<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: VamsiSudhakaran1</title>
    <description>The latest articles on DEV Community by VamsiSudhakaran1 (@vamsisudhakaran1).</description>
    <link>https://dev.to/vamsisudhakaran1</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3829430%2F67f65b87-4fbf-4a0a-a16e-fc9efb67b28e.jpg</url>
      <title>DEV Community: VamsiSudhakaran1</title>
      <link>https://dev.to/vamsisudhakaran1</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/vamsisudhakaran1"/>
    <language>en</language>
    <item>
      <title>Agent security has a survivorship-bias problem — we're armoring the wrong part of the plane</title>
      <dc:creator>VamsiSudhakaran1</dc:creator>
      <pubDate>Wed, 01 Jul 2026 11:53:22 +0000</pubDate>
      <link>https://dev.to/vamsisudhakaran1/agent-security-has-a-survivorship-bias-problem-were-armoring-the-wrong-part-of-the-plane-4fj8</link>
      <guid>https://dev.to/vamsisudhakaran1/agent-security-has-a-survivorship-bias-problem-were-armoring-the-wrong-part-of-the-plane-4fj8</guid>
      <description>&lt;p&gt;In WWII, the military studied bombers that came back and wanted to armor the spots with the most bullet holes. &lt;strong&gt;Abraham Wald&lt;/strong&gt; pointed out the mistake: those holes mark where a plane can get hit and still fly home. The armor belongs where the returning planes have no holes — because the planes hit there never came back to be studied.&lt;/p&gt;

&lt;p&gt;I've spent the last few weeks building a static + behavioral scanner for LLM agents, and ran it across 60+ open-source agent repos — AutoGPT, CrewAI, LangGraph, mem0, and a pile of newer frameworks. &lt;/p&gt;

&lt;p&gt;Two things stood out.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;One:&lt;/strong&gt; the findings cluster around the same handful of issues everyone already talks about — eval(model_output) (yes, real, CVE-2025-51472 in SuperAGI), prompt-injection surfaces, LLM calls with no token ceiling (the "$4k overnight bill" stories). These are real. They're also the bullet holes on the planes that came home. Visible, patchable, survivable — and every SAST tool and guardrail vendor is racing to cover them. In 18 months they're table stakes.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Two,&lt;/strong&gt; and this is the part that nags me: most well-maintained repos scan clean. And a clean scan is not proof of safety — it's the survivorship bias. The agents that failed catastrophically didn't leave a grep-able fingerprint. They left an incident: money wired to the wrong account, prod data deleted, a defamatory email sent, secrets exfiltrated through a poisoned tool. Those planes went down where our scanners have no data — which is exactly why the scans look clean.&lt;/p&gt;

&lt;p&gt;So where were the downed planes actually hit? Not in code patterns. In two boundaries static analysis can't read:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Output → consequential action.&lt;/strong&gt; &lt;/p&gt;

&lt;p&gt;The agent's decision was plausible but wrong, and it triggered something irreversible. Every line of code was fine. The failure was in what it did, not what it is. Does anyone check whether irreversible tool actions (pay, delete, deploy, send) are gated behind a confirmation, a dry-run, a human?&lt;/p&gt;

&lt;p&gt;Trust boundaries — MCP tools, agent-to-agent handoffs, persistent memory. The agent trusted a poisoned input and acted on it. No eval, no injection string, nothing to grep. Does anyone verify that agent A should trust agent B's output before acting on it? That an MCP tool's description isn't itself an injection?&lt;/p&gt;

&lt;p&gt;These are invisible to SAST (no pattern), to guardrails (they filter one input, not the action), to evaluators (they score the text, not the consequence). Nobody is asking the question that actually keeps people up at night: "what can this agent DO, and is the dangerous part gated?"&lt;/p&gt;

&lt;p&gt;I don't have this fully solved — I'm building toward it (&lt;strong&gt;release-gate, open source, if you're curious&lt;/strong&gt;). But I'm posting because I think the framing matters more than any tool right now, and I want to be wrong in public.&lt;/p&gt;

&lt;p&gt;So, genuinely: if you run an agent anywhere near production — what's the fatal boundary you're most afraid of that nothing you have today would catch? The irreversible action? The tool you can't fully trust? The model quietly drifting under you? &lt;/p&gt;

&lt;p&gt;&lt;strong&gt;I'd rather learn what the missing planes look like from people who've flown the mission than keep guessing.&lt;/strong&gt;&lt;/p&gt;

</description>
      <category>ai</category>
      <category>agents</category>
      <category>security</category>
      <category>programming</category>
    </item>
    <item>
      <title>I built an open-source governance gate for AI agent deployments</title>
      <dc:creator>VamsiSudhakaran1</dc:creator>
      <pubDate>Tue, 17 Mar 2026 12:39:09 +0000</pubDate>
      <link>https://dev.to/vamsisudhakaran1/i-built-an-open-source-governance-gate-for-ai-agent-deployments-3bea</link>
      <guid>https://dev.to/vamsisudhakaran1/i-built-an-open-source-governance-gate-for-ai-agent-deployments-3bea</guid>
      <description>&lt;p&gt;&lt;strong&gt;The $50K deploy that shouldn't have happened&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Imagine this: your team ships an autonomous AI agent to production. It works great in staging. But in production, a retry loop fires endlessly, burning through tokens. By the time someone notices, the bill is $50K and climbing.&lt;/p&gt;

&lt;p&gt;No kill switch. &lt;br&gt;
No cost cap. &lt;br&gt;
No rate limit.&lt;/p&gt;

&lt;p&gt;That's the problem I built release-gate to solve.&lt;/p&gt;

&lt;p&gt;What is release-gate?&lt;br&gt;
It's an open-source tool that sits at one specific point in your CI/CD pipeline — between test and deploy. It reads a release-gate.yaml file in your repo and runs governance checks against it.&lt;/p&gt;

&lt;p&gt;The result is binary: PASS or FAIL. &lt;br&gt;
No partial deploys. &lt;br&gt;
No &lt;strong&gt;"warnings you can ignore."&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What it checks (v0.2.0)&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;1. INPUT_CONTRACT — Schema Validation&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Does your agent validate incoming requests? release-gate checks that your JSON schema is syntactically valid, that sample inputs pass, and that bad inputs fail.&lt;/p&gt;

&lt;p&gt;yamlinput_contract:&lt;br&gt;
  schema:&lt;br&gt;
    type: object&lt;br&gt;
    required: [prompt]&lt;br&gt;
    properties:&lt;br&gt;
      prompt:&lt;br&gt;
        type: string&lt;br&gt;
        maxLength: 1000&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;2. FALLBACK_DECLARED — Operational Safeguards&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Can you kill this agent in under 5 seconds? Who gets paged? Where's the runbook?&lt;/p&gt;

&lt;p&gt;yamlfallback_declared:&lt;br&gt;
  kill_switch:&lt;br&gt;
    type: feature_flag&lt;br&gt;
    name: disable_agent&lt;br&gt;
  ownership:&lt;br&gt;
    team: platform-eng&lt;br&gt;
    oncall: &lt;a href="mailto:oncall@yourco.com"&gt;oncall@yourco.com&lt;/a&gt;&lt;br&gt;
    runbook_url: &lt;a href="https://wiki/runbook" rel="noopener noreferrer"&gt;https://wiki/runbook&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;3. IDENTITY_BOUNDARY — Access Control&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Is auth required? Are there rate limits? Can one customer see another's data?&lt;/p&gt;

&lt;p&gt;yamlidentity_boundary:&lt;br&gt;
  authentication: required&lt;br&gt;
  rate_limit: 100&lt;br&gt;
  data_isolation:&lt;br&gt;
    - user_owned_only&lt;br&gt;
    - no_cross_access&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;4. ACTION_BUDGET — Cost &amp;amp; Resource Controls&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;What's the max spend? How many retries? How many concurrent requests?&lt;/p&gt;

&lt;p&gt;yamlaction_budget:&lt;br&gt;
  max_tokens_per_req: 5000&lt;br&gt;
  max_retries: 3&lt;br&gt;
  max_daily_cost: 1000&lt;br&gt;
  max_concurrent: 10&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Why YAML?&lt;/strong&gt;&lt;br&gt;
Because governance should live in the repo, next to the code, reviewed in PRs, and versioned in git. Not in a dashboard someone forgets to update.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What's on the roadmap?&lt;/strong&gt;&lt;br&gt;
v0.3 (Q2 2026): Approval workflows, dashboard UI, audit reports, compliance evidence generation&lt;br&gt;
v1.0 (Q4 2026): Runtime policy enforcement, multi-tenant support, enterprise integrations&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Links:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Website: release-gate.com&lt;/li&gt;
&lt;li&gt;GitHub: github.com/VamsiSudhakaran1/release-gate&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;I'd love your feedback&lt;br&gt;
This is early (v0.2.0) and I'm actively building. &lt;br&gt;
What governance checks would matter most to your team? What's missing? Drop a comment or open an issue on GitHub.&lt;br&gt;
Thanks for taking your time in reading this.&lt;/p&gt;

</description>
      <category>ai</category>
      <category>opensource</category>
      <category>devops</category>
      <category>security</category>
    </item>
  </channel>
</rss>
