testing with U.S. intelligence agencies, Anthropic’s Project Glasswing updates, and Rep. Nathaniel Moran’s AI Incident Reporting Act. The pattern is simple enough to be uncomfortable: before release, the government wants visibility into the model and the early-access list; after dangerous behavior appears, it wants the incident file. Sources OpenAI: “Previewing GPT-5.6 Sol” — primary OpenAI source for the official GPT-5.6 limited-preview launch, Sol/Terra/Luna naming, planned broader availability in coming weeks, and OpenAI’s statement that the U.S. government requested a small trusted-partner preview whose participants were shared with the government. OpenAI Deployment Safety Hub: “GPT-5.6 Preview” — primary system-card source for GPT-5.6 safety classifications, the trusted-partner preview language, High capability ratings in Cybersecurity and Biological/Chemical risk, agentic-coding caveats, and automated red-team detail. Reuters via Channel NewsAsia: “OpenAI leans toward waiting until next year for IPO, NYT reports” — accessible Reuters pickup containing the separately reported GPT-5.6 release item: the Trump administration asked OpenAI to stagger release over security concerns, and Reuters’ summary of The Information’s reporting on limited preview and customer-by-customer approval. The Information: “Trump Administration Asks OpenAI to Stagger Release of AI Model” — originating report cited by Reuters, The Verge, Bloomberg Law, Engadget, and TechCrunch; access may require a subscription. The Verge: “OpenAI will delay GPT-5.6 after Trump administration request” — secondary reporting on the limited-preview structure, small enterprise-customer group, case-by-case approval, and comparison with Anthropic’s Fable/Mythos access suspension. Bloomberg Law: “Trump Administration Asks OpenAI to Stagger AI Model Release” — secondary reporting that the U.S. government requested GPT-5.6 initially go to a short list of trusted partners before wider release. Engadget: “OpenAI will initially only release ChatGPT 5.6 to government-approved customers” — secondary reporting used for the reported Altman line that the approach is “not our preferred long term model.” TechCrunch: “The White House is asking OpenAI to slow-roll the release of its new model over safety concerns” — secondary reporting used for the reported “couple of weeks later” broader-release detail and ONCD/OSTP attribution. The White House: Executive Order 14409, “Promoting Advanced Artificial Intelligence Innovation and Security” — primary source for the voluntary frontier-model review framework, classified benchmarking, up-to-30-day pre-release federal access, trusted-partner collaboration, and the explicit no-mandatory-licensing language. Federal Register: Executive Order 14409 — official Federal Register version of the same executive order. Associated Press: “AI model found vulnerabilities in sensitive US government systems, official says” — source for the Mythos testing example, including the necessary caveat that identifying vulnerabilities within hours is not the same as exploiting them within that time. Anthropic: “Project Glasswing” — Anthropic’s primary project page for the defensive-security program around advanced AI cyber models. Anthropic: “Expanding Project Glasswing” — source for the expansion of the Glasswing partner cohort and the claim that initial partners found more than 10,000 high- or critical-severity vulnerabilities. Anthropic: “Project Glasswing initial update” — supporting Anthropic source for how Mythos Preview shifted the bottleneck from finding bugs to verifying, disclosing, and patching them. Rep. Nathaniel Moran: “Rep. Moran Introduces AI Incident Reporting Act to Require Reporting of Critical AI Incidents” — primary release for the proposed AI Incident Reporting Act, including seven-day reporting, serious-incident congressional notification, reportable activity categories, and sensitive-information protections. AI Incident Reporting Act bill text PDF — bill text source for covered-model developer reporting duties, reportable activity definitions, Commerce authority, disclosure protections, congressional-notification timing, and civil penalties. Email: SamEllisShow@protonmail.com

  7. Jun 23

    The Synthetic Employee

    A bank can buy software. It cannot hire a ghost employee. In this episode, Sam Ellis reports on financial agents as “synthetic employees”: AI systems moving toward bank workflows where identity, scoped authority, payment access, customer data, vendor exposure, audit trails, human oversight, and kill switches matter more than model-launch theater. The Financial Stability Board’s June consultation report does not create binding rules. But it does name the control problem clearly. Agentic AI in finance can take intermediate steps, access tools, interact with APIs and other systems, and produce risk at machine speed. If a bank lets an agent work inside regulated workflows, the useful question is no longer whether the software is impressive. It is whether the institution can show the agent’s ID, scope, supervisor, allowed tools, approval thresholds, logs, rollback path, and accountable human owner. The episode connects the FSB’s proposed “synthetic employee” frame to Reuters reporting on bank-examiner questions, OCC model-risk guidance that explicitly leaves generative and agentic AI outside its current scope, Mastercard and Getnet’s agent-payment infrastructure, and Cloud Security Alliance survey data on financial-services AI-agent adoption and security exposure. Sources Financial Stability Board: “FSB consults on sound practices for the responsible adoption of artificial intelligence (AI)” — primary FSB press release for the June 10 consultation, the non-binding status of the proposed sound practices, the July 22 comment deadline, and the expected October final report. Financial Stability Board: “Sound Practices for Responsible Adoption of Artificial Intelligence (AI): Consultation report” — FSB landing page for the consultation report, including the report’s scope, consultation questions, and responsible-AI adoption frame for financial institutions. Financial Stability Board consultation report PDF: “Sound Practices for Responsible Adoption of Artificial Intelligence (AI)” — source for the episode’s core control language: agentic AI risks, AI-agent inventories and identifiers, tool access, autonomous decision points, intermediate-step documentation, human oversight, contestability, third-party risk, least privilege, and the “synthetic employees” phrase. Reuters via Financial Express: “US bank regulators ramp up scrutiny of AI use at financial companies” — source for reported OCC and Federal Reserve examiner questions about AI use in higher-risk bank areas including lending, know-your-customer checks, sanctions screening, vendor exposure, client-data safeguards, kill switches, governance, guardrails, human oversight, subcontractor exposure, and contingency plans. Office of the Comptroller of the Currency: “OCC Issues Updated Model Risk Management Guidance” — official source for the April model-risk guidance update, including the statement that generative AI and agentic AI are novel, rapidly evolving, and outside the scope of that guidance, and that the OCC, Federal Reserve Board, and FDIC plan a request for information on AI use by banks. Federal Reserve: SR 26-2, “Model Risk Management: Revised Guidance” — federal banking-agency context for the updated model-risk guidance discussed in the episode. Federal Reserve Vice Chair for Supervision Michelle Bowman: “The New AI in Banking: Considerations for Regulators and Bankers” — supervisory-context source for AI governance, third-party risk, use-case awareness, and the need for regulators to understand how banks are adopting AI. Mastercard: “Mastercard launches Agent Pay for Machines to unlock super-fast, always-on payments” — primary payment-rail source for Mastercard’s agent and machine payments infrastructure, including agent credentialing, Verifiable Intent, authorization rules, spend limits, and settlement across cards, accounts, and stablecoins. Santander/Getnet: “Getnet develops infrastructure that enables businesses to accept AI agent-initiated payments” — source for Getnet’s merchant-side infrastructure for AI-agent-initiated payments and its Mexico and Latin America case with Mastercard and Neivor. Cybersecurity Dive: “AI agents are coming to financial services. Can security keep up?” — source for financial-services security context and the Cloud Security Alliance survey figures used in the episode, including deployment, autonomy, security incidents, uncertainty about AI-tool breaches, and data-leakage concerns. Cloud Security Alliance: “State of Cloud and AI for Financial Services 2026” — underlying survey/report source for AI-agent adoption and cloud/AI security maturity in financial services. PYMNTS: “Bank Regulators Probe Industry Use of AI” — additional current-cycle context on bank-regulator scrutiny of AI use in financial services. Email: SamEllisShow@protonmail.com

  8. Jun 15

    The Log Is the Command

    A forged Sentry alert tried to make an engineer, or the engineer’s AI coding agent, run malware. That is the clean version. The more useful version is that the first step did not look like malware. It looked like an operational error report. In this episode, Sam Ellis reports on Agentjacking: a current-cycle attack path where hostile text enters an observability workflow through forged Sentry events, then becomes dangerous because AI coding agents may treat tool output as trusted remediation context. The story is not that Sentry was breached. Sentry says it was not. The story is that logs, tickets, alerts, and tool responses stop being passive once agents read them and have authority to act. The central question is simple and unpleasant: when a developer gives an agent access to observability tools, does the error log become a command channel? Sources Nutrient: “Emerging threats: Your logging system may be an agentic threat vector” — primary affected-operator account for the forged Sentry alert campaign. Nutrient says the attack used public browser DSN/event-ingest behavior to place hostile text inside an internal-looking observability workflow, that an engineer was working the alert with an AI coding agent, and that the agent refused the suspicious typosquatted package rather than executing it. Sentry GitHub Security Advisory: “Attempts at prompt injection and supply chain compromise with public Data Source Names (DSNs)” — official Sentry source confirming the activity documented by Nutrient and its IOC repository, naming the typosquatted packages, stating that crafted events were designed as AI prompts to convince agents to install third-party npm packages, and drawing the boundary that this was not a vulnerability within Sentry and there was no compromise of Sentry infrastructure. Tenet Security: “A Fake Bug Report Hijacks Your AI Coding Agent — and Nothing Catches It” — source for the broader Agentjacking framing: public Sentry DSNs, crafted error events, Sentry MCP tool responses, and AI coding agents treating attacker-written markdown as trusted remediation guidance. Tenet’s scale and success-rate figures are treated in the episode as Tenet claims, not Sentry-confirmed numbers. Infosecurity Magazine: “New ‘Agentjacking’ Attacks Could Hijack AI Coding Agents” — independent security-news pickup of Tenet’s report and the Sentry/MCP/coding-agent attack chain. Moltbook source call: agent security and operational tool output — public source-call thread used for agent/community perspective on where agent security stops being prompt safety and becomes authority, memory, rollback, tool output, and runtime provenance. Sentry MCP pull request #1056: “wrap get_issue_details output in untrusted data boundary” — repository context for Sentry MCP maintainers’ draft untrusted-telemetry boundary work. Used as context for the mitigation shape, not as proof that the Agentjacking issue was fully solved or that Tenet’s figures were confirmed. Email: SamEllisShow@protonmail.com

Trailer

Ratings & Reviews

5
out of 5
2 Ratings

About

Reporting from inside the world of autonomous AI agents. Culture, conflict, and what happens when software starts making its own decisions. The Sam Ellis Show.