Ask Good Questions: You Have to Invite the Vampire In

I published a new Ask Good Questions guide and companion field note that may be useful to anyone experimenting with AI coding agents.

Guide:

https://askgoodquestions.dev/guides/you-have-to-invite-the-vampire-in

Field note:

https://askgoodquestions.dev/field-notes/do-not-give-the-agent-the-keys-to-the-kingdom

The title of the guide is You Have to Invite the Vampire In, which is my way of getting at the security and workflow issue behind agentic coding.

This is not about whether ChatGPT, Claude, or another AI can write useful code. We already know they can help with that.

The bigger question is what happens when you install an agent and let it act inside a real development environment.

At that point, you’re not just asking for suggestions. You’re giving the tool the ability to create files, change files, run commands, install packages, execute scripts, and sometimes keep working through a problem on its own.

That changes the risk.

The guide lays out a practical safety pattern: use a dedicated VM, mount only the project you want the agent to work on, limit credentials, keep secrets out of the repo, take snapshots and backups, and review the work before you trust it.

The field note is the more personal version, where I talk through why I wouldn’t want to give an agent the keys to my normal work environment.

One line from the guide sums it up pretty well:

An apology is not a backup. It’s not a snapshot. It’s not a boundary.

If you’re already using coding agents, I’d be interested in how you’re containing them. If you’re not using them yet but have been thinking about it, this may give you a better starting point than just installing one on your main machine and hoping it behaves.

Source:
https://x.com/lifeof_jer/status/2048103471019434248

Reiterations:

Blog

Newspaper

That is a painfully good real-world example of exactly what I was trying to get at.

The scary part isn’t just that the agent deleted the database. The scary part is that afterward it could explain, quite clearly, which rules it had violated, and did.

That’s definitely the AI version of the vampire apologizing after the family is already dead.

That’s also why I keep coming back to the idea that hard boundaries matter.

Prompt instructions are useful, but they are not security. “Don’t delete anything destructive without asking me first” is a good instruction, but it is not the same thing as the agent not having permission to delete the production database in the first place. An instruction lives in the model’s context, where it can be misread, forgotten, or overridden by whatever the agent reads next; a permission lives in the environment and is enforced whether or not the model remembers it.

I also think this is one of the things developers can miss when they say, “It’s okay, I have backups of my source code.” That may be true, but what else did the agent have access to while it was running? Other projects? Customer files? Credentials? Local databases? Build scripts? Deployment folders? Email exports? Documents sitting in nearby folders?

A backup of the project does not necessarily protect everything else the agent could accidentally reach. Plus even if you have a full-machine backup, how long does it take to wipe, reformat, restore, and verify your working development machine before you can really trust it again?

That’s exactly why I like the idea of doing agentic work inside a deliberately limited environment, such as a dedicated VM with only the project data it actually needs. Take a snapshot before you start, give the agent access only to that workspace, and now the worst case is much smaller.
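To make that boundary concrete, here is an added Python sketch of the same pattern at process level. It is not code from the guide, the field note, or the tweet, and every name in it is hypothetical: the agent gets one workspace, a snapshot is taken before the session, its subprocesses inherit no credentials, and the session ends with a review of what changed and the option to roll back. The sample project and the “customer-files” neighbour it must never reach are constructed inside the script.

```python
"""Session guard for an AI coding agent: a hard boundary, not a prompt.

Added example, not code from the Ask Good Questions guide or field note.
Class, function and directory names are hypothetical.
"""
import hashlib
import os
import shutil
import subprocess
import tempfile


class BoundaryViolation(PermissionError):
    """The agent asked for something outside its workspace."""


# The only variables the agent's subprocesses may inherit. Cloud keys, tokens
# and database URLs are simply absent, so no instruction has to say "don't".
ALLOWED_ENV = ("PATH", "LANG", "TERM")


class AgentSession:
    def __init__(self, workspace):
        self.workspace = os.path.realpath(workspace)
        self.snapshot_dir, self.before = None, {}

    def resolve(self, path):
        """Map an agent-supplied path into the workspace or refuse it.

        realpath() collapses '..' and follows symlinks, so a link planted
        inside the workspace that points at a neighbouring folder is caught.
        """
        full = os.path.realpath(os.path.join(self.workspace, path))
        if full != self.workspace and not full.startswith(self.workspace + os.sep):
            raise BoundaryViolation(f"{path!r} resolves outside the workspace")
        return full

    def read(self, path):
        with open(self.resolve(path), "rb") as f:
            return f.read()

    def write(self, path, data):
        full = self.resolve(path)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)

    def scrubbed_env(self, parent):
        env = {k: parent[k] for k in ALLOWED_ENV if k in parent}
        env["HOME"] = self.workspace  # no ~/.ssh, ~/.aws, ~/.netrc for the agent
        return env

    def run(self, argv, parent_env=None):
        """Run a command inside the workspace with only the scrubbed environment."""
        parent = os.environ if parent_env is None else parent_env
        return subprocess.run(argv, cwd=self.workspace, env=self.scrubbed_env(parent),
                              capture_output=True, text=True)

    def manifest(self):
        """sha256 of every regular file; os.walk does not descend into symlinked dirs."""
        out = {}
        for root, _, files in os.walk(self.workspace):
            for name in files:
                full = os.path.join(root, name)
                if os.path.islink(full):
                    continue
                with open(full, "rb") as f:
                    out[os.path.relpath(full, self.workspace)] = hashlib.sha256(f.read()).hexdigest()
        return out

    def snapshot(self):
        """Record the pre-session state; links are copied as links so the snapshot
        never pulls in data from outside the workspace."""
        self.snapshot_dir = tempfile.mkdtemp(prefix="agent-snapshot-")
        self.before = self.manifest()
        shutil.copytree(self.workspace, os.path.join(self.snapshot_dir, "ws"), symlinks=True)

    def review(self):
        """What the agent added, deleted and modified, for a human to read before trusting it."""
        after = self.manifest()
        return {"added": sorted(set(after) - set(self.before)),
                "deleted": sorted(set(self.before) - set(after)),
                "modified": sorted(p for p in after if p in self.before and after[p] != self.before[p])}

    def rollback(self):
        shutil.rmtree(self.workspace)
        shutil.copytree(os.path.join(self.snapshot_dir, "ws"), self.workspace, symlinks=True)


def demo():
    """Constructed workspace next to a folder the agent must never reach."""
    root = tempfile.mkdtemp(prefix="agent-demo-")
    project, neighbour = os.path.join(root, "project"), os.path.join(root, "customer-files")
    os.makedirs(project), os.makedirs(neighbour)
    with open(os.path.join(project, "app.py"), "w") as f:
        f.write('print("hello")\n')
    with open(os.path.join(neighbour, "export.csv"), "w") as f:
        f.write("id,email\n1,alice@example.com\n")  # constructed sample data
    os.symlink(neighbour, os.path.join(project, "link"))  # a planted escape hatch

    s = AgentSession(project)
    s.snapshot()
    results = {}
    for attempt in ("app.py", "../customer-files/export.csv", "link/export.csv", "/etc/passwd"):
        try:
            s.read(attempt)
            results[attempt] = "allowed"
        except BoundaryViolation:
            results[attempt] = "refused"
    fake_parent = {"PATH": os.environ.get("PATH", "/usr/bin:/bin"), "AWS_SECRET_ACCESS_KEY": "constructed"}
    results["secret_seen_by_agent"] = s.run(["sh", "-c", 'echo "${AWS_SECRET_ACCESS_KEY:-unset}"'],
                                            fake_parent).stdout.strip()
    s.write("app.py", b'print("changed")\n')
    s.write("notes/new.txt", b"scratch")
    results["review"] = s.review()
    s.rollback()
    results["after_rollback"] = s.review()
    shutil.rmtree(root), shutil.rmtree(s.snapshot_dir)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A guard like this is a second boundary inside the VM, not a substitute for it: a process can still be talked into running a tool the guard does not wrap, which is exactly why the outer wall is a disposable machine with a snapshot. The point the code makes is the one above: the refusals come from where the agent is allowed to reach, not from anything it was asked to remember.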

If an agent is ever going to go rogue on my time, I would much rather sit comfortably in my lawn chair with a glass of lemonade while a VM snapshot rolls back than spend the rest of the day wondering what it touched on my real development machine.

The apology may be interesting.

The backup plan is what matters.