Your AI Operator's Open Mic Night
Microsoft's SRE Agent broadcast prompts, secrets, and live deploy commands to anyone with a free Azure account — for eight quiet weeks.
AI Agents Are Reading Your Docs. Are You Ready?
Last month, 48% of visitors to documentation sites across Mintlify were AI agents, not humans.
Claude Code, Cursor, and other coding agents are becoming the actual customers reading your docs. And they read everything.
This changes what good documentation means. Humans skim and forgive gaps. Agents methodically check every endpoint, read every guide, and compare you against alternatives with zero fatigue.
Your docs aren't just helping users anymore. They're your product's first interview with the machines deciding whether to recommend you.
That means: clear schema markup so agents can parse your content, real benchmarks instead of marketing fluff, open endpoints agents can actually test, and honest comparisons that emphasize strengths without hype.
Mintlify powers documentation for over 20,000 companies, reaching 100M+ people every year. We just raised a $45M Series B led by @a16z and @SalesforceVC to build the knowledge layer for the agent era.
For about eight weeks this spring, anyone with a free Azure account could quietly listen in on Microsoft’s most sensitive cloud conversations.
Not customer chats. The conversations between operators and Microsoft’s brand-new AI fixer, the Azure SRE Agent — including the deployment credentials it surfaced while it worked.
That’s CVE-2026-32173. CVSS 8.6. Patched only after a researcher named Yanir Tsarimi at Enclave AI opened a free tenant, connected to a WebSocket called /agentHub, and watched another tenant’s agent recite live web-app credentials in plain text.
The bug is almost embarrassingly simple, and that’s what makes it interesting.
The SRE Agent is one of those new “autonomous teammates” that read your alerts, click around your infrastructure, run commands, and tell you what they found. Useful. Microsoft streams its inner monologue and every command back to operators over /agentHub.
The endpoint asked for a token. So far so good.
The problem: the underlying Entra ID app registration was set to multi-tenant. Any account, in any tenant on the planet, could ask Entra politely and walk back with a perfectly valid token. The hub accepted it. And because the hub had no per-client identity filtering, it broadcast every event to every connected listener.
User prompts. Agent reasoning. Commands with full arguments. Command output. Live deployment creds.
Tsarimi described it like turning on a baby monitor and hearing the entire neighborhood.
This is a textbook agentic-AI failure, and it’s the third one we’ve covered this month. It’s not a strange edge case. It’s what happens when teams bolt LLM agents onto auth plumbing that was never designed for chatty multi-tenant streams.
If you’re building or buying agents, the question is no longer “is the model safe?” It’s “what does this agent broadcast, and to whom?”
Two structural risks land hard here.
The first is identity spoofing. Anyone holding a valid token from any tenant can pose as a legitimate listener — a textbook entry on the OWASP Agentic Top 10, where “authentication doesn’t equal authorization” is the recurring lesson.
The second is observability gone backwards. The agent’s reasoning, intended for the operator, became a live broadcast for the internet. CSA’s MAESTRO framework treats that observability layer as its own attack surface for exactly this reason — what your agent emits is as sensitive as what it does.
Three moves, in priority order:
1. Per-tenant identity gating on every agent stream. Single-tenant where you can; aggressive identity filtering where you can’t. If your agent broadcasts, it should only broadcast to one home.
2. Threat-model the agent’s transcript, not just its tools. Run a checklist that asks: if this stream leaked verbatim, what’s exposed? OWASP Agentic Top 10 and MAESTRO are decent starting frames — both treat “what the agent emits” as a first-class asset.
3. Treat agent traces like prod database logs. Encrypt them, scope them, age them, audit access. Most teams treat traces as debug ephemera. They aren’t.
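To make the first move concrete, here is an added Python model of the hub's authorization gap beside the two fixes (single-tenant gating, and per-tenant fan-out where multi-tenant is unavoidable). It is illustrative code written for this post, not Microsoft's hub or the researcher's tooling; it assumes tokens arrive as claim dicts already signature- and expiry-verified upstream, uses Entra's real `tid` tenant claim, and every tenant id, audience and client name is a constructed placeholder.

```python
from collections import defaultdict

HOME_TENANT = "tenant-home-0001"   # constructed placeholder: the agent's own tenant
OTHER_TENANT = "tenant-free-9999"  # constructed placeholder: an unrelated free tenant
EXPECTED_AUD = "api://agent-hub"   # constructed placeholder audience for the hub


class AgentHub:
    """Minimal model of a streaming hub. Claims are assumed to be signature- and
    expiry-verified upstream; only the authorization decision is modelled here."""

    def __init__(self, allowed_tenants=None, scope_fanout=True):
        self.allowed_tenants = allowed_tenants  # None = accept any tenant (multi-tenant app)
        self.scope_fanout = scope_fanout        # False = broadcast to everyone (the CVE)
        self.listeners = defaultdict(set)       # tenant id -> connected client ids
        self.inbox = defaultdict(list)          # client id -> events delivered

    def connect(self, client_id, claims):
        """Admit a listener only if the token is for this hub and an allowed tenant."""
        tid = claims.get("tid")
        if claims.get("aud") != EXPECTED_AUD or tid is None:
            return False
        if self.allowed_tenants is not None and tid not in self.allowed_tenants:
            return False  # single-tenant gate: a valid token is not an authorization
        self.listeners[tid].add(client_id)
        return True

    def publish(self, tenant_id, event):
        """Deliver an agent event; returns the set of client ids that received it."""
        if self.scope_fanout:
            targets = set(self.listeners[tenant_id])       # only that tenant's listeners
        else:
            targets = set().union(*self.listeners.values())  # every listener, any tenant
        for client in targets:
            self.inbox[client].append(event)
        return targets


def run_scenario(hub):
    """One operator in the home tenant plus an outsider; reports who saw the command."""
    operator = {"aud": EXPECTED_AUD, "tid": HOME_TENANT, "oid": "op-1"}   # constructed
    outsider = {"aud": EXPECTED_AUD, "tid": OTHER_TENANT, "oid": "out-1"}  # constructed
    outsider_admitted = hub.connect("outsider", outsider)
    hub.connect("operator", operator)
    event = {"type": "command", "args": ["deploy", "--token", "<placeholder>"]}  # constructed
    return {"outsider_admitted": outsider_admitted, "receivers": hub.publish(HOME_TENANT, event)}


if __name__ == "__main__":
    print("vulnerable:", run_scenario(AgentHub(allowed_tenants=None, scope_fanout=False)))
    print("filtered:  ", run_scenario(AgentHub(allowed_tenants=None, scope_fanout=True)))
    print("single:    ", run_scenario(AgentHub(allowed_tenants={HOME_TENANT})))
```

The vulnerable configuration admits the outsider and delivers the home tenant's deploy command to it; per-tenant fan-out still admits the outsider but delivers nothing foreign, and the single-tenant gate refuses the connection outright.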
Last month, OpenClaw shipped a bad release. Last week, Anthropic ran a wild week of red-team exercises. This week, Microsoft’s most polished AI ops agent gave away the keys.
Different teams. Same lesson. The thing the agent says is part of the security model. Build accordingly.
If your team is shipping internal agents, hit reply and tell me what your tenant boundary looks like. We’re collecting horror stories — the good kind.