AI Security
Breaking Change Awareness: Griffin AI vs Mythos
An auto-fix that closes a vulnerability and breaks the build is not a fix. Breaking-change awareness separates auto-PRs that ship from auto-PRs that get reverted.
Mar 19, 20266 min read
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
An auto-fix that closes a vulnerability and breaks the build is not a fix. Breaking-change awareness separates auto-PRs that ship from auto-PRs that get reverted.
The Model Context Protocol shifted agent integration from custom glue to a standard surface. Authorization patterns that work, and the ones that keep biting teams.
An audit trail is only useful if you can answer questions from it. Quality is not about volume — it's about the ability to reconstruct decisions after the fact.
A vulnerability that passes through a working sanitizer is not a vulnerability. Detecting that sanitizer accurately is the difference between actionable findings and noise.
Where AI-BOM and ML-BOM specifications stand in 2026, which formats have real adoption, and what to capture today even if the standards are still in motion.
LLM-suggested package names that do not exist are a registered attack vector in 2026. Here is where hallucination rates sit today and how to contain them.
A senior engineer's survey of AI-BOM and ML-BOM standards in 2026, from CycloneDX ML components to SPDX 3.0 AI profile, and what to actually ship.
Your SBOMs come from a dozen vendors, three scanners, and two CI systems. Normalising them into one queryable graph is where SBOM programs actually succeed or fail.
A benchmark you can't reproduce is marketing. A benchmark you can rerun on your own infrastructure is evidence. The reproducibility gap is wide.
Weekly insights on software supply chain security, delivered to your inbox.