- A personal AI system can function as an "observer," analyzing your digital "cognitive exhaust fumes" from multiple sources to provide insights without acting on your behalf.
- Its "read-only" architecture is a deliberate design choice to mitigate the high risks of AI making write errors in personal contexts and to maintain the integrity of analytical observations.
- This approach offers value by facilitating self-reflection on attention, intentions, and relationships, distinguishing itself as a safer, distinct product category from autonomous "agent" AI.
Cognitive Exhaust Fumes, or: Read-Only AI Is Underrated — Šimon Podhajský, Head of AI, Waypoint
- Cognitive Exhaust Fumes: This term describes the digital activity byproduct (e.g., browsing history, journaling, emails) that, when analyzed across sources, reveals insights into your cognition.
- Read-Only System Design: The personal AI is strictly read-only, accessing data without write permissions, to eliminate the unbounded risks of AI errors in high-stakes personal domains like relationships or career.
- Cross-Source Analysis Power: Insights are generated by correlating data from disparate sources (e.g., email, browser, task manager, CRM) which no single application could achieve independently.
- Practical Applications: Examples include generating "brutal weekly reflections" to identify intention-action gaps, and suggesting network contacts for discussing specific reading topics based on combined profiles.
- Observer vs. Agent Paradigm: The system operates as an "observer" providing insights for human action, deliberately differing from "agent" AI that performs actions, and is seen as a distinct, valuable product category.
- Maintaining User Agency: The read-only model ensures the user mediates the feedback loop, deciding how to act on AI-generated reflections and suggestions, thus preserving personal autonomy.
- Security Awareness: Despite read-only constraints, risks such as the "mosaic effect" (combining small data pieces for a full picture) and data transmission to external APIs like Anthropic exist, requiring conscious risk assessment.
personal AI system — An AI designed to assist an individual by processing their personal data for insights.
cognitive exhaust fumes — The speaker's term for the digital activity (like browsing history, emails, journal entries) generated as a byproduct of a user's daily digital life.
read-only — A data access permission that allows viewing or copying information but prohibits modification or deletion.
cross-source signal — Insights derived from combining and analyzing data from multiple, often disparate, digital sources.
agents — AI systems designed to act autonomously on behalf of a user, often with write permissions to various applications or data sources.
observers — AI systems that analyze data and provide insights or reflections to a user, without taking any automated actions or writing to data sources.
Obsidian vault — A local folder containing Markdown files, often used with the Obsidian knowledge management application.
Anthropic API — An Application Programming Interface for accessing AI models developed by Anthropic.
context window — The maximum amount of text (tokens) an AI model can process or "remember" at one time during a conversation or task.
mosaic effect — A security risk where individually non-sensitive pieces of information, when combined, reveal a sensitive or complete picture.
Hi, my name is Shimon. Today, I'll talk about a personal AI system that knows you, but wouldn't do anything instead of you or on your behalf, and won't blow up your life. So that's good. In the process, I'll talk about the risks of personal AI and how we don't only AI systems like this one mitigate them. Let's get started. The whole personal AI space is obsessed with agents that act on your behalf. I built something different. The starting point, six sources, read access only, no right permissions. The limitation is fully intentional. But first of all, what are cognitive exhaust fumes? What are they? It's my term for the digital activity that is a byproduct of your permission, like exhaust fumes for a carogen. Individually, it's just waste, but if you analyze the exhaust, you can diagnose the engine. So let's see some examples of what the exhaust reveals. What does this enable you to do? Three top users I found, intention action gaps, attention drift, and relationship decaying. No single source tells you any of this and the cross source ability is what these have in common. Your email client doesn't know what you journaled. Your task manager doesn't know what you're browsing. The cross source signal is the product. Let's take a closer look at the system. Here it is, full in, three tones. The sources are read only, the AI never writes back to them. The workspace is where the analysis happens. The outputs land in a separate obsidian vault for me to review, but it doesn't have to be a separate obsidian vault. It could be separate notion, separate text file, separate anything, could be any other system. That's the whole thing. So what about applications? Let's start with a David Allen style, getting things done like spin on the weekly reflection. Based on the six sources, the AI synthesizes an occasional brutal reflection on how you spent your week. Let's look at a real example. Everything runs in Claude. I've stored this logic in the weekly reflection slash command, slash skill. And what it does is it launches a Python script that gets all the data that come from the reonly sources and looks through them and creates structured outputs with specified sprumps that I've prepared. This takes a little bit of a while. It pings the anthropic API to get those structured outputs back. And once it does, it will create a mark-out document that I will be able to review. This is now finished running, so it gives me an overview and I can open it back up in cursor. And I'll come back to a preview that's more readable. And see that in fact, it does hit the themes of the week. It does hit some of the tension and conflict that I need to think about. Talks about my commitment to relationships, which is mostly notable by its emissions. And I highlight the notable moments as well as a reflection question that I like to think about. In short, this is not a productivity report. It's a reflection of how you're thinking, how you're assembling tile it for my exhaust. Let's take another example. I like to discuss what I'm reading with others, but sometimes I think I shouldn't keep messaging the same three people about it. So I asked the AI, given my recent reading, who in my network should I be discussing this with? This is the cross-source magic. Four data sources, none of which were designed to talk to each other, combined into an inside you'd never get from any single tool. And all read only. Nothing was sent. Nothing was scheduled. Just a suggestion for me to act on if I choose. Let me once again show you the demo. Once again, this is a cloth skill. But in this case, I've hidden most of the guts of the cloth skill into the cross origin query and ask for the specific question in plain language. The plain language knows that it will activate the specific skill for the cross-source queries. And it now goes through the databases that I've curated that I have regular ingest for. Looks through the Bivaldi SQLite database for the articles that I've been reading the most. And after a while, it will figure out which of these articles are most read, still open on tabs, and which people might be curious about it based on the profile. Now, this is probably the weakest part. The Clay MCP takes forever to run. But it searches my CRM or my friend relationships system, I suppose, so FRM, for people who might be interested in articles on these topics. In this case, it's people interested in AI or people in European tech or people in education, which coincidentally are three things that I also am. Now, as you might notice, this takes up a lot of tokens in the context window. So you probably don't want to do this in a session that is not clean. But it's not a problem if it messes up a little bit of the 1 million context window 4.6 and then you clear it again. So at this point, it's getting the responses from all of the Clay searches. It synthesizes the people that I should talk to you. And it maps them to one article each. That's what the, or it's about to map them to one article each. This requires a little bit of bash or sorry on behalf of Claude Code. But if you run it with auto to auto mode, or dangerous escape permissions, you can get rid of that as well. And indeed, when I take a look at the first results, those look like the people that I might want to talk to, that I haven't talked to yet about the kinds of articles that I've been reading. So thank you, Colin. Right. In this case, it even found the author of the article that I was reading that's in my network, so I should give them a row. In short, no source knows all of this. Your browser doesn't know your contacts. Your CRM doesn't know what you're reading. The exhaust does. So why keep it read only if it's so useful after all? Here's the thing about the risk involved. It's asymmetric. The downside of a read only error is zero. I just ignore it. The downside of a write error is unbounded. And personal AI operates in the highest-states environment, your relationships, your career, your reputation. I'd rather miss out on automated emails than have a misfire nuke my life. There's also a subtler philosophical argument, almost a matter of taste. Read only isn't just safer. It produces better analysis. The moment your AI writes to your data sources, the exhaust streams are contaminated. You're no longer observing your cognition. You're observing a human AI hybrid, and you can't tell which patterns are yours. Sure, the observer changes your behavior, too, but the feedback loop is mediated by you, not automated. You read the reflection. You decide what to do. That's a different thing from the AI, rewriting your draft. And there's an argument to be made that you don't want the AI to write your draft in the first place, that you should reclaim your agency. It might be a hard sell for this crowd, I think, but worth considering. At this point, you might be asking, why not throw all this into open-clown or read-only mount, which I have? Here's the thing. The observer produces more value per interaction by a wide margin. The agent saves me 30 seconds on a weather check. The observer shows me I've been avoiding my most important project for two weeks. Not to mention that there's loss risk of exfiltration and cognitive pollution. The argument I'm making here is that read-only isn't a stepping stone to, quote, unquote, real agents. It helps you do things well, yes. But if it's a different gap, serve the different need. It's a different product category. The industry frames read-only as a limitation you graduate from. I think that's wrong. Observeers and agents are different tools, and mayor isn't a broken butler. So that's the value proposition. What I'd be doing here at this service if I stopped here. Let's put on the paranoid hat. What keeps me up at night? Let's start with the mosaic effect. There's something called the mosaic effect, where you put together a lot of small pieces of information and you get a picture. My own slide copy describes the security risk perfectly. The same cross referencing that makes the system useful makes it a devastating target. So, careful there. The other side of the coin, Simon will instance lethal threat factor. In case you don't know the lethal threat factor, it's a security risk model that combines three factors, private data, untrusted content, and external communications. I initially stopped reading on it broke the lethal threat factor, and it doesn't, not fully, removes the natural exfiltration of certain channels. So the third leg is any ability to communicate externally, and shell access still has that. In short, the system isn't fireproof. I'm not claiming that. Even in the best case scenario, I'm still sending data to Anthropic on a network that's mostly open, with a lot more information lying around that is strictly speaking required. I'm not claiming the system is secure. I'm claiming that I've thought about where it isn't, and I've decided which risks I'm willing to carry. It's different from not knowing. The worst security posture is the one you haven't examined. With that said, I still think there's something worthwhile to be learned from all this. Your digital exhaust is the most underused data set you own. Reflect on it, and use it to make yourself better. Thanks for listening.
TL;DR
- A personal AI system can function as an "observer," analyzing your digital "cognitive exhaust fumes" from multiple sources to provide insights without acting on your behalf.
- Its "read-only" architecture is a deliberate design choice to mitigate the high risks of AI making write errors in personal contexts and to maintain the integrity of analytical observations.
- This approach offers value by facilitating self-reflection on attention, intentions, and relationships, distinguishing itself as a safer, distinct product category from autonomous "agent" AI.
Takeaways
- Cognitive Exhaust Fumes: This term describes the digital activity byproduct (e.g., browsing history, journaling, emails) that, when analyzed across sources, reveals insights into your cognition.
- Read-Only System Design: The personal AI is strictly read-only, accessing data without write permissions, to eliminate the unbounded risks of AI errors in high-stakes personal domains like relationships or career.
- Cross-Source Analysis Power: Insights are generated by correlating data from disparate sources (e.g., email, browser, task manager, CRM) which no single application could achieve independently.
- Practical Applications: Examples include generating "brutal weekly reflections" to identify intention-action gaps, and suggesting network contacts for discussing specific reading topics based on combined profiles.
- Observer vs. Agent Paradigm: The system operates as an "observer" providing insights for human action, deliberately differing from "agent" AI that performs actions, and is seen as a distinct, valuable product category.
- Maintaining User Agency: The read-only model ensures the user mediates the feedback loop, deciding how to act on AI-generated reflections and suggestions, thus preserving personal autonomy.
- Security Awareness: Despite read-only constraints, risks such as the "mosaic effect" (combining small data pieces for a full picture) and data transmission to external APIs like Anthropic exist, requiring conscious risk assessment.
Vocabulary
personal AI system — An AI designed to assist an individual by processing their personal data for insights.
cognitive exhaust fumes — The speaker's term for the digital activity (like browsing history, emails, journal entries) generated as a byproduct of a user's daily digital life.
read-only — A data access permission that allows viewing or copying information but prohibits modification or deletion.
cross-source signal — Insights derived from combining and analyzing data from multiple, often disparate, digital sources.
agents — AI systems designed to act autonomously on behalf of a user, often with write permissions to various applications or data sources.
observers — AI systems that analyze data and provide insights or reflections to a user, without taking any automated actions or writing to data sources.
Obsidian vault — A local folder containing Markdown files, often used with the Obsidian knowledge management application.
Anthropic API — An Application Programming Interface for accessing AI models developed by Anthropic.
context window — The maximum amount of text (tokens) an AI model can process or "remember" at one time during a conversation or task.
mosaic effect — A security risk where individually non-sensitive pieces of information, when combined, reveal a sensitive or complete picture.
Transcript
Hi, my name is Shimon. Today, I'll talk about a personal AI system that knows you, but wouldn't do anything instead of you or on your behalf, and won't blow up your life. So that's good. In the process, I'll talk about the risks of personal AI and how we don't only AI systems like this one mitigate them. Let's get started. The whole personal AI space is obsessed with agents that act on your behalf. I built something different. The starting point, six sources, read access only, no right permissions. The limitation is fully intentional. But first of all, what are cognitive exhaust fumes? What are they? It's my term for the digital activity that is a byproduct of your permission, like exhaust fumes for a carogen. Individually, it's just waste, but if you analyze the exhaust, you can diagnose the engine. So let's see some examples of what the exhaust reveals. What does this enable you to do? Three top users I found, intention action gaps, attention drift, and relationship decaying. No single source tells you any of this and the cross source ability is what these have in common. Your email client doesn't know what you journaled. Your task manager doesn't know what you're browsing. The cross source signal is the product. Let's take a closer look at the system. Here it is, full in, three tones. The sources are read only, the AI never writes back to them. The workspace is where the analysis happens. The outputs land in a separate obsidian vault for me to review, but it doesn't have to be a separate obsidian vault. It could be separate notion, separate text file, separate anything, could be any other system. That's the whole thing. So what about applications? Let's start with a David Allen style, getting things done like spin on the weekly reflection. Based on the six sources, the AI synthesizes an occasional brutal reflection on how you spent your week. Let's look at a real example. Everything runs in Claude. I've stored this logic in the weekly reflection slash command, slash skill. And what it does is it launches a Python script that gets all the data that come from the reonly sources and looks through them and creates structured outputs with specified sprumps that I've prepared. This takes a little bit of a while. It pings the anthropic API to get those structured outputs back. And once it does, it will create a mark-out document that I will be able to review. This is now finished running, so it gives me an overview and I can open it back up in cursor. And I'll come back to a preview that's more readable. And see that in fact, it does hit the themes of the week. It does hit some of the tension and conflict that I need to think about. Talks about my commitment to relationships, which is mostly notable by its emissions. And I highlight the notable moments as well as a reflection question that I like to think about. In short, this is not a productivity report. It's a reflection of how you're thinking, how you're assembling tile it for my exhaust. Let's take another example. I like to discuss what I'm reading with others, but sometimes I think I shouldn't keep messaging the same three people about it. So I asked the AI, given my recent reading, who in my network should I be discussing this with? This is the cross-source magic. Four data sources, none of which were designed to talk to each other, combined into an inside you'd never get from any single tool. And all read only. Nothing was sent. Nothing was scheduled. Just a suggestion for me to act on if I choose. Let me once again show you the demo. Once again, this is a cloth skill. But in this case, I've hidden most of the guts of the cloth skill into the cross origin query and ask for the specific question in plain language. The plain language knows that it will activate the specific skill for the cross-source queries. And it now goes through the databases that I've curated that I have regular ingest for. Looks through the Bivaldi SQLite database for the articles that I've been reading the most. And after a while, it will figure out which of these articles are most read, still open on tabs, and which people might be curious about it based on the profile. Now, this is probably the weakest part. The Clay MCP takes forever to run. But it searches my CRM or my friend relationships system, I suppose, so FRM, for people who might be interested in articles on these topics. In this case, it's people interested in AI or people in European tech or people in education, which coincidentally are three things that I also am. Now, as you might notice, this takes up a lot of tokens in the context window. So you probably don't want to do this in a session that is not clean. But it's not a problem if it messes up a little bit of the 1 million context window 4.6 and then you clear it again. So at this point, it's getting the responses from all of the Clay searches. It synthesizes the people that I should talk to you. And it maps them to one article each. That's what the, or it's about to map them to one article each. This requires a little bit of bash or sorry on behalf of Claude Code. But if you run it with auto to auto mode, or dangerous escape permissions, you can get rid of that as well. And indeed, when I take a look at the first results, those look like the people that I might want to talk to, that I haven't talked to yet about the kinds of articles that I've been reading. So thank you, Colin. Right. In this case, it even found the author of the article that I was reading that's in my network, so I should give them a row. In short, no source knows all of this. Your browser doesn't know your contacts. Your CRM doesn't know what you're reading. The exhaust does. So why keep it read only if it's so useful after all? Here's the thing about the risk involved. It's asymmetric. The downside of a read only error is zero. I just ignore it. The downside of a write error is unbounded. And personal AI operates in the highest-states environment, your relationships, your career, your reputation. I'd rather miss out on automated emails than have a misfire nuke my life. There's also a subtler philosophical argument, almost a matter of taste. Read only isn't just safer. It produces better analysis. The moment your AI writes to your data sources, the exhaust streams are contaminated. You're no longer observing your cognition. You're observing a human AI hybrid, and you can't tell which patterns are yours. Sure, the observer changes your behavior, too, but the feedback loop is mediated by you, not automated. You read the reflection. You decide what to do. That's a different thing from the AI, rewriting your draft. And there's an argument to be made that you don't want the AI to write your draft in the first place, that you should reclaim your agency. It might be a hard sell for this crowd, I think, but worth considering. At this point, you might be asking, why not throw all this into open-clown or read-only mount, which I have? Here's the thing. The observer produces more value per interaction by a wide margin. The agent saves me 30 seconds on a weather check. The observer shows me I've been avoiding my most important project for two weeks. Not to mention that there's loss risk of exfiltration and cognitive pollution. The argument I'm making here is that read-only isn't a stepping stone to, quote, unquote, real agents. It helps you do things well, yes. But if it's a different gap, serve the different need. It's a different product category. The industry frames read-only as a limitation you graduate from. I think that's wrong. Observeers and agents are different tools, and mayor isn't a broken butler. So that's the value proposition. What I'd be doing here at this service if I stopped here. Let's put on the paranoid hat. What keeps me up at night? Let's start with the mosaic effect. There's something called the mosaic effect, where you put together a lot of small pieces of information and you get a picture. My own slide copy describes the security risk perfectly. The same cross referencing that makes the system useful makes it a devastating target. So, careful there. The other side of the coin, Simon will instance lethal threat factor. In case you don't know the lethal threat factor, it's a security risk model that combines three factors, private data, untrusted content, and external communications. I initially stopped reading on it broke the lethal threat factor, and it doesn't, not fully, removes the natural exfiltration of certain channels. So the third leg is any ability to communicate externally, and shell access still has that. In short, the system isn't fireproof. I'm not claiming that. Even in the best case scenario, I'm still sending data to Anthropic on a network that's mostly open, with a lot more information lying around that is strictly speaking required. I'm not claiming the system is secure. I'm claiming that I've thought about where it isn't, and I've decided which risks I'm willing to carry. It's different from not knowing. The worst security posture is the one you haven't examined. With that said, I still think there's something worthwhile to be learned from all this. Your digital exhaust is the most underused data set you own. Reflect on it, and use it to make yourself better. Thanks for listening.