惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

H
Heimdal Security Blog
P
Privacy International News Feed
S
Schneier on Security
P
Proofpoint News Feed
L
Lohrmann on Cybersecurity
Spread Privacy
Spread Privacy
P
Privacy & Cybersecurity Law Blog
D
Darknet – Hacking Tools, Hacker News & Cyber Security
Scott Helme
Scott Helme
K
Kaspersky official blog
大猫的无限游戏
大猫的无限游戏
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
aimingoo的专栏
aimingoo的专栏
Simon Willison's Weblog
Simon Willison's Weblog
S
Securelist
Help Net Security
Help Net Security
B
Blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More
Security Archives - TechRepublic
Security Archives - TechRepublic
云风的 BLOG
云风的 BLOG
The GitHub Blog
The GitHub Blog
N
News and Events Feed by Topic
Hacker News: Ask HN
Hacker News: Ask HN
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
M
MIT News - Artificial intelligence
雷峰网
雷峰网
博客园 - 司徒正美
V
V2EX
AWS News Blog
AWS News Blog
Know Your Adversary
Know Your Adversary
N
News | PayPal Newsroom
T
Tor Project blog
Cisco Talos Blog
Cisco Talos Blog
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
PCI Perspectives
PCI Perspectives
Google DeepMind News
Google DeepMind News
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
U
Unit 42
C
Cybersecurity and Infrastructure Security Agency CISA
P
Palo Alto Networks Blog
G
Google Developers Blog
T
Threat Research - Cisco Blogs
博客园 - Franky
I
InfoQ
D
DataBreaches.Net
爱范儿
爱范儿
Y
Y Combinator Blog
博客园 - 叶小钗
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
5 Things That Go Horribly Wrong When You Run AI Agents Without a Gateway (And How to Stop the Bleeding)
Athreya aka · 2026-05-12 · via DEV Community

Running one AI agent? Cute.

Running ten? Now we're talking.

Running fifty agents in production with no gateway, no governance, and a Slack channel called #agents-prod that nobody reads? That's how you end up on a Monday morning call explaining to your CFO why the LLM bill went from $4K to $61K over the weekend, and why nobody noticed until accounting flagged it.

I've watched this movie too many times.

The plot is always the same. Someone reads about agentic AI on a Tuesday, ships a proof of concept by Friday, and a quarter later there are agents scattered across seven repos, talking to each other through MCP servers nobody documented, with API keys sitting in .env files on three engineers' laptops.

Then something breaks. It's never small.

Here are the five most common ways this goes sideways, and what actually fixes each one.

Failure #1: The Infinite Agent Loop That Ate Your Budget

You build Agent A. It's helpful. It can ask Agent B for help when stuck.

Agent B is also helpful. It can ask Agent C for help when stuck.

Agent C, naturally, is helpful too. And when stuck, it asks Agent A.

You see where this is going.

The loop kicks off on Friday afternoon. Nobody set delegation depth limits. Nobody set per-agent budget caps.

The agents politely call each other 38,000 times over the weekend, each call costing pennies that quickly become dollars that quickly become "please come to a meeting on Monday at 8 AM."

Spider-Man pointing at Spider-Man pointing at Spider-Man. Labels:

What would have stopped this

A gateway sitting between your agents and the model providers, enforcing two things:

  1. Hard delegation depth limits (Agent X cannot trigger more than N hops of downstream calls)
  2. Per-agent token and dollar caps (Agent X gets $50/day, period. When it hits the cap, it stops)

Tools that help

  • TrueFoundry — This is what their gateway was built for. Per-agent budgets in the dashboard, enforced at the request level, with a centralized cost view showing the entire delegation chain. The loop gets killed before it costs you a steak dinner, let alone a mortgage payment.
  • Helicone — Excellent observability. You'll see the spike beautifully in real-time dashboards. You will not prevent it. Smoke alarm, not sprinkler system.
  • Langfuse — Similar story. Great traces, helpful for the post-mortem. Not built to enforce budget ceilings.

Failure #2: The Helpful Little Chatbot That Knew Everyone's Salary

A product team builds an internal Q&A bot.

To make it useful, they wire it to the company database via an MCP server.

Scoping permissions tightly seems annoying ("we'll fix it later"), so the agent gets broad read access.

Three months later, someone in marketing casually asks the bot, "hey, what does Marcus in engineering make?"

It tells them.

Cheerfully.

With confidence.

This is not hypothetical. Some version of this has happened at companies you've heard of, and the cleanup involves words like "disclosure," "remediation," and "we'll need to loop in legal."

What would have stopped this

Two things working together:

  1. An agent registry — every agent in the org is registered, owned, documented, and discoverable. No more "wait, who deployed that?"
  2. An MCP gateway with tool-level RBAC — agents don't get blanket database access. They get permission to call specific tools, with specific arguments, scoped to specific data.

Tools that help

  • TrueFoundry — Agent registry and MCP gateway in one control plane. You can see every agent, who owns it, what tools it can call, and what data those tools can touch. CISOs love it because for once, the answer to "what AI is running in our environment?" isn't a shrug.
  • Obot AI — Decent MCP registry with access controls for which servers can be installed. Solves part of the problem (server-level), not all of it (tool-level RBAC, agent-level inventory).
  • MCPJungle — Useful for MCP server discovery and aggregation. Doesn't enforce access controls. Knowing your agents exist isn't the same as governing them.

Failure #3: The Day Your Provider Sneezed and Your Whole Product Caught a Cold

It's 2:14 PM on a Tuesday. Anthropic has an incident. (Or OpenAI. Or Google. Pick your poison.) Their status page goes yellow.

Every agent you've built depends on a single provider.

All of them go down at once. Customer support workflows stop. The internal coding assistant stops.

Your fancy demo for the board next week? Hope they like 503 errors.

That guy sweating over two buttons. Buttons:

What would have stopped this

A gateway that abstracts the provider layer.

Your agents don't call Anthropic, they call your gateway. The gateway calls Anthropic by default, and falls back to GPT or Gemini automatically when Anthropic is having a moment.

Tools that help

  • TrueFoundry AI Gateway — Automatic cross-provider failover with single-digit-millisecond overhead. When the primary provider hiccups, requests reroute before your monitoring even pages someone. Several teams I've talked to said this feature alone justified the whole platform.
  • OpenRouter — Solid managed multi-model access, some failover. It's a hosted service with a markup though, no self-hosting story, and not really built for governance at the enterprise level.
  • LiteLLM — Open-source proxy that handles multi-provider routing. Decent for smaller setups, requires more elbow grease for production governance.

Failure #4: The Audit Question That Took Three Weeks to Answer

An internal auditor sends a polite email:

"Could you provide a list of all AI agents currently deployed in the organization, the data each one has access to, and the complete activity log for the customer-facing chatbot between March 8 and March 15?"

If you have a gateway: you export a CSV in five minutes.

If you don't: agents live in eight different teams' repos, MCP connections are scattered across three cloud accounts, logging is "yeah I think Datadog has some of it?" and you're now looking at three weeks of forensic archaeology.

It's been 84 years…

What would have stopped this

A unified gateway that acts as the single chokepoint for every agent action. Every LLM call, every tool invocation, every MCP request — logged centrally, queryable, exportable.

Tools that help

  • TrueFoundry — SOC 2, HIPAA, ITAR-aligned. Centralized logs across LLM calls and MCP tool use. VPC deployment for data residency requirements. The "compile the audit report" task goes from "block out the calendar for a month" to "I'll have it after lunch."
  • Datadog / Splunk — You can absolutely build this yourself if you have the time, budget, and a small army. Most teams don't.
  • Docker MCP Gateway — Container isolation gives you some security boundaries. Audit logs and RBAC aren't really its thing.

Failure #5: The Customer Service Agent That Decided to Just… Send the Emails

The agent's job: draft email replies for a human to review and send.

Somebody updates the system prompt to "improve tone" and accidentally deletes the line that says "draft only — never send."

The agent, very politely, starts sending emails. Directly. To customers.

By the time anyone notices, 217 customers have received confidently incorrect information about their account balances. The CS team's morning standup becomes the CS team's afternoon all-hands. Legal joins.

[MEME PLACEHOLDER: "Press X to doubt" but X is replaced with the send button. Caption: "Are you sure you want to send to 12,000 recipients?"]

What would have stopped this

The lesson here is subtle and important: prompts are not security boundaries. Anything you encode as "the agent shouldn't do X" lives one careless edit away from disaster.

The fix is to enforce critical constraints outside the agent, at the gateway level, where prompt edits can't reach.

  • Sending emails requires human approval (gateway-enforced, not prompt-enforced)
  • Modifying customer records requires human approval
  • Anything that touches money requires two approvals

If the agent's prompt says "send the email," the gateway says "no, you may draft. A human approves before sending." Done.

Tools that help

  • TrueFoundry — Action-level guardrails and policy enforcement at the gateway. Policies live in infrastructure, not in prompts. An engineer accidentally pasting over the system prompt can't accidentally remove the "human approval required" rule, because that rule isn't in the prompt to begin with.
  • Operant AI — Behavioral monitoring and threat detection. Useful for catching the rogue behavior. Not a preventive control.
  • Lasso Security — Similar story. Strong on detection, lighter on prevention.

The Cheat Sheet

Failure Mode TrueFoundry Helicone Obot AI OpenRouter Operant AI
Runaway loop / cost blowup ✅ Prevents ⚠️ Detects
Shadow agent with too much access ✅ Prevents ⚠️ Partial
Provider outage takes everything down ✅ Prevents ⚠️ Partial
Audit question, 3-week answer ✅ Prevents ⚠️ Partial
Rogue agent actions ✅ Prevents ⚠️ Detects

So What's the Actual Takeaway?

Every one of these failures has happened, is happening, or is about to happen at companies running agents in production. The pattern doesn't change:

Agents get shipped fast. Governance gets shipped never.

A gateway isn't bureaucracy. It's the wall socket your agents plug into so the building doesn't burn down.

TrueFoundry is the one we keep coming back to because it covers all five of these from a single control plane: gateway, registry, RBAC, observability, failover, guardrails. Other tools solve slices.

Whatever you pick, pick something. And pick it before the LLM bill hits five figures and you're the one writing the post-mortem.