← All posts

Problem-Aware

88 posts on problem-aware.

AI Security for Internal Copilots: The Identity, Data, and Audit Controls a Production Deployment Has To Run

Internal copilots reach across the organization with the user identity that opens the copilot session and the application identity that calls the model. The boundary between the two identities is where the security and audit obligations sit. This piece walks through the request-time data the copilot reads, the identity-aware policy decisions the deployment has to commit, the audit record format that survives EU AI Act and HIPAA review, and the architectural pattern that closes the post-authentication gap most internal copilots leave open.

internal-copilotai-securityidentity-awareaudit-logsinline-enforcementpost-authentication-gap
Read post →

AI Security for Customer Support Bots: The Inspection Layer Between the Bot and the Customer Data

Customer support bots reach customer records, payment data, account history, and PII at request time through tool calls and retrieval. The bot reads customer data into the LLM context window, the LLM reasons over it, and the bot acts on the result. The security boundary sits at the HTTP path between the bot and the upstream LLM and tool APIs. This piece walks through the data flows the bot exercises in production, the identity and authorization decisions the inspection layer commits, the audit record the customer auditor and the regulator consume, and the prompt-injection surface that retrieved customer content opens.

customer-support-botai-securityidentity-awareaudit-logsindirect-prompt-injectionpii
Read post →

AI Audit Logs: The Format Spec That Survives EU AI Act, DORA, and Fannie Mae Review

AI audit logs that survive regulatory review carry a specific set of fields the EU AI Act Article 12, DORA Article 19, Fannie Mae LL-2026-04, NIST AI RMF, and HIPAA all expect on the same record. The fields cover identity, decision provenance, model identity, policy state, and integrity metadata. The format has to support per-record retrieval and per-series replay. The write path has to sit outside the application so the application cannot modify the record. This piece walks through the field-level format specification, the integrity model, the storage characteristics, and the deployment pattern that produces records the regulator and the customer auditor will accept.

ai-audit-logsaudit-logseu-ai-actdoracomplianceinline-enforcement
Read post →

The Accountability Gap in Agentic AI Pipelines: Who Owns the Decision When the Agent Acts

Agentic AI pipelines compose multiple model calls, tool invocations, and external retrievals into a single autonomous workflow. The compositional structure produces an accountability gap: the record series the application keeps shows the workflow outcome, the record series the model provider keeps shows the inference call, and neither shows who authorized the agent to act with whose authority at the moment of action. This piece walks through where the gap appears in production pipelines, the structural reason application logs cannot close it, and the inspection-layer record series that produces a defensible answer.

agentic-aiai-agent-accountabilityaudit-logsinline-enforcementnist-ai-rmfai-security
Read post →