Replace trust with evidence; never assume agent success—require measurable proofs before human review or sign-off.
Use evals (Claude's native eval skill) to measure non-deterministic code; one skill outperformed baseline 77% vs. 97% accuracy.
Build products for agents like developers: identify what agents reliably get wrong about your product, document those specific gotchas.
Nick Nisi details building Case, a multi-agent harness for automating SDK changes across WorkOS repos. Dropping 10,000+ lines of auto-generated skills to 553 lines of targeted gotchas drove the accuracy gain; hard state-machine gates and cryptographic proof replace instruction-based trust, and a retrospective agent updates its own memory from failure logs.
RL post-training is a multi-stage, multi-model distributed data flow (generation, experience preparation, training) requiring flexible representation and efficient execution simultaneously.
HybridFlow separates algorithm complexity from system complexity via single-controller programming model managing algorithm logic while multi-controller distributed execution handles LM training and serving.
Expanding flexibility means different things: extensibility for open source, reproducible recipes for algorithm researchers, preserving learning behavior during async execution, trustworthy optimizations for deployment.
Generation dominates RL post-training execution (up to 83% on reasoning tasks); trajectory-level asynchrony in Llama decouples actor rollout, buffer, and weight propagation while preserving learning semantics.
System optimizations in RL change learning dynamics (policy versions, reward distributions, log probabilities), requiring algorithm-aware design beyond throughput improvements.
In production, teams prioritize training stability over 5% GPU utilization gains; conservative adoption of radical optimizations avoids expensive convergence failures over weeks-long runs.
Application-level rollout optimization (tools, environments, multi-turn tasks) remains largely unexploited; current inference systems optimize model execution but miss opportunities above the model level.
Classifying system transformations by algorithm risk type (unit tests, token parity, distribution validation, end-to-end) could enable faster, safer optimization deployment versus empirical trial.
Open-source community pressure continuously validates architecture flexibility; inability to add backends or algorithms without modifying core abstraction indicates insufficient design.
Reproducible recipe concept should be first-class in RL frameworks, combining algorithm code, hyperparameters, training traces, infrastructure support—not just system APIs or algorithm results alone.
VRL's evolution from research to production reveals that optimizations like speculative decoding, resharding, and batching changes silently alter training dynamics—policy consistency, reward matching, convergence. The talk introduces trajectory-level asynchrony (Lumina) and argues for principled risk classification of optimizations rather than empirical validation alone.
Optimal distributed systems research (like Datio, a 10,000x faster Paxos) fails to impact AI if it breaks abstraction boundaries or APIs that the AI community won't accept, regardless of performance gains.
Modern AI infrastructure is frozen around 2015 patterns: LLMs trained on pre-2015 GitHub code will regenerate Raft-like solutions and refuse novel approaches even when explicitly instructed otherwise.
Replication and consensus in AI are limited to collective communication primitives (all-reduce) in frameworks like NVIDIA NCCL; impact requires working within that constraint, not replacing it.
Vortex achieved 10x speedups on real AI inference tasks by respecting standard APIs and containerization, yet received no adoption because it required non-standard execution models.
To have impact in modern AI systems research, work must be one step ahead of current practice (like Verl/Hybrid Flow in 2025), embedded in cutting-edge labs (Berkeley, Hong Kong), and use vibe coding to validate feasibility.
Pipeline handoff latency in AI systems can be reduced from 33ms (Kafka) to 33 microseconds using optimized data movement, but only if the solution integrates seamlessly with existing frameworks.
IoT and real-time AI (data flowing dynamically into world models) represent emerging problem spaces not yet frozen by training data, offering genuine opportunities for systems innovation.
AI systems research stopped mattering at the platform level (Verl, not Linux); working below that abstraction boundary guarantees irrelevance no matter how theoretically optimal the solution.
Vibe coding with LLMs will dominate 90% of student work and beyond; systems community must adapt by encoding cutting-edge patterns into fine-tuning and prompts, not resist the shift.
Security partitioning in AI training (e.g., isolating scoring from grading in mixture-of-experts) while preserving semantics and reproducibility is an unexplored systems problem aligned with real constraints.
Ken Birman recounts Drio, a Paxos-based RDMA multicast 10,000x faster than Raft, and Vortex, a zero-copy inference layer with 33-microsecond handoffs versus Kafka's 33ms—both with zero adoption. The root cause: AI coding assistants trained on pre-2015 GitHub code reject systems that violate established API contracts, making theoretical optimality irrelevant.
Attackers registered a one-letter domain typo (e.g., pypi.org vs a similar domain) and built a man-in-the-middle proxy to phish PyPI maintainers; only four clicked through but had credentials compromised.
Phishing-resistant WebAuthn (passkeys/hardware keys) cannot be exploited by proxy attacks because the browser cryptographically validates the correct domain before prompting—TOTP codes can be captured and reused.
Attackers targeted num-to-words, a transitive dependency of Hugging Face Transformers (30M daily downloads), banking on unpinned dependencies to distribute Scavenger Loader malware at scale.
PyPI processes 13 billion requests per day with 900+ new packages daily; only one full-time security engineer handles incident response because volunteer staff cannot provide 24/7 coverage.
Trusted publishing eliminates long-lived API tokens by cryptographically linking package uploads to CI/CD platforms (GitHub, GitLab, Google Cloud Build, CircleCI); removes the primary attack vector.
Domain registrars and abuse services notify attackers when reports are filed, defeating rapid response; legal cease-and-desist letters are now required to effectively block malicious domains.
PyPI added mandatory email reconfirmation for TOTP logins from new devices/IPs (November 2025) as friction to slow phishing success while promoting WebAuthn as the frictionless alternative.
Attackers returned in September 2025 with the same attack pattern, proving persistence; domain registration remains cheap and threat actors are learning PyPI patterns and targeting popular transitive dependencies.
Dependency cool-down periods (3–7 days in pip, uv, Dependabot) let security researchers catch malicious packages before widespread installation; median detection time is ~5 hours during working hours.
WebAuthn adoption requires significant UX/cultural change and education; PyPI cannot mandate it without breaking existing workflows, but must nudge users toward phishing-resistant authentication over time.
Attackers registered a one-character lookalike of pypi.org, ran a MitM proxy to capture TOTP sessions and mint API tokens, then published a Scavenger Loader variant via num-to-words—a transitive dependency of Hugging Face Transformers. WebAuthn would have blocked the attack; response took 40 volunteer hours across registrars and maintainers.