One Set of Hands

Evolution didn't give us different hands for every task. We got one set of hands - general, limited, observable - and civilization made them safe not by removing them but by constraining what they can touch: locks, badges, dual signatures. A bank teller can move millions. Not because anyone trusts them with everything, but because the system makes most wrong actions impossible.

The AI industry is building the opposite. Every vendor pitch is more: more tools, more integrations, more autonomy. Agents with your email, your database, your production credentials. Every capability gets bolted on like an extra hand - and every extra hand is another audit surface, another way for things to leave the building.

Enterprise buyers feel exactly the fear this architecture deserves: if it can touch everything, it can leak everything. They're right.

But here's what everyone is missing: the authority you can safely delegate to an AI scales inversely with its capability surface. Fewer hands, fewer audit surfaces, lower risk - and more real power delegated. The power is not in the model. The power is in the harness.

The Narrow Waist

Every action our AI systems take - every query, every write, every generated app calling home for data - goes through a single API surface. The generated code never holds a credential. The agent never opens a raw connection. It asks, through one narrow waist, and the harness decides.

This is not a new idea. The internet scaled because everything squeezes through IP. The browser figured out how to run hostile code from strangers - not by trusting the code, but by giving it exactly one guarded way to touch the world. Same thing here: the model can be brilliant, erratic, or manipulated… it doesn't matter, because the set of things it can physically do is small and enumerated.

And it's more literal than it sounds. In our platform, drafting an email goes through the same endpoint as creating a dashboard. Both are one create operation - a request to create a model of a certain type, with the same scope checks and the same audit log. The agent doesn't get an email tool, a dashboard tool, a report tool… it gets one verb, and because everything runs through the same surface, we control exactly what the nouns can be.

Reading works the same way. No connector per system. A minimal set of query tools reaches the core system, the integrated systems, the databases - all behind the same waist, all with the same injected scope. Adding an integration doesn't add a new hand. The hands stay the same; the world behind them grows.

the model (infinitely capable) create read update delete core system integrated systems external data shares emails dashboards everything else… one surface (same scope checks on every call)
fig. 1 - the narrow waist

The part that matters most is where the context lives. Tenant scope, session, permissions - the model doesn't choose any of it. The harness injects it on every call. The model cannot cross a customer boundary. Not because a prompt says so, but because the request cannot be expressed. Policy says "do not leak data." Physics says the pipe does not exist.

Alignment is what you hope for. Capability scoping is what you deploy.

Fewer Tools, More Power

An agent with two hundred tools and open network access gets a sandbox, a babysitter, and a pilot that dies in security review. An agent with nine narrowly-scoped tools behind one surface can be handed production write access - because every one of those nine is an answered security question. Every tool you remove from an agent is a paragraph you remove from the security questionnaire.

Security reviews don't fail because systems are dangerous. They fail because nobody can hold the whole capability surface in their head. A small, closed set of actions behind one gateway means a reviewer can build a complete model of the system - and the list of things it cannot do is not a promise, it's an architecture. If you can enumerate it, you can audit it. If you can audit it, you can trust it. If you can trust it, you can delegate to it. And delegation, not capability, is where the value of AI actually lives.

The maximalists have it exactly backwards. "Give the agent everything it might need" is the new chmod 777: works great in the demo, and it's why the deployment never leaves the demo.

The Fear Is Rational. The Answer Is Architectural.

Every enterprise AI deal stalls on the same three questions. Does our data train your model? Can it move data across boundaries? What happens when someone prompt-injects it?

The losing answer is a trust-center page and a SOC 2 badge. The buyer isn't afraid of your people. They're afraid of a system that reads untrusted input, touches private data, and has a channel to the outside world. That combination is the whole anatomy of an AI leak - and it takes all three. The narrow waist exists to make sure they never end up in the same place.

The winning answer is a diagram. Here's the one surface everything goes through. Here's the complete list of actions the model can take. Here's why exfiltration has no code path. You're not asking anyone to trust your intentions - you're showing them a system they can reason about themselves.

And here's the part most people miss: a harnessed agent is more auditable than a human employee. Every action is a typed, logged, parameterized call - who asked, what tool, what arguments, which tenant. A human clicking around a UI leaves worse forensics. The "scary" AI is the most surveilled worker you've ever hired. One set of hands, every motion on tape.

Trust Is Shown, Not Promised

In the AI era, the security architecture isn't the appendix of the pitch deck. It is the pitch deck. "What can't it do" is the feature list. Partners don't extend trust because you promised to be careful - they extend it because you showed them the cage and they couldn't find a way out either. The strongest position in an enterprise AI sale is inviting the customer's security team to attack the narrow waist. A system built around one surface survives that meeting. A system built around two hundred integrations doesn't attend it.

We argued in August that the cost of creating software is collapsing toward zero. In March, that the margin migrates to operators. Here's the third piece: models are commoditizing fast, and every competitor calls the same frontier APIs. What doesn't commoditize is the harness - the tool schemas, the tenant isolation, the injected context, the audit trail. That layer is earned customer by customer, and it compounds.

You don't buy the model. You buy the harness.

The safest AI is not the one that refuses. It's the one that can't. And in the enterprise, the AI that can't do most things is the only one that will ever be allowed to do the things that matter.