DLN.

Secure AI agents you actually own.

I implement secure AI agents inside your company. You stay in control of the models, permissions, API keys, files, and memory.

Damian Le Nouaille

Why am I qualified?

I'm Damian. 15 years shipping production code. Daily-driver of Claude Code, Codex, and self-hosted agents. Eight hours a week on technical survey to stay at the forefront of what's possible with AI. I build secure Nanoclaw servers - a hardened, Docker-isolated alternative to OpenClaw - for companies that can't afford a credential leak or a vendor outage.

The lock-in trap

Pick one provider today, start over tomorrow.

Pick Claude, Gemini, or ChatGPT - and you commit the core of your company to that ecosystem. When the price doubles or your data policy changes, you start from zero.

Most companies are about to outsource the most strategic part of their operations to a single vendor - and they don't even know it yet.

Lock-in is just the headline. Four quieter problems are corroding the AI projects I see today.

01. Confidential data leaves the building.

Every prompt your team types goes to a third party - customer names, contract terms, salaries, unreleased products. The "we don't train on your data" line in the ToS won't protect you the day a sub-processor is compromised.

02. API keys nobody can rotate.

Keys hardcoded in scripts, pasted in Notion, dropped on Slack DMs. The day a developer leaves or a provider forces a rotation, nobody has an inventory of where the keys live. Rotation becomes a multi-day archaeology project.

03. No idea who has access to what.

Agents and humans read and write the same data. Without a permission model that treats agents as first-class actors, one rogue prompt can wipe customer records, send a thousand wrong emails, or expose internal pricing.

04. No memory, no audit trail.

When something goes wrong, you can't replay what the agent did. When something works, you can't capture the lesson. You are running production AI without a black box recorder.

The whole point

Flexibility is the new speed.

The company that wins the next decade of AI is not the one that picked the right vendor in 2026. It is the one that can swap any piece - model, provider, prompt, agent, workflow - in an afternoon.

Speed is what AI is supposed to buy you. Lock-in is what kills it. The teams shipping fastest aren't the ones with the best contract - they're the ones who change their mind every quarter and have the next model running on the same agents by Friday.

It is better to maintain a simple, owned infrastructure every week than to depend on a black box you can't audit, can't move, and can't unplug.

The work itself

What the agents actually do.

This is what your team actually sees - in Slack, Linear, the inbox - quietly doing the work nobody wants to do twice. Below are the six I deploy most often. Yours will be different.

The lead enrichment agent.

A messy CRM row in. The agent enriches it, drafts a personalized opener in your voice, and queues it in Slack for a rep to approve. Four hundred half-warm leads a week become four hundred clean rows and four hundred drafts.

The ticket triage agent.

A ticket lands. The agent classifies it, pulls relevant past tickets and docs, and drafts a reply. Easy ones go to human review, hard ones get escalated with context attached. First-response time drops by a factor your support lead feels.

The content review agent.

A draft lands in Slack. The agent checks it against your brand voice, claims library, and legal redlines, then returns one annotated version with risky lines flagged. Three-day review cycles compress into an hour, with human sign-off intact.

The contract redline agent.

An NDA, MSA, or vendor contract arrives. The agent compares it to your playbook, flags deviating clauses, suggests redlines in your firm's wording, and summarizes it on one page. Legal stops being the bottleneck on every six-figure deal stuck in someone's inbox.

The meeting prep agent.

Tomorrow's calendar at 7am. For every external meeting, a one-page brief: who is in the room, recent CRM and inbox activity, open threads, three questions worth asking. Walking in unprepared stops being a question of willpower.

The bug-to-PR agent.

A Sentry alert lands. The agent reproduces the error, writes a fix on a branch, adds a regression test, and opens a draft PR. A human still merges - the diagnosis and boilerplate are gone before standup.

The compounding part

Your company's brain in plain markdown.

Almost nobody selling AI talks about this. The agents are the visible part. The part that compounds is what your team teaches them - and that knowledge has to live somewhere your company actually owns, not in some vendor's vector database.

Skills your team writes once. Every agent uses them forever.

A skill is a short markdown file that teaches an agent one thing the way your company does it - how to write a customer reply, structure a contract review, triage a Sentry alert. Anyone can write one. Anyone can edit one. New agents inherit them on day one, so your second hire and your tenth agent are both productive faster than the first.

A wiki per team, kept up to date by the agents themselves.

Every decision an agent makes - and every correction your team gives it - gets written back into a markdown wiki the team owns. Legal has its own. Finance has its own. Sales has its own. Confidential information stays inside its team's perimeter; agents in other teams can't even see it exists. The wiki gets smarter every week, on its own, in a format you could open in TextEdit ten years from now.

Most AI products treat your company's knowledge as something they store for you. This treats it as something you own - in files, in git, inside your perimeter. The day you switch a piece of the stack, the brain comes with you.

What you get

A Company OS you can keep extending.

Standard, open-source pieces. Nothing you can't read, audit, fork, or replace. A foundation your team can build on every week, not a black box they renew every year.

Provider-neutral by design.

Start with Claude or GPT today. Switch to a local Llama tomorrow. Same agents, same prompts, same workflows. The provider sits behind a thin adapter - the day you want to move, you move.

Local models, when you need them.

For confidential workflows - legal, HR, finance, R&D - open models run on hardware you control. The prompt never leaves the building. GDPR-friendly by construction, not by checkbox.

A credential proxy your agents talk to.

Agents never see raw API keys. A central proxy injects them per request, per agent, per scope. When a key has to rotate, you rotate it in one place. No grep across a hundred repos.

Permissions for humans and agents, in one model.

An agent is a first-class actor with an identity, a scope, and a tool allowlist. The same policy that says "Marketing can read the CRM but not export it" applies to the agent Marketing spun up. No more "the AI did it" as an excuse.

Rate limits and a real kill switch.

Cap API spend per agent, per day, per task. When something misbehaves, one command unplugs it before it floods Stripe with refunds or sends ten thousand wrong emails.

Full audit logs, replayable.

Every prompt, tool call, and output is logged. When something breaks, you replay it. When something works, you extract the recipe and scale it. That is how "AI experiments" become a repeatable engineering discipline.

Memory in plain markdown, tracked in git.

Decisions, conventions, and hard-earned lessons live as markdown files in a git repo. Diffable, reviewable, portable. If the AI vendor disappears tomorrow, your context doesn't.

A safe place for employees to build.

A sandbox where your team spins up agents, tries ideas, and breaks things - without risking production data or burning the API budget. The people who care about AI need a playground. This is theirs.

For the engineer in the room

If you're the CEO, the pitch above is the whole pitch. From here down is for your CTO or security lead - architecture, security model, and the objections they will raise when this hits their Slack.

Security, layered

Eight layers. Eight questions answered.

Most "AI security" reviews stop at "encrypted storage, SOC-2 vendor" - two of the eight places an agent can leak, escape, or be tricked. One question per layer, one tool per layer. If a proposed change bypasses another layer, it's wrong.

01. Storage

Where do secrets live? In a single vault your team trusts, not scattered across .env files and Notion pages.

02. Distribution

How do credentials reach a running agent without sitting on disk in plaintext? A signed pull at the moment of use, not a copy-paste into a CI variable.

03. Runtime injection

How does a key reach an outbound request without the agent seeing the bytes? A local HTTPS proxy adds the secret and strips it from logs.

04. Firewall

Which hosts can the agent reach? Default-deny, with a small per-agent allowlist. A prompt-injected agent is useless to an attacker if it can't phone home.

05. Filesystem permissions

Can the agent read .env files or SSH keys? No. The container only sees the directories it was given - the rest is invisible at the kernel level, not by politeness.

06. Sandbox isolation

If an agent is compromised, can it escape its container? Each one runs in a hardened Docker box with capabilities dropped, no privilege escalation, and a seccomp profile. One agent's compromise doesn't become the company's.

07. Capability tokens

What about access the agent legitimately has, but is tricked into misusing? Thin per-service proxies enforce business rules: "refund up to 100 EUR" or "email customers but never delete them." The credential is fine; the operation is bounded.

08. Audit and tripwires

When something goes wrong, will you know? Every proxy call is logged with agent identity, destination, and outcome. A first-time host or a rate spike fires an alert before anyone reads the post-mortem.

Most discussions cover layers 1 to 3 and stop. Layers 4 to 8 are where prompt-injection-resistant design actually lives. That is the difference between "we trust the vendor" and "we built the perimeter ourselves."

Questions you might have

The objections people actually raise.

"Isn't this just LangChain, CrewAI, or the framework of the week?"

Those are SDKs that help you call a model with tools. They don't give you a credential proxy, a permission model, an audit trail, a kill switch, or vendor neutrality. Use LangChain inside the spine if you want - the choices that matter when an agent goes wrong are not solved by any framework.

"We already pay for ChatGPT Enterprise or Claude Enterprise."

Good - that's one provider with a stricter data contract. The Company OS is the layer above: the agents themselves, who can run them, what they did last week, how to swap the provider next year. ChatGPT Enterprise tells you what one chat said. The Company OS shows what every agent did, who approved it, and how to reproduce it.

"What about GDPR, SOC-2, or our compliance team?"

Built for it. Confidential workflows stay on-prem with local models. Every agent call is logged and replayable - half of any audit. I am not a lawyer, but your lawyer gets a system they can point at.

"What happens when you leave?"

You own everything: code, prompts, credentials, runbooks, audit logs. Docs are written during the engagement, not after. Your team is trained on the system while we work, not handed a binder at the end. Any competent engineer can pick it up - including one who isn't me.

"We don't have engineering bandwidth to maintain this."

Less than you think. Agents are small, dependencies are boring, maintenance is mostly "review what the agents did" and "keep packages up to date." 10 to 20 percent of one engineer covers a typical Company OS at fifty employees. If you have less than that, we scope smaller. Doing zero is the worst answer, because your competitors aren't.

How we work together

Three ways to start. All end with you in control.

Paid audit

- 1 hour, credited if we move forward.

A live walkthrough of your AI footprint - where prompts go, who holds which keys, what GDPR and SOC-2 risks are running today - plus a short Nanoclaw demo in Slack. You leave with a one-page summary. Fee credited if you book a Quickstart or full engagement after.

Quickstart

- 4 to 8 days.

One isolated agent server. Two or three agents wired into Slack or Teams, doing real work by end of week. Credential proxy, permission model, kill switch in place from day one. A working spine you can extend yourself, not a slide deck.

Full engagement

- 4 to 8 weeks.

Audit, defendable roadmap, deployed agent fleet tied to real workflows, training for the engineers who own it after I leave, direct Slack access throughout. You exit with a Company OS your team can extend and can replace any piece of - including me.

Own your agents before someone else owns you.

Start with a 15-minute call. I'll show you a real agent fleet running locally - no slides, no abstract diagrams, just the actual code and config you'd own at the end.

Damian Le Nouaille
Email me
Reply within 24 hours.
Or book a call
15 minutes. Find a time.