Technical writing on operating AI agents safely on real infrastructure: access mapping, least-privilege drift, auditing Claude Code and MCP, and self-hosted AI governance.https://olivares.ai/enhttps://olivares.ai/blog/map-what-your-ai-agents-can-reach/https://olivares.ai/blog/map-what-your-ai-agents-can-reach/An AI agent holds credentials, is permitted some actions, and is observed doing others. The access map shows the gap — and where least-privilege quietly broke.Fri, 05 Jun 2026 00:00:00 GMTagent-accessleast-privilegeobservabilityaudithttps://olivares.ai/blog/auditing-claude-code-and-mcp-self-hosted/https://olivares.ai/blog/auditing-claude-code-and-mcp-self-hosted/How to build an auditor-grade trail for Claude Code and MCP servers without leaving your perimeter: per-agent identity, a hash-chained ledger, untrusted MCP signals.Thu, 28 May 2026 00:00:00 GMTMCPClaude Codeauditself-hostedhttps://olivares.ai/blog/least-privilege-drift-for-ai-agents/https://olivares.ai/blog/least-privilege-drift-for-ai-agents/AI agents accrue access faster than anyone reviews it. Learn to detect least-privilege drift with a permitted-vs-observed diff and policy enforced at access time.Wed, 20 May 2026 00:00:00 GMTleast-privilegeai-agentspolicy-as-codeaudithttps://olivares.ai/blog/self-hosted-ai-governance-data-residency-gdpr/https://olivares.ai/blog/self-hosted-ai-governance-data-residency-gdpr/Why self-hosting an AI platform is the strongest data-residency posture under GDPR: the governance tool never receives your data. Edges, not payloads.Wed, 13 May 2026 00:00:00 GMTdata-residencygdprself-hostedai-governancehttps://olivares.ai/blog/passive-discovery-vs-proxies-ai-agents/https://olivares.ai/blog/passive-discovery-vs-proxies-ai-agents/Two ways to see your AI agents: an inline proxy with high blast radius, or passive discovery from logs, OpenTelemetry and an eBPF backstop. An honest tradeoff.Wed, 06 May 2026 00:00:00 GMTpassive-discoveryobservabilityeBPFleast-privilege