All posts by Davi Ottenheimer

Putin’s Luxury Yachts Spotted, Fleeing Strikes by Ukraine

A luxury yacht of Putin’s, exposed by Alexei Navalny’s team six months before he was poisoned to death in an Arctic prison, is being evacuated.

The apparent decision to move the yacht north [to the Northern Fleet’s main naval base at Severomorsk in the Kola Bay] is believed to be driven by concerns that Ukrainian drones could target the vessel while it is berthed either in Kaliningrad or near St Petersburg. Ukrainian drones have in recent weeks struck the strategically important Russian naval base at Kronstadt and several oil terminals in the area.

As it sailed along the Norwegian coast, Kosatka (or Graceful) was escorted by the Northern Fleet’s anti-submarine destroyer Severomorsk and the newly commissioned special patrol vessel Voevoda, whose name translates as “warlord”.

Graceful is the second Putin-linked yacht to leave European waters, given the Victoria departed the Black Sea for Bodrum on June 30. The Graceful transited Danish straits with anti-drone netting covering its decks, revealing the fear Putin’s “luxury” floats on now while his country burns around him.

U.S. Military “patrol” in American City Shoots and Kills Citizen

This is the headline Posse Comitatus was written to prevent, and the Trump deployment was engineered precisely to sit in the statute loophole: soldiers under nominal state status, executing a federally convened and federally funded policing mission, with a governor’s signature. We were told Republicans would never allow it, and here we see the exact opposite. MAGA are the ones erasing the blue line, using the Army like it’s “America First” soldiers in 1919 Elaine, Arkansas again.

Authorities said the soldiers in Memphis were responding with local police to reports of gunshots around 4 a.m. when they began pursuing an armed man fleeing on foot. The guardsmen opened fire after the man turned toward them with his weapon, according to the city’s police department.

The victim is Tyrin Johnson, 20, shot twice in the chest according to his family, a construction worker taking university classes who had his first child earlier this year.

Nobody will say whether this was the first time deployed soldiers fired on a civilian since the operation began. TBI data records at least four officer-involved shootings tied to the task force, although the two in May involved no military weapons discharge. When reporters asked whether Sunday marked the first Guard discharge, and how many shots were fired, both TBI and the Guard went silent.

Is Credal Building the Palantir of Agentic AI?

Two Palantir staff left to build a startup, and what they built is a centralized system that watches every question employees ask, every document an AI retrieves on their behalf, and every action an agent takes across an enterprise.

Sometimes I ask myself who would gladly admit they worked at Palantir. For several years, after it first started, a regular flow of staff would leave and reach out to me personally to discuss the ethical dilemmas that forced them to quit. I literally held a confession box routine in the pizza parlors and cafes of downtown San Francisco, effectively Big Data Ethics counseling. Some of the brightest people I ever met, who had gone to work expecting to do good, came out expressing severe disappointment, soul-searching like people processing the evil they had helped build.

When I see the inverse, the proud Palantir alums overtly stating they are launching more surveillance centralized for more use-cases, I guess I’m the person expected to call it out for what it is.

Credal, founded in 2022 by Jack Fischer and Ravin Thambapillai after five and seven years respectively at Palantir, sells what it calls “The Control Plane for Enterprise Agents.” Their tagline is an embarrassment. The control plane is where power concentrates, and they named the product for amassing power over people, as if Palantir has inverted ethics in America.

The company documentation is candid about what the platform does, which makes the analysis below straightforward: no whistleblowers, no leaked memos, just their own words.

Architecture

Credal is structurally indistinguishable from a surveillance platform, built as a data custody and observation layer. Their documentation describes indexing unstructured data from Slack, Confluence, Google Drive, Salesforce, and databases into a central context layer running on infrastructure the vendor operates or ships. Administrators get, in Credal’s own framing, a single control panel showing every agent using a given system, full audit logging, and usage visibility across the organization. Prompts, retrievals, and actions all transit the vendor’s code. Only the vendor can make the distinction between governance and surveillance verifiable, and nothing they publish does.

We all know what that means based on breaches like Uber’s “God View”. A system that ingests an organization’s communications and documents into a centralized store, mediates all queries against that store, logs who asked what and what they were shown, and reports it to a monitoring authority. That is literally a commercialized intelligence system.

Staff trained on Palantir’s architecture emerge selling surveillance and governance as the same capability to different orgs. Palantir built a generation of systems on exactly this duality, so the repetition is unsurprising. The founders’ stated insight was that their Palantir background in enterprise data positioned them to build a data platform doing the same thing again, with sprinkles on top.

Structural Warning

Intent is unknowable and irrelevant to the judgment. The relevant question for any customer, and the only question a security review should ask, is: can a Palantir-derived surveillance system achieve safety?

The answer, for Credal, is hand-waving with generic policy documents. Contractual terms, a SOC 2 Type II report, HIPAA-ready configurations, Data Privacy Framework registration. These are weak, just attestations about process, audited periodically, by auditors the vendor engages. They are not disclosing the properties of the system that any auditor or customer can verify. Their code is closed. Their audit logs are produced by the entity judging them, avoiding independence. There is no external mechanism by which a customer can confirm that their observation layer observes less than everything Palantir would.

A system whose safety rests entirely on unverifiable policy should be evaluated by its structure, not the glossy brochures. Palantir itself leaked its own tools and key customer list to TechCrunch in 2015, and a 2021 misconfiguration gave FBI employees unwarranted access. The systems that watch everyone are not exempt from failure, and certain types of vendors have a documented record of screwing it up completely.

Structurally, an agentic surveillance platform has been built from first steps to violate the distributed nature of privacy. Centralization for observation moves the burden of demonstrating otherwise to the vendor, and the demonstration would have to be structural: verifiable builds, inspectable enforcement code, customer-held keys, tamper-evident logs the vendor cannot rewrite. Until then, “trust us” is the entire security model, offered by alumni of the company that made “trust us” indefensible.

Dangerous EU Exposure

For European customers the product fails under jurisdictional requirements.

Credal was created to be a rapid-valuation venture-backed US company. Its EU legal story, per the founders’ own statements to press, leans on Data Privacy Framework registration. The DPF is the third attempt at a US-EU transfer mechanism; the Court of Justice of the EU invalidated the first two, Safe Harbor in 2015 and Privacy Shield in 2020, both times over US government access to data held by US providers. A compliance posture built on the third iteration of a twice-invalidated mechanism shows they haven’t done more than the bare minimum, which could evaporate any day.

Jurisdiction does not stop at the transfer mechanism. Under the US CLOUD Act, a US provider is subject to US legal process for data in its possession, custody, or control regardless of where the servers sit. Credal’s architecture therefore maximizes risk to non-US customers: the product’s value proposition is in data custody. The corpus, the query history, the audit trail of what every employee asked and saw, all held by a US entity that also serves the US Federal Government as a customer. An EU customer can’t avoid the fact that no data processing agreement will protect against harm. The vendor knows the agreement binds them and not the American government, putting their customers in harm’s way.

The on-premises option shifts the servers, not the trust model. Closed code running on your hardware is still closed code. What are you allowed to verify about what it phones home, what its update channel delivers, or what its logging omits? Orca’s amended complaint documented Wiz architecture reading customer snapshots into Wiz’s own cloud account while Wiz marketing claimed snapshots never leave the customer tenant. On-prem deployment of an unverifiable system is a different variation of the same question, opposite of a proper answer.

The EU Cloud and AI Development Act (COM(2026) 502 final) makes it clear. Its sovereignty requirements are aimed at vendors like this one: critical AI infrastructure whose custody, code, and legal exposure resolve to a non-EU entity. A European organization routing its internal communications and its agents’ actions through this centralized architecture is installing a foreign-controlled observation layer at the center of its operations, without protection from American political whimsy.

Test Time

There is a simple test for whether a governance platform is distinguishable from a surveillance platform: can the customer verify they are free from surveillance, or only get marketing docs?

Everything Credal publishes describes a system where the customer is told. Certifications attest, contracts promise, dashboards display what the vendor’s code chooses to display. Nothing published describes a mechanism by which a customer, or a regulator, could independently confirm the system’s behavior against its claims.

Companies who define products the way Credal does are playing against transparency while asking for trust. Customers who evaluate the architecture on structure alone, regardless of intention, should note an agentic observation layer with unverifiable behavior is a privacy anti-pattern, if not a national security exposure. The assessment stands because only the vendor can make it falsifiable, and the vendor, not the customer, holds the means to do so.

The founders learned at Palantir that the control plane is where power concentrates. Palantir’s police deployments show what concentrated observation becomes in practice: a secret predictive program run without the knowledge of New Orleans city government, LAPD training manuals for searching people by race and family association, a German constitutional court ruling against it. In Hesse, the German state that pioneered Palantir’s Gotham as hessenDATA, police insiders pulled non-public personal data from the force’s databases that surfaced in neo-Nazi death threats against a lawyer, politicians, and an artist, signed “NSU 2.0”, and not a single officer was convicted. Centralized observation does not stay pointed where the brochure promises. European customers should recognize the pattern before signing.

Who is Liable for Flaws in an Op-Ed on AI Liability?

A recent technologist op-ed piece in The Guardian on AI liability seems to miss the forest for the trees. Or, to stretch the metaphor for the lawyers who asked me to look at this, the trees themselves are individually flawed to the point where they could never grow into a forest.

First, perhaps most importantly, the post centers on an example where the customer is liable. It says liability follows whoever deploys the agent, and then it asks whether Visa will answer for an agent the customer deployed. This example contradicts the principle.

AI agents are agents of the person or organization that deploys them – and should be treated by the law as such. […] It makes no sense for a company to be able to honor its statements when it wants to and disavow them when it doesn’t.

Visa and OpenAI recently announced a partnership to build personal AI agents to, among other things, make purchases on our behalf. This is just one of many similar projects in the works, as companies race to provide us all with AI assistants. Will Visa take responsibility when its AI makes a purchase in your name that you don’t want? And if Visa won’t, why would anyone trust the system? Properly allocating liability is key to make this kind of thing work.

Are agents deployed by Visa, or they are deployed by the customer who owns a Visa agent, like they own and deploy a Visa card? The example kills the article. I can’t emphasize enough that if you are going to write an article about liability for errors, you shouldn’t dump a giant, steaming error on the page. Or at least that page should not work. A liability argument that can’t allocate liability in its own hypothetical, not only has no argument, it demonstrates the kind of lack of liability it argues against.

I believe this is called a mic drop. Shall I continue?

Failures in the op-ed actually have names in an old and established field of liability literature (Calabresi in 1970 on who should bear the cost, Shavell in 1980 on when liability backfires and in 1984 on when courts can’t do the job at all). That field settled these questions decades before this op-ed ran without mentioning any of them.

There’s a lot more wrong, after it fails its own premise, and leaves out the entire field it seems to want to reinvent, so I’ll continue here just for the sake of practicing integrity checking.

Second, the post predicts liability will fix Google and then flips itself and predicts liability will kill AI doctors. Same rule, two teams get opposite scores, meaning the author sees themself as a referee handing out the trophies before the game: Google jumps, shoots, wins, while AI doctors can’t dribble and go extinct. Based on what? No mechanism, no threshold, no reason the identical rule fixes one business and blocks the other. What is this FIFA? A referee who declares winners without transparency in the rules for scoring goals is just an integrity breach waiting to happen. I mean, come on, show the criterion, or admit that this theory predicts everything and therefore predicts nothing.

Third, a lawsuit is presented as the remedy. I’m not opposed to this, yet its own statistic is a rate of 16,000 erroneous summaries per second, with the post itself conceding most are benign. Nobody really sues successfully over a wrong restaurant summary. The author wants us to take harms so small and so frequent that courts could never hear them, in the same breath courts get prescribed to hear them as the fix. Flooding the courts with low-quality reports is the inversion of integrity. Anyone familiar with the AI-generated bug-bounty noise should already know this context. The authors must have put on a blindfold in order to propose this remedy that already doesn’t work.

Fourth, the post never says what counts as fault. Quality has a line. Failure has a line. Somewhere. Every liability regime in history starts by drawing it. “Liable for inaccuracies” is a standard that no doctor, lawyer, or newspaper (*cough* The Guardian *cough*) has ever faced. The post demands parity with human professionals and then quietly writes a rule far stricter than the one humans have today. See point one, above.

Fifth, I’m getting tired of making points. The post sees only the company’s temptation to hide behind an agent, and never admits that a customer has temptation to hide behind one. Full corporate liability for agent purchases means every regretted purchase becomes “agent fault.” The central Visa paragraph presents a question with an answer called… wait for it… both sides can cheat! Shocker, I know.

Sixth, are we still going? The post argues over a default rule between parties who already have a contract, and never notices the contract. The tension is kind of easy to imagine being resolved in the most usual way. Visa will wave its hand and move the liability claims to page one of the terms of service. When a huge firm simply writes around the objection, the magical remedy that a courtroom victory would bring instead gets written out of existence a minute after any case really threatens that outcome.

Seventh, the post expects a company facing unbounded per-error exposure to keep investing until the numbers come under control. Deep pockets facing unbounded exposure do the opposite and simply withdraw the feature. They can afford to throw it away and avoid liability because economics. The supposed happy path in the post is claiming a plausible outcome that its own numbers make the least plausible.

Whew. This is a lot wrong.

Back to the fundamental flaw that really caught my eye. If the authors’ say “deploy” to mean the infrastructure, then Visa deploys, and their own rule makes Visa the principal for purchases made in the customer’s name with the customer’s authority, a result that lawyers tell me agency law flatly rejects and that no court would reach. Yet if “deploys” means directs the agent to act for oneself, then the customer deploys, and their question “will Visa take responsibility” contradicts their own rule sitting directly above it.

There’s no third reading.

Google’s overview speaks for Google to users.

Air Canada’s chatbot speaks for Air Canada to passengers.

The AI doctor gives advice to the patient.

In every case presented the harm flows from the AI deployer outward, toward a third party. The Visa agent is the one example in the piece where the agent acts for the user, and the harm question (“a purchase you don’t want”) flows from the agent back to its own principal. See the logic trick?

The op-ed built a rule to flow one direction and then it applied that rule to flow the opposite direction. With that trick revealed, the best answer to “will Visa take responsibility” is not a simple hand wave.

  1. Visa answers for the tool’s defects (product-liability, agent malfunctions, agent execution failures)
  2. The customer answers for authorized transactions they merely regret (agency)

The piece never separates these layers when they say someone “deploys”. That’s an integrity breach.

And this is payment card 101 stuff for anyone familiar with how the networks have allocated liability for decades: zero liability for unauthorized transactions, chargebacks for defective ones, full responsibility for purchases the cardholder actually authorized, and loss shifted to whichever party skipped the required controls such as those specified under PCI DSS.

Bottom line, any one of the seven should be treated as an integrity failure of the post. It has so many, it becomes deeply ironic for a piece whose entire subject is liability design. It seems like the release process for the post didn’t have quality gates in place to catch basic flaws before it shipped. So now, really, who is liable? Is it the author, or was it their agent?