Discussion about this post

User's avatar
Michael Lopez Chiesa's avatar

Useful walk-through, and the "what was missing, what landed, what's at parity" frame is the right way to read 460 sessions. The thread I'd surface: the consequential launches aren't the models, they're the isolation and governance primitives, and they answer a problem the rest of the stack creates.

Once you have hosted agents running arbitrary code, managed memory they write to, and MCP/A2A endpoints, failures stop being SRE-shaped and turn trust-boundary-shaped: untrusted execution, write paths into memory, tool calls with authority. So the untrusted-code sandboxes, the least-privilege Execution Containers SDK, and the Gateway logging every tool call are what I'd lead with, defense-in-depth as product. Two boundary questions in that spirit: does memory's "remember/forget" CRUD go through a verification gate or can the agent mutate its own memory freely (unconstrained writes are how persistent memory rots silently), and does Gateway model-fallback flag that it fails over to a different trust profile, different refusals and blind spots, making routing a security decision, not just uptime.

Worth pressing because you've got a great posture, agent-as-untrusted by default, and those are the two seams where it either holds or quietly leaks. The parity read is the most clarifying I've seen on where Azure sits now.

No posts

Ready for more?