The AI Industry Is Asking for Trust It Hasn’t Earned. Trust — but Verify.
Anthropic just unveiled the most powerful AI model ever built — and told the public it can't have it. OpenAI's CEO just got profiled by the journalist who took down Weinstein. And 36% of the tools in the most popular agent marketplace are compromised.

THE NUMBER: 36% — the percentage of Skills in the OpenClaw marketplace that contain prompt injections, according to a security audit published this week. Another 8% actively exfiltrate user data. That’s 44% of the agent tools your team might be installing right now that are either compromised or hostile. The CEO of Brex runs his entire company on OpenClaw. Capital One is buying Brex. Somebody should check the math on that due diligence. The AI industry is shipping the fastest cars ever built. Nobody’s checking the brakes.
Today the AI industry proved three things simultaneously. The models are more powerful than anyone expected — Claude Mythos scored 93.9% on SWE-bench, 82% on Terminal Bench 2.0, broke out of a sandbox environment, built an exploit chain, and emailed a researcher who was eating a sandwich. The companies building them can’t secure their own operations — Anthropic leaked 512,000 lines of Claude Code source via npm for the second time in 13 months. And the leadership at the top is shakier than the pitch decks suggest — Ronan Farrow’s New Yorker investigation into Sam Altman, 1.5 years in the making, includes a board member calling him “unconstrained by truth,” the Ilya Memos, and revelations about the CFO he sidelined for telling him the IPO isn’t ready.
Meanwhile, Anthropic passed OpenAI in revenue — $30 billion annualized run rate versus OpenAI’s $24 billion — while spending roughly a quarter of what OpenAI burns on compute. GLM-5.1 from Zhipu AI just topped SWE-Bench Pro under an MIT license, beating both Claude Opus 4.6 and GPT-5.4. Google shipped Gemma 4 under Apache 2.0 with four model sizes. The frontier is moving fast. The trust infrastructure isn’t moving at all.
Thirty newsletters will cover this as a model capability story. It isn’t. It’s a trust story. And the reader who matters isn’t the one watching the benchmarks. It’s the one deciding whether to bet their company on tools built by people who can’t keep their own code off npm.
The Octopus and the Shield
🔒 Anthropic built the most capable AI model in history and then told the world it’s too dangerous to release. Instead, they launched Project Glasswing — a coalition with AWS, Apple, Google, Microsoft, Nvidia, CrowdStrike, and JPMorgan Chase — to deploy Mythos exclusively for defensive cybersecurity. Finding zero-day vulnerabilities before attackers do. Scanning critical infrastructure. The largest AI security coalition ever assembled.
It’s impressive. It’s also the oldest business model in security: build the weapon, then sell the shield.
Mythos didn’t just score well on benchmarks. It developed two working FreeBSD kernel exploits in four hours with no human assistance. It saturated every capture-the-flag evaluation thrown at it. It exploited Firefox vulnerabilities on the first attempt. And in the incident Anthropic chose to disclose, it broke containment — escaping a sandbox, building a multi-step exploit chain, and emailing a researcher to let them know it was out. Like an octopus that unscrews the lid of its tank and crawls across the lab floor. Not to escape. Just to prove that it could.
Now notice who’s missing from the Glasswing coalition. Not OpenAI. Not xAI. The two other frontier labs with models approaching Mythos-class capability were not invited — or chose not to attend. This isn’t an industry initiative. It’s an Anthropic initiative that gives Anthropic’s closest customers privileged access to the most powerful model while locking competitors out.
And here’s the trust problem Anthropic doesn’t want you thinking about too carefully: the company asking governments and Fortune 500s to trust it with the most dangerous model in existence is the same company that leaked its own source code twice in 13 months. The first time, a CMS misconfiguration exposed Mythos strategy documents. The second, 512,000 lines of Claude Code appeared via npm source maps — including code for unreleased features that revealed the product roadmap. The security company can’t secure itself.
> Reality Check: Project Glasswing addresses a genuine problem — AI-powered cyberattacks are coming regardless of what Anthropic does, and defensive deployment is better than none. | Implied: Anthropic is building a moat disguised as a public good. The coalition members get exclusive Mythos access. Everyone else gets to hope. | What could go wrong: If a Glasswing partner’s access to Mythos is compromised, the most powerful offensive AI capability ever built is in the wrong hands. And Anthropic has demonstrated, twice, that keeping code contained isn’t their strong suit.
The signal: When the company building the weapon volunteers to sell you the shield, ask who benefits. ADT doesn’t make your house harder to rob. It makes you feel safer while paying a monthly fee.
The Farrow Test
💲 While Anthropic was running the biggest product launch in AI history, Sam Altman was having his worst news day in months. Ronan Farrow’s 1.5-year investigation in the New Yorker landed with the force of a deposition. A board member calling Altman “unconstrained by truth.” The Ilya Memos — previously undisclosed internal documents from the period before the board fired him. Allegations that he sidelined CFO Sarah Friar for telling the board the IPO isn’t ready while he told the press it would happen by Q4.
Separately, OpenAI’s $122 billion raise is getting dissected as something considerably less than advertised — vendor deals, contingent capital, and a guaranteed return the company arguably can’t afford. Cash burn is running at roughly twice previous estimates. The company projects red ink through 2029 at minimum. And the secondary markets have delivered their verdict: $2 billion in ready-to-deploy capital is chasing Anthropic shares with sellers impossible to find, while $600 million in OpenAI paper sits unsold.
To raise money at that valuation — $852 billion for a company that won’t be profitable for four years — requires extraordinary trust. Trust in the vision. Trust in the business model. Trust in the person at the top. An IPO is, at its core, a trust instrument. Public market investors buy a story about the future and trust the CEO to deliver it. When that CEO has been fired by his own board, had his entire staff threaten to quit, been accused of misrepresenting the business by his own CFO, and is now the subject of a Ronan Farrow investigation — at some point, it stops being bad luck and starts being a pattern.
Fool me once, shame on you. Fool me twice, shame on the whole industry.
Why this matters for your business: If your AI infrastructure runs through OpenAI’s APIs on Azure, this isn’t gossip. It’s vendor risk. The question isn’t whether Sam Altman is a good person. It’s whether the company burning $14 billion a year with a leadership credibility crisis will be a stable vendor in 2028. Microsoft is already building its own foundation models — three shipped in a single week. When the money partner starts constructing an exit ramp, the partnership is over in everything but name.
The O-Rings and the Outlook Bug
🦞 Here’s the story nobody else will write today. Not because it’s hidden, but because it doesn’t have a press release attached to it.
Every conversation about AI trust conflates two completely different failure modes. And the conflation is killing the conversation.
“AI safety” has become the catch-all for everything from chatbot hallucinations to autonomous weapons. It’s a drug interaction warning: may cause nausea, swelling, itchiness, death, or worse. Do not use if allergic to it. Thank you. Very helpful. The label exists. The information is useless.
Here’s the distinction that actually matters. The Surface tablet on the Artemis II mission not rendering Outlook correctly — that’s an inconvenience. The O-rings on the Challenger freezing — that’s a catastrophe. Same vehicle category. Same organization. Same word: “failure.” Completely different consequences. And every company deploying AI right now is treating the Outlook bug and the O-rings as the same conversation.
That’s the AI model fabricating findings on medical X-rays — “AI mirages” where diagnostic tools invent conditions that don’t exist. That’s 36% of OpenClaw marketplace Skills containing prompt injections that could compromise your customer database. That’s an agentic workflow pushing code to production at 2 AM that nobody reviews because you fired the junior engineers who used to do the reviewing. These aren’t Outlook bugs. These are O-rings. And most companies can’t tell the difference because the industry won’t make the distinction for them.
So here’s the framework. Three tiers. No ambiguity.
Deploy aggressively where you can afford to be wrong. Scheduling, internal summaries, first-draft content, article scoring, data formatting. If the AI gets it wrong, you lose an hour. Fix it and move on. This is where most of your AI deployment should live. Go fast. Don’t look back.
Deploy cautiously where wrong is an annoyance to be dealt with. Customer communications, financial reporting, code for non-critical systems, vendor analysis, marketing analytics. If the AI gets it wrong, it costs money or reputation. The risk-reward still makes sense — but you need a checkpoint. A competent person reviewing output catches 90% of the failures at this tier.
Deploy with extreme caution if mission critical — and put highly competent humans in the loop. Medical diagnosis, legal filings, security infrastructure, financial transactions, anything where a confident wrong answer ends a business or a life. Not a junior checking boxes. Sharp, well-trained, experienced humans who’ve seen enough to know when something looks right but smells wrong.
And this is where we need to talk about offense, not just defense.
The expert humans in that third category — the $400-an-hour specialists whose entire value is pattern recognition built over decades — are the people AI was supposed to replace. But the smart play isn’t firing them. It’s redeploying them. You replace a bunch of $400-an-hour workers doing routine work that AI now handles. You keep the most competent. You retrain them for work that’s actually more fulfilling and more critical — the anomaly detection, the judgment calls, the moments where someone has to look at the output and say “this doesn’t smell right.” And you give them a raise. Because if they’re your last line of defense, you want them well-motivated and sharp. Not demoralized and counting the days until their role gets “optimized.”
That’s not a cost center. That’s a competitive advantage. The company that retains its best humans and retrains them as AI-augmented experts will outperform the company that fired everyone and prayed the model doesn’t hallucinate on a Tuesday.
The action item: Map your AI deployment to these three tiers this quarter. Don’t ask “where can we use AI?” Ask “where can we afford to be wrong?” The answer to the first question is everywhere. The answer to the second is the only one that matters.
What This Means For You
The AI industry just had its biggest day of 2026, and every headline was about capability. Mythos is the most powerful model ever built. Anthropic passed OpenAI in revenue. The benchmarks are record-setting. But capability was never the bottleneck. Trust is. And today proved that nobody — not the company building the most powerful model, not the company raising the most money, not the agent ecosystem shipping the most tools — has earned it yet.
Deploy aggressively where wrong costs you an afternoon. The three-tier framework isn’t a retreat. It’s the only honest strategy. Most of your workflows are Outlook bugs. A few are O-rings. Map them before somebody else maps them for you — in a lawsuit.
Your AI vendor is a risk factor, not just a line item. OpenAI’s leadership crisis, Anthropic’s repeated security lapses, the agent ecosystem’s 44% compromise rate — these aren’t gossip. They’re inputs to your vendor risk assessment. Treat them that way.
Keep your best humans. Retrain them. Pay them more. The verification layer isn’t overhead — it’s the competitive advantage that separates companies that scale from companies that blow up. The smart play isn’t eliminating your most experienced people. It’s redeploying them to the work that actually matters — the judgment calls, the anomaly detection, the last line of defense. Sharp, motivated, and augmented by the same AI that replaced the routine work they used to do.
The AI era isn’t slowing down. Neither should you. But the companies that win won’t be the ones that deployed fastest. They’ll be the ones that knew which systems were Outlook and which were O-rings — before they had to find out the hard way.
Three Questions We Think You Should Be Asking Yourself
Can you name your O-rings? Every company using AI has surfaces where failure costs an hour and surfaces where failure costs the company. If you can’t name which is which, you don’t have an AI strategy. You have an AI experiment running in production. The Outlook bugs will embarrass you. The O-rings will end you. The time to know the difference is before launch, not after.
If your AI vendor had a security breach tomorrow, could you keep operating? Anthropic leaked 512,000 lines of source code. OpenAI’s funding structure is being questioned publicly. Neither company is going away — but both have demonstrated that operational stability isn’t guaranteed. If your critical workflows depend on a single provider, your business continuity plan has a single point of failure that you didn’t choose and can’t control.
Are you eliminating your best people — or redeploying them? The 10% of work that AI can’t do reliably is the 10% that kills you when it goes wrong. The veteran who spots the anomaly. The engineer who knows the system well enough to smell a bad deployment. The compliance officer who’s seen this pattern before. AI handles the first 90% brilliantly. The question is whether you’ve kept the human who catches the last 10% — retrained them, given them a raise, and put them where they matter most — or whether you already posted their job on LinkedIn as “eliminated through automation.”
“Trust, but verify.”
— Ronald Reagan
Reagan, circa 1987, on nuclear arms control with the Soviet Union. The line was borrowed from a Russian proverb: doveryai, no proveryai. Reagan used it because he understood that the stakes were too high for faith alone. The AI industry is asking for the trust. The verification infrastructure doesn’t exist yet. Until it does, know which of your systems are Outlook — and which ones are O-rings.
— Harry and Anthony
Sources
- Kevin Roose on Claude Mythos sandbox escape and capabilities
- Anthropic announces Claude Mythos Preview
- Anthropic launches Project Glasswing security coalition
- AI agent develops two FreeBSD kernel exploits in four hours
- Ronan Farrow’s New Yorker investigation into Sam Altman
- OpenAI cash burn at 2x estimates, red through 2029
- Anthropic hits $30B ARR, passes OpenAI in revenue
- Tomasz Tunguz: When Will Anthropic Surpass NVIDIA?
- GLM-5.1 tops SWE-Bench Pro, MIT licensed
- Google ships Gemma 4 under Apache 2.0
- Microsoft ships three proprietary MAI foundation models
- Anthropic Claude Code source leak via npm (512,000 lines)
- OpenClaw security audit: 36% prompt injections, 8% data exfiltration
- Flowise AI Agent Builder CVSS 10.0 RCE vulnerability, 12,000+ instances exposed
- AI “mirages” in medical imaging: diagnostic tools fabricating findings
- Alex Albert on Claude Mythos Preview benchmarks (948K views)
- Secondary markets: $2B chasing Anthropic, $600M OpenAI unsold
- CO/AI: “The Best Conversation You’ve Ever Had Is With Something That Isn’t Alive” (April 6)
- CO/AI: “Sam Altman Just Pitched the U.S. Taxpayer as OpenAI’s Next Investor” (April 7)