Notes from the field.

Every hype cycle leaves a wreckage and a residue. The wreckage is the companies that never had a real use case. The residue is the practitioners who used the cycle to build durable skill. AI will be no different, and the gap between adoption speed and governance maturity is where security and audit professionals get to plant a flag.

For years I pronounced it wrong. Then I looked at what I actually do, and realized the mistake had a thesis behind it. This is the case for treating AI-assisted engineering as a campaign, not a roll of the dice.

I gave the Vivecoding talk live at IT Audit Labs. The manifesto post has the technical bones. This one has the moments the slides could not carry: the pronunciation that turned out to be a thesis, the night Bard refused to let me refactor, and the two production scars I can only laugh about now.

How I ended up running an end-to-end realtime phone agent on Workers + Twilio Media Streams + Workers AI, after trying two heavier stacks first. The architecture, the loop, and the gotchas no tutorial shows you.

108 malicious Chrome extensions hit ~20,000 users by capturing OAuth2 tokens, opening backdoor URLs, and stripping security headers, bypassing MFA, EDR, and CSP. Here's what actually defends against this.