Strategy For Enabling Safe AI Usage
A 4 tier plan on enabling AI safely in the workplace
How to enable safe usage of AI at startups
Startups are known to move fast and break things. However, for the first time I’m seeing startup founders and leaders worried about moving fast.
Why?
Because now, if something breaks due to AI, it can break pretty badly.
AI, like any junior person, is prone to making mistakes. Not only that, but it can hallucinate (like a person on mushrooms).
For example: "Amazon blames human employees for an AI coding agent's mistake" (The Verge)
Some other possible mistakes AI can make:
Delete production databases or data
Make S3 buckets public accidentally
Leak PII or PHI data
So now you have this entity that can make mistakes and is prone to drug usage, working on your production code. What are you to do?
You build guardrails.
Guardrails & Least Permissions
Now that the mistakes can be so much bigger, companies are finally thinking about how to lock things down.
But this is not new.
We should have been practicing guardrails and least privilege permissions from the beginning.
But we were OK with some flexibility here because humans were behind the wheel. If they mess up, they’ll get fired.
Are we firing our AI agents? No. Instead, we forgive them and blame ourselves for giving them too much power.
Sounds like empathetic parenting to me.
Use Case: Finance wants access to production data
So let’s go over a concrete example.
Finance wants better financial clarity. Claude tells them it needs access to the database (Supabase) to give them the best information.
So Finance files a request for Claude to get access to production data.
Do we give them access? Of course not.
But we want to enable the business.
So let’s come up with a few solutions from easiest (less secure) to most complex (more secure / robust):
Create a Read-Only Role + MCP Access
We create a read-only role
We point their MCP at a read replica (pointing it at the primary would let one bad query affect production load)
Pros:
Easy and quick setup
Works agentically using an MCP
Cons:
Finance still has access to the FULL DB including any PII or sensitive information
Create a Reporting Schema + MCP Access
Create a reporting schema that pre-joins all the necessary information, but without the PII/PHI
Point MCP to a read-replica
Pros:
Safe access. Only access what they need
Works agentically using an MCP
Cons:
Takes more work to set up. Requires a senior person who knows the DB well to create the view
May require additional maintenance of the view
This can be offloaded: Finance can open a PR for the new view via Claude Code
That in turn requires the schema to live in code (migrations or IaC such as Terraform), so the change is reviewed before it reaches production
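What the first two tiers look like in Postgres (which is what Supabase runs), as an added example that is not from the original post. It assumes two hypothetical tables, public.customers (with email and full_name as PII) and public.invoices, a database named postgres, and that it is run on the primary by the role that owns those tables; the roles and the view then replicate to the read replica the MCP server points at.

```sql
-- Added example (not from the original post). Assumed, hypothetical schema:
--   public.customers(id, email, full_name, plan, country)   -- email/full_name are PII
--   public.invoices(id, customer_id, amount_cents, status, paid_at)
-- Run on the primary as the role that owns these tables (e.g. the migrations role).

-------------------------------------------------------------------------------
-- Tier 1: read-only role. Cheap, but it can read every column, PII included.
-------------------------------------------------------------------------------
CREATE ROLE finance_ro NOLOGIN;
GRANT CONNECT ON DATABASE postgres TO finance_ro;
GRANT USAGE ON SCHEMA public TO finance_ro;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO finance_ro;
-- tables this owner role creates later are readable too
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO finance_ro;

-------------------------------------------------------------------------------
-- Tier 2: reporting schema. The view pre-joins what Finance needs and never
-- selects a PII column. A Postgres view runs with its OWNER's privileges
-- (unless you set security_invoker = true), so the reader role needs no grant
-- on public.customers or public.invoices at all.
-------------------------------------------------------------------------------
CREATE SCHEMA reporting;

CREATE VIEW reporting.monthly_revenue AS
SELECT date_trunc('month', i.paid_at) AS month,
       c.plan,
       c.country,
       count(DISTINCT c.id)           AS paying_customers,
       sum(i.amount_cents) / 100.0    AS revenue
FROM   public.invoices  i
JOIN   public.customers c ON c.id = i.customer_id
WHERE  i.status = 'paid'
GROUP  BY 1, 2, 3;

CREATE ROLE finance_reporting NOLOGIN;
GRANT CONNECT ON DATABASE postgres TO finance_reporting;
GRANT USAGE ON SCHEMA reporting TO finance_reporting;   -- deliberately NOT on public
GRANT SELECT ON ALL TABLES IN SCHEMA reporting TO finance_reporting;
ALTER DEFAULT PRIVILEGES IN SCHEMA reporting GRANT SELECT ON TABLES TO finance_reporting;

-- The login the MCP server connects with; make it a member of ONE of the groups.
-- Timeouts belong on the login role: role-level settings are not inherited.
CREATE ROLE finance_mcp LOGIN PASSWORD 'replace-me' IN ROLE finance_reporting;
ALTER ROLE finance_mcp SET statement_timeout = '30s';
ALTER ROLE finance_mcp SET default_transaction_read_only = on;

-- Check (as a superuser or a member of the role) that PII is unreachable.
SET ROLE finance_reporting;
SELECT * FROM reporting.monthly_revenue LIMIT 5;   -- works
SELECT email FROM public.customers LIMIT 1;        -- ERROR: permission denied
RESET ROLE;
```

The thing the "senior person who knows the DB" has to get right is the owner-privilege behaviour of the view: because the view is evaluated as its owner, finance_reporting can read the aggregate without ever being granted the base tables. If someone later flips the view to security_invoker = true, the grants on public.customers would be needed and the PII isolation would have to be re-checked.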
Create a Data Warehouse + MCP
Create a Data Warehouse (BigQuery, Redshift, ClickHouse, etc.) so that many people can access the data
Point MCP to Data Warehouse
Pros:
Scalable way for teams to access data
Multiple pipelines of data from various sources (Posthog, Segment, Sentry, etc), not limited to just prod DB
Cons:
Requires some Data Engineering work to build and possibly maintain (Maintenance can probably be done with agents tbh)
Strategy For Enabling Safe AI Usage
Having been in the trenches trying to solve runaway AI usage, I have developed a multi-layered approach towards securing company data while enabling safe AI usage.
Below are the main principles:
Segment users into various groups based on sensitive data access and/or permissions
Leverage all the native, built-in tooling in Anthropic's and OpenAI's products to lock things down where appropriate: everything from settings.json for Claude to limiting which MCP servers can be used
Enable telemetry from your AI tooling for visibility
Leverage a layer on the endpoint that will give you:
Full insight into AI tool calls
The ability to disable/enable specific tools calls and permissions for ALL AI tools
e.g. allow the Gmail MCP to read emails, but not to send them
Implement a robust DLP tool on top that tracks company and customer data and ensures that neither humans nor non-humans send it to the wrong place!
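As an added example (not from the original post), here is what the "lock things down with the native tooling" and "read email but don't send it" items look like in a Claude Code settings.json. The keys are the ones Claude Code documents (permissions allow/deny, the enabled/disabled MCP server lists, and the OpenTelemetry env vars that turn on its telemetry export); the server names supabase_reporting, supabase_prod and gmail, the tool name mcp__gmail__send_email and the collector endpoint are assumptions for illustration.

```json
{
  "permissions": {
    "allow": [
      "Read",
      "Grep",
      "Glob",
      "Bash(git diff:*)",
      "Bash(npm test:*)",
      "mcp__supabase_reporting"
    ],
    "deny": [
      "Read(./.env)",
      "Read(./.env.*)",
      "Read(./secrets/**)",
      "Bash(curl:*)",
      "Bash(psql:*)",
      "Bash(rm -rf:*)",
      "WebFetch",
      "mcp__supabase_prod",
      "mcp__gmail__send_email"
    ]
  },
  "enableAllProjectMcpServers": false,
  "enabledMcpjsonServers": ["supabase_reporting", "gmail"],
  "disabledMcpjsonServers": ["supabase_prod"],
  "env": {
    "CLAUDE_CODE_ENABLE_TELEMETRY": "1",
    "OTEL_METRICS_EXPORTER": "otlp",
    "OTEL_LOGS_EXPORTER": "otlp",
    "OTEL_EXPORTER_OTLP_PROTOCOL": "grpc",
    "OTEL_EXPORTER_OTLP_ENDPOINT": "http://otel-collector.internal:4317"
  }
}
```

Deny rules win over allow rules, which is what makes the Gmail line work: the server as a whole is enabled, only its send tool is refused. Ship this as the managed settings file (/etc/claude-code/managed-settings.json on Linux, /Library/Application Support/ClaudeCode/managed-settings.json on macOS) rather than a per-project .claude/settings.json, because managed settings take precedence and a user cannot override them from their own settings or the command line; the per-user segmentation from the first principle then becomes a question of which managed file each group of laptops receives.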
At the end of the day, it’s about building the right guardrails so people can do the 10x work they want to do. I am a big believer in a “yes, and” approach vs a straight “no”.
In Other News
Some interesting articles or links I ran into over the course of the week:
Claude Code:
Local LLMs:
As part of my SNTS (Shiny New Tool Syndrome) and desire for infinite tokens, I’ve been fascinated by running local LLMs. A friend of mine showed me his rig and it was fascinating. However, I don’t have $10-30k to drop on that, so I’m curious on what’s out there and the inner workings of making it work.
Good how-to and primer: Local AI Explained | Hardware, Setup and Models
Interesting: Tiiny AI (discovered from YT lol)
https://www.xda-developers.com/local-llm-call-claude-changed-everything-local-first-setup/
Random
Sit down & single task this. Turn up the volume and listen to this:
Have a great week!!
-Ayman