Are you downloading “skills” from the internet and feeding them to your AI agents like candy from a stranger? If so, you may be entitled to a security incident...

Agent skills, MCP servers, plugins, scripts, tool definitions, workflow templates, and prompt packs are not harmless productivity boosters by default. They can define what your agent can access, what it can execute, where it can send data, and what decisions it can make. In other words, they are not just “instructions.” They are operational authority. And yet, a lot of teams are installing them with less review than they would give a browser extension.

Before giving an agent a new capability, teams should be asking:
✅ Who created this?
✅ What permissions does it require?
✅ What systems can it touch?
✅ What data can it access?
✅ Can it exfiltrate information?
✅ Is anyone logging what it does?
✅ Can we revoke it if something goes wrong?

Agent governance is not just about reviewing model outputs. It is about understanding the tools, permissions, context, and authority you are handing to the system. Because “my agent did it” is not going to be a great incident response strategy.

At ChooChoo, we are building visibility into what agents are doing, what tools they are using, what data they are touching, and where risk is emerging. AI governance starts with visibility. Try it free at choochoo.cc.
ChooChoo
Software Development
San Francisco, California
44 followers
Governance that keeps your AI engineering on track
About us
The governance layer for agentic software development. ChooChoo gives hybrid human and AI engineering teams the context and controls they need to ship with confidence. We turn contracts, security rules, and approval workflows into living specs that guide agents, validate every commit, and generate audit-ready evidence automatically. One source of truth across engineering, compliance, and leadership. Start with context, ship with confidence.
- Website: https://choochoo.cc
- Industry: Software Development
- Company size: 2-10 employees
- Headquarters: San Francisco, California
- Type: Privately Held
- Founded: 2026
Locations
- Primary: 2261 Market St, San Francisco, California 94114, US
Updates
-
ChooChoo reposted this
The hardest part of deploying AI agents is not getting them to do things. It is knowing what they did. 👇

As agents move into the SDLC, security workflows, customer operations, and internal tools, teams need a way to understand:
- What happened?
- Why did it happen?
- What data was touched?
- What tools were used?
- Where did it fail?
- What should be improved?

That is what we are building at ChooChoo 🚂

The ChooChoo Platform gives a unified view into AI agent activity, helping technical and non-technical teams evaluate performance and risk. We help legal, security, and compliance teams start building governance around real system behavior. Plus, our insights into token spend will make your finance team happy too.

AI governance starts with visibility. Try it free at choochoo.cc.
-
-
ChooChoo + GitHits = 💪🤖
Output tokens are billed at 4-6 times the cost of input tokens. So every retry an agent makes because it can't find the right code shows up in your bill at output-token rates. That was one of the key messages from our CPO Nathan Burg, when he gave a demo at the Context is King event in San Francisco yesterday, organized by Flow AI. Nathan's plan was a side-by-side comparison on Opus 4.7. Same prompt asking how OpenCode handles compaction, same model on both panes, with GitHits installed on one side and not on the other. The point was to show the token gap when an agent has to look inside an open-source repo to answer a real question. Opus 4.7 without GitHits never actually found the answer. It spun up a sub-agent, started grepping Nathan's local filesystem looking for code that wasn't there, then settled for a markdown file with some related notes. There was nothing locally that matched the actual implementation in OpenCode, and the model had no way to reach into that repository. The GitHits side finished in around 2,000 output tokens with the right code cited and the line numbers. On a longer task in the same demo, building a Rust MCP server with Codex on GPT-5.4, the gap was 36,000 output tokens with GitHits versus 46,000 without. That kind of gap stacks up fast in any team shipping with coding agents. Nathan measured all these comparisons in ChooChoo, an observability tool for coding agents. He'd mentioned the arena view to ChooChoo co-founder Alex Rigler two days earlier. Alex shipped it overnight. 😄 Full demo in the first comment.
-
ChooChoo reposted this
One of the things I love about being in San Francisco is getting to meet builders who are passionate and excited about the problem they’re solving. Here’s a quick example of why that matters. I wanted to understand how Superset’s desktop app handles config resolution when there are config files at multiple levels, the main repo, the worktree, and a user override, and what config.local.json is for. Using Anthropic’s Opus 4.7 without GitHits, it took 10.1k (1.8k + 8.3k) output tokens and about 7 minutes. With GitHits, it took 2.1k output tokens and 40 seconds. How do I know this? ChooChoo. Alex Rigler from ChooChoo and I took a walk along the Embarcadero, and I was telling him how I’ve been using ChooChoo to evaluate token usage across coding agents, comparing sessions with and without GitHits. I mentioned it’d be really useful to compare sessions side by side, since I’m constantly running parallel benchmarks. Right after we got back from the walk, Alex messaged me: “I’m gonna try to get this working before your demo tomorrow.” By the next morning, ChooChoo had a brand new Arena feature, session comparison, shipped and working, and I was using it live onstage that night while demoing GitHits. A conversation on a walk to a production feature overnight. This is why we’re excited to be working alongside teams like ChooChoo. They’re building the observability and evals layer for coding agents, and it’s exactly the kind of tool we rely on to understand how agents perform with GitHits in the loop. When two teams are building in the same space and actually using each other’s products, things move fast.
-
-
ChooChoo reposted this
Been reading the news lately… Vercel got breached through an AI workflow tool. Meta had a rogue agent expose data. The pattern isn’t failure. It’s lack of visibility. ChooChoo’s free desktop app lets you actually see what your agents are doing, where spend is going, and how they’re behaving across tools. choochoo.cc Would love your thoughts. DM me if you try it.
-
They say the best things in life are free. So we built one 🚂

We just launched a free desktop app for anyone running coding agents. It sits on top of your existing stack and gives you:
🟢 visibility into what your agents are actually doing
🟢 real signal on where tokens and spend are going
🟢 a unified view of past agent sessions across tools (Claude Code, Cursor, Codex, Copilot, and more)

No integrations. No setup. No commitment. Just open it and see what’s actually happening under the hood.

If agent spend, performance, or governance has been sitting on your “we’ll get to it” list, this is the easiest place to start. We’re also opening up a few design partner spots for teams who want to go deeper.

choochoo.cc

Start with context. Ship with confidence.
-
-
ChooChoo reposted this
⭐🎤 Women in Tech Global Conference 2026 Speakers ⭐🎤

👏 Kimberly Nyitray, Co-Founder & COO of ChooChoo, is an AI governance leader specializing in observability, policy enforcement, and translating regulatory requirements into practical system-level controls for modern AI systems.

💡 Kimberly’s talk "Building Powerful AI Without Losing Trust" explores how founders can navigate the risks of agentic AI by embedding governance, accountability, and control directly into the systems they build.

Key Takeaways:
✔️ Why traditional governance frameworks fall short for agentic AI
✔️ The importance of runtime visibility, traceability, and embedded controls
✔️ How to balance rapid innovation with trust, accountability, and compliance

👉 Get your ticket now: https://lnkd.in/d4HZyyh
👉 Get your Group Pass: https://lnkd.in/dZwXqM-m

#womenintech #wtgc2026 #conferencespeaker #ResponsibleAI #AIGovernance #TrustInAI
-
-
NEW LAUNCH 🚂✨
Your coding agents are running blind on the tracks. 🚂

You kick off a Claude Code or Cursor session, go make coffee, come back, and there's a diff. Which files did it read to get there? Which sites did it browse? Which tools fired? Where did all those tokens go? Good luck finding out.

Today we're launching ChooChoo Desktop. Free, local, private observability for coding agents. Install it, and every session gets captured and analysed on your machine. No cloud, no telemetry, nothing leaves your laptop.

What you get:
• High-level insights across every agent you run
• Full session replay: files read, sites browsed, context used, tools and MCPs and skills invoked, models run, tokens spent
• Reviews for workflow, security, and code quality, plus daily and weekly rollups

And the timing's useful: with Opus 4.7 shipping today, every team is about to be running two models in parallel and wondering which one's actually earning its keep. ChooChoo will tell you.

👉 Link in comments.

#AI #DeveloperTools #CodingAgents #Observability
-
-
ChooChoo reposted this
Everyone wants AI to make compliance faster. The Delve news is a good reminder of the risk. The allegations are contested, but the bigger point stands: you cannot automate trust without proving it.

🛑 Compliance is not a generated policy.
- It is not a dashboard.
- It is not a polished report.

🏁 It is evidence.

Can you show what your system actually did? Can you trace how controls were applied? Can you prove it when someone outside your company starts asking hard questions? That is the difference between looking compliant and being compliant.

In an agentic world, that gap gets even bigger. Because compliance is no longer just what you wrote down. It is what your system actually does in production.

That is where this market is heading:
- from faster compliance
- to provable compliance.

🚂 At ChooChoo, that is exactly what we are building: governance that lives inside the system, not just around it.

💡 If you are thinking about how to make AI compliance observable, enforceable, and audit-ready, let’s talk.