Executive Briefs
Decision-grade summaries of richards.ai research — written for security leaders and engineering decision-makers who need the bottom line, the questions to ask, and the durable controls.
Hardening Multi-Agent AI Systems: A Briefing for Security Leaders
Prompt injection is the top risk on the OWASP LLM list and is named explicitly in NIST and NCSC guidance. In a multi-agent AI system, malicious instructions can travel between agents, into shared memory, and through tool descriptions, so one bad input can compromise a whole workflow. The durable controls are architectural — authority separation, scoped credentials, typed channels, and human approval for irreversible actions — not a filter you can buy.
What Prompt Injection Means for Security Leaders Deploying AI Agents
Prompt injection lets attackers smuggle instructions into any content your AI agent reads — an email, a webpage, a retrieved document, a tool description — and have the agent act on those instructions under your user's credentials. It is the top-ranked LLM risk in OWASP's 2025 list, and adaptive-attack research shows that filter-only defenses fail under pressure. The practical takeaway for leaders: the security boundary must live outside the model, in tool authorization and egress control, not in the model's judgment.
What Agent Capability Control Means for Security Leaders
Tool-using AI agents place a probabilistic model at the junction of untrusted content, private data, and side-effecting tools. Once those three meet in one loop, attacker text in an email or ticket can become an authorized action on the way out. Better models do not fix this. The security boundary belongs in deterministic policy outside the model — a tool broker, scoped credentials, and information-flow controls — not inside the prompt.
What Compound AI Systems Mean for Security and Engineering Leaders
Agentic AI deployments are compound systems — orchestrated programs in which a language model plans, retrieves, and calls real tools that mutate real state. Public benchmarks through 2025 show these systems solve only 12–15% of realistic tasks while suffering up to 70% attack success from content embedded in their inputs. Compound AI systems fail and get exploited at the system boundary, not the model call, so governance has to constrain agency, mediate tools, and treat retrieved content as untrusted data.
What Tool-Use Reliability Means for Security and Engineering Leaders
When AI agents delete production databases or leak data through a crafted email, the proximate cause is rarely a malformed model output. It is an architecture that lets a probabilistic planner drive irreversible action with full production credentials. Tool-use reliability is the end-to-end property that an agent's actions are correct, authorized, and consistent — not just well-formed. Treat it as a distributed-systems problem, not a model problem.
What Generative AI Tutors Mean for Chief Learning Officers and L&D Leaders
Generative AI tutoring now has enough evidence behind it that 'wait and see' is no longer the responsible default, but the same evidence shows the technology can damage durable learning when deployed without scaffolds. AI tutors deliver real learning gains when embedded in structured help policies and assessment design, and actively damage learning when deployed as unrestricted answer access. The decision for learning leaders is which deployment pattern fits which population, not whether to engage at all.
What AI Assistance Means for Learning Leaders: The Performance-Learning Gap
Three converging 2025 studies show AI assistance produces two outcomes that look identical from outside: better assisted performance and worse independent capability. Unrestricted chatbots create a measurable performance-learning gap; structured tutors with attempt-first gating and teacher-authored hints can outperform active learning. The procurement question for learning leaders is not whether to adopt AI, but what to require of it before it touches learners.
What Agentic Patch Validation Means for CISOs Weighing Automated Vulnerability Repair
Agentic automated vulnerability repair tools generate candidate patches quickly, but most published fix rates measure plausibility, not correctness. Public benchmarks show 42% false-discovery rates after stronger validation and collapse from 60% to 5–11% success when fuzzing and differential testing are added. The CISO decision is not whether to adopt AVR but what evidence the program requires before a vulnerability ticket is allowed to close, and whether the agent can quietly weaken its own validator.
What Agentic Binary Reverse Engineering Means for CISOs
Agents that drive Ghidra, debuggers, and sandboxes in a plan-act-observe loop are triaging malware at production scale and finding bugs across thousands of firmware images. The same loop lowers attacker cost to analyze your shipped software, firmware, and protocols. Treat the technology as a defender opportunity that requires sandboxing, evidence trails, and human approval, and as a reason to retest any security-through-obscurity assumptions in your own products.