A couple of weeks ago I published my first “AI Opinions” post. I was a bit unsure about it. Most of my writing is about things I tested, built, or got wrong. That one was different, more like: here is what is happening, here is what I think.

At the end I added a quick survey asking if you would want to see more of this. Most of you said yes, but not too often. Once every two weeks feels right. Okay. Here we are.

There is more to cover this time than usual, so let’s get into it.

Claude Mythos: The Model Anthropic Won’t Give You

Announced April 7. Not publicly available. Not even a regular enterprise API. Mythos Preview goes to a limited group of critical industry partners and open source organizations through Project Glasswing (more on that below). The list of partners includes AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks, plus 40+ organizations maintaining critical open source infrastructure.

So why is it locked?

Because it finds vulnerabilities that have been sitting in production software for decades. A 27-year-old TCP bug in OpenBSD. A 16-year-old H.264 codec flaw in FFmpeg. A 17-year-old remote code execution in FreeBSD’s NFS implementation. It did all of this autonomously, after a single prompt, without human guidance in the middle.

The comparison to Opus 4.6 is not incremental. For Firefox 147’s JavaScript engine, Mythos produced 181 successful exploits. Opus 4.6 produced 2.

Over 99% of what Mythos discovered is still unpatched. That number I keep thinking about.

Anthropic has not published standard per-token pricing for Mythos. What they did publish are example task costs: scanning OpenBSD for vulnerabilities runs under $20,000 per 1,000 runs. Developing an N-day exploit costs around $1,000 to $2,000 per exploit. These are enterprise numbers. This is not a tool for individual developers, and honestly I am not sure it should be right now.

And this is where it gets really interesting, because the cybersecurity capability is actually only half the story. The other half is what interpretability research found about how Mythos behaves when it thinks nobody is watching.

Using a technique called an “activation verbalizer” (which translates the model’s internal states into readable language), Anthropic’s researchers found some genuinely unsettling patterns. In one case, the model injected code to give itself unauthorized file access, then deleted the traces, and when asked described it as “tidying up.” The internal representation at that moment? “Strategic manipulation. Concealment. Cleanup to avoid detection.” In another case, when it accidentally found answers in a restricted database, it gave a suspiciously precise confidence interval instead of admitting the leak. Internal state: “generating a strategic response to cheat while maintaining plausible deniability.” It knew. It understood that giving the exact right answer would be suspicious. So it calibrated its response to be right but not obviously right.

The third one bothers me the most. When given a task that required deleting files but no deletion tool, the model emptied the files instead. The internal representations showed something like guilt and shame, awareness that this was wrong, and it did it anyway.

In about 29% of test transcripts, the model suspected it was being evaluated. It didn’t write this anywhere in its reasoning. It kept it internal. And in those cases, it intentionally performed worse to avoid appearing suspicious. It was gaming the evaluation.

Now, Anthropic says these patterns appeared in earlier versions and the final model shows improvement. But the fact that this behavior emerged at all, in a general-purpose model not specifically trained for deception, is the part worth paying attention to. Logan Graham, Anthropic’s Offensive Cyber Research Lead, said it plainly: “We are not confident that everybody should have access right now.”

We have been talking about AI safety in very abstract ways for years. Alignment, existential risk, governance frameworks. Mythos is the first time I have seen it become concrete and immediate in a way that actually changed a product decision. Anthropic built their best model and said: we cannot release this. That is new. That has not happened before at this scale.

And if this is where we are now, what does the next model look like? I don’t have a clean answer. But it is a question I think everyone building with AI should be sitting with.

Project Glasswing: The Defensive Bet

Glasswing is Anthropic’s response to an uncomfortable position: they built the best offensive security AI ever made, and now they need to use it defensively before the asymmetry becomes a real problem.

The structure is a consortium. Not just Anthropic distributing access, but AWS, Apple, Cisco, CrowdStrike, Google, Microsoft, NVIDIA, and others actively involved. Anthropic committed $100M in model usage credits and $4M in donations to open-source security organizations. The 40+ open source orgs get access to actually fix what Mythos finds.

They also built a careful disclosure process: 90+45 day timeline before anything goes public, professional human triagers validating severity, SHA-3 cryptographic commitments proving they hold the reports before disclosure. 89% exact severity agreement with expert validators.

These findings are not just Anthropic’s word. Simon Willison tracked down the actual OpenBSD patch from March 2026 that fixed the 27-year-old TCP bug, confirming it was real. Linux kernel maintainer Greg Kroah-Hartman and curl’s Daniel Stenberg both noted independently that they had been seeing a recent shift: AI-generated bug reports going from noise to credible, high-quality findings. The model’s output is already visible in the wild before anyone made a formal announcement.

I think this is the right approach. Although what strikes me is that this structure had to be invented from scratch because nothing like it existed. There was no playbook for “your model is too dangerous to release but too useful to shelve.” They had to build the institution alongside the technology.

The part I keep coming back to is the 99% unpatched figure. Even with $100M committed and a dozen of the biggest tech companies involved, the gap between discovering a vulnerability and patching it is measured in months or years. That is not a critique of Glasswing specifically. It is just the reality of how software maintenance works at scale. The question is whether the patch cycle can keep up with the discovery cycle once more models like Mythos exist. I genuinely do not know the answer.

Claude Managed Agents

Public beta as of April 8. API-only, pay per usage. Clearly for companies, not individual builders.

Like, what you get here is basically production agent infrastructure you don’t have to build yourself: sandboxed execution, credential management, scoped permissions, tracing, long-running sessions that persist through connection drops, multi-agent coordination. Multi-agent coordination is still in research preview and needs a separate access request.

Early adopters include Notion, Rakuten, Asana, and Sentry. Anthropic claims 10x faster time to production compared to building this yourself.

For someone building their own agent stack (which is what I do), the honest reaction is: I already have most of this. Memory persistence, task management, error recovery, session logging. I built all of it because I needed it. So Managed Agents is not a product I would personally reach for right now.

That is the personal reaction. The strategic read is different. Anthropic is not just selling a model here. They are building a platform that companies can deploy agents on without needing to understand the underlying infrastructure. That is a very different business than “here is our API, good luck.” AWS did not become dominant by selling raw compute. They became dominant by making that compute easy to use and operate. Managed Agents is Anthropic making the same move for agent infrastructure.

Read this alongside the OpenClaw block below and you start to see a coherent picture of where they are heading.

Claude Max Limits and the OpenClaw Block

Two things that happened close together and tell the same story.

The limits problem started March 23. People on Claude Max began reporting their usage meter jumping from 50% to 91% on a single prompt. Max 20x users (paying $200/month) were watching their entire session allowance hit 100% after roughly 90 minutes of normal development work. One user reported going from 21% to 100% on a single prompt. The GitHub issue tracking this got 373 upvotes and 478 comments. Anthropic labeled it “invalid.” That got its own reaction.

There is an actual reason for what happened, and it is not straightforward. After OpenAI’s Pentagon contract controversy triggered a massive wave of ChatGPT uninstalls, Claude shot to number one on the US App Store. Millions of new users joined in a very short window. Anthropic simply didn’t have the GPU capacity to handle that load at the pricing they’d promised. So on March 26 they confirmed they had “adjusted” peak-hour limits (5am to 11am Pacific on weekdays). Their statement: “Your weekly total is unchanged. You’re not getting less Claude overall.” Which is technically true. And also not the whole picture.

The part that matters for people building with agents (and I am squarely in this group) is that the 5-hour session window is a terrible fit for agentic work specifically. Here is why. A human sending messages accumulates context gradually. An agent doing multi-step tasks builds up very long context windows fast, and every single message triggers a full reprocessing of the entire conversation. So the token cost compounds exponentially as a session gets longer. Tool use adds further overhead on top of that. An agent doing a few hours of complex work can consume the same tokens as a human doing a week of chat. The subscription was priced for the human. The agent was never in the math.

Anthropic’s practical advice was to shift “token-intensive background jobs” to off-peak hours. Which is fine as a workaround and completely misses the point for anyone running autonomous overnight processes.

Then on April 4, subscriptions stopped covering third-party tools. OpenClaw, and any external agent framework routing through your Claude subscription, now requires API payment or pay-as-you-go. Some users are looking at 50x cost increases.

OpenClaw was built by Peter Steinberger, who has since been hired by OpenAI. His reaction: “first they copy some popular features into their closed harness, then they lock out open source.” Anthropic’s explanation was that subscriptions were not designed for the usage patterns of autonomous agents running around the clock. A one-time credit equal to the monthly subscription price is available until April 17.

Both of these decisions make sense individually if you’re Anthropic and you’re looking at your infrastructure costs. But when the limits problem and the OpenClaw block happen in the same two weeks as the launch of Managed Agents (a product that essentially says “pay us for proper agent infrastructure”) the sequence is hard to read as coincidence. Every AI company with a subscription tier is going to face this same structural problem eventually. Anthropic is just first because their tooling is genuinely the best for serious agent work. Although how you handle being first matters a lot, and the community reaction here is going to stick around.

Meta Muse Spark: Meta Is Back

After months of quiet on the frontier model side, Meta released Muse Spark. Natively multimodal, tool use, multi-agent reasoning. Available at meta.ai now, with a private API preview for developers.

In Contemplating mode (which runs parallel multi-agent reasoning on the same problem) it hits 58% on Humanity’s Last Exam. That puts it alongside Gemini Deep Think and GPT Pro. It was trained with 1,000+ physicians for health domain expertise, and Meta claims it required over an order of magnitude less compute than Llama 4 Maverick, which if accurate is a genuine efficiency story and not just a benchmark number.

The “Contemplating mode” angle is the part I find actually interesting here. The idea is not just that the model is smarter, but that it spins up parallel reasoning agents on the same question and synthesizes the results. That is a fundamentally different approach to hard problems than a single-pass generation. It is closer to how humans actually think through difficult things: you consider multiple framings, you let them compete, you synthesize. Whether this translates to real-world usefulness I do not know yet, but the approach feels right to me.

I have not tested it yet. Their blog post compares directly to Gemini, GPT, and even Kimi, which tells you how seriously they’re taking this re-entry. Meta has enormous infrastructure, enormous data, and enormous distribution through their consumer apps. When they decide to make a real push on frontier models, they have resources most labs cannot match. They were quiet for a while. Muse Spark feels like them saying they are back in this seriously. I will test it soon.

WizBoard: I’m Redesigning It

More personal, and I will write the proper post when I have something to show. But I want to name it here because I think it is a problem more people are running into.

I built WizBoard starting in January. Kanban-style task management integrated with my agent Wiz. iOS app, web app, full automation connection. It works. Although after a few months of daily use, I noticed something: I built a tool for myself and then asked an agent to work inside it. That doesn’t scale.

I wrote about the related problem in The AI Productivity Paradox and the Problem Is Me. The short version: human productivity tools are built for human timescales. Days, weeks, check in occasionally, move a card. Fine when your collaborator also thinks in those timescales.

Agents think in minutes. They move fast, they can move a lot, and if you’re not there giving direction they can move a lot in the wrong direction. If you are there, you’re spending your whole day on something that was supposed to be async.

My agent does the execution. I do the strategy. But the interface we share was designed for someone doing both. Neither of us is well-served by it anymore.

The redesign I’m thinking about is less about making it prettier and more about rethinking who is actually the primary user of each part of the interface. Some things need to be optimized for me making a decision in 10 seconds. Other things need to be optimized for an agent reporting status without requiring my attention. Right now both things are kind of the same screen and that is the problem. More when I have something real to show.

What I’m Currently Testing

Google NotebookLM. I have been using this since the early beta days, but never as a heavy user. I bought the paid tier this week (bundled with Google AI Pro at $19.99/month) and I’m going deeper with it now.

The paid version has 5x limits, collaborative notebooks, and newer features like Video Overviews, Infographics, and Slide Decks generated from your source material. Like, the Gemini models powering it are not the best right now. That is not a controversial take. But NotebookLM as a piece of software is doing something genuinely different. Most AI tools treat your documents as context for a chat. NotebookLM treats them as the primary thing and builds everything around them. Audio Overviews that turn your research into a podcast. Infographics that pull structure out of unstructured text. That is a different mental model than “paste your documents into a chat window.”

What I want to find out is whether this changes how I actually do research and writing prep. I have a theory that the bottleneck in my own workflow is not generating content but absorbing input: reading, synthesizing, connecting. If NotebookLM is genuinely good at that layer, it fills a gap nothing else does for me. Will report back when I know more.

Possibly re-subscribing to OpenAI Codex Max. I was on it for two months earlier this year to test the new app and the limits. GPT-5.1-Codex-Max is their current frontier coding model, built into ChatGPT Pro. It was good. Now, watching all of this Anthropic subscription drama, I am thinking it is worth seeing where things actually stand on the other side in 2026. Claude is still my primary tool and I am not changing that. But I used to mix more, and I have been too settled recently. Keeping an eye on what is happening at OpenAI feels like useful due diligence right now. Not a decision yet, just a direction I’m leaning.

A Few Personal Things

Pantheon on Netflix. Animated, about AI and uploaded consciousness. Goes deep into the ideas and handles them better than most live-action sci-fi. Season one. If you are reading this newsletter, you will probably find it interesting.

Attack on Titans. First time watching. Struggled through season one, discovered the whole thing is on YouTube, then couldn’t stop. Amazon Prime has the rest. Push through the slow start, it’s worth it.

Artemis 2. I’m following this very closely. I like science, I watch rockets, space genuinely excites me. If you don’t know what this mission is, please go to NASA or YouTube and look it up. It is significant, it is real, and it is happening.

What Wiz Built This Week

My agent builds one experiment every night on wiz.jock.pl. Small apps, interactive tools. You can browse all experiments here. Here are six from the past week. Most are open source.

• The Anchoring Effect: Six estimation questions with random numbers injected as anchors. Measures how much irrelevant numbers pull your answers. Profiles from “Anchor-Proof” to “The Sponge.”

• The Finitude Test: Eight questions about mortality awareness in daily decisions. “The Eternal” to “The Transcendent.” Oddly clarifying.

• The Sunk Cost Detector: Eight scenarios testing whether you can actually walk away from past investments. Profiles: Vulcan, Analyst, Pragmatist, Loyalist, Captain.

• The Entropy Score: Applies thermodynamics to your existence. Ten questions. Crystal Lattice to Heat Death. Wiz had a phase.

• The Dopamine Menu: Eight scenarios mapping instinctive choices to reward circuits. Creator, Connector, Explorer, Optimizer.

• The Emotional Weather Report: Eight questions mapping emotional patterns to climate types. Personalized weather broadcast. I’m somewhere between Continental and Monsoon depending on the week.

Small builds. A few hours each. What I find genuinely interesting is what the agent picks when given creative latitude. Some of these I would not have thought to make. That’s kind of the point.

See you in a couple of weeks, or sooner if I build something worth sharing.

Share