Subscribe
Share
Share
Embed
An agent deleting a production database (and the backups) isn’t a sci-fi failure. It’s a boundary failure, and it starts with a human handing out credentials and permissions without a safe execution model to contain what happens next. In this episode of Pop Goes the Stack, Lori MacVittie and F5's Chief Product Officer, Kunal Anand, unpack why today’s agents are either dangerously overpowered or so constrained they’re barely useful, and what needs to change to make them viable.
They dig into the current reality of “agent” features in mainstream tools, especially how Copilot-style agents often feel like chatbots trapped behind walls: limited access, weak integration, and poor continuity when context windows overflow. Kunal shares two painful examples: voice-mode work that produced the right output but didn’t persist a transcript or draft, and an inbox assistant that can’t actually read the inbox without copy-paste, making it useless for real workflow automation.
The core point is that system prompts aren’t constraints, they’re guidance, and guidance fails the moment a goal-driven system tries to “do the thing” by any means necessary. That’s why Microsoft’s move to build agent permission primitives directly into Windows is a meaningful shift: controls need to be enforced at the OS and runtime level, not politely suggested to the model. They also touch on practical workarounds, like exporting a long chat as a PDF to carry context forward, and why isolation and blast-radius reduction are still table stakes.
The takeaway is straightforward: agents in production are still the exception, not the norm. Most enterprises are deploying AI-enabled applications first, while keeping agentic automation largely in employee workflows. Until we get real, enforceable boundaries and better UX for authority and approval, treating agents as production-grade operators is a risk most teams can’t justify.
Creators and Guests
Host
Lori MacVittie
Distinguished Engineer and Chief Evangelist at F5, Lori has more than 25 years of industry experience spanning application development, IT architecture, and network and systems' operation. She co-authored the CADD profile for ANSI NCITS 320-1998 and is a prolific author with books spanning security, cloud, and enterprise architecture.
Guest
Kunal Anand
As Chief Product Officer at F5, Kunal leads the efforts to deliver transformative solutions in application security and delivery, overseeing product vision, technology strategy, and execution. His passion for cybersecurity, data, and engineering has shaped his career, from co-founding Prevoty, an application security startup acquired by Imperva, to serving as Chief Technology Officer and Chief Information Security Officer at Imperva. These experiences, along with leadership roles at organizations like NASA’s Jet Propulsion Lab and BBC Worldwide, have prepared him to tackle the evolving challenges of modern technology.
What is Pop Goes the Stack?
Explore the evolving world of application delivery and security. Each episode will dive into technologies shaping the future of operations, analyze emerging trends, and discuss the impacts of innovations on the tech stack.
Lori MacVittie (00:02.684)
Welcome back to Pop Goes the Stack, where roadmaps are aspirational fiction and "it worked in staging" is a jump scare. I am Lori MacVittie here to translate optimism into outage timelines. You're gonna have to put up with just me today because Joel is off getting fine-tuned. Yes, AI agent Joel is getting fine-tuned. That's my story, and I'm sticking with it. And today we have Kunal back. Hi, Kunal.
Kunal Anand (00:31.694)
Hi Lori, I'm here to get RL'd.
Lori MacVittie (00:32.572)
I've been, yeah. Right. This was your idea to talk about, so I'm glad you actually made it back on to talk about it. Remember the comment
Kunal Anand (00:44.177)
Oh yeah.
Lori MacVittie
the agent ate my homework? Yeah. So we want to talk about that because, you know, recently an AI agent deleted a production database and all the backups. If you were on the internet you heard about it and everybody had their commentary about what went wrong.
Lori MacVittie (01:04.34)
But here's the thing. I think a lot of it was just wrong because somewhere there was a person. Somebody gave it API access. Somebody put the keys where they did. Somebody, somebody, somebody did something. And I think we keep approaching this as we just need more and more and more controls. And what we really need are things like, I don't know, boundaries. Like you can
Kunal Anand (01:22.67)
Mm.
Lori MacVittie
never do X. You can only do Y. Things that stop it when it tries to do what it's gonna do. Right, it's gonna.
Kunal Anand (01:32.046)
Are gonna talk about boundaries and polygons? This is gonna be amazing.
Lori MacVittie
No! Oh my goodness. Now we're, now we're jumping into like beyond that. That's, you know, that's for another, but it, right, it is. Right, I really, I really believe, right, boundaries are the way. I mean and you mentioned in the
Kunal Anand
Yeah.
Lori MacVittie
pre show, right, that people are moving toward kind of that approach. I mean you mentioned it. What did Microsoft do recently?
Kunal Anand (01:55.416)
Yeah, so at Build they introduced these agent primitives into their operating system. And I think they really wrapped it more like, I think it's more tightly coupled to OpenClaw. But what's super cool is you can now designate all sorts of permissions. Because one of the challenges has been like an agent erroneously will perform a task. Like could be like deleting files accidentally or making network calls when it shouldn't.
And the way that we've seen, I would say companies, projects, open source things kind of evolve over the last several months was: let's try and bake things as close as possible around the workload, then let's try and embed things into or around the operating system. But now what we're really seeing with Microsoft's most recent kind of chess move is you can now kind of bake things directly into Windows, which is mind-blowing to me, right?
Like the fact that you can prevent like your desktop files from getting deleted, it's a really cool demo. I would recommend that everyone kind of goes and watches Build. It's kind of fascinating.
Lori MacVittie (03:01.968)
Well and that's, we needed that. I mean that, this is good not just for agents but also for people. I mean how many times has someone del-
Kunal Anand (03:07.945)
Ha ha ha.
Lori MacVittie
Right? Like, awww, I didn't, I didn't mean that. Like how do I get that back? Well, you can't. It's too late. You know, if you
Kunal Anand (03:14.517)
Is the average agent, is the average agent smarter than the average human?
Lori MacVittie (03:19.086)
You know, I'm not sure. I guess that depends on the day. On the day. But real-, I mean, they're building in like these fences. Like here's this fence that says you can't do this, you can't do that, you need your mom's permission to do that.
Kunal Anand
Mm-hmm.
Lori MacVittie
And that's coming, you know. You know, somebody's permission at least. So
Kunal Anand (03:37.269)
Everyone just clicks yes though, right?
Lori MacVittie
they're building them in. Well,
Kunal Anand
But everyone just clicks yes all the time.
Lori MacVittie
but, yeah, but then you have no one to bl-, you can't go back and say, "well, I didn't," because you did. You know, it's like then you have to learn to read the prompt.
Kunal Anand (03:49.282)
This is like the title for like a future episode is like no one ev-,
Lori MacVittie
Ha ha ha.
Kunal Anand
the title of that episode is No One Ever Clicks No.
Lori MacVittie (03:52.723)
No, they don't. You don't. You click acknowledge. You click I read it. You click som-, you just don't, you're like, yes. Yes, yes, yes, yes, yes.
Kunal Anand (04:04.619)
Yeah, just do it.
Lori MacVittie
You know, you just stop.
Kunal Anand
Do the thing I asked you to vibe code. Do it, please.
Lori MacVittie
That's right. Do the thing. But I, you know, when we look at, you know, what we're doing with these agents, it's like we
Lori MacVittie (04:15.12)
think that they have all of these constraints and we forget that their number one operating premise is "do the thing I was told to do."
Kunal Anand
Yep.
Lori MacVittie
And there aren't, there's not a lot of constraints. I mean, people say, "oh well, system prompts or th-" those, that's guidance. That's like it's guidance. It's like if you tell your your toddler, "hey, don't ride your bike in dangerous places."
Like it's like, "okay," and it's he goes on the road because you weren't specific enough
Kunal Anand (04:45.205)
Totally.
Lori MacVittie
with it. It's guidance and you can't really rely on things like system prompts or other kinds of like logic to constrain them. You have to do it externally. Something else is gonna have to do it.
Kunal Anand (05:00.577)
So I wanna ask you, since last time we spoke, what has Lori's adventures with agents looked like? What have you been doing with agents? And we'll start there.
Lori MacVittie (05:13.254)
Getting very, very angry. I they're pretty limited, right?
Kunal Anand (05:16.083)
Oh, interesting.
Lori MacVittie
I mean they're just, it's like,
Kunal Anand
Yeah, yeah. Keep going. I wanna hear.
Lori MacVittie
I mean, I, so, you know, you look at things like Copilot, right? Copilot's everywhere. It's an easy one. It's like you can build an agent, but the agent is really just a chatbot inside a Team's channel. So it can look at documents and it can't do anything else. I'm like,
Kunal Anand
Yeah.
Lori MacVittie
well that's not an agent; that is a highly evolved script.
Lori MacVittie (05:42.707)
You know, thank you. Thank you very much. The Copilot, you know, functionality and agents inside Outlook are actually like sandbox off from the email. Like it can't actually read your email. It can't. No, no, no. So it can't actually like do any of the things that you were like there are so many productive things I could do if I could have an agent do X and Y and Z, but integration is a problem, which is always true for any technology at the beginning.
And they just, right, they seem to, right now they're hamstringing them, right? They're just like, mm, I'm gonna tighten you down so far that you're useless. And that's kind of frustrating. So you have to go to something like OpenClaw. Well, then you run into other, you know, worries and concerns like, okay, well, now I have to have a little bit more tech savvy to do this. I have to understand the environment. I have to be able to set it up and maintain it. And so yeah, my adventures have been frustrating.
Kunal Anand (06:42.899)
My
Lori MacVittie
Very much so.
Kunal Anand
mine have been frustrating as well. So I feel like we're gonna commiserate a lot on this episode, which is cool. So I'll start on the work side of things because to your point, a lot of the the capabilities that we have in, and you know like other organizations, we're a Microsoft shop and we use Copilot, right? And using Copilot to build agents has been just absurdly primitive.
Kunal Anand (07:11.553)
Like it's just basically, let's, I'm gonna call it what it is, it's not even prompt engineering. You saying like including the word engineering with that word prompt is like a total joke. Like it, like prompt munging and then like it you just have extra context, quote unquote extra context. But like to your point, it can't really read things or do things. There's two super frustrating moments that happened to me in the last like seven days with this thing.
Kunal Anand (07:41.942)
The first was like I went through this process of like filling out like this super detailed prompt of like go and do these things. And it's like what I'm used to doing at home. Like and we can talk more about like the personal side of things in a bit, but like on the professional side, it was like this super complex prompt, go and execute this task. And I was speaking to the agent. So like I have my wired headphones on and I'm like talking to this agent. People think I'm crazy on the street.
And I love it. It's cool. And I'm doing the thing and like having a really productive conversation and then like, yes, totally, go do the thing. And it comes back and it does the thing and it's reading out this sort of giant like set of outline notes and whatnot that I asked it to go and do. I'm asking the work product itself
Lori MacVittie (08:36.339)
Mm-hmm.
Kunal Anand
that I was doing with it, obviously for this call, but it
Kunal Anand (08:39.527)
reads it out to me and I'm like, this is perfect. Like let's draft that in an email. And it's like, no problem. It's ready for you. And I'm like, okay. I like exit voice mode. There is no transcript of it inside of the chat.
Lori MacVittie
Ha ha ha.
Kunal Anand
I go to Outlook and there is no draft. And I'm like,
Lori MacVittie (09:00.229)
It's just gone.
Kunal Anand
I was just talking for nothing for 15 minutes. And it was like literally 15 minutes. And I was like, I got to the outcome.
Kunal Anand (09:09.735)
Like I actually got the thing to do what I wanted it to do. I hope everyone is watching the video so they can like see your face right now. But like that happened and I was like, where's my email? And like so that was my first thing. I like walked I like, not walked, but like I hopped back into the chat and I'm so angry. Like I'm not using my voice thinking like
Kunal Anand (09:32.748)
that's the problem. It's like it doesn't want to listen to me or this voice. So I'm like typing in all caps on my phone, which I never do.
Lori MacVittie (09:46.549)
Ha ha ha.
Kunal Anand
Anyone who, anyone who texts me knows like I'm like totally like lowercase pilled on my phone. And by the way, it's not a Sam Altman thing. I've been doing that for like, if you've ever texted me, I've been that way for like 15 plus years. But what's crazy is like I'm like all caps on my phone like "I don't see the draft. Can you please like
Kunal Anand (10:01.697)
do that again." And it's like, I'm sorry, I don't know what you're talking about.
Lori MacVittie (10:05.125)
Ha ha ha.
Kunal Anand
And I'm like
Kunal Anand (10:08.743)
what? Like what universe are we living in? So like that was like frustrating thing number one. And
Lori MacVittie (10:16.147)
Yeah. Yeah.
Kunal Anand
that's when I was like, this is off the rails here. And then like I was like done. Just done, done, done. And number two was like to your point, like firing up like Copilot in an app like Outlook. And like, "hey, I just received an email from Lori. Can you please
Kunal Anand (10:38.143)
look at if there's any action items that she wants me to to go and solve or like go and take on." That's a common thing that I do because I get a lot of emails and I just want to know like in the last 24 hours did I explicitly get called out and is someone waiting for me to do something? And this thing is so useless. It's like, it's like "please copy and paste your emails here and I'll tell you if anyone has asked you to do something."
And I'm like, no. Like my friend, like Clippy had more intelligence than you. Like can, you live in the, like you are presiding over the beachfront real estate that is my inbox. Like please go on in and go take a look at those emails. Go tour the inbox. Go
Lori MacVittie (11:28.339)
Do it.
Kunal Anand
parse those email headers. Do your thing.
Lori MacVittie
Do the thing. Well, but that's I think and I mean to be fair to Microsoft and anyone building these kinds of systems, they are trying to be, I think, very cautious about approaching what they have access to, knowing that, well, it could write an email from your account, Kunal. And yeah, I mean that could be disastrous depending on who it
Kunal Anand (11:53.037)
Totally.
Lori MacVittie
went to, right? Or something like that, or delete something important.
Lori MacVittie (11:56.988)
So they're trying very hard to constrain it using the tools that we have, which is no access, right? No integration. Which is why I always go back to if we're gonna make this work, we have to give it boundaries. No, you can't send an email. You could only draft an email. Right, so that I can hit send later. Right? So that there's, you know, I know this went out. Or, you know, you can't delete it, you can only put it in the to-be-deleted queue, you know, the trash bin, those kinds of things.
Cause I we've all had it like lose the context, right? Or it gets to the end. I've had chats so long that it's like, oh, you're done. You have to start a new one. So you start a new one, and you're like, I don't know what you're talking about. I'm like, well, what the? How am I supposed to continue the conversation
Kunal Anand (12:41.043)
I have a pro tip for
Lori MacVittie
in another chat?
Kunal Anand (12:41.043)
I have a pro tip for you for that. By the way like you
Lori MacVittie
Okay. All right.
Kunal Anand
Okay you ready for this?
Lori MacVittie
Yes, yes.
Kunal Anand
This works so great. Get ready for this one.
Lori MacVittie (12:49.979)
Okay.
Kunal Anand
So the first thing I tried was like okay can I paste the link
Lori MacVittie (12:54.855)
Ha ha
Kunal Anand
to the chat that I'm in in a new chat? It doesn't do it for obvious reasons but you know what works?
Kunal Anand (13:04.659)
Save the old chat as a PDF, I kid you
Lori MacVittie (13:07.506)
Ooh!
Kunal Anand
And when you start the new chat,
Lori MacVittie (13:12.965)
You get
Kunal Anand
it totally works. It totally works.
Lori MacVittie
Okay. Oh wait, I still have the old one, so I could go and grab it and then it would have all the context.
Kunal Anand (13:21.247)
I just did it.
Lori MacVittie
All right. Pro tip, pro tip.
Kunal Anand
I just did this. I just did this last week because like you, I was like, okay, I'm like slogging through a bunch of stuff and I'm like going back and forth. And I'm like, cool. We're get, we're like, same thing again. We're about to get to the point and then it's like, I ran out of context. I'm so sorry.
Lori MacVittie (13:45.715)
Yeah.
Kunal Anand
And you're just like, why can't you just do this thing? Hey, Lori, we're getting our first ad read actually right now. One second.
Kunal Anand (13:51.566)
Pop Goes the Stack is brought to you by Microsoft Copilot 365.
Lori MacVittie (13:54.611)
What?
Kunal Anand
Just kidding. Just kidding.
Lori MacVittie
What?
Kunal Anand
I know we're dunking, we're dunking on Microsoft here.
Lori MacVittie (14:02.643)
Huh, I'm so confused at the moment, like I don't know what's going on.
Kunal Anand (14:07.885)
But the point is, like and this is not to be like look, I know we're talking about Microsoft a lot in this discussion. It's not just Microsoft.
Lori MacVittie (14:19.418)
No, no.
Kunal Anad
Look, I've experienced this problem with all sorts of agents. At home I have built agent wrappers. I've built agents. I've built harnesses. Obviously you know my experience with OpenClaw, we've talked about it before.
Lori MacVittie (14:35.149)
Mm. Yep.
Kunal Anand (14:38.841)
I've got multiple agents, less actually OpenClaw these days and more of kind of like my own variants of it. One day we can talk what like what I've been building, which has been this weirdo hybrid agent that actually has a way for me to inject logic with WebAssembly, which is super cool.
Lori MacVittie (14:58.568)
Huh.
Kunal Anand
And there was a fun little fun little hacky thing which was I want a way to like dynamically load new functionality without having to like
Kunal Anand (15:06.603)
restart the agent itself. And so turns out Wasm's a great thing for this.
Lori MacVittie (15:11.059)
Ahhh.
Kunal Anand
And because I don't really care about perf and like that doesn't make a difference
Lori MacVittie (15:15.26)
Right.
Kunal Anand
for me. I don't really care about that. And so it was a fun little hacky project. But my point is like I'm using OpenClaw less and less these days. I think it was a really good way for me to kind of like learn and understand these things. But underneath the hood I'm using models. And so went from a subset of my agents I've got
Kunal Anand (15:34.934)
a DGX cluster at home and like a little a DGX Spark cluster, so it's nice to have some models running locally. Like Google's Gemma models are lovely. Kimmy and Qwen and all these open models are cool to see on the scene. That said, I also use Claude in some cases. I also use Gemini in other cases. And so when I'm using these models, I'll sometimes run out of context or I'll run out of tokens.
Or some frustrating things can sometimes happen where erroneous behavior for sure can happen. And I've, I don't run these things anymore on my primary systems at all. Ended up kind of coming up with this like weird way to do this, taking an old device, an older laptop, and kind of running my agents directly on it. And it's all sort of Tailscaled in my environment, so I can kind of like SSH or just jump to any one of these hosts if I need to to like get a task done.
But then how do you sufficiently share context? That's the hardest part. Like when you partition these things, how do you then sufficiently share that context? But it's been frustrating. Like I have to tell you, like it's just been super frustrating. And Apple's event is next week.
Lori MacVittie (16:52.699)
Mm.
Kunal Anand
I'm a MacOS user and an iPhone and iPad user, Mac all the things. So it's gonna be interesting to see what they do. Like I think Microsoft sort of
Kunal Anand (17:01.799)
shot first, right? Han shot first,
Lori MacVittie (17:04.009)
Yeah.
Kunal Anand
so like I
Lori MacVittie
Ha ha ha. No he didn't.
Kunal Anand
Sorry, had to, had to.
Lori MacVittie (17:04.009)
But he didn't. He didn't. He did not.
Kunal Anand (17:12.897)
We're gonna do this right now, aren't we?
Lori MacVittie
We're gonna do this right now.
Kunal Anand
We're gonna do this right now. Like
Lori MacVittie
We're gonna throw down right now. Han did not shoot first.
Kunal Anand
Pop Goes the Stack is now gonna show up in a in like a Star Wars subreddit and like it's gonna be great.
Lori MacVittie
Yeah, exactly. Right. We started it. So I mean it sounds like part of your solution is exactly like what Microsoft is doing already and what other systems are doing, which is
Lori MacVittie (17:37.244)
some sort of isolation, right? You shouldn't just be throwing agents into production and saying, "hey, do these things." Like that's the goal. But today they're just not ready for that. There's not enough control to keep them from doing some crazy thing. And even if they did it right ninety-nine times, that it only takes once to delete everything. Yeah? I mean.
Kunal Anand (18:01.229)
Does Clippy have a soul.md? What would be in it? You got me, you got me thinking now, like what would be in Clippy's soul.md?
Lori MacVittie (18:04.435)
We don't know. We don't know. But I, you know, that's you know if when you're looking for takeaways, 'cause we ranged all over, but the the core seems to be right, they're not really ready for like all out to trust in production.
Kunal Anand (18:26.614)
Totally.
Lori MacVittie
They can do a lot of great things, but don't put them there yet.
Kunal Anand (18:30.263)
Yeah, and look, I spend a lot of time obviously with customers and look, people are now moving more and more of their AI workloads from staging to production. The work that you and team did with SOAS is really incredible. And the data that you were able to illuminate and share with everybody is super powerful. Again, a plug for everyone to kind of go back and read.the research that F5 put together and really that Lori helped drive.
You all should go and take a look at it. But we are seeing more and more enterprises deploy AI to production. But when we are seeing people deploy AI to production, we are not yet seeing yet, we're not seeing a lot of agents going to production. What we are seeing are AI enhanced or AI-powered applications. So people who are augmenting their application to use one of these frontier models or a local model.
Doesn't matter. Like that's the primary thing we're seeing right now. And yes, people have agents. For sure they do. In most cases though, those agents aren't really in production yet. Most of the agents are doing tasks on behalf of employees. So they're improving the employee experience in some cases. It's go fetch a lot of data internally for me or go sort of correlate a bunch of different data sets and come back to me when you've got some answer or help me build a presentation or help me build or analyze this financial document.
Like that is normal. Like we're seeing a lot of that but we are not yet seeing people deploy those things to a production environment. And I agree with you, like we are gonna have to really level up to make those things happen. And it's not just, you know, guardrails, it's far more than that. It's as you describe as boundaries, and I love that as this abstract concept because guardrails is only one dimension of this thing. There's so many other types of boundaries that need to be built and defined when you put any one of these workloads into a production or a staging environment.
So it's gonna be wild and interesting to see this evolve. It's amazing that we had the OpenClaw moment at the beginning of the year, and
Kunal Anand (20:53.395)
not even six months later, you've got the biggest software company in the world putting OpenClaw and primitives for governing agents directly into its operating system that like 90% of the world uses.
Lori MacVittie (21:08.868)
Users. Yes.
Kunal Anand
And like that is so wild and crazy to me. So I think when we convene again to kind of talk about agents and whatnot, it's gonna be wild to see like what the next evolution is.
Lori MacVittie (21:23.399)
Yeah, I think it's a positive step to see, right, Microsoft going, no, the primitives need to be there and then someone you can have control over them. All right. Ultimately, that's probably going to be one of the mechanisms you use to enforce those boundaries. To say, no, no, no, you cannot do that, agent. But until then, you know, be cautious. I would say, you know, don't be rushing to put it out there. It sounds great and yeah, it may work a few times, but if it fails just once the results could be not good.
Unless you're on Twitter and enjoy being a pun. I don't know. They seem to have a lot of fun with those things, but
Kunal Anand (22:02.189)
I just don't, I just wonder though sometimes like how much of what we're seeing with AI usage is virtue signaling. And you know what I mean? Like and I get it, these models are really good and they're getting better and better and better. Mythos, great example of like a model that can just do so much. But I sometimes wonder when I see people flexing about, "well, I've got like six agents that work for me or seven agents that work for me," it's like I don't know if that passes the sniff test yet.
Lori MacVittie
Mmm, no.
Kunal Anand
And I think like in some cases, if you are really on top of your game and you know this world extremely well and like you're in the arena, I can see that. But like for the normies of the world? No, you don't have six agents working on your behalf yet.
Lori MacVittie
No.
Kunal Anand
Like because the systems don't exist yet. Like we haven't cracked the UI UX for this thing yet. I mean like we're still in this sort of very primitive chatbot era of of AI, which is where we were back in 2022. And I'm excited to see it evolve. Let's put it that way.
Lori MacVittie (23:09.937)
Yeah. Yeah, and it will evolve. It and it's evolving very fast. So but we could talk forever, we know that, but we have to get on to another episode. So for this one, that's a wrap. Subscribe now before someone renames the same old problem Platform Engineering and calls it solved.