We are building data breach machines and nobody cares

Posted on 13 Jun 2026

I read a blog post this week that I have not been able to stop thinking about.

The argument is straightforward. AI agents are just loops: make API calls, run the output, repeat until the task is complete. Add planning, ReAct patterns, multi-agent orchestration, and external memory management, and you have a more sophisticated loop. But fundamentally, it is a non-deterministic system being given direct access to deterministic infrastructure: databases, shells, email, file systems. And the industry is racing to deploy this combination without anything resembling a security standard, because the standards do not exist yet, and also because nobody in the room seems particularly motivated to slow down long enough for them to be written.

The author’s read on the Thoughtworks report is the bit that landed hardest. This is a report that declares security a “non-negotiable baseline” immediately after admitting the security session had low attendance. The three priorities offered as solutions are, variously: a platitude that predates recorded history, an appeal to coalition standards that will arrive after the architecture has already changed twice, and AI-enabled defence mechanisms that the author correctly identifies as “terrifying and incredibly stupid.” Using a non-deterministic system to defend against another non-deterministic system gives you two hallucination risks instead of one, and the prompt injection gets to the security layer as well.

I work in IT infrastructure. I spend a meaningful amount of time thinking about how data moves through systems, who has access to it, and what happens when something goes wrong. The self-hosting project that takes up most of my writing is, at its root, a response to exactly the problem this article is describing: other people’s data handling cannot be trusted, so you move your data to infrastructure you own and operate yourself.

I am aware that self-hosting is not a solution to the problem at scale. I am one person with a rack in my house. The problem the article is describing is systemic: companies with millions of users’ data are connecting agentic workloads to their databases and telling themselves the security will sort itself out later, when there is time, after the technology is working and reliable.

There is never time. Security is always the thing sorted out later.

The Castlevania metaphor is doing a lot of work in the article, but it is a good one. The Belmont clan cannot win the war because Dracula is immortal. They can only win every battle forever. That is the honest framing of what defensive security actually is: not a problem you solve once but a practice you maintain continuously against an adversary that regenerates.

What strikes me is that the Hacker News thread attached to this article illustrates the author’s point almost perfectly. The top comments are a mix of people who understand the stakes, people who think reputational damage will eventually force companies to care (it will not, see: Equifax, still in business), and people making jokes about “data breeches” and USB underpants. The discourse around the problem has the same energy as the attendance at the Thoughtworks security session.

I do not have a solution. The article does not really offer one either, beyond this: use the boring tools you already have (anomaly detection, circuit breakers, short-lived credentials) and stop waiting for the AI-native security layer that will not arrive in time. The Belmont approach. Whips are not cool anymore, but they work.

What I find myself sitting with is the gap between the scale of the problem and the level of collective attention directed at it. We are at the browser wars moment for agentic AI, the author says, and the DOM has not been standardised yet. Companies are deploying anyway, because the competitive pressure to do so is higher than the pressure to wait. The standards will come eventually. The first wave of agentic attacks will come sooner.

I am glad I own my own infrastructure. I am also aware that the vast majority of people have no such option and no meaningful visibility into how the systems handling their data are built.

That is a problem that cannot be solved by one person with a rack in their house.