Silmaril CTO Weekly

Good morning, Eduardo. It is Monday, June 1. Here is the cleanest read on last week, May 25 through May 31, Pacific time, written for how you actually have to build. In the bulletin: a cluster of new papers is trying to give agent execution a real vocabulary, down at the level of observe, score, act and audit. NIST is changing the shape of vulnerability data again, which is a quiet reminder that our “system of record” for software risk is still under strain. And on the commercial side, the control layer for agents is getting productized in timeouts, rate limits, and runtime guardrails you can turn on, rather than in abstract policy decks. Segment 1: The runtime is becoming a product surface Two arXiv papers landed this week that feel like they were written from the same bruises. One argues for inserting a dedicated agent runtime layer between agent frameworks and serving engines, with a small set of primitives that any policy can plug into: observe, score, predict, act (preprint). The verbs are a convenience. The recognition is that “policy” keeps getting bolted onto whichever layer happens to be nearby, and the seams keep tearing when systems scale. Another paper is even more explicit about enterprise reality. It proposes an organization-scoped agent runtime architecture for regulated cybersecurity operations, with typed security context created at entry points, governed tool adapters into SIEM and XDR systems, human gates, and append-only audit (preprint). You can disagree with the design and still take the lesson. The compliance boundary sits outside the model. It lives in the execution path that produces an action in a real system. That same boundary showed up in a much more prosaic form in Splunk’s MCP Server release notes (product documentation). Version 1.2.0 shipped a telemetry dashboard for how MCP tools consume compute, made “run saved search” and rate limiting generally available, and surfaced guardrails like configurable timeouts for cloud admins. This is a vendor saying, in plain terms, that agent connectors are not just integrations. They are a controlled interface to operational data, and the knobs people will need are the same knobs we already use for anything that can run arbitrary queries. For Silmaril, this is a good week to re-check your own surface area map. Where do you already have a runtime seam that deserves to be first-class? Three concrete questions worth keeping close in product conversations: First, what is the unit of policy in your system. If a customer is buying “agent governance,” are they really buying a model filter, or are they buying constraints on a specific tool call, on a specific resource, with a recorded justification they can replay. Second, what is the unit of identity. If you have more than one agent, or one agent with multiple skills, can you attribute every action to an identity that survives retries, replays, and handoffs. Third, what is the unit of audit. If a customer asks, “why did you allow this,” can you give them a single trace that includes input, context, intermediate decision points, and the exact action taken, without hand-waving about probabilistic behavior. Segment 2: Trust is being measured in smaller, more useful units Two other papers from Friday are worth your time because they both cut against a lazy instinct: treating “agent quality” as a single scalar. One paper asks a deceptively simple question: how much does a model’s uncertainty behavior look like human uncertainty, and how does it show up in activations (preprint). Calibration work has often been framed as “make the confidence match the accuracy.” This paper pushes on alignment: does the model act uncertain in the same places a person would, or does it just learn a confidence style. The other paper is narrower and more operational. It studies skill documents as procedural knowledge provided to agents at inference time and tests whether presentation granularity matters (preprint). In their setup, skill availability is the big lever; formatting details move the needle less and inconsistently. That is an empirical argument for focusing your product energy on availability, provenance, and routing, rather than spending cycles on making every skill doc feel like literary craftsmanship. Put those two together and you get a clean product instinct for this week: break trust down. In customer language, “trust the agent” is too large. It turns into a debate about vibes. “Trust this action, in this context, because the system can show you the record” is smaller, and it closes procurement loops. The calibration paper is a reminder that confidence cues are often learned behaviors. The skills paper is a reminder that the most important thing is whether the right guidance is available at all, and whether the system can reliably choose it when it matters. This is also where the market conversation around “governance” gets real. A governance platform that cannot point to the specific artifacts used during execution will end up being a reporting layer. A governance platform that can show provenance at the moment of action becomes part of the runtime itself. Segment 3: Guard models are starting to look like systems, not filters EvoDefense proposes a co-evolving attack and defense loop for black-box settings, using a guard model plus an “experience memory” that accumulates defense knowledge from prior interactions (preprint). The authors emphasize generalization across attacks and target models without retraining, which is the right ambition. But read this with a builder’s caution: any defense that learns from interactions has to answer two uncomfortable questions. The first is poisoning. If your defense changes based on what it sees, you have created a learning channel that attackers can attempt to shape. A guardrail that gets “smarter” over time is also a guardrail that can be nudged, and you will need a story about how that learning is constrained, reviewed, versioned, and rolled back. The second is explainability under pressure. When a guard model blocks an action, you need a reason that a human can accept quickly. Otherwise the guard becomes an operational nuisance and gets bypassed. “The model said no” is never going to be an acceptable control surface for a mature customer. This is where your advantage can be structural. Silmaril’s best competitive posture is to assume the guard will be imperfect and ship the governance around it: decision plus reason plus trace plus the ability to replay. The reason this matters right now is that the rest of the ecosystem is normalizing adaptive systems. It is getting easier to build a guard model and ship it. It is still hard to ship the boring parts that make it trustworthy in production. Segment 4: Vulnerability volume keeps rising, so patching is becoming a cadence problem Three advisories from this week make the same operational point from different angles. Jenkins shipped a security advisory covering multiple issues in LDAP-related plugins, including SSRF and deserialization vulnerabilities (security advisory). If your world includes CI and build automation, this is the kind of supply-chain-adjacent surface that gets overlooked because it lives inside “internal tooling,” until it doesn’t. Debian published a Linux kernel security update for a local privilege escalation CVE (security advisory). These are the classic problems that never go away. Local escalation is less dramatic than remote code execution, and it is still what turns a foothold into control in real environments. Oracle introduced a new monthly Critical Security Patch Update stream and shipped the first one on May 28 (vendor security advisory). Whatever you think of Oracle’s product ecosystem, the meta move is worth noticing. Large vendors are making patching more frequent because they are accepting that quarterly is too slow for the pace of discovery. Now connect that to NIST’s May 28 update: the NVD is going to include SSVC and “affected” data in its feeds and API results starting mid-June (government site update). That sounds like plumbing, but it is a signal that vulnerability management is shifting from “one universal score” toward “multiple stakeholder decision aids,” and that the raw records are being enriched with more structured data. This is the week’s unglamorous through-line. Capability gains and discovery gains are putting pressure on the same human bottleneck: triage and operational response. For you, I would translate that into two immediate operating moves. First, make sure Silmaril’s story about “policy” includes patch velocity and rollback. Customers do not just want a model to decide. They want to know what happens when the decision logic itself needs to change quickly, and safely. Second, treat vulnerability metadata as an input stream that will keep changing. If your product depends on CVE feeds, treat that dependency like an API contract you monitor. When NVD changes what it publishes, or how much it publishes, that will show up downstream as alert volume spikes and broken assumptions. A mature system expects that and has backpressure. Segment 5: Startups are selling the control layer, not the model Two startup announcements from this week rhyme in a way that should sharpen your competitive read. Geordie announced a $30 million Series A and framed the market in one sentence: enterprises lack the visibility and operational controls to deploy autonomous agents safely at scale (company post). Their write-up is unusually direct about where the risk lives: between instruction and output, in the decisions that happen during execution. Even if you discount the marketing, that is an accurate diagnosis of the buyer pain. RunSybil published a funding announcement that positions offensive security as a runtime problem too: black-box exploration, authentication boundary probing, chained vulnerability discovery, and live validation (press release). They are trying to industrialize the part of security that still relies on a small number of people with good intuition and a lot of time. And SAFE shipped an AI security posture management product that promises unified visibility into AI exposure across common AI platforms, plus an “agentic workflow engine” to operationalize the work (press release). This is a different wedge, more governance and risk management than runtime enforcement, but it points at the same organizational truth. As soon as “AI usage” becomes normal in an enterprise, someone is going to be asked for the inventory: what tools exist, what they touch, and what the exposure looks like this week, not last quarter. The competitive read is simple. The market is converging on a control layer for agents. Some entrants are coming from governance. Some are coming from offensive testing. Some are coming from SIEM and telemetry. The common question they are all circling is the one you can keep turning into product: what exactly did the agent do, and who can prove it. Operating close: what I would do this week One, take the runtime-layer papers seriously as a design prompt. Make sure Silmaril’s internal architecture has a clear place where policy, identity, and audit live, separate from the model and separate from the tool implementation. Two, keep “trust” small. Bias toward checkable actions, replayable traces, and provenance for any guidance that shaped a decision. It is the difference between a dashboard and a system. Three, assume patch cadence keeps tightening. Build for frequent updates without drama: versioning, rollback, and backpressure are features, not chores. Four, keep a tight competitor watch on the control layer. When a startup pitch says “govern agents,” translate it into which controls they actually ship: timeouts, rate limits, scoped credentials, runtime gates, and audit trails. That translation is where your differentiation becomes concrete. Sources https://arxiv.org/abs/2605.27744 https://arxiv.org/abs/2605.30604 https://help.splunk.com/en/splunk-enterprise/mcp-server-for-splunk-platform/1.2/mcp-server-release-notes https://arxiv.org/abs/2605.30675 https://arxiv.org/abs/2605.31408 https://arxiv.org/abs/2605.31140 https://www.jenkins.io/security/advisory/2026-05-27/ https://lists.debian.org/debian-security-announce/2026/msg00216.html https://www.oracle.com/security-alerts/cspumay2026.html https://www.nist.gov/itl/nvd https://arxiv.org/abs/2605.30963 https://arxiv.org/abs/2605.25653 https://www.geordie.ai/resources/geordie-ai-raises-30m-series-a-as-enterprises-race-to-govern-autonomous-ai-agents/ https://www.runsybil.com/post/runsybil-raises-40m-to-build-the-ai-native-platform-for-offensive-security https://safe.security/resources/press-release/safe-launches-ai-security-posture-management/