All posts by Davi Ottenheimer

Is Credal Building the Palantir of Agentic AI?

Two Palantir staff left to build a startup, and what they built is a centralized system that watches every question employees ask, every document an AI retrieves on their behalf, and every action an agent takes across an enterprise.

Sometimes I ask myself who would gladly admit they worked at Palantir. For several years, after it first started, a regular flow of staff would leave and reach out to me personally to discuss the ethical dilemmas that forced them to quit. I literally held a confession box routine in the pizza parlors and cafes of downtown San Francisco, effectively Big Data Ethics counseling. Some of the brightest people I ever met, who had gone to work expecting to do good, came out expressing severe disappointment, soul-searching like people processing the evil they had helped build.

When I see the inverse, the proud Palantir alums overtly stating they are launching more surveillance centralized for more use-cases, I guess I’m the person expected to call it out for what it is.

Credal, founded in 2022 by Jack Fischer and Ravin Thambapillai after five and seven years respectively at Palantir, sells what it calls “The Control Plane for Enterprise Agents.” Their tagline is an embarrassment. The control plane is where power concentrates, and they named the product for amassing power over people, as if Palantir has inverted ethics in America.

The company documentation is candid about what the platform does, which makes the analysis below straightforward: no whistleblowers, no leaked memos, just their own words.

Architecture

Credal is structurally indistinguishable from a surveillance platform, built as a data custody and observation layer. Their documentation describes indexing unstructured data from Slack, Confluence, Google Drive, Salesforce, and databases into a central context layer running on infrastructure the vendor operates or ships. Administrators get, in Credal’s own framing, a single control panel showing every agent using a given system, full audit logging, and usage visibility across the organization. Prompts, retrievals, and actions all transit the vendor’s code. Only the vendor can make the distinction between governance and surveillance verifiable, and nothing they publish does.

We all know what that means based on breaches like Uber’s “God View”. A system that ingests an organization’s communications and documents into a centralized store, mediates all queries against that store, logs who asked what and what they were shown, and reports it to a monitoring authority. That is literally a commercialized intelligence system.

Staff trained on Palantir’s architecture emerge selling surveillance and governance as the same capability to different orgs. Palantir built a generation of systems on exactly this duality, so the repetition is unsurprising. The founders’ stated insight was that their Palantir background in enterprise data positioned them to build a data platform doing the same thing again, with sprinkles on top.

Structural Warning

Intent is unknowable and irrelevant to the judgment. The relevant question for any customer, and the only question a security review should ask, is: can a Palantir-derived surveillance system achieve safety?

The answer, for Credal, is hand-waving with generic policy documents. Contractual terms, a SOC 2 Type II report, HIPAA-ready configurations, Data Privacy Framework registration. These are weak, just attestations about process, audited periodically, by auditors the vendor engages. They are not disclosing the properties of the system that any auditor or customer can verify. Their code is closed. Their audit logs are produced by the entity judging them, avoiding independence. There is no external mechanism by which a customer can confirm that their observation layer observes less than everything Palantir would.

A system whose safety rests entirely on unverifiable policy should be evaluated by its structure, not the glossy brochures. Palantir itself leaked its own tools and key customer list to TechCrunch in 2015, and a 2021 misconfiguration gave FBI employees unwarranted access. The systems that watch everyone are not exempt from failure, and certain types of vendors have a documented record of screwing it up completely.

Structurally, an agentic surveillance platform has been built from first steps to violate the distributed nature of privacy. Centralization for observation moves the burden of demonstrating otherwise to the vendor, and the demonstration would have to be structural: verifiable builds, inspectable enforcement code, customer-held keys, tamper-evident logs the vendor cannot rewrite. Until then, “trust us” is the entire security model, offered by alumni of the company that made “trust us” indefensible.

Dangerous EU Exposure

For European customers the product fails under jurisdictional requirements.

Credal was created to be a rapid-valuation venture-backed US company. Its EU legal story, per the founders’ own statements to press, leans on Data Privacy Framework registration. The DPF is the third attempt at a US-EU transfer mechanism; the Court of Justice of the EU invalidated the first two, Safe Harbor in 2015 and Privacy Shield in 2020, both times over US government access to data held by US providers. A compliance posture built on the third iteration of a twice-invalidated mechanism shows they haven’t done more than the bare minimum, which could evaporate any day.

Jurisdiction does not stop at the transfer mechanism. Under the US CLOUD Act, a US provider is subject to US legal process for data in its possession, custody, or control regardless of where the servers sit. Credal’s architecture therefore maximizes risk to non-US customers: the product’s value proposition is in data custody. The corpus, the query history, the audit trail of what every employee asked and saw, all held by a US entity that also serves the US Federal Government as a customer. An EU customer can’t avoid the fact that no data processing agreement will protect against harm. The vendor knows the agreement binds them and not the American government, putting their customers in harm’s way.

The on-premises option shifts the servers, not the trust model. Closed code running on your hardware is still closed code. What are you allowed to verify about what it phones home, what its update channel delivers, or what its logging omits? Orca’s amended complaint documented Wiz architecture reading customer snapshots into Wiz’s own cloud account while Wiz marketing claimed snapshots never leave the customer tenant. On-prem deployment of an unverifiable system is a different variation of the same question, opposite of a proper answer.

The EU Cloud and AI Development Act (COM(2026) 502 final) makes it clear. Its sovereignty requirements are aimed at vendors like this one: critical AI infrastructure whose custody, code, and legal exposure resolve to a non-EU entity. A European organization routing its internal communications and its agents’ actions through this centralized architecture is installing a foreign-controlled observation layer at the center of its operations, without protection from American political whimsy.

Test Time

There is a simple test for whether a governance platform is distinguishable from a surveillance platform: can the customer verify they are free from surveillance, or only get marketing docs?

Everything Credal publishes describes a system where the customer is told. Certifications attest, contracts promise, dashboards display what the vendor’s code chooses to display. Nothing published describes a mechanism by which a customer, or a regulator, could independently confirm the system’s behavior against its claims.

Companies who define products the way Credal does are playing against transparency while asking for trust. Customers who evaluate the architecture on structure alone, regardless of intention, should note an agentic observation layer with unverifiable behavior is a privacy anti-pattern, if not a national security exposure. The assessment stands because only the vendor can make it falsifiable, and the vendor, not the customer, holds the means to do so.

The founders learned at Palantir that the control plane is where power concentrates. Palantir’s police deployments show what concentrated observation becomes in practice: a secret predictive program run without the knowledge of New Orleans city government, LAPD training manuals for searching people by race and family association, a German constitutional court ruling against it. In Hesse, the German state that pioneered Palantir’s Gotham as hessenDATA, police insiders pulled non-public personal data from the force’s databases that surfaced in neo-Nazi death threats against a lawyer, politicians, and an artist, signed “NSU 2.0”, and not a single officer was convicted. Centralized observation does not stay pointed where the brochure promises. European customers should recognize the pattern before signing.

Who is Liable for Flaws in an Op-Ed on AI Liability?

A recent technologist op-ed piece in The Guardian on AI liability seems to miss the forest for the trees. Or, perhaps to stretch the metaphor for the lawyers who asked me to look at this, the trees themselves are individually flawed to the point where they could never grow into a forest.

First, perhaps most importantly, the post centers on an example where the customer is liable. It says liability follows whoever deploys the agent, and then it asks whether Visa will answer for an agent the customer deployed. This example contradicts the principle.

AI agents are agents of the person or organization that deploys them – and should be treated by the law as such. […] It makes no sense for a company to be able to honor its statements when it wants to and disavow them when it doesn’t.

Visa and OpenAI recently announced a partnership to build personal AI agents to, among other things, make purchases on our behalf. This is just one of many similar projects in the works, as companies race to provide us all with AI assistants. Will Visa take responsibility when its AI makes a purchase in your name that you don’t want? And if Visa won’t, why would anyone trust the system? Properly allocating liability is key to make this kind of thing work.

Are agents deployed by Visa, or they are deployed by the customer who owns a Visa agent, like they own and deploy a Visa card? The example kills the article. I can’t emphasize enough that if you are going to write an article about liability for errors, you shouldn’t dump a giant, steaming error on the page. Or at least that page should not work. A liability argument that can’t allocate liability in its own hypothetical, not only has no argument, it demonstrates the kind of lack of liability it argues against.

I believe this is called a mic drop. Shall I continue?

Failures in the op-ed actually have names in an old and established field of liability literature (Calabresi in 1970 on who should bear the cost, Shavell in 1980 on when liability backfires and in 1984 on when courts can’t do the job at all). That field settled these questions decades before this op-ed ran without mentioning any of them.

There’s a lot more wrong, after it fails its own premise, and leaves out the entire field it seems to want to reinvent, so I’ll continue here just for the sake of practicing integrity checking.

Second, the post predicts liability will fix Google and then flips itself and predicts liability will kill AI doctors. Same rule, two teams get opposite scores, meaning the author sees themself as a referee handing out the trophies before the game: Google jumps, shoots, wins, while AI doctors can’t dribble and go extinct. Based on what? No mechanism, no threshold, no reason the identical rule fixes one business and blocks the other. What is this FIFA? A referee who declares winners without transparency in the rules for scoring goals is just an integrity breach waiting to happen. I mean, come on, show the criterion, or admit that this theory predicts everything and therefore predicts nothing.

Third, a lawsuit is presented as the remedy. I’m not opposed to this, yet its own statistic is a rate of 16,000 erroneous summaries per second, with the post itself conceding most are benign. Nobody really sues successfully over a wrong restaurant summary. The author wants us to take harms so small and so frequent that courts could never hear them, in the same breath courts get prescribed to hear them as the fix. Flooding the courts with low-quality reports is the inversion of integrity. Anyone familiar with the AI-generated bug-bounty noise should already know this context. The authors must have put on a blindfold in order to propose this remedy that already doesn’t work.

Fourth, the post never says what counts as fault. Quality has a line. Failure has a line. Somewhere. Every liability regime in history starts by drawing it. “Liable for inaccuracies” is a standard that no doctor, lawyer, or newspaper (*cough* The Guardian *cough*) has ever faced. The post demands parity with human professionals and then quietly writes a rule far stricter than the one humans have today. See point one, above.

Fifth, I’m getting tired of making points. The post sees only the company’s temptation to hide behind an agent, and never admits that a customer has temptation to hide behind one. Full corporate liability for agent purchases means every regretted purchase becomes “agent fault.” The central Visa paragraph presents a question with an answer called… wait for it… both sides can cheat! Shocker, I know.

Sixth, are we still going? The post argues over a default rule between parties who already have a contract, and never notices the contract. The tension is kind of easy to imagine being resolved in the most usual way. Visa will wave its hand and move the liability claims to page one of the terms of service. When a huge firm simply writes around the objection, the magical remedy that a courtroom victory would bring instead gets written out of existence a minute after any case really threatens that outcome.

Seventh, the post expects a company facing unbounded per-error exposure to keep investing until the numbers come under control. Deep pockets facing unbounded exposure do the opposite and simply withdraw the feature. They can afford to throw it away and avoid liability because economics. The supposed happy path in the post is claiming a plausible outcome that its own numbers make the least plausible.

Whew. This is a lot wrong.

Back to the fundamental flaw that really caught my eye. If the authors’ say “deploy” to mean the infrastructure, then Visa deploys, and their own rule makes Visa the principal for purchases made in the customer’s name with the customer’s authority, a result that lawyers tell me agency law flatly rejects and that no court would reach. Yet if “deploys” means directs the agent to act for oneself, then the customer deploys, and their question “will Visa take responsibility” contradicts their own rule sitting directly above it.

There’s no third reading.

Google’s overview speaks for Google to users.

Air Canada’s chatbot speaks for Air Canada to passengers.

The AI doctor gives advice to the patient.

In every case presented the harm flows from the AI deployer outward, toward a third party. The Visa agent is the one example in the piece where the agent acts for the user, and the harm question (“a purchase you don’t want”) flows from the agent back to its own principal. See the logic trick?

The op-ed built a rule to flow one direction and then it applied that rule to flow the opposite direction. With that trick revealed, the best answer to “will Visa take responsibility” is not a simple hand wave.

  1. Visa answers for the tool’s defects (product-liability, agent malfunctions, agent execution failures)
  2. The customer answers for authorized transactions they merely regret (agency)

The piece never separates these layers when they say someone “deploys”. That’s an integrity breach.

And this is payment card 101 stuff for anyone familiar with how the networks have allocated liability for decades: zero liability for unauthorized transactions, chargebacks for defective ones, full responsibility for purchases the cardholder actually authorized, and loss shifted to whichever party skipped the required controls such as those specified under PCI DSS.

Bottom line, any one of the seven should be treated as an integrity failure of the post. It has so many, it becomes deeply ironic for a piece whose entire subject is liability design. It seems like the release process for the post didn’t have quality gates in place to catch basic flaws before it shipped. So now, really, who is liable? Is it the author, or was it their agent?

Silence for the Anthem of Nazism, Scrutiny for the Witness: From Orff to Koeppen

The New Yorker recently ran a book review that garnered a sharp letter from Dominique Haensell in Berlin. She presented the Koeppen curriculum debate to a US magazine audience. Germany conducted a national debate over whether 17-year-olds in Abitur preparation, the oldest and best-equipped students in the system, should encounter a novel written to indict postwar racism and amnesia unless it came with stronger critical framing.

Becca Rothfeld’s insightful review of Wolfgang Koeppen’s “trilogy of failure” deftly navigates the nuances of how the books were received in postwar Germany (Books, May 4th). A new chapter has been added to the story of their reception: Jasmin Blunt, a Black German teacher, recently initiated a petition to stop the first book in the series, “Pigeons on the Grass,” from being part of the final qualification exam in German secondary schooling.

The petition proves German institutions know how to hold this debate when they choose to, which makes Carl Orff presented to Grundschule children with no framing at all a choice, not an oversight.

An author who confronted the NS past was put under public scrutiny by a single teacher, while the composer who took the Mendelssohn replacement after Egk, Strauss, and even the antisemite Pfitzner had refused to touch it is still being handed to small German children through a false sole-authorship claim that intentionally erases his own collaborators and the Jewish pedagogues who built the field.

The obvious objection is that Koeppen has been mandated exam material while Orff is spread by teachers claiming him as “ordinary classroom culture”, so the cases differ. They do not. Paragraph 1 of the Berlin Schulgesetz binds every level of the school system, Grundschule included, to educate students to oppose NS ideology, and Berlin primary schools already teach this history from Klasse 1. Both texts sit under a mandate. Baden-Württemberg debated the one it assigned to its most prepared students.

Berlin ignores the same statutory duty where it owes it to its least prepared.

The letter from Haensell to the New Yorker explains how the Blunt petition asked for optionality and framing, not removal.

It is important to stress that the petition was not about banning or redacting an undeniably important novel. Rather, it sought to make reading it non-mandatory, allowing people—particularly Black students and teachers—the option to forgo a days-long discussion of a novel that features the German equivalent of the N-word about a hundred times, and that culminates in a pogrom-like attack on a Black jazz bar. More broadly, it was an attempt to acknowledge that German classrooms are diverse, that Black German perspectives exist within them, and that students should not be forced to engage with racist material presented without sufficient critical framing. This is arguably the most prevalent discourse surrounding Wolfgang Koeppen in Germany today.

The letter also calls Koeppen “despite good intentions, likely a product of his time,” a phrase that shows the apologia is a reflex formula rather than analysis, since it gets applied even to an author it cannot describe.

As for the reception of Koeppen, who was, despite good intentions, likely a product of his time…

Koeppen was writing in 1951 against the amnesia of his time, which is the exact opposite of being its product; the phrase is not just weak, it is backwards for this particular author. The reflex is cultural: German criticism is afraid of landing directly, and cushions its subjects so they can accept the judgment. Haensell pads Koeppen with unnecessary good intentions; the same padding around Orff has been protecting a record that does not survive without it. The apology is the German equivalent of an indictment, where other cultures would take anti-racism without so much sugar coating.

The Blunt petition modeled an obvious remedy of allowing context to appear instead of disappear, and it is the same one echtorff.org documents: a restoration of those being erased, a proper framing. Name Keetman on the cover she co-wrote. Name Mendelssohn in the lesson built on his banned score. Germany has run a debate for an author who told the truth, but it allows the composer whose success depended on erasure of Jews and lies after the war to be presented as a hero to young school children.

France Explains Win Over “Ugly” Paraguay

The emphasis in the game is reported as staying safe, given the officials refused to protect the players.

“We know how to play ugly football,” Mabppe said afterwards.

“They [Paraguay] thought we’d show up in tuxedos, but we were ready. Even at that game, we were better than them.

“That’s their style of football – there’s no right or wrong way to play the game. They tried to beat us that way, but we won.”

Deschamps, who is now the first coach to secure 10 World Cup knockout victories, revealed he had instructed his players to shield Mbappe in the closing stages as Paraguay searched for a way back into the game.

“I asked the two biggest lads to go and stand around Kylian at the end because they were going to chop him down,” Deschamps added.

[…]

But it went wrong for Ilgiz Tantashev.

Tantashev should have been fully aware of how Paraguay were likely to play – tough tackling and trying to limit France’s ability to play freely.

The Uzbek referee should have clamped down earlier, shown his authority and given the impression that the rough tactics would not be tolerated.

Instead, the referee apparently tried to penalize the team protecting itself, enabling the obvious aggressors.

Studying Paraguay in past matches shows disregard for rules, which begs the question why does FIFA want players to be injured and who benefits from these obvious safety failures?

In related news, European soccer officials gave a red card Donald Trump, emphasizing how America isolates itself with obnoxious corruption.

European soccer body UEFA has lashed out at FIFA’s decision to suspend U.S. striker Folarin Balogun’s red-card ban ​in the World Cup, after U.S. President Donald Trump called ‌FIFA to ask it to review the case, saying world soccer’s governing body had “crossed a red line” and undermined the integrity of ​the game.

Donald Trump personally ordered FIFA to undo a ban on U.S. forward Folarin Balogun, removing the red card after a match with Croatia.

Now, any further games that America plays they will only be seen as the cheaters, the villain of the show.