The Vigil Journal

Writing from the defense layer.

Threat research. Engineering deep-dives. Protocol specs. Notes from the company. No hot takes, no hype cycles. What we are building, what we are finding, and what we think it means.

Threat Research
Context poisoning is not a prompt problem.
External document ingestion changes agent behavior across five turns, not in one. We flag the session, not the message. The single-prompt defense industry has no instrument to detect this drift, which is why every published agent attack since January 2026 used it.

Threat Research
Glasswing: what Anthropic's 40-org coalition actually means.
Anthropic's Project Glasswing is one of the most serious provider-led security efforts so far. It is also a clear illustration of what provider-led defense can and cannot do. Three things the coalition will achieve. Three things it structurally cannot.

Threat Research
Agent delegation is the silent kill chain.
When one agent calls another, the user's authorization fans out invisibly across the chain. The consequence matrix treats every delegation as partially reversible and high-magnitude. Block until confirmed, no exceptions.

Threat Research
False positives killed every consumer security product before this one.
Above three alerts a day, the consumer mutes. Above ten, they uninstall. The history of consumer security is a graveyard of products that ignored this number. Vigil's architecture was built around it from the first commit.

Engineering
Five planes. One pipeline. Zero cross-imports.
Identity, Intercept, Analysis, Policy, Vault. Eleven crates, five planes, no cross-imports between them. The architecture is the audit boundary, and it is the reason a serious enterprise reviewer can read the security-critical paths in a weekend.

Engineering
The latency budget is the product.
Most defense layers add 200 to 500 milliseconds to AI requests and never come back from it. The user disables the proxy. Once disabled, the product produces zero value. The latency budget is not a feature constraint. It is whether the product exists at all.

Threat Research
Prompt injection is a statistical problem, not a security patch.
The industry has been treating prompt injection as a vulnerability you can patch. The framing is wrong. A vulnerability is a deterministic flaw. Prompt injection is a probabilistic property of the system that cannot be eliminated, only constrained.

Standards
Audit is cryptographic. Dashboards are not.
A dashboard tells you what your system did, with the operator's good faith as the trust anchor. An audit tells a regulator, six months after an incident, what cannot later be denied. These are not the same thing, and conflating them is what is going to destroy several AI compliance programs over the next two years.

Threat Research
DeepMind's six attack categories, mapped to Vigil modes.
DeepMind's AI Agent Traps paper is the cleanest taxonomy of agent-side attacks we have read. An honest mapping of where Vigil's architecture handles each category cleanly, where it handles them partially, and where it does not yet.

Company
v2.0 is shipped. What changed.
v1 was the demo that proved the architecture worked. v2 is the version we are willing to put in front of an enterprise security review.

Engineering
The four-model detection ensemble, explained.
No single model handles every attack class. Any defense product that ships with one detection model is either underclaiming what it covers or wrong about how attacks unfold. We built four. This is what each one does and why removing any of them breaks the others.

Threat Research
What the McKinsey Lilli breach tells us.
An autonomous AI agent breached McKinsey's internal AI platform in two hours, for twenty dollars. The headline framing was 'AI hacked AI.' That is not what happened, and the real lesson is harder.

Standards
Publishing TAP v1.0. Identity for AI agents.
When an agent acts on your behalf, the receiving system has no standard way to verify the agent's identity, the chain of authority that produced the action, or whether that authority is still valid. TAP v1.0 fixes all three.

Threat Research
Why providers cannot build the defense layer.
I have spent twenty years marketing products inside companies whose interests, occasionally, did not line up with their customers'. The structural conflict of interest in AI defense is not a cultural problem. It is a math problem. This post is the math.

Company
Vigil Gateway: private beta is open.
Vigil Gateway extends the consumer defense layer to enterprise deployment. The private beta is now open to selected partners. We are deliberately keeping the cohort small. Here is who we are looking for, and what the beta involves.

Standards
VOAF-M: turning audit trails into training data.
Audit data is the cleanest training data you will ever own. The signal-to-noise ratio is higher than any web corpus because every entry was authored by you, in context, with timestamp and intent attached. VOAF-M is the format that lets you use it without giving it up.

Engineering
The Execution Gate. How we hold actions pre-execution.
The Execution Gate is the deterministic primitive that holds an agent's action pre-execution and evaluates it against a policy that has nothing to do with the prompt. This is how we keep an LLM out of the enforcement path.

Company
Why Vigil exists. The founding thesis, two months in.
I started Vigil for one reason. The defense layer for AI agents cannot be operated by the people who ship the AI. It has to sit outside, on the user's machine, with cryptographic audit that does not depend on trusting any provider. Two months in, the thesis is unchanged. The product is still hard.

Standards
VARP: revoking a compromised agent across every surface.
When an AI agent is compromised, the question is not whether to revoke its authority. It is whether revocation can propagate to every counterparty fast enough to matter. VARP is the protocol that closes the gap. This is how it works.

Engineering
Why we do TLS interception. And why it is safe when done right.
TLS interception has a bad reputation, earned by enterprise middleboxes that did it badly for a decade. The architecture matters. Local-first interception, with a user-controlled certificate authority and no off-machine traffic, is a different threat model. This post walks through it.

Engineering
Local-first AI security. Why none of your data leaves your Mac.
Vigil runs locally because the architecture would not work any other way. This post explains the structural reasoning, the implementation specifics, and the constraints that follow from the choice.
The Vigil Brief

One email a month. Zero fluff.

Threat research, protocol updates, engineering notes, and the occasional piece of raw company data. Sent once a month. Written by the founders. Unsubscribe in one click.

Platform: The AI defense platform for humans
Build: v2.1.0 · 362 tests · 11 crates · 31 endpoints · <10ms p99
Patents: VIGIL-2026-001 · VIGIL-2026-002
Regulatory: NIST docket 2025-0035 · mmk-190r-hvap