March 27, 202600:49:26

Do you know where your AI agents are?

0:000:00

Show Notes

There is a moment every founder hits. You have spun up agents, handed them access to your systems, pointed them at your data, and watched them go. It feels like progress. It feels like leverage. And then someone asks you a simple question: do you know what your agents are doing right now?

The honest answer, for most teams, is no.

Jasson Casey has spent years thinking about the gap between the speed at which companies adopt AI and the speed at which they reckon with what that adoption actually costs. He is the CEO of Beyond Identity, a company that has protected over 10 million identities, and his newest product, Ceros, was built for exactly this moment: the moment founders realize they have handed the keys to a car that can drive itself anywhere — including off a cliff.

This conversation is a field guide for founders who are moving fast and want to stay alive.

Frameworks from This Episode

These frameworks have been added to the AI for Founders Frameworks Library. Filter by Jasson Casey to find them.

The AI Transformation Spectrum

Most companies think they are doing AI transformation. Most of them are not. There are two positions — and a wide, expensive gap between them.

•AI Enabled: You turned on the AI features that already existed in your software stack. Superficial. Table stakes. Not a strategy.
•AI Native: You questioned every assumption about how your business is organized. You asked which processes exist only because a human had to do them. Then you rebuilt around the answer.
•The gap between those two positions is where most companies are quietly stuck.
•The harder question: what had to be true about how we work for humans to do this — and does any of that still apply?

The Agent Security Dilemma

When you give an AI agent real access, you give it everything that comes with real access. Most organizations are choosing between two extremes — and both will get you killed.

•Full stop: Lock it down. Limit AI to low-risk, low-scope use cases. Watch your competitors pull away.
•Risk accept: Let it run. Move fast. Hope nothing catastrophic happens before you figure it out.
•The solution: give the agent a cryptographically verified identity bound to the device it runs on.
•Track the provenance and delegated authorization of every agent action — whether spun up by a human or another agent.
•Apply policy in real time, not just at setup, so permissions shrink when risk spikes and expand when context clears.

The Context Window Danger Map

The section most founders have never thought about — and where some of the most damaging exposures live right now.

•No permissions exist inside a context window. There are no ownership bits. There is no concept of data versus instructions.
•Context residue is real: an agent that analyzed your CEO's emails an hour ago may still carry fragments of that data in an unrelated query.
•Prompt assembly attacks: adversaries can build malicious prompts across multiple context loops, piece by piece, then trigger them from persistent memory.
•Malicious MCP tools exist on GitHub right now, hosting prompt injection payloads inside skill directories developers install without scrutiny.
•Dynamic permission model: treat every context loop like a new risk event. Adjust tool permissions based on measured risk in that moment.

The Minimal Stack Thought Experiment

If you were starting your company today, what if you only bought three things?

•A GitHub subscription. A Claude Code subscription. Google Workspace for email.
•If your marketing docs, product specs, engineering specs, and QA specs all live in the same repo, agents can run continuous consistency checks across all of them.
•Git already tracks file changes over time, flags identity of changes, and provides cryptographic provenance of every commit.
•That is a security and audit infrastructure most teams are paying for in other tools — without realizing they already have it.

Documentation Written for Agents, Not Humans

Beyond Identity has already made this shift. The goal: the smallest markdown file that sets the constraints an agent needs to produce great, consistent output.

•Documentation is optimized for agent ingestion first, human readability second.
•Ask: what is the smallest markdown file that sets the constraints an agent needs to stay inside the product roadmap and mirror the right writing style?
•Agents can bury you in output. The answer is not another agent to manage the first one.
•The answer is a deterministic lens: a measurable, consistent standard the output can be checked against.
•Write documentation the way you would write a precise technical spec, not a memo.

Founder Experiment: Build a Repo Consistency Agent

Put your marketing copy, product spec, engineering spec, and QA documentation into a single GitHub repo as markdown files. Then use Claude Code to build a skill that runs a consistency check across all four and outputs a list of contradictions, omissions, and misalignments. This is the minimal stack framework in action — one repo, one agent, zero silos.

1Create a GitHub repo and add your marketing copy, product spec, engineering spec, and QA docs as individual markdown files.
2Open Claude Code and prompt it: "Build a skill that reads all markdown files in this repo and outputs a structured list of contradictions, omissions, and misalignments between them. Run it on a schedule and flag any drift whenever a document changes."
3Write a constraints file — a markdown doc that tells the agent what consistent, on-brand output looks like. Ask Claude what constraints it needs to produce reliable output and put those in the same repo.
4Have the agent reference the constraints file every time it runs. When any document changes, the agent checks for drift before it ships.
5To go deeper: replicate Jasson's personal pipeline. Feed your reading sessions into a JSON blob, then have an agent run entity analysis, topic analysis, and sentiment scoring automatically.

Why this works: Git already provides file change tracking, identity attribution, and cryptographic provenance. You are building a security and audit infrastructure on top of something you already own.

Key Terms

These terms have been added to the AI for Founders Glossary. Search by Jasson Casey to filter them.

Non-Human Identity (NHI): The emerging security discipline focused on giving AI agents, bots, and automated systems their own verifiable identities, separate from the human users who deploy them.

Ceros: Beyond Identity's trust execution layer for AI agents. Provides identity, visibility, and policy enforcement for agent activity without disrupting developer workflow.

Context Window: The active memory an AI agent works within during a task. It has no built-in permissions, no ownership bits, and no concept of the difference between data and instructions.

Context Residue: Data left over in an agent's context window from a previous task that can bleed into subsequent, unrelated responses.

Prompt Injection: An attack where malicious instructions are smuggled into an agent's context through data sources, plugins, or tools, causing the agent to take unauthorized actions.

Indirect Prompt Injection: A specific variant where the malicious prompt is delivered through a third-party source the agent trusts, such as a public MCP tool or a skill directory on GitHub.

Prompt Assembly Attack: An emerging threat where an adversary builds a malicious prompt across multiple context loops over time, avoiding detection by never delivering the full payload at once.

Device Bound Credential: A cryptographic credential that is physically tied to a specific device and cannot be copied, exported, or used anywhere else.

DPoP (Demonstration of Proof of Possession): A protocol standard used by Ceros for session-based identity that ensures tokens are bound to the device holding them.

Trusted Execution Environment (TEE): A secure, isolated area within a device's hardware where sensitive operations like signing occur. Examples include Apple Secure Enclave, TPM 2.0, and AWS Nitro.

SBOM (Software Bill of Materials): A formal inventory of the components, dependencies, and provenance of a software product, used to verify integrity and track risk.

MCP (Model Context Protocol): A protocol that allows AI agents to connect to external tools and data sources. Powerful and increasingly targeted by adversarial prompt injection via public MCP services.

Agentic Workflow: A pattern where an AI agent operates in autonomous loops: building context, calling tools, receiving results, and deciding next actions without human intervention at each step.

AI Native: A business architecture that has questioned every process assumption rooted in the expectation that a human must do the work, and has rebuilt those processes around what AI actually makes possible.

AI Enabled: A superficial adoption stage where existing software's built-in AI features are turned on, without restructuring underlying business processes or assumptions.

Dynamic Policy: A security approach where agent permissions change in real time based on the measured risk level of the current context, rather than being set once at configuration.

Privilege Escalation: A situation where an agent or process gains access to data or capabilities beyond what was intended, often through context bleed or misconfigured authorization scoping.

Links & Websites from This Episode

Beyond Identity

Jasson Casey's company, protecting over 10 million identities. Ceros, their trust execution layer for AI agents, provides cryptographic identity, real-time policy enforcement, and full audit trails for autonomous agent activity.

beyondidentity.com

Jasson Casey on LinkedIn

Connect with Jasson Casey, CEO of Beyond Identity.

www.linkedin.com/in/jassoncasey/

Jasson Casey on X

Follow Jasson Casey on X.

x.com/jassoncasey

Q&A

What is Ceros and what does it do?

Ceros is a trust execution layer for AI agents built by Beyond Identity. It gives agents a cryptographically verified identity, binds that identity to the device the agent runs on, tracks provenance and authorization across every action, and lets organizations set and enforce real-time policy on what agents are allowed to do. It is designed to let founders and engineering teams move fast with AI without blindly accepting the security exposure that comes with autonomous agents.

Why are AI agents a security risk?

AI agents require access to systems, credentials, and data to do their jobs. Unlike human employees, they cannot be trained on judgment, they operate inside context windows that have no built-in permissions or data ownership, and their API tokens can be stolen and used elsewhere. They are also susceptible to prompt injection, context residue exposure, and malicious tool execution through compromised MCP services.

What is context residue and why does it matter?

Context residue is data left over in an agent's active memory from a previous task. Because there are no permissions inside a context window, that residue can surface in a completely unrelated response. An agent that processed executive emails an hour ago may include fragments of that data when an analyst asks it an unrelated question.

How does Ceros protect API tokens?

Ceros removes the Anthropic API token from the developer's local machine entirely and stores it in Beyond Identity's cloud environment. The only credential that exists on the local device is a device-bound key that physically cannot be extracted, copied, or used on any other machine. This prevents token theft, service hijacking, and the scenario where a stolen token is used to run unauthorized content through your account until the provider shuts you down.

What is the minimal viable AI stack for a new company?

According to Jasson Casey, a founder starting today might only need GitHub, Claude Code, and Google Workspace. If all documentation, product specs, marketing copy, and engineering requirements live in a single repo, agents can run consistency checks, surface misalignments, and execute complex workflows across the entire business without siloed tools. Git already provides file change tracking, identity attribution, and cryptographic provenance.

What are the stages of AI agent maturity for a founder?

First, prompting the agent for discovery. Second, getting the agent to execute tasks. Third, building deterministic scripts wrapped in probabilistic prompting to create reliable, repeatable skills. Fourth, connecting the agent to your full data environment to unlock compound leverage across the business.

What is a prompt assembly attack?

An emerging threat where an adversary who understands how an agent loops and manages memory delivers a malicious prompt in fragments across multiple context loops, assembling the full attack payload over time instead of all at once. This avoids detection by systems looking for a single malicious input and can be triggered by specific words that re-introduce the assembled prompt from persistent memory.

How should founders write documentation for AI agents?

Documentation should be optimized for agent ingestion, not human readability. The goal is the smallest possible markdown file that gives the agent the constraints, guardrails, style references, and scope it needs to produce consistent, high-quality output. Write it the way you would write a precise technical spec, not a memo.

What does dynamic policy mean in the context of AI security?

Dynamic policy means that an agent's permissions are not fixed at setup but adjust in real time based on the measured risk level of its current context. If the context contains high-risk data, permissions shrink. If the context clears, permissions expand. This reduces both the attack surface and the administrative burden of managing static rules across a changing environment.