<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Proving Mission-Bound Authorization on Control Plane by Karl McGuinness</title><link>https://notes.karlmcguinness.com/series/proving-mission-bound-authorization/</link><description>Recent content in Proving Mission-Bound Authorization on Control Plane by Karl McGuinness</description><generator>Hugo</generator><language>en-us</language><managingEditor>public@karlmcguinness.com (Karl McGuinness)</managingEditor><webMaster>public@karlmcguinness.com (Karl McGuinness)</webMaster><lastBuildDate>Sat, 06 Jun 2026 22:30:00 -0700</lastBuildDate><atom:link href="https://notes.karlmcguinness.com/series/proving-mission-bound-authorization/index.xml" rel="self" type="application/rss+xml"/><item><title>Making Compliance a By-Product</title><link>https://notes.karlmcguinness.com/notes/making-compliance-a-byproduct/</link><pubDate>Sat, 06 Jun 2026 22:30:00 -0700</pubDate><author>public@karlmcguinness.com (Karl McGuinness)</author><guid>https://notes.karlmcguinness.com/notes/making-compliance-a-byproduct/</guid><description>The third kind of outside framing is the one with auditors behind it. NIST AI RMF, the EU AI Act, and ISO/IEC 42001 converge on one demand: show me. Show me who is accountable, what the system is for, how you observe it, and how you stop it. In most agent stacks the honest answer is archaeology through session logs. In this architecture the artifact that enforces is the artifact that documents: the Mission is the documented purpose, the approval is the accountable decision, the evidence family is the log, and Termination is the interrupt. The crosswalk maps eight obligations onto machinery that exists for safety reasons, and then names what compliance still requires, because evidence is not certification.</description></item><item><title>Containing the OWASP Agentic Threats</title><link>https://notes.karlmcguinness.com/notes/containing-the-owasp-agentic-threats/</link><pubDate>Sat, 06 Jun 2026 22:00:00 -0700</pubDate><author>public@karlmcguinness.com (Karl McGuinness)</author><guid>https://notes.karlmcguinness.com/notes/containing-the-owasp-agentic-threats/</guid><description>Security reviewers do not arrive with your framing. They arrive with OWASP&amp;rsquo;s: fifteen agentic threats from memory poisoning to human manipulation, plus the LLM Top 10. This post crosswalks both onto the handbook and refuses the move that makes crosswalks worthless, claiming everything. Each threat gets one of three verdicts. Contained means the threat lands on machinery built for it, with a draft behind it. Bounded means the cause is out of authorization&amp;rsquo;s reach but the blast radius is capped at the action gate. Delegated means it is not an authorization problem and a named complement owns it. Six of the fifteen are contained, nine are bounded, and half the LLM Top 10 is honestly someone else&amp;rsquo;s layer.</description></item><item><title>Answering the Laws of AIdentity</title><link>https://notes.karlmcguinness.com/notes/answering-the-laws-of-aidentity/</link><pubDate>Sat, 06 Jun 2026 21:30:00 -0700</pubDate><author>public@karlmcguinness.com (Karl McGuinness)</author><guid>https://notes.karlmcguinness.com/notes/answering-the-laws-of-aidentity/</guid><description>Two derivations, one destination. Parker derives seven laws from the dynamics of delegated, generated action: who acted, under whose authority, through what chain, and how can you prove it. The handbook derives five laws from the invariants of delegated authority. This post runs the crosswalk: split actors land on Attribution and mediated custody, generated intent lands on per-action enforcement, bounded agency is the Mission object itself, continuous authorization is only-active-permits-reliance plus the discovery loop, least exposure meets its namesake post, justifiable chains land on act chains and source digests, and proof-carrying action is the evidence family with its integrity anchors and SCITT transparency. The convergence is the validation, and the gaps are named.</description></item><item><title>Splitting the Lethal Trifecta</title><link>https://notes.karlmcguinness.com/notes/splitting-the-lethal-trifecta/</link><pubDate>Sat, 06 Jun 2026 21:00:00 -0700</pubDate><author>public@karlmcguinness.com (Karl McGuinness)</author><guid>https://notes.karlmcguinness.com/notes/splitting-the-lethal-trifecta/</guid><description>Simon Willison named the combination that makes agents dangerous: access to private data, exposure to untrusted content, and the ability to communicate externally, held together in one loop. Any two legs are safe. All three are an exfiltration machine waiting for a poisoned document. This post runs the handbook against that threat model: the three legs become separately typed action classes under one Mission, the external leg becomes a consequential action that needs a fresh parameter-bound permit, mediated custody keeps the egress credential out of the agent&amp;rsquo;s hands, and the harness downgrades egress once untrusted content enters the session. Then the honest residuals: enforcement scope, composition, and the semantic gap.</description></item></channel></rss>