The meta-problem ("who watches the watcher?") is real, but I think the framing shapes the answer. If you're building a second AI to monitor the first, you've just doubled your attack surface.

The more tractable approach IMO is focusing on input validation. The primary attack vector for agentic AI isn't the model going rogue—it's prompt injection through tool outputs, RAG results, API responses, and external content. The model follows instructions; attackers craft instructions that look like legitimate data.

We're building something for this at Aeris (PromptShield)—lightweight guardrails that scan inputs before they reach the model. Think of it less as "watching the AI" and more like input sanitization in traditional security. You wouldn't let untrusted data hit your database without validation; same principle applies to LLM context windows.

Curious whether people think the "watcher" needs to be an AI at all, or if deterministic/rule-based scanning catches the majority of attack patterns?

I think everything is absurdly chaotic at the moment, and a major question is whether it will ever calm down or perhaps this level of chaos is the new norm.

Case in point is Moltbook: it went from being an idea to going viral in a matter of days, and now it could either become the ecosystem that powers the next wave of innovation or the textbook example of the risks of vibe coding.

Is every AI post on HN gonna be Claw* or Molt* themed now? Is this the new DAO MCP NFT hypeword?