Security architecture

The most dangerous part of an AI stack is rarely the model.

Repo workflows, tokens, plugins, post-login trust, and integration boundaries are where systems reveal whether they were built to be demoed or built to survive. Security is architecture with consequences attached.

The most dangerous part of an AI stack is rarely the model. It is the boring layer people keep calling "just plumbing."

Repo workflows, tokens, plugins, post-login trust, integration boundaries — that is where modern systems reveal whether they were built to be demoed or built to survive.

I have learned to get nervous whenever a system gets described as seamless before anyone has described its trust boundaries. The glamorous part gets the launch post. The ugly part gets the incident report. That pattern keeps repeating because the operational layer is tedious to discuss and expensive to simplify.

But the boring details are exactly where reality accumulates: who can trigger what, where credentials move, how much is exposed after login, what a plugin is allowed to do, how a workflow fails when assumptions break. In complex systems, security is not a separate theme from architecture. It is architecture with consequences attached.

If your trust model is still implicit, your architecture is still unfinished.

Tags: cybersecurity, software-architecture, ai-security, trust-boundaries