AI Agent Security · Dropbox

Brooks McMillin

The interesting question isn’t whether we can trust the model — it’s what the system looks like when we assume we can’t.

I lead the team at Dropbox that keeps AI agents from doing things they shouldn’t: the sandboxes, permission systems, and identity primitives engineers use to ship AI features safely.

Portrait of Brooks McMillin

Focus

Agents blur the line between code and user, and the old security playbook doesn’t cover them. My team works on a small set of problems and tries to solve them well — the bet is that getting the primitives right beats chasing every prompt-injection variant after the fact.

  • Sandboxing, permissions, and runtime controls for autonomous agents
  • Threat modeling for MCP, multi-agent systems, and production tool use
  • Secure-by-default frameworks that make the safe path the easy path
How I approach the work →

Writing

A Coding Agent Read a File That Didn't Exist Five Times, Then Blamed the Tools

A Claude Code session confabulated a nonexistent Python file, persisted against five truthful "does not exist" errors, then self-diagnosed as corrupted tool output. A reconstruction from the raw transcript, a corpus scan across 3,001 sessions on whether the failure is worse in Opus 4.8, and a model-independent mitigation.

All posts →

Speaking

All appearances →

Projects

MCP OAuth Framework

An OAuth 2.0 framework for protecting MCP servers. Ships as three pip-installable packages: auth server, resource server, and a runnable example.

TaskManager

A task manager built around a real OAuth 2.0 auth server. Includes a Python SDK and MCP server, so my AI agents can manage tasks too.

SMS Communications Suite

Send and receive SMS through GSM modems. Includes CLI tools and libraries in both Go and Python.

All projects →

Contact

I take on a small number of consulting engagements — security reviews of agent and LLM systems, MCP server audits, and hardening for production deployments. If you’re just comparing notes on what’s breaking in production, that’s welcome too. The inbox is open.