AppSec
Start with control that fails or holds
The fastest route is a measured case study plus one implementation/discovery collection or one benchmark collection. That gives you runtime evidence plus a sharper way to compare control quality.
CAISI
Independent research and operating notes on AI Software Delivery Control.
CAISI / Field Notes
Field notes for governing AI-assisted software delivery
This is the interpretation layer beside CAISI research. Start with the rollout pressure on the table: coding agents, audit evidence, unknown MCP or tool reach, long-lived credentials, selective approvals, or CI/CD workflows that now act with inherited authority.
Start by audience
CISO / Security leadership
Start with approval, ownership, and auditability
The sprawl collection is the cleanest entry point if you need a governance-first reading on visible adoption, approval opacity, and evidence quality. The governed adoption collection is the follow-on if you need a leadership operating model for saying yes without losing control.
Engineering / Platform
Start with the operating model
The framework series explains the repo, workflow, and proof patterns. The governed adoption collection is the follow-on if you need the leadership layer around standards, sanctioned paths, and staged rollout.
GRC / Audit
Start with proof that can be reconstructed
The audit route is strongest when it starts with proof packets, approval records, validation outcomes, and re-review triggers before a broad rollout creates evidence gaps.
Start with the most common questions
Guide
Rolling out coding agents? Start with security review
A first-review path for teams approving coding agents without slowing every prompt or local suggestion.
Reference
Audit evidence for AI-assisted SDLC
A proof-packet model for reconstructing AI-assisted delivery actions during audit or review.
Reference
Approve actions, not prompts
A practical approval model for risky actions at the execution boundary.
Reference
What is an Agent Action BOM?
The first practical inventory for what AI-assisted engineering workflows can touch, change, approve, and prove.
Guide
How to secure AI coding agents in CI/CD
A concrete control path for PRs, GitHub Actions, CI/CD, credentials, workflow changes, and proof trails.
Reference
MCP tool risk in AI engineering workflows
A practical page for evaluating tool reach, invocation context, credentials, approval triggers, and proof.
Reference
Long-lived credentials in AI agent workflows
A practical page for reducing standing-token and inherited-identity risk across agents, CI/CD, tools, and release paths.
Field note
AI coding agents are moving from suggestions to actions
Why the missing artifact is an Agent Action BOM, not another generic AI inventory.
Field note
From AI content risk to AI authority risk
Why OAuth grants, tokens, and connected-tool permissions need to be reviewed as action authority, not only data access.
Field note
When agent social engineering becomes action hijacking
What OpenClaw incidents, malicious skills, and exposed agent infrastructure show about authority-bearing workflows.
Framework
The Agentic AI Stack: where control actually belongs
An OSI-inspired model for separating compute, models, memory, orchestration, tools, authority, control, and domain action.
Field note
Why AI coding tools change the SDLC risk model
Why the risk is not only generated code, but delivery authority across PRs, CI/CD, credentials, tools, and release paths.
Field note
The question security will be asked about AI-assisted engineering
Which workflow acted, with what authority, who approved it, and what proof remains?
Field note
MCP is not the whole problem
MCP matters, but CI/CD, scripts, credentials, repo automations, package paths, and releases matter too.
Field note
Why NHI tools do not fully answer AI software delivery risk
Identity is an input. The action path is the control question.
Collections by reader intent
Framework essays
AI Engineering Operating Notes
Repo contracts, orchestration, isolation, evaluation, proof, and maturity.
Executive adoption
From AI Pilots to Governed Adoption
Platform standards, sanctioned pathways, approval discipline, and rollout sequencing.
Reports
OpenClaw / Sprawl
Interpretation layers for the two published research reports.
Evaluation
How to Evaluate Agentic Control
Scenario, efficacy, proof, and pilot language for evaluation-grade review.
Methods archive
Wrkr / Gait
Implementation context for discovery, MCP reach, policy before action, signed traces, and CI regressions.
Frameworks and reference pages
Hub
CAISI Frameworks
Durable artifacts for inventory, approval, proof, CI/CD control, maturity, and stack-level reasoning.
Field guide
AI Agent Governance
A practical entry point to CAISI's main concepts, control layers, and role-based starting paths.
Reference
Agent Action BOM
Plain-language definition of the artifact CAISI uses to map action exposure across software delivery.
Reference
Securing AI coding agents in CI/CD
Practical checklist for GitHub Actions, CI/CD, credentials, approval, and proof.
Glossary
AI Agent Governance Glossary
Plain-language definitions for write paths, execution boundaries, proof packets, approval mediation, and related terms.
Author
David Ahmann
Profile page for the CAISI author behind the operating notes, benchmark language, and implementation essays.
Research, field notes, and frameworks together
Primary artifacts
Open the research hub
Use the research hub when you want the measured report, the artifact links, and the exact scope of the claim before reading interpretation or a framework.
Reusable artifacts
Open the frameworks hub
Frameworks turn current field notes into artifacts teams can use during rollout, audit, platform standardization, and review.