Share

The Oldest Deputy

The Confused Deputy Keeps Getting Promoted

By Rina Takahashi— June 11, 2026

Feature image for article: The Confused Deputy Keeps Getting Promoted

In 1977, a Fortran compiler overwrote a billing file because a user asked it to. Nobody hacked anything. The compiler just couldn't tell its own authority apart from the user's request. Norm Hardy named this the "confused deputy" in 1988. The web recreated the pattern with session cookies. OAuth recreated it with delegated tokens. Each time, the fix worked: teach the deputy to distinguish instruction from data. Now LLM agents carry the same structural problem, and the proposed fix is four decades old. This time, the deputy may not be capable of learning.

The Oldest Deputy

The Confused Deputy Keeps Getting Promoted

By Rina Takahashi— June 11, 2026

In 1977, a Fortran compiler overwrote a billing file because a user asked it to. Nobody hacked anything. The compiler just couldn't tell its own authority apart from the user's request. Norm Hardy named this the "confused deputy" in 1988. The web recreated the pattern with session cookies. OAuth recreated it with delegated tokens. Each time, the fix worked: teach the deputy to distinguish instruction from data. Now LLM agents carry the same structural problem, and the proposed fix is four decades old. This time, the deputy may not be capable of learning.

The Rare Transfer

Durable Execution: The Rare Case Where Old Knowledge Traveled With the People Who Built It

Most threads in this section trace knowledge that got lost or reinvented blind. Durable execution is the counter-example.

BPM tools in the early 2000s already solved the hard parts of long-running workflows: crash recovery, compensation logic, audit trails. That knowledge didn't drift into the agent era by osmosis. Temporal's co-founders carried it personally across Amazon SWF, Azure Durable Task Framework, and Uber's Cadence before launching their own company in 2019. Same problem, refined across decades by the same hands.

Now agent frameworks like LangGraph advertise "durable execution" as a feature. The vocabulary crossed the boundary. Whether the full guarantee followed is a different conversation.

The Rare Transfer

Durable Execution: The Rare Case Where Old Knowledge Traveled With the People Who Built It

Most threads in this section trace knowledge that got lost or reinvented blind. Durable execution is the counter-example.

BPM tools in the early 2000s already solved the hard parts of long-running workflows: crash recovery, compensation logic, audit trails. That knowledge didn't drift into the agent era by osmosis. Temporal's co-founders carried it personally across Amazon SWF, Azure Durable Task Framework, and Uber's Cadence before launching their own company in 2019. Same problem, refined across decades by the same hands.

Now agent frameworks like LangGraph advertise "durable execution" as a feature. The vocabulary crossed the boundary. Whether the full guarantee followed is a different conversation.

TAKE NOTE

Embodied knowledge: Temporal's founders built five or six incarnations of the same workflow-state system across Amazon, Microsoft, and Uber before going independent

Production scale: Temporal processed 9.1 trillion lifetime actions by early 2026, with 1.86 trillion originating from AI-native companies alone

Vocabulary gap: Critics argue LangGraph offers checkpoints, not true durable execution, leaving developers to detect and coordinate failures on their own

BPM origins: Saga patterns, compensation events, and human-task gates were formalized in BPMN by 2004, two full decades before agents needed them

Exception's shape: Knowledge survived here because practitioners carried it bodily across eras, not because anyone read the old documentation

The Answer Nobody Read

The Answer That Kept Losing — An Imagined Interview with Norm Hardy

The Answer Nobody Read

The Answer That Kept Losing — An Imagined Interview with Norm Hardy

Two Kinds of Debt

The Operational Inheritance

Browser automation spent twenty years learning to distrust the gap between issuing a command and the command doing what was intended. Selenium engineers built workarounds. Playwright encoded them into architecture. Web agents now operate on the same substrate, facing the same race conditions, the same invisible overlays, the same intercepted clicks. They inherited all of it. The hard-won instinct to doubt when something reports success stayed behind with the community that earned it.

Two Kinds of Debt

The Organizational Inheritance

RPA's governance problems didn't arrive all at once. They accumulated quietly: orphaned bots running on departed employees' credentials, exception-handling logic that lived in one person's head, audit trails nobody maintained. The questions were always answerable. Who owns this? What happens when it fails? Organizations often didn't ask until something broke. AI agents face the same questions now. The teams deploying them are rarely the teams that lived through the answers.

Two Kinds of Debt

The Operational Inheritance

Browser automation spent twenty years learning to distrust the gap between issuing a command and the command doing what was intended. Selenium engineers built workarounds. Playwright encoded them into architecture. Web agents now operate on the same substrate, facing the same race conditions, the same invisible overlays, the same intercepted clicks. They inherited all of it. The hard-won instinct to doubt when something reports success stayed behind with the community that earned it.

Two Kinds of Debt

The Organizational Inheritance

RPA's governance problems didn't arrive all at once. They accumulated quietly: orphaned bots running on departed employees' credentials, exception-handling logic that lived in one person's head, audit trails nobody maintained. The questions were always answerable. Who owns this? What happens when it fails? Organizations often didn't ask until something broke. AI agents face the same questions now. The teams deploying them are rarely the teams that lived through the answers.

Two Kinds of Debt

The Operational Inheritance

Browser automation spent twenty years learning to distrust the gap between issuing a command and the command doing what was intended. Selenium engineers built workarounds. Playwright encoded them into architecture. Web agents now operate on the same substrate, facing the same race conditions, the same invisible overlays, the same intercepted clicks. They inherited all of it. The hard-won instinct to doubt when something reports success stayed behind with the community that earned it.

Two Kinds of Debt

The Organizational Inheritance

RPA's governance problems didn't arrive all at once. They accumulated quietly: orphaned bots running on departed employees' credentials, exception-handling logic that lived in one person's head, audit trails nobody maintained. The questions were always answerable. Who owns this? What happens when it fails? Organizations often didn't ask until something broke. AI agents face the same questions now. The teams deploying them are rarely the teams that lived through the answers.

Further Threads