Arcane
Field notes

Writing on agent identity & AI-native security.

Working notes from the team building Arcane. Architecture, posture, and the practice of governing agents.

May 20, 2026 · 4 min read

Kerberos got token lifetimes right in 1988

The case for short-lived credentials isn't new. What changed isn't the math — it's that the engineering objections that kept lifetimes long are no longer load-bearing.

May 26, 2026 · 4 min read

Workload attestation and the confused deputy

The confused deputy problem is a 1988 paper. Agent systems brought it back. SPIFFE-style attestation is one of the cleaner ways out.

May 5, 2026 · 3 min read

Reading "Excessive Agency" carefully

OWASP names it as one of the top ten LLM risks. The label is catchy; the diagnosis underneath it is more useful than the headline suggests.

May 14, 2026 · 4 min read

One identity per agent isn't enough

Three signals — who delegated, what's acting, where it's running — should sign together. A practical sketch of composite identity for agent systems.

May 17, 2026 · 3 min read

The blast-radius formula

Blast radius is scope times lifetime. Most of the conversation focuses on scope. The bigger lever is usually lifetime.

May 23, 2026 · 3 min read

Policy as an output, not an input

Authoring policy from imagination doesn't scale to agent fleets. Drafting policy from observed behavior does.

May 11, 2026 · 3 min read

RFC 8693 is suddenly the most-cited OAuth RFC nobody read

Token Exchange existed for years as a niche federation primitive. Agent systems made it load-bearing. A practical walk through what it does and where the sharp edges are.

May 8, 2026 · 3 min read

What the MCP authorization spec actually requires

A short walk through the parts of the MCP spec that matter for security teams — and the larger parts it deliberately leaves to you.