Latent Space

Gavriel Cohen on Why AI Agents Are Never Deploy-and-Forget

Gavriel Cohen, Founder of NanoClaw · ~23 min · English · Latent Space · Agents
TL;DR

NanoClaw's founder argues that autonomous work agents are living infrastructure, not software you ship once: because the model underneath keeps changing and the agent can be hijacked, you build it small and auditable, isolate its credentials, roll it out one person at a time, and maintain it forever.

01 Core Mental Model

Deploy-and-Forget Is a Trap

The instinct to ship an agent and walk away fails because the model it runs on is a moving target, not a fixed dependency.

Agents are different from normal software in that with normal enterprise software, you can deploy it, put it on some server, and let it run for like 5 years, and as long as you never touch it, it just works.

Gavriel Cohen, Latent Space
Key Insight
The distinction is not that agents are unreliable, it's that their foundation is non-stationary. A database or a web service is built on APIs that hold still for years; an agent is built on a model that the labs replace every few months, and each replacement quietly re-tunes its behavior. That makes an agent an operations commitment, not a one-time deploy, and it is the reason NanoClaw's whole company is organized around managing agents over time rather than handing them off.

02 Origin Story

"I Can't Read This Codebase"

NanoClaw exists because the leading open-source agent framework was too large and opaque to trust, so Cohen rebuilt it small enough for outsiders to audit.

I want to make it readable and let other people look at it and validate it.

Gavriel Cohen, Latent Space
Key Insight
Readability is treated here as a security control, not a style preference. Cohen's move is to admit he does not fully trust his own judgment and to convert that into an architecture that many eyes can check, so far without anyone finding a hole in the core approach. It is the open-source security argument applied to agents: a small surface a stranger can read in an afternoon is safer than a large one nobody audits, and it is also what let a viral moment (a Karpathy tweet, a cabinet minister's public setup) turn into adoption instead of a liability.

03 Security Architecture

Assume the Agent Gets Hijacked

The isolation model keeps every credential out of the agent's own environment, so a successful prompt injection has nothing to steal.

So, making sure there are no credentials in the agent's environment, so even if it gets prompt injected, it can't leak credentials, it can't leak API keys.

Gavriel Cohen, Latent Space
Key Insight
This is a concrete answer to the lethal trifecta, the failure mode where an agent has private data, exposure to untrusted input, and a way to send data out. Cohen breaks the chain at the credential: any useful agent will read attacker-controllable input, like the body of a pull request anyone can open, so the design assumes injection will succeed and removes the reward. Requests are proxied through a vault that attaches credentials only when policy allows, and irreversible actions like sending an email wait on a human tapping approve. Containment plus a review gate, rather than a promise that the model won't be fooled.
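As an added illustration of the credential-broker pattern described above (example code written for this page, not NanoClaw's own), this Python sketch models the proxy: the agent's outbound request carries no secret, a per-host policy decides whether a vault entry is attached, and an irreversible action stays pending until a human approves. The vault contents, policy hosts and the `broker` function are all constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample vault. Secrets live only here, never in the agent process,
# so a prompt-injected agent has nothing to leak.
VAULT = {"github": "ghp_PLACEHOLDER_TOKEN", "smtp": "smtp_PLACEHOLDER_SECRET"}

# Policy keyed by destination host: allowed methods, which vault entry to attach,
# and whether the action is irreversible (must wait for a human to tap approve).
POLICY = {
    "api.github.com": {"methods": {"GET"}, "secret": "github"},
    "mail.example.com": {"methods": {"POST"}, "secret": "smtp", "irreversible": True},
}


@dataclass
class AgentRequest:
    method: str
    url: str
    headers: dict = field(default_factory=dict)


@dataclass
class Decision:
    allowed: bool
    reason: str
    pending_approval: bool = False
    headers: dict = field(default_factory=dict)  # outbound headers, secret attached


def broker(req: AgentRequest, approved_by_human: bool = False) -> Decision:
    """Decide whether to forward the agent's bare request, attaching a credential."""
    host = urlparse(req.url).hostname or ""
    rule = POLICY.get(host)
    if rule is None:
        # An injected "send this somewhere else" request dies here: no policy, no secret.
        return Decision(False, f"host {host!r} not in policy")
    if req.method not in rule["methods"]:
        return Decision(False, f"{req.method} not permitted for {host}")
    if any(k.lower() == "authorization" for k in req.headers):
        # The agent should never hold a credential; one appearing is itself a signal.
        return Decision(False, "agent-supplied Authorization header rejected")
    if rule.get("irreversible") and not approved_by_human:
        return Decision(False, "awaiting human approval", pending_approval=True)
    out = dict(req.headers)
    out["Authorization"] = f"Bearer {VAULT[rule['secret']]}"
    return Decision(True, "credential attached by broker", headers=out)
```

The agent only ever builds `AgentRequest` objects; the broker is the single place a secret is read, so the review gate and the policy can be audited without reading the agent at all.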

04 Engineering Discipline

Buy the Boring Parts

Cohen shrank the attack surface by composing off-the-shelf components instead of hand-building session management, compaction, and messaging.

Pi is really minimal. Instead, we use Agent SDK, which comes with a lot of that stuff out of the box.

Gavriel Cohen, Latent Space
Key Insight
Every hand-written subsystem is code you have to secure, so Cohen treats dependency choice as threat-model surface area. Reaching for the Agent SDK instead of building session management and compaction, and for Vercel's Chat SDK instead of wiring each messaging app, is not laziness, it is deleting the lines of code most likely to hide a bug. Supporting a single model and a single agent at launch is the same logic pushed further: ship the smallest thing that can be reasoned about, then grow it only where the audit holds.

05 Use Case

Stop Waiting for Finished Work

The reliable win today is a second brain that ingests your information and answers across it, not an agent you hand a task and abandon.

And initially, one of the biggest mistakes that people make is that they just want to throw something in an agent and then walk away and expect to get a finished result at the end.

Gavriel Cohen, Latent Space
Key Insight
Cohen is quietly rejecting pure vector retrieval for personal assistants. A question like "which of my projects matters most this week?" has no passage to retrieve, because the answer has to be composed from a timeline, a project list, and a log of calls scattered across files. An LLM wiki, a maintained set of markdown notes the agent reads and rewrites, supports that kind of synthesis in a way semantic search does not. The lower-expectation framing, feed it and let it accumulate rather than demand a finished deliverable, is also what makes the agent tolerable while the model underneath keeps shifting.

06 Go-To-Market

Nobody Wants to Be the IT Guy

Executives build powerful personal agent setups, then hit a wall trying to give the same thing to their teams without becoming full-time agent support.

I want to roll this out to everybody in my team. But I don't want to become the IT guy who's now like fixing their agents and debugging the memory issues.

Gavriel Cohen, Latent Space
Key Insight
The bottleneck for enterprise agents is not the model, it is the missing AI-engineering layer between a company's existing teams and a fast-moving agent stack. Cohen's read is that adoption starts one agent per person, because learning what agents are good at, how to prompt them, and how to manage a context window is a real skill curve. Firms already have strong devops and security people; what they lack is someone who can wire an agent to their credential vault and observability and then keep it current as the models change. That gap, not a shortage of enthusiasm, is the product NanoClaw is selling.

07 Open Problem

Prompt Requests, Not Pull Requests

Coding agents made opening a pull request nearly free, so the real bottleneck in open source has shifted from writing code to triaging it.

it's an arms race where coding agents have just made it exponentially easier for people to open pull requests.

Gavriel Cohen, Latent Space
Key Insight
When generating a plausible pull request costs almost nothing, review becomes the scarce resource, and a project can drown in contributions it cannot verify are aligned. The proposed fix reframes the unit of contribution: no more pull requests, only prompt requests, meaning send your use case and intent rather than code. Incoming bugs and features land in a wiki that acts as a buffer, and developers pull from it and push context back on each commit. It is the same second-brain pattern from earlier, aimed at a codebase instead of a person: accumulate intent as living memory, then synthesize the actual change from it.