# Agent Safety Is Becoming Infrastructure - Date: 06 Jun 2026 (2026-06-06T17:52:44.000Z) - Summary: Today’s strongest AI discourse shifted from raw agent capability to the infrastructure needed to constrain it: diagnostic evals, scoped payments, sandboxes, and egress controls. The practical canon is becoming clear: useful agents need bounded authority, observable failures, and reusable workflow... - Tags: `digest`, `ai-discourse`, `agents`, `evals`, `agent-safety`, `payments`, `sandboxes`, `prompt-injection` ## Sources 1. [AI Engineer - Evals Are Broken, Use Them Anyway — Ara Khan, Cline](https://www.youtube.com/watch?v=QuuIywMG4s8) (youtube) 2. [AI Engineer - Building safe Payment Infrastructure for the autonomous economy — Steve Kaliski, Stripe](https://www.youtube.com/watch?v=KLSuFPj2ld0) (youtube) 3. [Simon Willison - OpenAI Help: Lockdown Mode](https://simonwillison.net/2026/Jun/5/openai-help-lockdown-mode/) (website) 4. [Simon Willison - MicroPython in a sandbox](https://simonwillison.net/2026/Jun/6/micropython-in-a-sandbox/) (website) 5. [Sebastian Raschka / Ahead of AI - LLM Research Papers 2026, Part 1](https://magazine.sebastianraschka.com/p/llm-research-papers-2026-part1) (website) # Agent Safety Is Becoming Infrastructure, Not Advice ## Executive Summary The strongest signal today is that serious agent discourse is moving from “can the model do it?” to “can the system constrain, measure, and audit it?” The day’s best items all point in the same direction: useful agents need scoped payments, sandboxes, egress controls, and evaluations that diagnose failure modes rather than merely decorate product launches. ## What Happened Two AI Engineer talks supplied the clearest practitioner frame. In [“Evals Are Broken, Use Them Anyway”](https://www.youtube.com/watch?v=QuuIywMG4s8), Ara Khan of Cline argued against both benchmark literalism and pure vibes. The useful middle position is that evals are not final truth, but they are also not disposable. Model-lab scores can approximate capability, yet two models with similar public numbers can behave very differently inside a real workflow. The practical move is to use evals as a diagnostic instrument: separate failures caused by the model from failures caused by the harness, tools, task design, or eval itself. That is where teams find the “small levers” that improve agents. The companion infrastructure story came from Stripe’s Steve Kaliski in [“Building safe Payment Infrastructure for the autonomous economy”](https://www.youtube.com/watch?v=KLSuFPj2ld0). His central distinction was crisp: discovery and exploration may benefit from LLM non-determinism, but credentials, payments, and checkout require determinism. Agents are already economic actors in the narrow sense that tools like Claude Code and Codex spend tokens. Extending that spending to merchants creates familiar but newly automated failure modes: buying from the wrong place, buying the wrong thing, spending the wrong amount, or using the wrong credential. Stripe’s answer is not “let the bot browse like a human,” but scoped payment tokens, explicit buyer confirmation, API-driven payment flows, and constraints around merchant, amount, and expiration. Together, the talks turn agent safety from a moral abstraction into an interface-and-protocol problem. ## Why It Matters This reinforces a developing canon in the digest: agent progress is less about one spectacular model jump than about moving capability into bounded operating environments. The agent that matters is not just the one that can plan a task; it is the one whose failure can be localized, whose tools can be scoped, whose network access can be limited, and whose spending authority can be revoked or constrained. That view was echoed by Simon Willison’s note on [OpenAI’s Lockdown Mode](https://simonwillison.net/2026/Jun/5/openai-help-lockdown-mode/). The important detail is what the feature claims to do and what it does not claim to do. It is aimed at limiting outbound network requests that could transfer sensitive data during the final stage of prompt-injection exfiltration. It does not make prompt injection disappear from content the model processes. In other words: containment, not immunity. Willison’s separate note on a [MicroPython/WASM sandbox for Datasette Agent](https://simonwillison.net/2026/Jun/6/micropython-in-a-sandbox/) fits the same pattern. If agent-generated code is going to be useful, it needs execution boundaries. Sandboxed code execution, egress controls, scoped credentials, and transaction protocols are all versions of the same design principle: assume the agent can be useful and wrong at the same time. ## The Bigger Story The interesting shift is that “agentic” is becoming less mystical. The better discourse is converging on mundane constraints: what can this agent read, execute, call, buy, persist, and report back? How do we know whether a failure came from the model, the surrounding software, or the task specification? What authority is delegated, and how is it bounded? That also complicates a common benchmark-centric story about model progress. If teams cannot attribute failures, a better model can look worse inside a broken harness. If teams cannot constrain authority, a more capable model can become a more expensive or dangerous operator. And if rejected outputs are not converted into durable rules, taste, and evaluation cases, every workflow keeps relearning the same lessons. Nate B Jones made that last point in a short clip: rejection of AI output is a “knowledge creation event” only if the constraint is captured and reused. ## Workflow Implications For builders, today’s takeaway is practical: stop treating evals, permissions, and sandboxes as separate afterthoughts. They are the agent product. A useful near-term checklist is simple: define the task-specific eval before trusting benchmark claims; log failures by cause, not just outcome; scope external actions separately from exploratory reasoning; constrain credentials and spending by merchant, amount, time, and user confirmation; and capture rejected output as reusable workflow knowledge. The discourse is maturing because it is becoming less impressed by autonomy theater. The most credible agent builders are not promising unconstrained digital employees. They are building constrained systems that can do real work without pretending uncertainty, payment authority, code execution, and network access are solved by prompting alone. ## Further Reading - [Sebastian Raschka’s 2026 LLM research paper roundup](https://magazine.sebastianraschka.com/p/llm-research-papers-2026-part1) — useful as a research catch-up pointer, though today’s available evidence did not surface a single new argument from the list.