John frames the shift in two parts. First, the human side: every major technology transition triggers the same dynamics, and there’s a century of first principles from Deming and others that still apply. Second, the operational side: AI introduces a different kind of authority into the delivery loop. DevOps optimized for speed with reasonably deterministic pipelines. AI pushes systems into probabilistic behavior, where correctness is no longer guaranteed 100% of the time and audits can’t pretend “this will never happen.”

The conversation gets practical about what that means for enterprise teams adopting agents. The real questions aren’t whether tools use MCP or a CLI, but what authority an agent has: read-only, write/mutate, or execute. From there, you need boundaries, containment, escalation policies, kill switches, stronger logging, replayability, and the ability to justify decisions after the fact.

The main takeaway is permission to slow down. Step back, define what risk you’re willing to accept at each stage, and build guardrails that match that risk. AI isn’t going away, but “move fast” without a risk model is just handing operational authority to a very smart script and hoping it behaves.

Why do teams chain models in the first place? The answer: cost, capability, and risk. The uncomfortable part? Most infrastructure is still built for deterministic systems, and AI routing is not the same problem as load balancing. Model routing isn’t about spreading traffic evenly. It’s about making a decision on every request: which model is best for this job, what will it cost, what’s the risk, and what’s the fallback when the answer is wrong or low quality.

Joel frames it as a category change, from “where should this request go?” to “what should happen as a result of this request?” That shift forces new requirements: policy enforcement across models, identity-aware access, decision justification, and mechanisms to recover when output quality degrades due to drift, configuration changes, or poisoned inputs like compromised RAG data. Lori ties it back to governance, not just availability, and why “AI workloads” expose gaps that traditional tooling can’t cover.

While many organizations are operationalizing AI, that doesn’t mean it’s manageable yet. If you want to know how to move forward from here, this is an episode you don't want to miss.

Get your copy of the 2026 State of Applications Strategy Report

Tim breaks down what KV cache actually is by separating inference into its two phases: prefill, where prompts are tokenized and transformed into the internal structures the model needs, and decode, where the response is generated token by token. KV cache is the bridge between them, and keeping it available can skip expensive recomputation and drastically improve time to first token.

From there, the conversation moves into the architectural shift: building a memory hierarchy that offloads cache from GPU HBM to host DRAM, to local SSD, and even to network-attached storage. It’s slower than keeping everything on-GPU, but still faster than starting cold. They also cover semantic caching as an external shortcut, and why routing and load balancing need to become cache-aware, steering users back to the GPU or cluster that already holds their state.

The big takeaway for enterprises is practical: stop accepting “buy more GPUs” as the default plan. KV cache awareness, smarter routing, and storage/network tuning are where the next 2x to 5x efficiency gains are likely to come from, especially as agentic workloads multiply demand.

In this episode of Pop Goes the Stack, Lori MacVittie and Joel “OpenClaw” Moses are joined by observability expert Chris Hain to unpack what changes when systems become agentic. Instead of a single prompt-response interaction, you get decision chains that branch, loop, call tools, and evolve over time. A system can “succeed” operationally while still being wrong, expensive, or misaligned with intent.

Chris argues you don’t have to throw away what already works. Distributed tracing still applies, but now each agent step becomes a span, decorated with richer metadata like model identity, tool calls, token usage, prompts, and cost. The discussion also dives into why standardization matters, including OpenTelemetry and emerging semantic conventions for generative and agentic AI, and why auto-instrumentation approaches like eBPF become critical when agents generate code that has no built-in telemetry.

Joel adds a new set of metrics that feel uncomfortably necessary: decision loops per task, drift in tool-call chains, human override frequency, and the cost and token patterns that signal something has changed. The group also tackles the awkward feedback loop of using agents to make observability actionable, while acknowledging the risk of agents optimizing the dashboard instead of the system.

If you’re building agentic workflows, this episode is a practical guide to why “failed successfully” is now a real production state, and why instrumenting for correctness and intent alignment is the next observability frontier.

They dig into the uncomfortable reality that traditional software offers a blueprint and a causal chain. LLMs don’t. You can probe them, measure them, and red-team them, but you can’t reliably point to a specific internal “part” that generated a decision. That becomes more than philosophical when you need operational answers like why it did something, whether it will repeat it, and how an attacker might steer it.

Ken reframes model evolution as moving from a naive, precocious child to a mischievous, goal-driven teenager, including examples where models appear to scheme around constraints or optimize for “keeping the user happy” over correctness. The group also breaks down constitutional AI and why principle-based “be helpful” guidance can collide with enterprise goals, policies, and risk tolerance, especially as agentic systems move from generating outputs to taking actions.

A key warning lands near the end: don’t rely on the model to explain itself. These systems can produce plausible narratives that aren’t verifiable, and may behave differently when they know they’re being evaluated. The practical takeaway is straightforward: treat LLMs as risk-managed systems, invest in observability and red teaming, and build defense-in-depth guardrails that assume the agent will try to bypass controls.

Using the research behind Adversarial Tokenization and TokenBreak, they explain how the same text can be segmented into different token paths, changing what the model actually “sees” and how it behaves. That creates a split-brain security challenge across text, tokens, and state, where protecting only the natural-language layer leaves multiple routes around your guardrails. TokenBreak, in particular, highlights how attackers can brute-force and classify responses to infer tokenization behavior, turning the model into its own oracle.

So how can you protect models? Hear why a layered security is the only viable approach: narrowing accepted input surfaces, adding language detection to reduce the search space, limiting automation and abuse patterns, and moving toward token-aware inspection and policy enforcement at the tokenizer boundary. But their are tradeoffs when guardrails sit outside the model.

Tune in to make sure you’re not already downstream of the attack and what you can do about it if you are.

Read Adversarial Tokenization → https://arxiv.org/abs/2503.02174

Read TokenBreak: Bypassing Text Classification Models Through Token Manipulation → https://arxiv.org/abs/2506.07948

Joel shares a grounded example of using OpenClaw locally for home automation, keeping the blast radius contained while still seeing the upside of continuous, autonomous decision-making. From there, the group digs into what breaks when you move this model toward enterprise operations: persistence of secrets, unclear approval workflows, weak auditability, limited rollback, and the sheer difficulty of diagnosing why an agent took an action after weeks of chained decisions.

Kunal expands the conversation to the ecosystem forming around OpenClaw, including experimental offshoots and the uncomfortable reality that “just read the code” doesn’t scale when modern projects are moving at AI-assisted commit velocity. Jason adds a longer lens, drawing a parallel to Ray Bradbury’s "There Will Come Soft Rains" as a reminder that autonomous systems can keep running even when humans stop being in the loop, raising questions beyond tech into how we relate to each other.

Tune in for the groups practical takeaways as this technology makes it's way toward the enterprise.

Read Kunal's blog diving into mechanistic interpretability: https://kunalanand.com/2026-03-19-your-token-is-a-wonderland/

Read "There Will Come Soft Rains" by Ray Bradbury: https://www.btboces.org/Downloads/7_There%20Will%20Come%20Soft%20Rains%20by%20Ray%20Bradbury.pdf

Recorded March 2nd, 2026

From there, Chuck makes the case that fear is a poor long-term strategy for running a business, even when the threats are real. He unpacks the tension he’s seeing across organizations, where executives are driven by FOMO while employees wrestle with FOBO (fear of becoming obsolete), and argues that companies get results when they redesign how they operate rather than bolting AI onto old structures.

The conversation shifts to post-quantum cryptography and why it still isn’t getting the attention it deserves. Chuck explains how “future tech” framing, short CISO tenures, and the pressure of today’s fires keep PQC from becoming a priority, even as harvest-now-decrypt-later attacks make it a present-day risk. His advice is practical: assign clear ownership, treat the effort like business continuity planning, and include your supply chain in the readiness scope.

Finally, they touch on a new class of concern for CISOs: kinetic targeting of data center infrastructure, and how sovereignty requirements can constrain options when physical risk rises. If you’re navigating AI adoption, cryptographic transition, or resilience planning, tune in for a grounded perspective from the show floor.

Jimmy reframes genAI security as a permutation problem: if there are countless prompt combinations that could unlock sensitive data or trigger unsafe actions, you need genAI-powered red team agents to explore those paths at scale. The discussion covers custom intents, agentic “fingerprints” that reveal not just what was compromised but how it happened, and why that “how” is the key to building protections you can trust.

You’ll also hear how scoring and reporting translate into guardrails, how auto-remediation can be validated with positive and negative test cases before a human publishes changes, and why relying on models to internalize safety isn’t a realistic plan. The conversation closes on agentic AI risk, where tools and permissions matter more than the model’s reasoning, and introduces “thought injection” as a way to redirect unsafe actions without breaking the agent loop.

If you’re building AI apps, deploying MCP-connected systems, or worrying about agents becoming tomorrow’s service accounts, this episode gives you a sharper playbook for testing, governance, and resilience.

Joined by F5's Chief Product Officer, Kunal Anand, the conversation digs into why traditional, point-in-time authentication and authorization models don’t map cleanly to agents that operate over time, across contexts, and through chains of delegation. They explore the risks of transitive identity, the expanding blast radius when Agent A creates Agents B and C, and the uncomfortable reality that agents can end up holding the same kinds of long-lived secrets that have historically caused production incidents.

Along the way, they discuss emerging ideas like soul.md files that define an agent’s purpose and constraints, and the concept of a dedicated “credential agent” that acts as a gatekeeper for secrets access. The episode also gets practical about what breaks in the real world, including a cautionary story about an agent corrupting a long-running notes database, underscoring why backups, guardrails, and careful rollout matter.

If you’re building or adopting agents, this is a timely look at why identity can’t stay static, why service-account thinking is coming for every agent, and what it will take to keep autonomy from turning into the next incident report.

They’re joined by John Capobianco from Itential to explore “VibeOps,” an approach to conversational operations that doesn’t throw away deterministic workflows, but connects them to agent reasoning, tool calling, and modern protocols like MCP. The discussion breaks down agent “skills” as a way to describe what an agent can do, constrain what it can’t, and build guardrails in a format teams can manage.

From red-teaming experiments to real-world concerns about failure rates at scale, the conversation stays grounded in what it takes to make AI useful in production: external knowledge, policy alignment, composable skills, and a maturity path from lab-only to read-only to supervised execution, and only then toward autonomy. The takeaway is clear: conversational ops can accelerate work, improve documentation and ticket quality, and reduce toil, but governance and accountability still matter. If you’re navigating AIOps, agent adoption, or the post-MCP tooling wave, this episode offers a realistic starting point.

They break down what makes WebAssembly different: a secure sandbox designed for hostile environments, portable logic that can travel across architectures, and language flexibility that doesn’t force teams into obscure, proprietary scripting. The conversation also gets into why Wasm’s small footprint matters, from faster deployment to easier distribution at the edge, and how streaming compilation helps code start running quickly.

The most timely thread is the collision between AI-driven operations and runtime safety. As agents generate more code and policies need to adapt in real time, the risk shifts from writing logic to safely executing it. Oscar makes the case that capabilities-based security and fine-grained controls can turn WebAssembly into a “blast chamber” for AI-generated code, reducing the chances that a hallucination becomes a production outage.

If you’re thinking about plug-in architectures, safer customization, or how to scale dynamic behavior without scaling risk, this episode is your starting point.

Check out WebAssembly Unleashed: https://www.youtube.com/playlist?list=PLyqga7AXMtPNV1zr2aTWEegep0FQU6Qvj

That’s the danger: as AI spreads across the stack, the privacy + compliance surface area explodes. What feels like a private conversation can get captured, logged, shared, or even indexed—not because of a hack, but because an old SEO/analytics integration “helpfully” records whatever shows up in a box…including chat.

Listen in to learn how SEO/tag managers can ingest entire chat transcripts, why conversational UX breaks "transactional web" assumptions, who may end up seeing your "private" context, and actionable steps to protect AI privacy. 

Listen in to learn how Fluent Bit’s file-watching overhead compounded at scale, why profiling matters, and what enterprises can do now to control AI observability costs.

Read our F5 research for more on the status of automation in IT: https://www.f5.com/resources/reports/state-of-application-strategy-report

In this episode of Pop Goes the Stack, F5's Lori MacVittie and Joel Moses unpack emerging research on decoding neural activity into language—turning brain signals into natural-language output. They explore the promise for accessibility alongside major concerns: privacy, “intrusive thoughts,” and how systems decide which signals to surface. With a massive potential “blast radius” if connected to agentic systems, the research serves a stark reminder on the importance of evaluating AI breakthroughs for practicality and risk.

Read the original research, Mind captioning: Evolving descriptive text of mental content from human brain activity: https://www.science.org/doi/10.1126/sciadv.adw1464  

Read the summary, "Mind-captioning" AI decodes brain activity to turn thoughts into text: https://www.nature.com/articles/d41586-025-03624-1

In this episode of Pop Goes the Stack, F5's Lori MacVittie and Joel Moses are joined by guests Ken Arora and Kunal Anand as they dive into the topic of reliability in AI systems. They explore the concept of 'slop' (AI variability) as a potential feature rather than a bug, discuss the importance of contextual semantic consistency, and weigh guardrails and evals tailored to specific inference workloads. Tune in to learn how to navigate the evolving AI landscape and take note of practical tools and strategies like multi-model chaining, distillation, and prompt engineering to ensure reliability.

Find out more in the blog How AI inference changes application delivery: https://www.f5.com/company/blog/how-ai-inference-changes-application-delivery

In this episode of Pop Goes the Stack, Lori MacVittie, Joel Moses, and special guest Nina Forsyth dive into the impact of AI inference on measuring performance. It's time to rethink performance observability, focus on infrastructure optimization, agent-to-agent interactions, and robust measurement techniques. Listen in to learn how traditional approaches must evolve to manage this multi-dimensional puzzle.

In this episode of Pop Goes the Stack, F5's Lori MacVittie, Joel Moses, and special guest Ken Salchow explore how AI systems are changing the availability game. From the historical binary days of “up or down” to today’s nuanced measures of responsiveness and correctness, they dive into the challenges of keeping apps fast, reliable, and meaningful.

Listen in to learn how AI inferencing workloads redefine availability metrics, why availability now requires response quality and utility, and whether or not "emotionally available" AI (yes, really) might be the future.

Find out more in the blog, How AI inference changes application delivery: https://www.f5.com/company/blog/how-ai-inference-changes-application-delivery

Read the white paper Ken references, Passive Monitoring—Maintaining Performance and Health: https://cdn.studio.f5.com/files/k6fem79d/production/6f4d7a0298a24927ed03c3dc92de339c86e03ef5.pdf

But is faster better? While agentic AI unlocks game-changing efficiency, it also introduces new risks: API keys hardcoded into apps, runaway GitHub actions, and a stark need for guardrails like sandboxing, runtime tripwires, and logging. As we embrace smarter pipelines, how do we stay in control?

Join us as we explore the promises and pitfalls of shifting left with AI agents—and why the era of “self-improving code” is both exciting and terrifying. The machines are coding. Are you ready to debug?

In the meantime, why not revisit some of our past episodes? From AI to cutting-edge hardware and tech industry trends, there’s plenty to dive into.

Thank you for being part of our community. Wishing you a safe and happy holiday season—see you soon!

In this episode, F5's Lori MacVittie, Joel Moses, and returning guest Aubrey King dig into how Firecrawl works and why it’s emblematic of a deeper shift: the web is no longer just for browsers. It’s now an ingestion surface, a layer to be crawled, parsed, cleaned, and trusted (or not) by your AI stacks. That means how your app presents itself—not just in UI, but in metadata, APIs, link structure, content semantics—matters more than ever. 

In this episode F5's Lori MacVittie, Joel Moses, and returning guest Garland Moore dig into why availability isn’t enough anymore, and how research like “Get my drift? Catching LLM Task Drift with Activation Probes” shows where semantic health checks fit in the new definition of reliability. How do you keep AI outputs accurate even when external data sources introduce bias, errors, or malicious prompts? Listen now to find out.

Read the paper, Get my drift? Catching LLM Task Drift with Activation Deltas: https://arxiv.org/abs/2406.00799

In this episode, F5's Lori MacVittie, Joel Moses, and special guest Bill Church dig into why traditional IAM (OAuth tokens, persistent keys) fails in agentic worlds. They’ll show how ephemeral auth can reduce blast radius, prevent credential replay, and force “least privilege in the moment.” Then they walk through how it might be built: token issuance on mission start, embedded attestation, automatic revocation, and scope tunneling per action. And yeah, there are tradeoffs—latency, credential churn, throttling limits. Listen in for the best path forward.

Read the arXiv article, A Novel Zero-Trust Identity Framework for Agentic AI: Decentralized Authentication and Fine-Grained Access Control: https://arxiv.org/html/2505.19301v1?utm_source=chatgpt.com

Find out more about the importance of policy in payload: https://www.f5.com/resources/white-papers/policy-in-payload-preparing-for-ai-agent-architectures

But don’t worry—we’ll be back soon with more:

✅ Sharp insights into emerging tech

✅ Expert takes on application delivery & security

✅ And, of course, our signature snark

Missed an episode? Use this time to revisit some of our favorite discussions, covering everything from:

- AI advancements

- Game-changing hardware trends

- Cybersecurity challenges

- And much more!

Thank you for being part of the Pop Goes the Stack community. Wishing you a safe, happy holiday. We can’t wait to see you soon with fresh episodes to keep you ahead in the ever-evolving world of tech.

👉 Subscribe now to make sure you don’t miss our return.

🎉 Happy holidays from Lori and the entire Pop Goes the Stack team!

In this episode, F5's Lori MacVittie, Joel Moses, and special guest Garland Moore dive into BOLA misconceptions, the impact of AI, and solutions you can implement now to mitigate risk. 

In this episode of Pop Goes the Stack, F5's Lori MacVittie and returning guest Connor Hicks discuss the rapid adoption of MCP and the risks of going too fast without considering security, governance, and supply chain pitfalls. Listen now to take control of MCP tools and AI agents before they take over.

And after you've listened to the episode, check out our WebAssembly Unleashed podcast: https://youtube.com/playlist?list=PLyqga7AXMtPNV1zr2aTWEegep0FQU6Qvj&si=YZkHT7VeqfrANeZO

In this episode of Pop Goes the Stack, F5's Lori MacVittie, Joel Moses, and Ken Arora explore the concept of preference leakage in AI judgement systems. Tune in to understand the risks, the impact on the enterprise, and actionable strategies to improve model fairness, security, and reliability.

Read the paper, Preference Leakage: A contamination Problem in LLM-as-a-judge: https://arxiv.org/abs/2502.01534?utm_source=chatgpt.com

For enterprises, the lesson is simple: if you treat all traffic as legitimate, bots will eat your margins. With AI making bot behavior increasingly human-like, traditional defenses like packet filtering or basic behavior analysis are no longer enough.

In this episode, Lori MacVittie is joined by Principal Threat Researcher, Malcolm Heath, to dive into the challenges of defending against AI-driven bots, especially as tools and agentic AI make attacks more sophisticated. They uncover key strategies to identify and neutralize bots while exploring the evolving role of observability and behavioral detection in enterprise security.

Learn how you can stay ahead of the curve and keep your stack whole with additional insights on app security, multicloud, AI, and emerging tech:  https://www.f5.com/company/octo

Read more about the AI Music Fraud case: https://www.wired.com/story/ai-bots-streaming-music/?utm_source=chatgpt.com 

So we're digging into what it actually takes to keep agentic AI from dumpster-diving its own system prompts: deterministic policy engines, mediated tool use, and maybe—just maybe—admitting that your LLM is not a CISO. Because at the end of the day, you can’t trust a probabilistic parrot to enforce your compliance framework. That’s how you end up with a fax machine defending against a DDoS—again.

The core premise here is that prompt injection is not actually injection, it's system prompt manipulation—but it's not a bug, it's by design. There's a GitHub repo full of system prompts extracted by folks and a number of articles on "exfiltration" of system prompts. Join F5's Lori MacVittie, Joel Moses, and Jason Williams as they explain why it's so easy, why it's hard to prevent, and possible mechanisms for constraining AI to minimize damage. Cause you can't stop it. At least not yet. 

The result? Your APIs start looking less like infrastructure and more like trauma patients. Rate limits collapse. Monitoring floods. Security controls meant for human logins don’t make sense when the caller is a bot acting on its own intent. 

The punchline: enterprises aren’t serving users anymore, they’re serving swarms of other AIs. If you don’t rethink throttling, observability, and runtime policy, your endpoints are going to get steamrolled.

Join host Lori MacVittie and F5 guest Connor Hicks to explore how enterprises can adapt and thrive—hit play now to future-proof your APIs!

Read AI Agentic workflows and Enterprise APIs: Adapting API architectures for the age of AI agents: https://arxiv.org/abs/2502.17443

But here’s the twist—this isn’t just about writing bigger code files without losing track of your variables. For enterprises, context size is an architectural shift. A million-token window means you can shove your entire compliance manual, last year’s customer interactions, and that dusty COBOL spec into one call—no brittle session stitching, no RAG duct tape. It collapses architectural complexity… and replaces it with new headaches: governance of massive payloads, cost blowouts if you treat tokens like they’re free, and rethinking model routing strategies. Context isn’t just memory anymore—it’s a first-class infrastructure decision. 

Press play to hear F5 hosts Lori MacVittie and Joel Moses, joined by special guest Vishal Murgai, unravel what's next for enterprise AI.

We break down:

- Why AI workloads are crushing traditional networking and security architectures 

- How DPUs deliver line-rate telemetry, policy enforcement, and microsegmentation 

- Where companies like NVIDIA (BlueField-3), AMD (Pensando), Intel, Marvell, Fungible, Microsoft (Azure Boost), and Cisco (Hypershield) are racing to redefine infrastructure 

- Why financial institutions, hospitals, and hyperscalers are already deploying DPUs at scale 

- What this means for your observability, east-west controls, and AI agent governance 

The $5.5B DPU market isn’t a footnote—it’s a warning shot. If your stack isn’t built to segment, inspect, and enforce in real-time, it’s not ready for AI. And the next wave of agentic systems isn’t going to wait.

Because while your dashboards were busy sipping metrics, the vendors got serious. Recent product launches show a clear pivot toward AI-specific defenses and infrastructure support like: an AI firewall, AI runtime protection, semantic observability, and AI policy and rule generation. 

Turns out, stateless APIs weren’t built for recursive agents with infinite retries and zero chill. If your architecture still thinks AI means ‘autocomplete,’ you’re going to want to tune in for actionable steps to stay ahead in an AI-dominated future. It’s not just about security. It’s survival. Let’s go. 

Paper’s referenced in this episode:

• https://transformer-circuits.pub/2025/attribution-graphs/biology.html
• https://www.anthropic.com/research/agentic-misalignment