For most of my career the interesting failures lived in infrastructure. A cache misconfigured. A credential scoped too broadly. A blast radius nobody had drawn on a whiteboard until it was already on fire. The work was rarely about the clever part; it was about the boundaries: who can reach what, under which conditions, and what happens when something goes wrong.
AI agents do not change that. They remove the human pause that used to hide it. A person investigating an incident queries the rows they need. An agent investigating the same incident pulls the whole table, because nothing told it not to, and nothing in the moment slowed it down. The exposure was always there. The agent just exercises it at full speed.
So I have started working at that boundary on purpose: where security meets infrastructure, and where the guardrails around AI have to live. Not as policy slides, but as the same boring, load-bearing plumbing I have always cared about. Scoped credentials. Rate limits. Auditable decisions. Bounded authority that someone actually designed instead of inherited by accident.
I am building toward that in the open, including an open-source AI gateway with guardrails, and I am opening up to interim CTO, consulting, and coaching work on the same theme. If your organisation is trying to let AI do real work without quietly widening every blast radius you have, that is exactly the conversation I want to have.
