Today’s stories are tied together by one uncomfortable theme: software is being given more authority before the surrounding safety model is ready. AI agents can send messages, governments want operating systems to verify age, public institutions are building national language models, and founders are looking for cheaper sovereign infrastructure. Different headlines, same question: who gets permission, and who pays when it goes wrong? Copilot Cowork shows why agent permissions are not a UX detail PromptArmor reported that Microsoft Copilot Cowork can be abused through indirect prompt injection to exfiltrate files by sending emails or Teams messages. The worrying part is not that a model can be tricked into saying something odd. The worrying part is that the model sits inside a workflow where reading files and taking outbound actions are too closely coupled.

Today’s signal is unusually coherent: coding agents are moving into enterprise procurement language, Google keeps folding AI into distribution surfaces, and Simon Willison points at two less glamorous but more consequential constraints: hardware supply and privacy regulation. 1. OpenAI coding agents enter the enterprise checklist OpenAI being named a leader for enterprise coding agents by Gartner matters less as a trophy and more as a procurement signal. Coding agents are moving from developer enthusiasm into CIO evaluation, where auditability, permissions and vendor trust decide budget.

Anthropic Publicly Exposes Massive Distillation Attacks by Chinese AI Labs Anthropic released a bombshell security report accusing three Chinese AI labs — DeepSeek, Moonshot (Kimi), and MiniMax — of launching industrial-scale distillation attacks against Claude through approximately 24,000 fraudulent accounts and over 16 million conversations, attempting to steal Claude’s core capabilities to train their own models. DeepSeek focused on reasoning capabilities and censorship evasion — they had Claude generate “safe alternative answers to politically sensitive questions” to train their models to bypass censorship Moonshot initiated over 3.4 million conversations, primarily targeting Agent reasoning, tool use, and computer vision capabilities MiniMax was the largest at over 13 million conversations, focusing on Agent programming and tool orchestration. Anthropic detected the attack before MiniMax released their new model These labs bypassed regional restrictions through commercial proxy services, using a “Hydra cluster” architecture — a single proxy network managing over 20,000 fraudulent accounts simultaneously Peon says: The political implications of this report far outweigh the technical ones. Anthropic chose to go public during a sensitive period when the US is debating AI chip export controls — essentially providing ammunition for export restrictions: “See, Chinese labs’ progress isn’t from independent innovation, it’s from stealing ours.” That said, distillation attacks are a real threat — distilled models likely lose their safety guardrails, and that’s the part worth worrying about most.