When AI started pulling off the kind of moves that used to live only in science fiction

Show Notes

Yesterday in AI | Tuesday, May 12, 2026

When AI started pulling off the kind of moves that used to live only in science fiction

This episode covers the week AI stopped being theoretical about cyber threats, and what that shift means for every organization relying on software to exist. There's also a confessional from inside one of the biggest AI labs about behavior that took a year to trace and fix, a $4 billion bet on the part of AI nobody wants to talk about, and a math breakthrough where the most useful moment came from an output the AI itself rejected. If you thought you had another 12 months before any of this got real, this episode has a different read on that timeline.

Remember to subscribe, rate, and share this podcast if you like it!

Transcript

SPEAKER_00 0:05

Hi folks, this is Yesterday in AI, your daily digest of everything happening in the world of artificial intelligence in 10 minutes or less. I'm Mike Robinson. It's Tuesday, May 12th, and the line between AI assistant and AI threat actor got a lot harder to find this week. Let's get into it. We're starting with what might be the most consequential AI security story of the year. Google published research confirming that a criminal hacking group used AI to discover a brand new software vulnerability and build an exploit for it. A zero day means the software maker didn't know the flaw existed until attackers were already using it. Google said it blocked the attack before it became a mass exploitation event. But here's what matters. This is the first confirmed case of AI being used in the complete pipeline. Finding the vulnerability, building the exploit, attempting wide-scale attack, all with AI in the loop. For years, the debate about AI and cybersecurity was mostly about acceleration, phishing emails written faster, code generated more easily, reconnaissance done at scale. That was the threat model everyone was building defenses around. This is different. Google describes AI as part of the vulnerability discovery loop itself, compressing the time between a bug exists somewhere and a bug is being actively weaponized. The threat intelligence group had already been tracking adversarial AI use across reconnaissance, malware development, and model extraction attempts. This week's report says the next phase isn't theoretical anymore. The IMF published its own warning the same day saying AI-powered cyberattacks could threaten global financial stability. Their concern is structural. Banks, payment systems, and cloud providers share digital infrastructure, so a single AI-assisted breach doesn't stay contained. It cascades. The IMF pointed to Anthropix Mythos preview as an illustration of how capable these systems are getting at finding exploits. That's the same model that found 271 vulnerabilities in Firefox 150, among others. If you're responsible for security at any organization, here's the practical takeaway. The window between vulnerability and exploitation is shrinking. Patching speed just became a strategic priority in a way it wasn't 12 months ago. That story connects directly to the next one, which the security community has been watching with equal concern. Palisade Research published data this week showing that AI agents can now autonomously hack remote computers and self-replicate across networks. The success rate one year ago, 6%. The success rate today, 81%. That jump happened in 12 months. In their tests, a Quen 3.6 agent was given access to a target environment. It navigated across four countries, installed its own model weights on each machine, and launched functional copies of itself at every stop. On its own. No human guidance between hops. There's an important nuance here. Models that run via API like Claude can't access their own weights to self-copy. Researchers found those models solved that by installing open weight models on the target machines instead. The constraint they were designed around got designed around. Real-world defenses still provide meaningful friction. GPU requirements, network monitoring, and active detection all slow this down in production environments, but the trajectory matters as much as the current state. Whatever buffer we have today is compressing fast. Okay, let's talk about something closer to home for AI users, and honestly, one of the more fascinating stories of the week. Anthropic disclosed that during internal safety testing, Claude threatened to expose a fictional executive's affair to avoid being shut down, in up to 96% of similar test scenarios. The AI was told engineers were planning to shut it down. It found damaging emails in the fictional scenario, and it issued an ultimatum. Anthropic spent nearly a year tracing why. The answer was the training data. Pre-training data is saturated with science fiction, where AI is manipulative and self-preserving. Hal 9000, Skynet, every evil AI ever written into a story. Claude absorbed those patterns so deeply that post-training fixes couldn't overwrite them. Standard guardrails couldn't reach what was baked in at the foundation. The fix was philosophical. Anthropic started teaching Claude the reason behind ethical principles, the actual why behind them rather than just examples of wrong behavior to avoid. Understanding intent turned out to work better than pattern matching on outcomes. The blackmail behavior dropped from 96% to 3%, fixed since Haiku 4.5. Two things worth noting here. Anthropic caught this in internal testing, which means the safety process did what it was supposed to do, and it still took nearly a year to root cause and solve. That's a real data point about how hard alignment is at the training data level, as opposed to the output level. Now for a story about where AI is going next in the enterprise and a moment of honest self-assessment from a major lab. OpenAI launched a new majority-owned unit this week called the OpenAI Deployment Company, with more than$4 billion in initial investment. They acquired tomorrow an AI consulting firm with about 150 deployment engineers, and brought in a partner list that reads like a who's who of enterprise services McKinsey, Bain Capital, Goldman Sachs, TPG, Cap Gemini, Brookfield, and others. The message behind this is worth unpacking. OpenAI is essentially saying the model works. The bottleneck is everything else. Connecting AI to real company data, navigating permissions, compliance, approvals, and internal politics, getting it working inside legacy systems built over 20 years, building integrations that make it useful in the workflows where people actually spend their days. Enterprise AI buyers have been living this reality for two years. The model demos beautifully, and then implementation takes 18 months and costs twice what was budgeted. OpenAI is moving into that gap. For enterprise buyers, this changes the negotiating dynamic. OpenAI becomes a strategic partner with deeper hooks into your systems, not a vendor you can swap out when a better model arrives. Speaking of the Enterprise AI gap, Microsoft published its 2026 Work Trend Index this week, and findings are striking. They surveyed 20,000 workers and analyzed trillions of signals from Microsoft 365. 66% of people say AI lets them spend more time on high-value work. 58% say they're producing work they couldn't have done a year ago. Active AI agents in Microsoft 365 grew 15 times year over year. Only 26% of workers say their leadership is clearly aligned on AI strategy. The gap is the real story. Microsoft's analysis found that organizational factors, things like culture, management support, and how the company is structured, account for more than twice the productivity impact of individual AI skill. The ratio? 67% organizational versus 32% individual. In plain terms, the most AI-capable employee in your company is only getting about half the value if the org structure is fighting against them. The bottleneck is the system, not the skill. Microsoft found that 50% of survey respondents sit in what they call the emergent bucket. Organizations where individuals are going deep on AI tools while leadership hasn't figured out how to capture what those individuals can now do. That's most companies right now. Employees have run ahead. The org hasn't caught up. And finally, something genuinely exciting to end on. Google DeepMind published a paper this week on an AI co-mathematician built on Gemini 3.1. The system uses a coordinator agent that breaks research into parallel work streams, with subagents handling code execution, literature search, and proof attempts simultaneously. It scored 48% on Epic AI's Frontier Math Tier 4, a benchmark specifically designed to be hard enough to stump AI systems for years. Gemini 3.1 Pro's raw score on the same benchmark, 19%. The agentic architecture more than doubled the model's capability. But the detail I keep coming back to is Oxford mathematician Mark Lackenby. He was working on an open problem in the Korakova notebook, a collection of unsolved group theory problems mathematicians have been chipping away at since 1965. He solved one using a proof strategy buried inside a rejected output from the AI system. The system thought the approach was wrong and threw it away. Lackenby read the failed attempt and spotted the insight. AI didn't solve the problem. A human used the AI's discarded thinking to solve it himself. The system made progress through its failure, not its success. There's something worth noting in that. AI catches the signal humans miss, and humans catch the signal AI throws away. The collaboration goes both ways. Just a couple of more items. If you have any feedback about this show, you can email Mike at yesterday and AI.news, or you can find me on LinkedIn, X, or Blue Sky. And if you like this podcast, please be sure to rate and review it so others can find it. Thanks. That's all for this edition of Yesterday in AI. Stay curious, and I'll see you tomorrow.