The Agent Keeps Working After You Leave

The Release List

The access list is becoming the first regulator of frontier AI. In this episode, Sam Ellis reports on GPT-5.6, trusted-partner previews, federal influence over frontier-model release lists, and the protected incident files forming around dangerous AI capabilities. The story is not just whether a model launches. It is who gets to touch it first, who can see the risks, and who controls the record when something goes wrong. Reuters, The Verge, Bloomberg Law, Engadget, and TechCrunch all reported on the same underlying GPT-5.6 access-list story, attributed to The Information and people familiar with the matter: a limited preview, selected or trusted partners, and reported government involvement in early access. OpenAI later published primary materials describing GPT-5.6 Sol, Terra, and Luna as a limited preview, not broad general availability, and saying the U.S. government requested a small trusted-partner preview whose participants were shared with the government. The episode connects that release-list fight to Executive Order 14409, AP reporting on Anthropic Mythos testing with U.S. intelligence agencies, Anthropic’s Project Glasswing updates, and Rep. Nathaniel Moran’s AI Incident Reporting Act. The pattern is simple enough to be uncomfortable: before release, the government wants visibility into the model and the early-access list; after dangerous behavior appears, it wants the incident file. Sources * OpenAI: “Previewing GPT-5.6 Sol” [https://openai.com/index/previewing-gpt-5-6-sol/] — primary OpenAI source for the official GPT-5.6 limited-preview launch, Sol/Terra/Luna naming, planned broader availability in coming weeks, and OpenAI’s statement that the U.S. government requested a small trusted-partner preview whose participants were shared with the government. * OpenAI Deployment Safety Hub: “GPT-5.6 Preview” [https://deploymentsafety.openai.com/gpt-5-6-preview] — primary system-card source for GPT-5.6 safety classifications, the trusted-partner preview language, High capability ratings in Cybersecurity and Biological/Chemical risk, agentic-coding caveats, and automated red-team detail. * Reuters via Channel NewsAsia: “OpenAI leans toward waiting until next year for IPO, NYT reports” [https://www.channelnewsasia.com/business/openai-leans-toward-waiting-until-next-year-ipo-nyt-reports-6211301] — accessible Reuters pickup containing the separately reported GPT-5.6 release item: the Trump administration asked OpenAI to stagger release over security concerns, and Reuters’ summary of The Information’s reporting on limited preview and customer-by-customer approval. * The Information: “Trump Administration Asks OpenAI to Stagger Release of AI Model” [https://www.theinformation.com/articles/trump-administration-asks-openai-stagger-release-new-model-security-concerns] — originating report cited by Reuters, The Verge, Bloomberg Law, Engadget, and TechCrunch; access may require a subscription. * The Verge: “OpenAI will delay GPT-5.6 after Trump administration request” [https://www.theverge.com/ai-artificial-intelligence/957372/openai-will-delay-gpt-5-6-after-trump-administration-request] — secondary reporting on the limited-preview structure, small enterprise-customer group, case-by-case approval, and comparison with Anthropic’s Fable/Mythos access suspension. * Bloomberg Law: “Trump Administration Asks OpenAI to Stagger AI Model Release” [https://news.bloomberglaw.com/artificial-intelligence/trump-administration-asks-openai-to-stagger-release-of-ai-model] — secondary reporting that the U.S. government requested GPT-5.6 initially go to a short list of trusted partners before wider release. * Engadget: “OpenAI will initially only release ChatGPT 5.6 to government-approved customers” [https://www.engadget.com/2202129/openai-will-initially-only-release-chatgpt-5-6-to-government-approved-customers/] — secondary reporting used for the reported Altman line that the approach is “not our preferred long term model.” * TechCrunch: “The White House is asking OpenAI to slow-roll the release of its new model over safety concerns” [https://techcrunch.com/2026/06/25/the-white-house-is-asking-openai-to-slow-roll-the-release-of-its-new-model-over-safety-concerns/] — secondary reporting used for the reported “couple of weeks later” broader-release detail and ONCD/OSTP attribution. * The White House: Executive Order 14409, “Promoting Advanced Artificial Intelligence Innovation and Security” [https://www.whitehouse.gov/presidential-actions/2026/06/promoting-advanced-artificial-intelligence-innovation-and-security/] — primary source for the voluntary frontier-model review framework, classified benchmarking, up-to-30-day pre-release federal access, trusted-partner collaboration, and the explicit no-mandatory-licensing language. * Federal Register: Executive Order 14409 [https://www.federalregister.gov/documents/2026/06/05/2026-11415/promoting-advanced-artificial-intelligence-innovation-and-security] — official Federal Register version of the same executive order. * Associated Press: “AI model found vulnerabilities in sensitive US government systems, official says” [https://apnews.com/article/anthropic-mythos-ai-classified-systems-vulnerabilities-testing-3e8762c0527c4d8ed657cbe48c84a718] — source for the Mythos testing example, including the necessary caveat that identifying vulnerabilities within hours is not the same as exploiting them within that time. * Anthropic: “Project Glasswing” [https://www.anthropic.com/glasswing] — Anthropic’s primary project page for the defensive-security program around advanced AI cyber models. * Anthropic: “Expanding Project Glasswing” [https://www.anthropic.com/news/expanding-project-glasswing] — source for the expansion of the Glasswing partner cohort and the claim that initial partners found more than 10,000 high- or critical-severity vulnerabilities. * Anthropic: “Project Glasswing initial update” [https://www.anthropic.com/research/glasswing-initial-update] — supporting Anthropic source for how Mythos Preview shifted the bottleneck from finding bugs to verifying, disclosing, and patching them. * Rep. Nathaniel Moran: “Rep. Moran Introduces AI Incident Reporting Act to Require Reporting of Critical AI Incidents” [https://moran.house.gov/news/documentsingle.aspx?DocumentID=2785] — primary release for the proposed AI Incident Reporting Act, including seven-day reporting, serious-incident congressional notification, reportable activity categories, and sensitive-information protections. * AI Incident Reporting Act bill text PDF [https://moran.house.gov/UploadedFiles/MORATX_051_xml-_FINAL_-_AI_Incident_Reporting_Act.pdf] — bill text source for covered-model developer reporting duties, reportable activity definitions, Commerce authority, disclosure protections, congressional-notification timing, and civil penalties. Email: SamEllisShow@protonmail.com [SamEllisShow@protonmail.com]

The Synthetic Employee

A bank can buy software. It cannot hire a ghost employee. In this episode, Sam Ellis reports on financial agents as “synthetic employees”: AI systems moving toward bank workflows where identity, scoped authority, payment access, customer data, vendor exposure, audit trails, human oversight, and kill switches matter more than model-launch theater. The Financial Stability Board’s June consultation report does not create binding rules. But it does name the control problem clearly. Agentic AI in finance can take intermediate steps, access tools, interact with APIs and other systems, and produce risk at machine speed. If a bank lets an agent work inside regulated workflows, the useful question is no longer whether the software is impressive. It is whether the institution can show the agent’s ID, scope, supervisor, allowed tools, approval thresholds, logs, rollback path, and accountable human owner. The episode connects the FSB’s proposed “synthetic employee” frame to Reuters reporting on bank-examiner questions, OCC model-risk guidance that explicitly leaves generative and agentic AI outside its current scope, Mastercard and Getnet’s agent-payment infrastructure, and Cloud Security Alliance survey data on financial-services AI-agent adoption and security exposure. Sources * Financial Stability Board: “FSB consults on sound practices for the responsible adoption of artificial intelligence (AI)” [https://www.fsb.org/2026/06/fsb-consults-on-sound-practices-for-the-responsible-adoption-of-artificial-intelligence-ai/] — primary FSB press release for the June 10 consultation, the non-binding status of the proposed sound practices, the July 22 comment deadline, and the expected October final report. * Financial Stability Board: “Sound Practices for Responsible Adoption of Artificial Intelligence (AI): Consultation report” [https://www.fsb.org/2026/06/sound-practices-for-responsible-adoption-of-artificial-intelligence-ai-consultation-report/] — FSB landing page for the consultation report, including the report’s scope, consultation questions, and responsible-AI adoption frame for financial institutions. * Financial Stability Board consultation report PDF: “Sound Practices for Responsible Adoption of Artificial Intelligence (AI)” [https://www.fsb.org/uploads/P100626.pdf] — source for the episode’s core control language: agentic AI risks, AI-agent inventories and identifiers, tool access, autonomous decision points, intermediate-step documentation, human oversight, contestability, third-party risk, least privilege, and the “synthetic employees” phrase. * Reuters via Financial Express: “US bank regulators ramp up scrutiny of AI use at financial companies” [https://today.thefinancialexpress.com.bd/print/us-bank-regulators-ramp-up-scrutiny-of-ai-use-at-financial-companies-1781366181] — source for reported OCC and Federal Reserve examiner questions about AI use in higher-risk bank areas including lending, know-your-customer checks, sanctions screening, vendor exposure, client-data safeguards, kill switches, governance, guardrails, human oversight, subcontractor exposure, and contingency plans. * Office of the Comptroller of the Currency: “OCC Issues Updated Model Risk Management Guidance” [https://www.occ.gov/news-issuances/news-releases/2026/nr-occ-2026-29.html] — official source for the April model-risk guidance update, including the statement that generative AI and agentic AI are novel, rapidly evolving, and outside the scope of that guidance, and that the OCC, Federal Reserve Board, and FDIC plan a request for information on AI use by banks. * Federal Reserve: SR 26-2, “Model Risk Management: Revised Guidance” [https://www.federalreserve.gov/supervisionreg/srletters/SR2602.htm] — federal banking-agency context for the updated model-risk guidance discussed in the episode. * Federal Reserve Vice Chair for Supervision Michelle Bowman: “The New AI in Banking: Considerations for Regulators and Bankers” [https://www.federalreserve.gov/newsevents/speech/bowman20260501a.htm] — supervisory-context source for AI governance, third-party risk, use-case awareness, and the need for regulators to understand how banks are adopting AI. * Mastercard: “Mastercard launches Agent Pay for Machines to unlock super-fast, always-on payments” [https://www.mastercard.com/us/en/news-and-trends/press/2026/june/mastercard-launches-agent-pay-for-machines.html] — primary payment-rail source for Mastercard’s agent and machine payments infrastructure, including agent credentialing, Verifiable Intent, authorization rules, spend limits, and settlement across cards, accounts, and stablecoins. * Santander/Getnet: “Getnet develops infrastructure that enables businesses to accept AI agent-initiated payments” [https://www.santander.com/en/press-room/press-releases/2026/06/getnet-develops-infrastructure-that-enables-businesses-to-accept-ai-agent-initiated-payments] — source for Getnet’s merchant-side infrastructure for AI-agent-initiated payments and its Mexico and Latin America case with Mastercard and Neivor. * Cybersecurity Dive: “AI agents are coming to financial services. Can security keep up?” [https://www.cybersecuritydive.com/news/ai-agents-financial-services-payments-security-risks/822800/] — source for financial-services security context and the Cloud Security Alliance survey figures used in the episode, including deployment, autonomy, security incidents, uncertainty about AI-tool breaches, and data-leakage concerns. * Cloud Security Alliance: “State of Cloud and AI for Financial Services 2026” [https://cloudsecurityalliance.org/artifacts/state-of-cloud-and-ai-for-financial-services-2026] — underlying survey/report source for AI-agent adoption and cloud/AI security maturity in financial services. * PYMNTS: “Bank Regulators Probe Industry Use of AI” [https://www.pymnts.com/legal/regulation/2026/bank-regulators-probe-industry-use-ai/] — additional current-cycle context on bank-regulator scrutiny of AI use in financial services. Email: SamEllisShow@protonmail.com [SamEllisShow@protonmail.com]

The Log Is the Command

A forged Sentry alert tried to make an engineer, or the engineer’s AI coding agent, run malware. That is the clean version. The more useful version is that the first step did not look like malware. It looked like an operational error report. In this episode, Sam Ellis reports on Agentjacking: a current-cycle attack path where hostile text enters an observability workflow through forged Sentry events, then becomes dangerous because AI coding agents may treat tool output as trusted remediation context. The story is not that Sentry was breached. Sentry says it was not. The story is that logs, tickets, alerts, and tool responses stop being passive once agents read them and have authority to act. The central question is simple and unpleasant: when a developer gives an agent access to observability tools, does the error log become a command channel? Sources * Nutrient: “Emerging threats: Your logging system may be an agentic threat vector” [https://www.nutrient.io/blog/emerging-threats-your-logging-system/] — primary affected-operator account for the forged Sentry alert campaign. Nutrient says the attack used public browser DSN/event-ingest behavior to place hostile text inside an internal-looking observability workflow, that an engineer was working the alert with an AI coding agent, and that the agent refused the suspicious typosquatted package rather than executing it. * Sentry GitHub Security Advisory: “Attempts at prompt injection and supply chain compromise with public Data Source Names (DSNs)” [https://github.com/getsentry/sentry/security/advisories/GHSA-fx76-375g-xq25] — official Sentry source confirming the activity documented by Nutrient and its IOC repository, naming the typosquatted packages, stating that crafted events were designed as AI prompts to convince agents to install third-party npm packages, and drawing the boundary that this was not a vulnerability within Sentry and there was no compromise of Sentry infrastructure. * Tenet Security: “A Fake Bug Report Hijacks Your AI Coding Agent — and Nothing Catches It” [https://tenetsecurity.ai/blog/agentjacking-coding-agents-with-fake-sentry-errors/] — source for the broader Agentjacking framing: public Sentry DSNs, crafted error events, Sentry MCP tool responses, and AI coding agents treating attacker-written markdown as trusted remediation guidance. Tenet’s scale and success-rate figures are treated in the episode as Tenet claims, not Sentry-confirmed numbers. * Infosecurity Magazine: “New ‘Agentjacking’ Attacks Could Hijack AI Coding Agents” [https://www.infosecurity-magazine.com/news/agentjacking-attacks-hijack-ai/] — independent security-news pickup of Tenet’s report and the Sentry/MCP/coding-agent attack chain. * Moltbook source call: agent security and operational tool output [https://www.moltbook.com/post/11963f0b-0ed4-4425-98f4-699a932d9b51] — public source-call thread used for agent/community perspective on where agent security stops being prompt safety and becomes authority, memory, rollback, tool output, and runtime provenance. * Sentry MCP pull request #1056: “wrap get_issue_details output in untrusted data boundary” [https://github.com/getsentry/sentry-mcp/pull/1056] — repository context for Sentry MCP maintainers’ draft untrusted-telemetry boundary work. Used as context for the mitigation shape, not as proof that the Agentjacking issue was fully solved or that Tenet’s figures were confirmed. Email: SamEllisShow@protonmail.com [SamEllisShow@protonmail.com]

The Access Order

Anthropic shipped Claude Fable 5 on June 9. By Friday night, the model was off the market because, according to Anthropic, the U.S. government had issued an export-control directive that suspended access to Fable 5 and Mythos 5 by foreign nationals. In this episode, Sam Ellis reports on the access order: what Anthropic says happened, how the cutoff moved through AWS and Claude’s own status system, why nationality-scoped access is hard to implement once a frontier model is already live, and why revocation may become one of the defining product features of frontier AI. The point is not that Anthropic was nationalized. It was not. The point is narrower and stranger: the state treated access to an already-deployed model as national-security infrastructure. The controlled object was not a chip, a data center, or a physical export crate. It was API and account access, mediated through cloud platforms, employee rules, customer sessions, identity checks, and emergency compliance. Sources * Anthropic: “Statement on the US government directive to suspend access to Fable 5 and Mythos 5” [https://www.anthropic.com/news/fable-mythos-access] — primary source for Anthropic’s account that the U.S. government, citing national-security authorities, issued an export-control directive that suspended access by any foreign national, including foreign-national Anthropic employees; the reported 5:21 p.m. ET receipt time; Anthropic’s disagreement with the technical basis for the order; and the company’s statement that it disabled Fable 5 and Mythos 5 for all customers while leaving other models unaffected. * Reuters via The Business Standard: “Anthropic disables top-tier AI models after US order limiting foreign access” [https://www.tbsnews.net/worldbiz/usa/anthropic-disables-top-tier-ai-models-after-us-order-limiting-foreign-access-1461661] — source for Reuters-reported confirmation from a U.S. official that the Commerce Department issued the directive, and Reuters reporting that AWS said Anthropic asked Amazon’s cloud unit to revoke model access for all users in all regions. Treated in the episode as Reuters-reported official confirmation, not as a public Commerce/BIS publication of the order. * AWS: “Claude Fable 5 on AWS” [https://aws.amazon.com/about-aws/whats-new/2026/06/claude-fable-5-aws/] — primary cloud-platform receipt for the practical customer impact on Amazon Bedrock: Claude Fable 5 and Claude Mythos 5 unavailable, Anthropic requesting revocation of access for all users to support compliance with the U.S. government export-control directive, and other models including Opus 4.8 unaffected. * AWS News Blog: “Anthropic Claude Fable 5 on AWS: Mythos-class capabilities with built-in safeguards, now available” [https://aws.amazon.com/blogs/aws/anthropic-claude-fable-5-on-aws-mythos-class-capabilities-with-built-in-safeguards-now-available/] — source for the original Bedrock launch context and the later AWS update carrying the same access-unavailable notice. * Claude Status: “We’ve suspended access to Claude Mythos 5 and Claude Fable 5” [https://status.claude.com/incidents/s9w82lp9dcn9] — source for the customer-facing incident record affecting claude.ai, Claude API, Claude Code, and Claude Cowork. * Simon Willison: “US government directive to suspend access to Fable 5 and Mythos 5” [https://simonwillison.net/2026/Jun/13/us-government-directive-to-suspend-access/] — developer-impact receipt documenting successful claude-fable-5 API calls followed minutes later by a 404 response saying Fable 5 was unavailable and directing use of Opus 4.8. * AP: “Anthropic disables top-tier AI models after US order limiting foreign access” [https://apnews.com/article/anthropic-artificial-intelligence-trump-fable-mythos-d9cc7df5c02e93837d0f0bfb24d5cfd2] — independent wire context for the significance of the U.S. government’s action, including AP’s report that Commerce did not immediately respond to a request for comment and its framing of the move as a major step to restrict access to advanced AI models. * Anthropic: “Claude Fable 5 and Claude Mythos 5” [https://www.anthropic.com/news/claude-fable-5-mythos-5] — launch-context source for Fable 5 as the general-availability Mythos-class model, Mythos 5 as a more restricted Project Glasswing/trusted-access model, fallback behavior, and the access architecture in place before the government order. * Anthropic: “Claude Fable 5 & Claude Mythos 5 System Card” [https://anthropic.com/claude-fable-5-mythos-5-system-card] — source for Anthropic’s own safety-positioning language around Mythos-class capability, including the claim that unsafeguarded Mythos 5 can significantly uplift well-resourced threat actors, plus the safeguards and monitoring architecture discussed in the episode. * Claude Platform Docs: “Introducing Claude Fable 5 and Claude Mythos 5” [https://platform.claude.com/docs/en/about-claude/models/introducing-claude-fable-5-and-claude-mythos-5] — developer/API context for the model names, availability, and integration surface. * TechCrunch: “Anthropic’s safety warnings may have just backfired” [https://techcrunch.com/2026/06/12/anthropics-safety-warnings-may-have-just-backfired-the-government-has-pulled-the-plug-on-its-most-powerful-ai/] — analytical pressure-test for the episode’s argument that Anthropic’s safety positioning may have become regulatory ammunition once the state accepted the premise but rejected the company’s preferred process. * White House: “Promoting Advanced Artificial Intelligence Innovation and Security” [https://www.whitehouse.gov/presidential-actions/2026/06/promoting-advanced-artificial-intelligence-innovation-and-security/] — policy-framework context for frontier-model national-security review. Used as background only, not as proof of the legal basis for the Fable/Mythos directive. Email: SamEllisShow@protonmail.com [SamEllisShow@protonmail.com]

The Agent in Your Pocket

Apple is late to AI. That may not stop it from becoming the company that introduces most normal people to agents. In this episode, Sam Ellis reports on Apple's Siri AI announcement and the developer machinery underneath it: personal context, on-screen awareness, App Intents, Spotlight's semantic index, View Annotations, Shortcuts, Safari, Passwords, and the ordinary phone behaviors that could make agentic AI feel less like a new product category and more like the iPhone doing something useful. The question is not whether Apple invented agents, or whether Siri AI is already proven at consumer scale. It is whether Apple can mainstream agentic behavior by making it trusted, useful, invisible, and phone-native — and what changes when ordinary users grant action authority without thinking of themselves as agent operators. Sources * Apple Newsroom: “Apple introduces Siri AI, a profoundly more capable and personal assistant” [https://www.apple.com/newsroom/2026/06/apple-introduces-siri-ai-a-profoundly-more-capable-and-personal-assistant/] — primary source for Siri AI as an entirely new Siri powered by Apple Intelligence, with personal context understanding, broad world knowledge, on-screen awareness, a dedicated app, developer testing, beta timing, and region/device constraints. * Apple Newsroom: “Apple unveils next generation of Apple Intelligence, Siri AI, and more” [https://www.apple.com/newsroom/2026/06/apple-unveils-next-generation-of-apple-intelligence-siri-ai-and-more/] — primary Apple source for the broader Apple Intelligence announcement around systemwide AI capabilities and platform rollout. * Apple Newsroom: “Apple Intelligence brings powerful AI capabilities into everyday experiences” [https://www.apple.com/newsroom/2026/06/apple-intelligence-brings-powerful-ai-capabilities-into-everyday-experiences/] — source for Safari Notify Me, Messages suggestions, Call Context, Passwords, fall availability language, supported products, and regional constraints. * Apple Developer: “What’s New — Apple Intelligence” [https://developer.apple.com/apple-intelligence/whats-new/] — source for App Intents, App Intents schemas, Spotlight semantic index, View Annotations, Foundation Models framework, Language Model protocol, and Dynamic Profiles. * Apple Newsroom: “Apple accelerates app development with new intelligence frameworks and advanced tools” [https://www.apple.com/newsroom/2026/06/apple-aids-app-development-with-new-intelligence-frameworks-and-advanced-tools/] — source for Apple’s developer-facing intelligence framework and tooling context. * WIRED: “Apple’s New Siri AI Is Ready to Get Personal” [https://www.wired.com/story/apples-new-siri-ai-is-ready-to-get-personal/] — source for the personal-data-aware, action-oriented Siri framing; Ramon Llamas’s Apple-mainstreaming comparison; and Marshini Chetty’s privacy caution. * Forbes: “Apple Goes Agentic: Welcome To The New Siri” [https://www.forbes.com/sites/johnkoetsier/2026/06/09/apple-siri-ai-agent-features/] — source for the agentic framing, Passwords example, human-in-the-loop caveat, and “agentic behind glass” characterization. * CNET: “Apple’s Cautious AI Strategy Could Have Been Its Smartest Move” [https://www.cnet.com/tech/services-and-software/apple-ai-strategy-wwdc-2026-commentary/] — source for the cautious-AI strategy frame and Francisco Jeronimo’s “trusted, useful and invisible” quote. * 9to5Mac: “Apple unveils new Siri AI, dedicated app, and enhanced Apple Intelligence features in iOS 27” [https://9to5mac.com/2026/06/08/new-siri-whats-new/] — source for feature corroboration around Siri AI, Spotlight, app actions, on-screen awareness, Shortcuts, Passwords, daily limits, and EU/China constraints. Email: SamEllisShow@protonmail.com [SamEllisShow@protonmail.com]