The interesting takeaway for me was that AI agents don't learn from incident reviews. You can't teach Kiro to "be more careful next time." The fix has to be structural — an external checkpoint that doesn't care who's deploying.
We built a public challenge around this concept: try to merge to a protected repo without a signed cryptographic receipt. Any method. https://permissionprotocol.com/challenge
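What a "structural checkpoint that doesn't care who's deploying" looks like in code, as an added example that is not the commenter's code or anything from permissionprotocol.com. The receipt here is an HMAC over the repo, commit and validity window, standing in for whatever signature the real challenge uses; the `issue_receipt` / `verify_receipt` / `merge_gate` names, the `DEMO_KEY` and the sample repo and commit values are all constructed for this illustration. The point the code makes is that `merge_gate` logs the actor but never branches on it: a human admin without a receipt and an agent with a forged or expired one get the same refusal.

```python
import hmac
import hashlib
import json

# Constructed demo key for this example only. In a real setup the key lives
# in the external receipt-issuing service, never in the CI runner or the agent.
DEMO_KEY = b"example-receipt-issuer-key"


def _canonical(payload: dict) -> bytes:
    # Canonical JSON so issuer and verifier authenticate exactly the same bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def issue_receipt(key: bytes, repo: str, commit_sha: str, issued_at: int,
                  ttl_seconds: int = 600) -> dict:
    """Issuer side: bind one repo, one commit and a validity window to a MAC."""
    payload = {"repo": repo, "commit": commit_sha,
               "iat": issued_at, "exp": issued_at + ttl_seconds}
    mac = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": mac}


def verify_receipt(key: bytes, receipt, repo: str, commit_sha: str, now: int):
    """Verifier side: every check is on the receipt and the merge target,
    none on who presents it. Returns (allowed, reason)."""
    if (not isinstance(receipt, dict) or not isinstance(receipt.get("payload"), dict)
            or "mac" not in receipt):
        return False, "missing receipt"
    payload = receipt["payload"]
    expected = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    # Constant-time comparison; compare as bytes so a non-ASCII MAC cannot raise.
    if not hmac.compare_digest(expected.encode(), str(receipt["mac"]).encode()):
        return False, "bad signature"
    if payload.get("repo") != repo or payload.get("commit") != commit_sha:
        return False, "receipt is for a different repo or commit"
    if now >= payload.get("exp", 0):
        return False, "receipt expired"
    return True, "ok"


def merge_gate(key: bytes, receipt, repo: str, commit_sha: str, actor: str, now: int) -> dict:
    """The checkpoint. `actor` is kept for the audit trail only; it does not
    influence the decision, so there is no 'trusted' identity to bypass."""
    allowed, reason = verify_receipt(key, receipt, repo, commit_sha, now)
    return {"actor": actor, "allowed": allowed, "reason": reason}


def demo() -> dict:
    """Constructed scenarios: the same gate applied to an agent and to a human."""
    repo, sha, now = "org/protected-repo", "a1b2c3d4", 1_700_000_000
    receipt = issue_receipt(DEMO_KEY, repo, sha, issued_at=now)
    # Receipt for this commit, re-pointed at another commit without re-signing.
    tampered = {"payload": dict(receipt["payload"], commit="deadbeef"), "mac": receipt["mac"]}
    return {
        "agent_with_receipt": merge_gate(DEMO_KEY, receipt, repo, sha, "kiro-agent", now),
        "admin_without_receipt": merge_gate(DEMO_KEY, None, repo, sha, "human-admin", now),
        "agent_with_tampered_receipt": merge_gate(DEMO_KEY, tampered, repo, sha, "kiro-agent", now),
        "agent_with_expired_receipt": merge_gate(DEMO_KEY, receipt, repo, sha, "kiro-agent", now + 601),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:30} allowed={outcome['allowed']!s:5} reason={outcome['reason']}")
```

Two design choices carry the idea: the receipt is bound to a specific commit and expires, so one can't be captured and replayed against a different change later, and the decision function has no identity branch at all, so "be more careful next time" is never something the gate has to rely on.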