Blue Jacket Consultancy
Operating Log

July 3, 2026 · AI Security · Data Minimization

Gutenberg’s Spyware

If the printing press had shipped with spyware, the Renaissance would have died in a decade — and a press that reads your manuscripts is a fair description of how most organizations use frontier AI today.

Imagine the printing press had shipped with one hidden feature.

Every manuscript you set in type — every contract, every ledger, every radical tract — was silently copied back to Gutenberg’s workshop in Mainz. He could read it. He could reprint it. He could sell what he learned from your pages to the printer down the street, or use your best ideas to improve his own catalog.

Would the Medici have run their correspondence through that machine? Would any banking house, any court, any sovereign have adopted it? The press would have died in a decade, and the Renaissance with it.

Yet that is a fair description of how most organizations use frontier AI today. Source code, deal terms, unreleased strategy, the accumulated judgment that makes a firm worth hiring — piped by the token into the cloud endpoint of a model purveyor, under terms of service that most buyers have never read and couldn’t verify if they had. The press reads your manuscripts. You pay for the privilege.

The Uncomfortable Part First

Here is what nobody selling AI tooling wants to say plainly: if you use a frontier model over an API, you cannot fully blindfold the press-maker. Whatever context the model sees, the vendor’s infrastructure sees. Anyone who tells you their wrapper makes your data “completely invisible” to the model provider is selling you a story, not an architecture.

So the honest question isn’t “how do I make the vendor blind?” It’s the older, better question every quartermaster has always asked about a supplier: what do I actually have to hand over, and what do I keep in my own hold?

That question has real answers. Three of them, in my practice.

1. Hand the press pages, never the book

The default agentic setup pipes bulk context to the model because it’s easy: point the tool at the repository, let it read everything, hope for the best.

The alternative is structural, not aspirational: split the thinking from the doing. The model gets scoped, atomic work orders — the specific problem, the specific files in play, the specific change proposed. The heavy lifting — reading the full corpus, validating, testing, filing — happens locally, on hardware you own, at zero token cost and zero exposure. The press-maker typesets the characters you bring him. He never gets the manuscript.

This is data minimization as an operating discipline, not a checkbox. What never transits the wire can never be retained, subpoenaed, or trained on.

2. Never hand over the keys

The sharpest extraction vector isn’t the model reading your prose. It’s an agent environment holding your credentials — API keys, deploy tokens, signing authority — where any tool call, any prompt injection, any vendor-side process can touch them.

The rule in my architecture is absolute in its statement and boring in its practice: no credential ever touches an agent surface. Every login, every signature, every administrative authorization is executed by human hands, on a surface the agent doesn’t drive. One human driver for every irreversible act. The vendor’s application layer can be as curious as it likes; it has nothing to hold.

3. Own the workshop

The deepest protection is the least glamorous. The governance layer — the work orders, the append-only ledger, the filing discipline, the tamper-evident record of who did what and when — lives entirely at the operating-system level, in plain files a human can read, on hardware you control: by design, a dedicated, single-purpose machine.

None of it depends on the model. None of it depends on the vendor.

That’s the sovereignty play. Today, the cognitive engine happens to be a frontier lab’s model, because that’s where the capability is. But the substrate is model-agnostic by construction. The day a locally-run model crosses the execution threshold this work requires, the cloud wire gets cut — and nothing else changes. The ledger doesn’t move. The discipline doesn’t move. The workshop was always yours.

What this is, and what it isn’t

I call the operating posture Supervised Autonomy: agents propose, a human disposes, and the record of both is kept in a form the agents can’t quietly rewrite. It is not a walk-away system, and I don’t sell it as one — the entire point is that the human driver is load-bearing, by design, at exactly the moments that are irreversible.

If you’re a founder or an operator, the takeaway isn’t “stop using the press.” The press is the most powerful tool since — well, since the press. The takeaway is the one Gutenberg’s customers never had to learn:

Use the press. Bring it pages, not books. Keep the keys on your belt. And own the workshop, so that the day a better press exists, you can wheel the old one out the door.

Steady on.


© 2026 Blue Jacket Businesses LLC, d/b/a Blue Jacket Consultancy. All rights reserved. May be shared in unmodified form with attribution. No use for machine-learning training, fine-tuning, or dataset construction without written permission.