A Week In AI: Issue #4
The Settling Phase
I picked up an open source project this week that I haven’t touched in four or five months, Agentic AI The Hard Way, and the part that stood out to me wasn’t what I added. It was how little I needed to add.
Agentic sandboxes. Model failover. vLLM & llm-d.
That was it. That was the entire list of “new stuff” that had emerged in the 4 months since I worked on it. For a space that everyone keeps describing as moving at impossible speed, that’s an interestingly short list. It got me thinking… is the agentic AI world actually settling?
I believe a nice chunk of it is, and that’s a good thing. A lot of the “new stuff” that has been coming out is either how to interact with AI (e.g. kagent with NemoClaw and OpenShell), what tools/platforms are built with AI (e.g. Anthropic’s weekly tool/new platform drop), or new Models.
We got used to AI moving so fast that we forgot what most technology cycles actually look like. The way this usually goes is that the foundational ideas get worked out in a flurry, and then the industry spends years figuring out how to operationalize them. We had the flurry. It ran from late 2022 through 2024 and into 2025. And during that flurry, the big ideas (Models, Agents, MCP, tool use, Gateways, sandboxes, multi-agent patterns) got more or less hammered out. The shape of “what runs in production”, or rather, “how the thing is going to run in production”, became visible.
What’s happening now isn’t another flurry. It’s the operational phase.
The cleanest signal that we’ve crossed into operational territory came later in the week, when I sat down and wrote a CI/CD pipeline via GitHub Actions for deploying Agents, configuring Gateways, and managing the registry layer. I hadn’t written a CI/CD pipeline in months because I’d been heads-down trying to figure out where the “new stuff” fits. Now? Organizations know they need AI. The question has shifted entirely. It’s not “should we adopt this,” it’s “how do we get this into the existing pipelines, the existing IdP, the existing observability stack, the existing internal process.”
You can see the same pattern even inside security conversations. Instead of only “how do we secure AI”, organizations are now thinking about how to integrate AI into their current security procedures and protocols. That’s not a less serious question, it’s a more practical one. The move from existential to integrative is one of the most reliable signs that a technology is maturing.
If you’ve been in cloud-native long enough, this should feel familiar. It’s the same arc Kubernetes went through. First, the big-ideas era, then the era of “okay, but how do I run this in my organization with my auth, pipelines, and security team.” The second era is less glamorous and significantly more valuable.
That’s where we are with agentic AI right now. It’s a good place to be.
A Question Worth Sitting With
One thing that came up this week that I’m still thinking through: what about the case where there’s no MCP Server in the picture at all?
Most security conversations around Agents assume MCP is in the path. Prompt guards, tool selection policies, traffic rules, all of it gets discussed in the context of MCP traffic. But spin up Claude Code or Codex and look at what’s actually happening. You’re hitting CLI tools, those CLI tools are hitting APIs, and the calls are authorized by your credentials. There’s no MCP Server. There’s just an Agent calling APIs directly the same way you would.
So what happens when your production Agent does the same thing? Can that be locked down? Where does the Gateway sit? What’s the unit of policy enforcement when the “tool” is just a credentialed API call?
I think the industry’s mental model has gotten a little MCP-centric, and the answer for direct-API Agents is going to matter more than people are giving it credit for. It’s definitely a topic worth diving into because before MCP, the “tools” Agents would hit were APIs. A big reason why there’s been so much adoption around MCP is that it gives you a spec/schema to secure.
More next week.
Michael
