“How Google Does It” for AI Security Agents… Doesn’t Tell You “How Google Does It”

Google published a guide to building AI agents for cybersecurity. It contains no architecture, no metrics, no failure analysis, and no adversarial threat modeling. Instead it contains the assertion that Google is doing AI security. It offers four recommendations indistinguishable from any enterprise software deployment checklist since, oh I don’t know, 2005.

This matters, because Google is claiming an authoritative voice, stepping up and then… whoops.

The danger isn’t that Google is wrong, per se. It’s more like they are having a wardrobe malfunction, that their advice is insufficient while dressed as comprehensive.

When Google says “here’s how we do it,” we’re all here waiting for Google’s actual methodology to keep us safe and warm. Then we’re left cold and exposed.

Examples?

  1. The piece recommends “quality agents” to verify other AI agents. If your verifier shares architectural assumptions with the system it’s checking, you’ve added complexity without adding assurance. You’ve built a system that fails confidently. I’ve written and spoken about this many times, including a recent IEEE article on integrity breaches. When multiple systems make the same error, it’s not redundancy; it’s correlated failure. That can be worse than no safety net, because you operate as if you have one. Flawed agents to cover for flawed agents is how Ariane 5 blew up.

    A 64-bit velocity calculation was converted to a 16-bit output, causing an error called overflow. The corrupted data triggered catastrophic course corrections that forced the US $370 million rocket to self-destruct.

  2. Their success metrics center on analyst trust and feature requests. Trust measures psychology, which is much broader and more interesting than narrow technical visions of control. A team can be enthusiastic about a tool that’s completely missing threats. The relevant question—what did the agent miss that humans would have caught—goes unasked.
  3. Most remarkably for a security-focused guide: no discussion of attacks on the agents themselves. Prompt injection. Adversarial inputs. Training data poisoning. Any autonomous system with security permissions is a high-value target. Treating AI agents as trusted infrastructure rather than attack surface is the foundational mistake I’ve spent years warning about at RSA. If you aren’t automatically asking whether your security agent is a double-agent, you aren’t ready to deploy agents.
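The correlated-failure and "what did the agent miss" points above can be measured directly. The following is an added example, not code from Google's guide or from this blog; the alert features, both verifiers and the corpus are constructed for illustration. It scores two verifiers with identical overall accuracy on how many of the agent's misses each one actually catches, using human-reviewed ground truth.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Alert:
    signature_hit: bool  # matches a known-bad pattern (hypothetical feature)
    rare_parent: bool    # unusual process lineage (hypothetical feature)
    malicious: bool      # ground truth from human analyst review (constructed)

def make_alerts():
    """Constructed corpus: 13 malicious and 27 benign alerts."""
    rows = [  # (count, signature_hit, rare_parent, malicious)
        (6, True, True, True),      # known malware, odd lineage
        (2, True, False, True),     # known malware, normal lineage
        (4, False, True, True),     # novel tradecraft, odd lineage
        (1, False, False, True),    # novel tradecraft, normal lineage
        (25, False, False, False),  # ordinary benign activity
        (2, False, True, False),    # benign but unusual admin activity
    ]
    return [Alert(s, r, m) for n, s, r, m in rows for _ in range(n)]

def agent(a):
    return a.signature_hit        # primary agent: signature matching

def verifier_shared(a):
    return a.signature_hit        # "quality agent" built on the same assumption

def verifier_diverse(a):
    return a.rare_parent          # check built on an unrelated signal

def score(alerts, primary, verifier):
    """Judge the verifier on the agent's misses, not on overall agreement."""
    bad = [a for a in alerts if a.malicious]
    missed = [a for a in bad if not primary(a)]
    rescued = [a for a in missed if verifier(a)]
    accuracy = sum(verifier(a) == a.malicious for a in alerts) / len(alerts)
    return {
        "verifier_accuracy": accuracy,
        "agent_misses": len(missed),
        "rescued_by_verifier": len(rescued),
        "pipeline_misses": len(missed) - len(rescued),
    }

if __name__ == "__main__":
    corpus = make_alerts()
    for name, v in (("shared", verifier_shared), ("diverse", verifier_diverse)):
        print(name, score(corpus, agent, v))
```

Both verifiers score 87.5% accuracy on this corpus, yet the one sharing the agent's assumption rescues none of the five missed threats while the diverse one rescues four.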

The “how we do it” framing implies authority as well as a form of completeness. It suggests that you should be following Google to take the steps to go where they must be already. But that doesn’t make sense when you read the text. It gets you to where you either already know that’s not how things are done, or you aren’t getting it done.

Confidence, unearned, is the actual “intelligence” vulnerability. Google just demonstrated it.

From 2026 Berlin Power Outage to 2014 Sony Hack: Follow Russian Cables

While writing this week about the Russian “Vulkangruppe” attacking Berlin, I was reminded of the Sony hack attribution games we played a decade ago.

The isolationist narrative of DPRK was always wrong. It served people who wanted easy answers in both directions. The harder truth has been that North Korea leaked evidence of its Russian-enabled connectivity for nearly twenty years, as anyone willing to trace the rails and cables would know.

Source: CSIS 2019

I don’t take victory laps on attribution. But I’ll take one on the flyingpenguin blog methodology, because it might help set context for what’s happening in Germany today.

In January 2015, I published an investigation here that traced North Korea’s internet infrastructure to Russia.

Remember?

The security community was so busy arguing about whether DPRK was sophisticated enough to have hacked Sony, I doubt anyone noticed the more mundane proofs right in front of them. When the usual skeptics insisted the hermit kingdom lacked connectivity, while the FBI asked us to trust classified evidence, both seemed unnecessarily closed-minded.

I took a different, rather classic, approach: follow the open rails, look for the exposed cables.

This is how I identified Russian TransTeleCom as the likely provider, which led to identification of even far greater Russian involvement. I traced their fiber network to the border, by following the railway. I found the Khasan-Tumangang crossing and located photographs showing cables running across the bridge into North Korea. And I noted this was a decade after the 2006 agreement between TTK and the DPRK Ministry of Communications.

In September 2017, 38 North and FireEye finally confirmed that TransTeleCom had gone live as North Korea’s second internet provider, using exactly the infrastructure I’d documented on this blog two and a half years earlier.

The connection runs through the Friendship Bridge at Khasan-Tumangang, precisely where I’d spotted the cables on a pole.

Fast forward to today and Trend Micro published research in 2025 on North Korean cyber operations, officially identifying Russian IP ranges in Khasan and Khabarovsk as key infrastructure for DPRK offensive activity. They note the railway station at Khasan facilitates operations across that exact same bridge I was showing photographs from Panoramio a decade ago.

The methodology holds. PR maps, rail schedules, flight routes, treaty boundaries, and even eye-level photography. None of it requires classified access or insider sources. It is only following physical infrastructure through physical territory to find the copper or glass running through places controlled by states with interests.

The same methodology applies today when we are tracing who’s really attacking German infrastructure. Find and follow the burned cables in Berlin, and watch how you end up finding a heat source from Russia. Protip: look wherever AfD shows interest.

Federal ICE Agents Use MN Checkpoint to Kill Innocent Citizen

Over a decade ago on this blog, and in a presentation at the RSA Conference with a U.S. Army JAG, I discussed how the Clegg court had long ago distinguished between three shots fired while an approaching vehicle posed a threat, versus the fourth shot fired after the threat had passed.

The situation involved soldiers on patrol who ordered a car to stop. When the car failed to follow orders it was fired upon. The soldiers’ claims were evaluated against scientific proof that a fourth shot hit the threatening vehicle after it had passed (entered it from the rear) and was more than 50 feet away. This contradicted Clegg’s testimony that he fired three shots through the front and the fourth shot through the side door as the car passed nearby. The judge thus ruled a fourth bullet was fired “with the intention of causing death or serious bodily harm” and Clegg was found guilty of murder.

In Minnesota news today we have a case directly relevant.

A federal officer shot and killed a woman in Minneapolis on Wednesday, shortly after the Trump administration deployed thousands of immigration agents to the city.

An ICE agent named Jonathan Ross appears to have created his own separation from a woman and then fired when she fled, killing her. Quick review of the video circulating online easily reveals Ross manufactured his own safety position and used it to murder, meaning kill someone who clearly posed no threat to him.

I expect formal reviews also could confirm all the intimidation strikes on the car by agents constituted provocation, followed by lateral movement to get clear before firing from a safe position. If that’s what is found, it means premeditation measured in seconds—but nonetheless premeditation of murder.

Renee Nicole Good wasn’t even the target of whatever operation the agents were supposedly running. MPD Chief O’Hara stated “There is nothing to indicate that she was the target of law enforcement activity.” She was a bystander. She was a Christian who did youth mission trips and studied vocal performance and creative writing. She was a mother of a 6-year-old, a wife, who got trapped at a deadly militarized checkpoint.

The self-defense framework I presented back in 2012 explains how this tragedy isn’t a failure of training that led to a bad heat-of-the-moment decision. This is a sequence of deliberate choices, each of which moved agents toward killing rather than away from it. Any “heat of the moment” defense requires a lack of time to think. The video shows, in direct contrast, an aggressive escalation over many seconds, then a planned step-to-the-side, draw and fire from a stable position. It shows time to reposition. That time was used to aim, and shoot to kill.

Notably, approaching the vehicle to trap, yell and repeatedly bang on it is an aggressive act, not a defensive one (as defined by police themselves, given harsh charges dispensed on pedestrians who dare to obstruct or touch a vehicle).

Two agents approached. KSTP reported audio of agents shouting “Get the fuck out of the car” while violently and repeatedly yanking the door handle for over three seconds—accomplishing nothing except terrorizing the driver into fight or flight. The other positioned himself at the front left of the vehicle, indicating a trap blocking flight, to force a fight. When the panicked driver refused to fight and turned hard right to flee, the blocking agent pivoted left and fired into the departing vehicle from a safe position to the side and behind it as it drove away, as the BBC clearly proved.

He then kept walking toward the car he had just shot into—no stumble, no hesitation, no physiological response of someone who had just escaped a threat. Just forward motion toward his target.

A de-escalation-trained officer would step back, create space, communicate calmly. These agents did the exact opposite, moved in to escalate and push hard for a fight.

Their efforts were not a response to any threat. Stepping in front and then quickly to the side for a clear shot, before firing, is the evidence that an agent had planned and created clearance for himself, not for safety but for a provocation and pivot to achieve a deadly firing angle.

You cannot create a threatening situation through your own aggressive conduct, premeditate lethal force, and then claim self-defense against the response you provoked.

When I first looked at the video, given that I’ve studied defense ethics for over three decades and hold two degrees in it, my impression was that this has all the hallmarks of an execution sequence. ICE agents appear to have set up the exact plan seen around the world in military dictatorships. It is especially reminiscent of the 1989 checkpoint killing of Marine Lieutenant Robert Paz, which was used as a casus belli for American invasion of Panama to remove their leader.

In 1989, America said a checkpoint killing was an act of war requiring head of state removal. What is it in 2026?

Is this checkpoint killing by ICE considered an act of war against Americans, just like it would have been in 1989? Are officials convinced Trump is out of control and putting Americans in danger? And if so, who is going to invade America now to remove the head of state like America demanded for Panama in 1989?

The federal checkpoint in a US city trapped, provoked and killed an innocent citizen. She was simply trying to leave a checkpoint, which paints a structural parallel to Panama regime change that is damning.

Renee Nicole Good is a modern day Lieutenant Robert Paz.

Let me explain how we can see the injustice, in more detail.

Look at the agent movement frame-by-frame. Around 16.5 seconds into the video that I have, the agent who had been positioned at the front of the vehicle pivots to his left and fires into the car from a safe distance to the side. The vehicle already turned HARD RIGHT and is moving safely AWAY from all the agents to flee them. At the moment of discharge, the shooter positioned himself clear and to the LEFT SIDE and then rear of the vehicle—completely opposite its path.

Source: YouTube

A further analysis of 701 extracted frames at 30fps offers several provable conclusions:

  1. Direction of travel: Vehicle turned right, agents all stood to the left. No agent was in danger on the right or in the vehicle’s path at the moment shots were fired at the vehicle leaving them.
  2. Temporal gap: Approximately 1-2 seconds elapsed between vehicle movement initiation and shooting—enough time for the agent to assess that threats (if any existed) had passed.
  3. Agent mobility post-shooting: All agents standing and walking normally in aftermath frames. The supposed agent at risk is the most able and active, appearing to still be in aggression mode walking towards the vehicle. No agent showed any indication of any harm. Noem’s claim that the officer was struck is contradicted by the video that shows the officer positioned himself to strike the vehicle (not the other way around) and then shot the driver in violent aggression and escalation when the driver was leaving.
  4. The pivot-to-the-side: The shooter had been at the front left of the vehicle. As the vehicle began moving, he pivoted left and fired from a position completely to the side—safe, clear, and facing a departing vehicle. He manufactured his own clearance, then used it to shoot.

This checkpoint killing is far worse than the foundational Clegg findings.

In that case, the court had to reconstruct bullet trajectories to prove the fourth shot entered from the rear. Here, you can watch the geometry in real time as an officer steps back and murders a woman who poses no threat to anyone. The agents’ high aggression and the vehicle’s rotation away from the agents are visible frame by frame.

The Clegg forensics have been disputed in subsequent decades. But in Minneapolis, there’s no trajectory reconstruction needed as you can watch an agent step to the side and fire at a vehicle driving away from him. Even extremist gun advocates accept that shooting at a fleeing vehicle would be murder if proven. They just dispute whether it was proven in Clegg. In Minneapolis, it’s on video.

The video also shows a doctor identifying himself and attempting to provide aid, only to be told “I don’t care” by an agent who directed him to back away. That’s obstruction of emergency medical care to someone they just shot. It compounds the accountability question.

Related:

The Babbitt family sued after she joined a violent protest and was shot dead by federal officers.

Babbitt’s estate filed the $30 million lawsuit after her death, alleging that she was wrongfully killed by a Capitol Police lieutenant as she tried to climb through a broken window near the Speaker’s Lobby inside the U.S. Capitol.

President Trump sided with the family, and sent a clear message to law enforcement not to shoot.

The Trump administration has agreed to pay a $5m (£3.7m) settlement to the family of Ashli Babbitt, a US Air Force veteran who was shot and killed by a Capitol police officer while breaching the US Congress on 6 January 2021. […] Trump in March told conservative news outlet Newsmax that he’s “a big fan of Ashli Babbitt”…. “And a man did something unthinkable to her when he shot her, and I think it’s a disgrace,” he said, promising to “look into” the lawsuit brought by her family.

Presumably now Trump will offer the Good family millions as well.

Russian “Vulkangruppe” Terror Cell in Germany Fails Every Left-Wing Test

An astute commenter on this blog has prompted me to go deeper into what a genuine German anarchist collective attacking energy infrastructure would call themselves.

I can say with certainty, based on history, that investigation of left-wing extremism leads to names and tags like these:

  • Autonome Zellen (Autonomous Cells)
  • Schwarze Flamme (Black Flame)
  • Klimarebellion (Climate Rebellion)
  • Anti-Atom Aktion (Anti-Nuclear Action)
  • Bewegung 2 Juni (date of disaster)

This clarification of identity is not about speculation as much as experience from inside anarchist hacking culture, and decades of evidence.

In complete contrast, however, a name like “die Vulkangruppe” reads like someone in the Russian military contractor business wanted a dramatic German-sounding name like Wagner Group. Hitler loved Wagner. Hitler loved Roman mythology.

In fact, when you look at over 100 years of anarchist naming habits, the use of the Roman god name Vulkan fails every single test!

  • NO political descriptor – not “Revolutionary,” “Red,” “Autonomous,” “Anti-”
  • NO commemorative element – no date, no martyr
  • NO class signifier – no worker/proletarian reference
  • WRONG frame – anarchists believe “NO gods, NO masters”
  • WRONG aesthetic – Roman mythology is bourgeois classical education associated with fascism
  • WRONG imagery – Forge/weapon of Vulkan god symbolizes dictator, strong man

I’ll say it again. 100 years.

Here’s another way to explain the naming problem. The left never uses anything that the Vulkan framing does. The meaning is so far removed from political conventions on the left, that its use becomes evidence of extreme right-wing symbolism.

| Category | Why Rejected by the Left |
| --- | --- |
| Roman/Greek mythology | Associated with classical education = bourgeois elitism |
| Gods of any kind | “No gods, no masters” is a foundational anarchist slogan |
| Forge/weapon-maker imagery | Celebrates industrial capitalism’s instruments of power |
| Nature mysticism | Associated with völkisch/fascist movements in German context |
| National mythology | Internationalist ideology explicitly rejects national symbols |

On top of that, Germans culturally reject Roman imagery because their national identity was built on defeating Rome. Russians, by contrast, embrace it: “Third Rome” ideology, Tsar derived from Caesar, imperial inheritance from Byzantium. The Vulkan name fits Moscow’s right-wing mystic vocabulary, not Berlin’s.

And what about the Icelandic volcano aliasing like the Hekla and Katla pseudonyms? Germans have no cultural connection to Iceland. Nothing. More importantly, climate activists focus on human-caused problems: fossil fuels, carbon emissions, nuclear waste. Volcanoes are natural geological events that represent the opposite of what environmentalists protest.

No genuine green anarchist would brand themselves around volcanic imagery, because why would they? Such a meaningless foreign geological reference is an implausible German activist naming story. The volcanic aliasing instead reads like backstopping by GRU; a thin cover fabricated after the fact for Russian military contractors to obfuscate Roman god worship.

The 2011 Hekla-Empfangskomitee attributed to the Vulkangruppe is even worse German! It makes no sense unless you speak Russian.

A Russian naturally would say: “Комитет по встрече Гекла” or “Committee for the reception of Hekla”. That becomes… Hekla-Empfangskomitee.

A German would say Hekla-Begrüßungsgruppe or just use the volcano name alone. In German left-wing militant groups we never see any reference to any committee:

  • Fraktion (RAF)
  • Zellen (Revolutionäre Zellen)
  • Gruppe (Baader-Meinhof Gruppe)
  • Bewegung (movement)
  • Bund (league)

However, in Russian the word Комитет (Komitet) is everywhere like КГБ = Комитет государственной безопасности (Committee for State Security). I mean the Komitet Gosudarstvennoy Bezopasnosti is a canonical example because that’s the KGB. Therefore the “reception committee” phrase is alien to Germans, and practically a Russian fingerprint for the terror group.

The construction of “Hekla-Empfangskomitee” combines:

  • A foreign geological reference with zero connection to Germany, zero connection to climate
  • A word (“Empfang”/reception) Germans would not use
  • An organizational suffix (“Komitee”) that is a default in Russian, and only appears in Germany under imposed Soviet bureaucracy

Add to all this that there have been attempts by Russian intelligence services to organize vandalism in the name of environmental activists. The recent “Be Greener!” operation proved over 270 vehicles were damaged by Russian assets across Germany to inflame public sentiment against the Green Party and Robert Habeck. The perpetrators were not climate activists but rather individuals recruited by the FSB.

“Die Vulkangruppe” appears by all accounts to be a Russian term, about as “German” as Russia’s infamous “The Wagner Group”.