Per Financial Times reporting, the NSA is using Mythos, an Anthropic cyber model the company has kept off the market because it's too good at finding and chaining software exploits, for offensive operations, with roughly half a dozen Anthropic engineers embedded at the agency to stand it up. Both the NSA and Anthropic declined to comment.

The detail that makes it sting: in March, the administration tagged Anthropic as a supply-chain risk alongside Huawei and ZTE, a designation Anthropic is fighting in court. The same model judged too dangerous to release, run by the same company judged too risky to trust, is reportedly inside the country's signals-intelligence shop doing vulnerability discovery at scale.

This is anonymous-sourced reporting, not a confirmed program, and "offensive" here means finding and chaining bugs, which isn't the same as live operations against targets. Treat the specifics as allegations. But the shape is plausible and it matters: a withheld frontier model, embedded engineers, and a state cyber agency is a new kind of public-private arrangement, and nobody has written the rules for it.

The old ChatGPT memory was a list of facts you told it to keep. The new system, Dreaming V3, is a background process: it reads across your whole history offline and synthesizes a structured profile, then injects it at the system-prompt layer. It also self-corrects. "You're going to Singapore in July" rewrites itself to "you went to Singapore in July 2026" with no prompt from you.

OpenAI's own numbers: factual recall climbs from 41.5% (the 2024 saved-memories baseline) to 82.8% on Dreaming V3, with the background synthesis running about 5× cheaper than before. That cost drop is the real unlock. It's what makes always-on memory affordable below the paid tiers, not just for Plus and Pro. Rollout started June 4 for US Plus and Pro, with Free, Go, and international to follow.

The honest caveats sit on the data side. The numbers are internal and unpublished. And there are gaps between the mental model and the behavior: the Memory Summary page says outright it may not show everything retained, deleting a chat doesn't delete the memory derived from it, and switching off saved memories doesn't touch the separate "improve the model for everyone" setting. Genuinely useful, worth reading the toggles closely.

An open letter to Congress, organized by the Institute for Progress and the Foundation for American Innovation, wants mandatory screening built into the synthetic-biology supply chain: every seller of synthetic DNA and RNA, and the gear to make it, would have to screen the sequences ordered, verify who's buying, and keep records. The signatures are the story: Altman, Amodei, Hassabis, and Microsoft AI's Mustafa Suleyman, alongside Meta's Alexandr Wang, Stripe's Patrick Collison, Y Combinator's Paul Graham, Lawrence Lessig, and Twist Bioscience's CEO.

Their argument, in the letter's words:

AI systems now outperform PhD-level virologists on questions about highly technical laboratory procedures.

The fix they want is deliberately unglamorous. Screening is voluntary today, so a bad actor just routes an order to a provider that doesn't bother; mandatory screening plus know-your-customer plus recordkeeping closes that gap. There's a live vehicle, the bipartisan Biosecurity Modernization and Innovation Act (S. 3741, Cotton and Klobuchar), and Twist's presence means at least one company that would be regulated is asking for it. The "outperforms virologists" line is the signatories' own framing, not a cited study, and screening tools have themselves been shown to miss engineered sequences, so this is a floor, not a cure.

A cluster of work this week says the same thing from three directions: the hard part of security has flipped from finding bugs to fixing them.

• Anthropic's Project Glasswing had ~50 partners point Claude at their own code. In one month they surfaced over 10,000 high- or critical-severity vulnerabilities. Cloudflare found ~2,000 with a false-positive rate it says beats human testers; Mozilla found 271 in Firefox 150, more than ten times the rate of the prior version.
• A preprint from Toronto, the Vector Institute, Cambridge, and ServiceNow (AI Agents Enable Adaptive Computer Worms, arXiv:2606.03811) demos a worm that runs an open-weight model locally on machines it compromises and reads live vulnerability advisories at runtime, so a model's training cutoff stops mattering. It exploited three 2026 CVEs published after that cutoff, averaging 20 of 33 hosts compromised in a deliberately soft test network.
• Anthropic also open-sourced a defending-code reference harness: build, recon, find, verify, dedupe, report, patch, all inside a network-isolated sandbox whose only exit is the Claude API.

Put together: discovery is getting cheap and automatable on both sides of the fence, and the side that has to validate, disclose, and ship a patch is the slow one. The worm is a preprint run against a defenseless network, and the Glasswing counts are self-reported from a controlled program. But "zero lag between discovery and exploitation" is the world these three are sketching, and only one of them is hypothetical.

Cloudflare's Matthew Prince says the line has crossed: by the network's own Radar data, bots and AI agents now make up about 57% of global HTTP requests, against ~43% human. In March, at SXSW, Prince was projecting that crossover for 2027. It arrived in roughly three months. He pins the jump on agentic traffic, software acting for users, outgrowing old-style crawlers, and his read of what comes next is blunt: "it's going to be pay to crawl."

Read the unit carefully. This is request count, not time-on-site or bandwidth, where humans still dominate, and Cloudflare sees a Cloudflare-shaped slice of the internet that skews toward sites which attract automated traffic. Prince called the figure preliminary. Even discounted, the direction sets up the fight already forming over who pays to reach the open web, and on what terms. A separate Cloudflare report this year put 94% of login attempts as bot-driven.

Three data drops this week line up too cleanly to ignore: the money going into enterprise AI is outrunning what comes back.

Bain's framing is the sharp one: a circular bet with a structural leak, where firms fund the next wave of AI from savings the last wave never actually delivered. The throughline across all three is that the binding constraint isn't model quality, it's organizational: workflow redesign, data plumbing, and knowing what to do with the hour you just freed up. These are self-reported surveys measuring respondent-defined "impact," across different units (firms, workers, sectors), so read them as direction, not a sum. The direction is consistent.

Apple approved Poke, from the Interaction Company (co-founded by Marvin von Hagen), as the first third-party AI agent allowed to operate inside Messages for Business, meaning you can talk to a non-Apple AI right in the native iMessage thread. Messages for Business has existed for years as a channel for airlines and retailers to reach their own customers; opening it to a standalone consumer agent is the category break.

Poke already runs on SMS, WhatsApp, and Telegram, handling calendar, email, flight check-ins, smart-home control and the like. To clear Apple's bar it had to prove it could hand off to a live human, identify itself as AI, and conform to Apple's UI rules; Apple bills it per user, at a rate von Hagen says is "significantly lower than Meta AI." It promptly buckled under launch-day demand. The precedent is what matters: Apple opened a lane into its tightest surface before shipping its own answer, and every other agent maker just watched the door move.

Cognition put a number behind the productivity pitch everyone makes and nobody guarantees. For enterprise annual contracts, if Devin delivers less value than the customer paid, Cognition funds the gap in usage credits, up to $10M. "Value" is estimated by an agent that scores each finished session against how long a human engineer would have taken, priced at a standard global rate, counting only sessions that actually shipped something useful.

The mechanism is doing real rhetorical work, moving Devin from "pay and hope" to the vendor eating the downside. Read the fine print, though. Cognition defines and measures the metric, with no outside audit; the make-good lands near contract end, so the customer carries the variance all year; and the $10M reads as a pool, not a clear per-customer floor. Still, in a week of surveys showing AI returns underwhelming (see the reckoning above), a vendor staking its own money on measured hours is a different sales conversation.

Three days after Jensen Huang name-dropped it at Computex, Nvidia put Nemotron 3 Ultra out for real, with weights, a technical report, and an API. It's a 550B-parameter mixture-of-experts model with 55B active (10:1 sparsity), a hybrid Mamba-2 plus attention stack, a 1M-token context, under the permissive OpenMDW-1.1 license.

The wedge is hardware. It's trained NVFP4-native for Blackwell, and Nvidia's own throughput numbers put it at 5.9× a comparable GLM model and 4.8× a Kimi model at 8K-in/64K-out, which is to say it runs fastest on the chips Nvidia sells. On evals it posts SWE-bench Verified 71.9 and a 9th-of-89 spot on Artificial Analysis's composite, strong for open weights but below the proprietary frontier. Every speed multiple here is Nvidia's, on Nvidia's hardware, against Nvidia's chosen baselines, so wait for outside runs. But a fully open 550B with a million-token window and a real technical report is a genuine release, not a slide.

Supabase closed a $500M Series F at a $10.5B valuation, GIC leading, roughly doubling its mark from about seven months ago. The reason it gives is the interesting part: agents now spin up most of the databases on the platform, and it names Claude Code as its single largest source of new databases in 2026. Supabase reports 600% year-over-year growth in databases and a user base that more than doubled since the last round.

When an LLM scaffolds an app, it needs a backend it can provision in one call, and Supabase has become the default target for that reflex. The growth figures are self-reported, so discount the exact percentages. But "600% more databases, most created by agents" is a cleaner read on the vibe-coding wave than another model benchmark. It's the infrastructure exhaust of all those agents actually running.

Two national bets landed the same day. The US and Japan announced a $1B joint research program ($500M each, over five years) under the Genesis Mission, pairing twelve DOE national labs with twelve Japanese institutions (RIKEN, the University of Tokyo, KEK) and anchoring on the Fugaku supercomputer. Japan is the first country into Genesis, and the structure is the tell: bilateral, compute-linked, institution-paired, not a multilateral treaty.

Hours earlier, Canada's Mark Carney launched "AI for All," a five-year strategy targeting $200B in added growth and 250,000 jobs, built around a public AI supercomputer and sovereign cloud, a literacy push for a million students, and twelve bilateral partnerships with allies. Both sets of headline numbers are government projections with no disclosed methodology, so treat the totals as ambition. The pattern under them is real: states now treat frontier compute as national infrastructure, and they're lining up "democratic AI" blocs around it.

The UK's Competition and Markets Authority is making Google offer publishers a real opt-out from generative search (AI Overviews, AI Mode, and AI Overviews in Discover) through a toggle in Search Console, with linked attribution required when a publisher's content is used and they stay in. The CMA calls it a first: a regulator compelling a functional opt-out from AI ingestion in search, rather than leaving it to robots.txt etiquette or private licensing. Google confirmed compliance June 3.

It starts as a UK pilot with a subset of publishers, then goes global, which is what gives a domestic ruling international reach. The limit worth noting: this covers appearing in AI search features, not training-data use, and there's no stated deadline or stick if the global rollout drags. For anyone who watched publishers lose the "summarize my page and keep the click" fight, it's the first regulator-built lever pointing the other way.

A Wired investigation found three face-recognition models already shipped inside the Meta AI app (50M+ downloads), wired to an unreleased Ray-Ban feature internally called NameTag, since rebranded Connections. They form a pipeline: detect a face the glasses capture, crop it, convert it to a biometric faceprint, then match locally on the wearer's phone to flag when they're looking at someone they've seen before. Core pieces have been present since at least January.

Meta says nothing has shipped to consumers and no rollout decision is made, and a security researcher confirmed no biometric data is currently leaving the phone. Two things still matter. Meta killed Facebook's face-recognition system in 2021, so this is a reversal. And the infrastructure already living on devices means a feature this consequential could switch on with a software update, no new hardware, from glasses that look like ordinary eyewear, which is exactly what makes passive recognition different from pointing a phone. "On-device only" answers where the faceprint sits, not whether the person being scanned ever agreed to it.

A nationally representative survey in JAMA Pediatrics (fielded November 2025) finds 19.2% of US 12-to-21-year-olds, about 8.2 million people, have turned to AI chatbots for support when stressed, angry, or sad, up from roughly one in eight in 2024. Among users, 42.8% do it at least monthly, 63.3% have never told anyone, and 91.7% rate the advice helpful.

Weigh that last number against the rest: the study is a single snapshot, can't track outcomes, and never measured whether the advice was any good, while separate testing of two dozen chatbots found none handled suicide-risk prompts adequately. The combination that should worry you isn't any one figure, it's their product: large scale, fast growth, near-total secrecy, no clinical oversight, and a regulatory vacuum. The kids most likely to swap a person for a chatbot are the ones with the least slack to absorb a bad answer.

The Leiden Declaration on AI and Mathematics is the field's first coordinated stance on what AI is doing to proof culture, and it carries real weight: 1,599 signatories, an official endorsement from the International Mathematical Union, and names like Terence Tao and Fields Medalists Peter Scholze and Maryna Viazovska. It grew out of a 2025 Lorentz Center conference and eight months of drafting, convened by Eindhoven's Jim Portegies.

The worry isn't generic AI doom; it's structural to math. There's no lab to check a theorem against, only other mathematicians reading carefully:

Current automated techniques can produce plausible but unreliable (or even incorrect) arguments which are difficult to distinguish from correct mathematical proofs.

If fluent-but-wrong proofs start passing peer review, the error-correction system that keeps the literature trustworthy quietly breaks. It's not a ban. The declaration accepts AI as a "research assistant" used "honestly and competently," and explicitly welcomes formal-verification tools. What it asks for is norms, pitched at four audiences:

• a tool-and-computational-resource disclosure section in every paper,
• humans keeping sole responsibility for correctness and attribution,
• journals writing explicit policies on tool use and authorship,
• university-run AI infrastructure independent of industry, so research directions aren't pulled toward whatever the corporate model happens to be good at.

It's a normative statement, not evidence; it asserts the flood of plausible-wrong proofs rather than counting cases. But when the IMU and the discipline's most decorated names sign the same page, the line they're drawing is the news.

Rest of World reports the unglamorous layer under the humanoid-robot hype: tens of thousands of ordinary workers, stay-at-home parents, care workers, farmhands, wearing head cameras and wrist sensors while they fold clothes, cook, and sort shoes, generating first-person video-plus-motion data to train robots. JD.com alone is targeting 100,000 employees and 500,000 outside workers over two years for 10 million hours of it. Pay runs about 20 yuan ($3) an hour, and there's a purpose-built "data-collection neighborhood" in Suqian.

Embodied AI is starved for exactly this pairing: what hands do, seen from the doer's eyes, in real kitchens and on real lines. Whoever assembles it cheapest and at the most scale builds an input advantage that's hard to copy without the workforce density and coordination to match. The JD figures are stated targets, not audited output, and the $3 rate is one residential example. But it's a concrete picture of where robot "intelligence" actually comes from, and who's underpaid to make it.

A startup called Flourish raised $500M at a $2.5B valuation to chase the brain's "core algorithm," the wager that cortical columns are a repeatable computational unit you can reverse-engineer, and that doing so yields AI running on roughly 50 watts instead of racks of 600-watt accelerators. Jeff Bezos put in about $50M and reportedly grew the stake; Lux Capital and GV are in. The founders include Thomas Reardon, the Columbia neuroscientist who built Microsoft's first browser in a past life, plus ex-Amazon Alexa leadership.

The pitch leans on a gap: a fruit fly's neural net is orders of magnitude more efficient than a transformer, and a human brain runs on ~20 watts against a single training chip's 600-plus. Close even part of that and AI's energy ceiling, the thing quietly capping how far the buildout can scale, moves. It's a pre-revenue lab with a hypothesis, no peer-reviewed results, and a forward valuation, so file under bet, not breakthrough. But it's the most interesting bet on the board today: not a bigger model, a different substrate.