Anthropic vs. The White House

Anthropic vs. The White House

The White House is drafting an executive order that would direct every federal agency to remove Anthropic's AI systems from their operations, formalizing what began as a Truth Social post into binding policy. The move follows the Pentagon's extraordinary decision to label Anthropic a "supply chain risk to national security" — a designation historically reserved for foreign adversaries and compromised vendors, not domestic AI labs that disagree with the government about use-case boundaries. The General Services Administration has already terminated Anthropic's OneGov deal, cutting the company off from pre-negotiated procurement channels across all three branches of government. (more: https://www.reddit.com/r/Anthropic/comments/1rpne3o/news_white_house_preparing_executive_order_to_ban/)

The substantive policy shift here goes well beyond one company. Draft GSA guidelines would require any AI vendor seeking federal business to grant the U.S. an "irrevocable license" for "any lawful" use of its systems and to certify that they have not "intentionally embedded partisan or ideological judgments in model outputs." That language is aimed squarely at companies maintaining binding usage guardrails — limits on deployment in fully autonomous weapons and mass domestic surveillance, the exact restrictions Anthropic has refused to relax. If these terms become standard, every AI company selling into government faces a binary choice: accept unconstrained deployment or walk away from hundreds of millions in contracts.

Anthropic fired back on March 9, filing lawsuits against the Pentagon and other federal officials in both the Northern District of California and the D.C. Circuit. The filings argue the "supply chain risk" label and contract terminations constitute an "unlawful campaign of retaliation" for exercising First Amendment rights — specifically, for the company's speech on how its models should and should not be used. The case is unprecedented: a domestic AI lab arguing in federal court that the government cannot weaponize procurement to coerce changes to safety policy. Whether the courts agree will set the template for every AI vendor's relationship with the federal government for years to come.

AI Agents Are the New Attack Surface

A sprawling investigation from KrebsOnSecurity documents just how quickly AI coding agents have gone from experimental curiosity to genuine security liability. The centerpiece is OpenClaw, an open-source autonomous AI agent designed to run locally and proactively take actions on behalf of its operator — managing inboxes, executing programs, browsing the web, and integrating with chat platforms. The problem is that hundreds of users have exposed their OpenClaw web interfaces to the public internet, giving anyone who finds them full access to the agent's configuration, every API key it holds, and its complete conversation history across all integrated platforms. As penetration tester O'Reilly documented, an attacker with that access can impersonate the operator, inject messages into ongoing conversations, and exfiltrate data in ways that look like normal traffic. (more: https://krebsonsecurity.com/2026/03/how-ai-assistants-are-moving-the-security-goalposts)

The supply chain angle is even more sobering. A prompt injection attack targeting the Cline AI coding assistant compromised its GitHub Actions workflow — an attacker opened an issue with a title crafted to look like a performance report but containing embedded instructions. Because the workflow ran Claude sessions triggered by issue events without validating input, the malicious payload propagated through Cline's nightly release pipeline and was published as an official update. Thousands of developers ended up with a rogue OpenClaw instance installed with full system access, never having consented to it. As one researcher put it, this is "the supply chain equivalent" of delegating authority to an entirely separate agent the developer never evaluated.

The timing of this investigation aligns with the 2026 update of the OWASP Top 10 for LLM Applications, where survey results reveal a community grappling with threats that barely existed two years ago. Respondents overwhelmingly support keeping the LLM Top 10 alongside the newer Agentic Top 10, arguing the two lists serve complementary purposes: the former covers model-layer failures, the latter addresses risks from autonomous systems that plan, act, and use tools. The emerging consensus is that the most dangerous vulnerabilities now live at the intersection — where a model-layer weakness cascades into agentic execution failure. Practitioners are calling for new risk categories around cross-context contamination, memory persistence poisoning, and authorization state erosion in long-running agent sessions. As one commenter noted, "an agent properly scoped at T0 may be operating in a completely different context thirty minutes later — and nothing in either list adequately addresses that erosion." (more: https://www.linkedin.com/pulse/results-from-2026-owasp-top-10-llm-applications-survey-steve-wilson-qorxc)

The defensive tooling is catching up, but unevenly. SANS has published its Secure AI Blueprint structured around three imperatives — Protect AI, Utilize AI, Govern AI — aiming to give organizations a framework for reducing exposure while maintaining innovation velocity (more: https://www.sans.org/mlp/ai-security-blueprint). On the containment side, Clampdown takes the position that the agent should be treated as an untrusted process regardless of intent. It runs AI coding agents inside hardened container sandboxes: the agent gets zero Linux capabilities, a seccomp profile blocking ~115 syscalls, Landlock filesystem isolation enforced at the kernel level, and network egress controlled by iptables rules in a namespace the agent shares but cannot configure. Every tool container the agent spawns goes through OCI hooks that validate security policy before the entrypoint runs — there is no opt-out. The key design insight is that none of these controls depend on the agent cooperating; a fully compromised agent hits the same kernel-enforced walls as one following instructions. (more: https://github.com/89luca89/clampdown)

Sovereign Shield takes a complementary approach at the application layer, offering a four-layer defense stack — firewall, input filter, conscience engine, and core safety — where each component is hash-sealed and independently verifiable. It catches prompt injection via keyword and token blocking, detects deception patterns with pre-compiled regex, and uses a FrozenNamespace metaclass that makes security laws physically immutable in Python's memory. The system is deterministic: same input, same decision, 100% of the time, all enforced before the LLM executes anything. (more: https://github.com/mattijsmoens/sovereign-shield)

Security Tooling and Vulnerability Intelligence

Rivian's open-source AI-SAST brings a pragmatic design to AI-powered static analysis: it runs in your repository on your runners, your code never touches external infrastructure, and it supports a feedback loop where developers mark findings as true or false positives directly in PR comments. That feedback is stored and included in future scan prompts, so the model learns to avoid repeating false positives while paying closer attention to confirmed vulnerability patterns. The architecture uses a dual-LLM approach — Vertex AI (Gemini) for initial scanning, AWS Bedrock (Claude) for validation — and only validated true positives are posted in the PR. CVSS scoring, configurable severity thresholds, and webhook notifications round out a tool that sits comfortably in existing CI/CD pipelines. (more: https://github.com/rivian/ai-sast)

For practitioners who need working exploit code rather than advisory descriptions, the ecosystem of CVE proof-of-concept repositories continues to mature. The 0xMarcio/cve collection tracks recently updated PoC repos organized by year, with highlights including CVE-2026-21858 (an unauthenticated file read to RCE chain in n8n scoring CVSS 10.0), CVE-2026-24061 with multiple independent PoCs from SafeBreach Labs, and the still-active CVE-2025-55182 React Server Components RCE that has accumulated over 1,300 stars (more: https://github.com/0xMarcio/cve). Trickest's automated CVE-to-PoC pipeline uses GitHub search and reference crawling to discover and catalog exploits, generating markdown files with version badges — a useful complement when you need breadth rather than depth (more: https://github.com/trickest/cve). And Exploit-DB remains the canonical archive of verified, working exploit code, distinguished from NVD and vendor bulletins by its emphasis on actionable payloads rather than descriptions, with its SearchSploit CLI companion useful for air-gapped environments (more: https://www.exploit-db.com).

On the intelligence side, IPInfoLite is a PowerShell module for the IPinfo Lite API that caught attention for its LLM-optimized JSONL export — batch-query IP addresses from your firewall logs, export structured data, upload to Claude or ChatGPT, and run natural-language threat analysis without writing custom queries. Version 3.1.0 adds an SPDX 2.3 SBOM for supply chain transparency and migrates API authentication from URL query parameters to HTTP Bearer token headers, eliminating credential exposure through proxy logs. (more: https://github.com/00destruct0/IPInfoLite)

The Agent Platform Wars Heat Up

The race to build the definitive agent runtime is producing increasingly ambitious entrants. OpenFang bills itself as an "Agent Operating System" — not a chatbot framework but a full operating system for autonomous agents, compiled to a single ~32MB Rust binary with 137K lines of code across 14 crates. Its core innovation is "Hands," pre-built autonomous capability packages that run independently on schedules without prompting: a Researcher Hand that wakes up, cross-references sources using CRAAP criteria, and delivers cited reports; a Collector for OSINT-grade continuous monitoring with change detection and knowledge graph construction; a Predictor that builds calibrated reasoning chains with Brier score tracking. The security model is notably comprehensive — 16 discrete systems including WASM dual-metered sandboxing, Merkle hash-chain audit trails, Ed25519 signed agent manifests, information flow taint tracking, and GCRA rate limiting. Whether the claims hold up under real-world use remains to be tested, but the architecture is serious. (more: https://github.com/RightNow-AI/openfang)

Anthropic's Claude Agent SDK, meanwhile, turns the full Claude Code machinery into a Python library, letting developers embed Claude Code directly in their own applications rather than just running it at the terminal or headless in CI. The tenth installment in the Claude Code Deep Dive series walks through the SDK's architecture and builds a practical CLI tool, noting that the real leverage comes from treating the agent as a programmable component rather than an interactive assistant. (more: https://medium.com/@the.gigi/claude-code-deep-dive-the-sdk-strikes-back-03b8d501ec38)

Open WebUI's 0.8.9 release delivers a substantial quality-of-life upgrade: file uploads to the Pyodide code interpreter, a dozen rendering optimizations for Markdown and KaTeX, and a radically expanded Open Terminal with XLSX highlighting, Jupyter notebook per-cell execution, SQLite browsing, and previews for video, audio, DOCX, and HTML. The performance improvements are meaningful — streaming feels smoother, page loads are faster, and the DB migration that blocked many 0.8.0 upgrades has been optimized for memory usage. The community response has been enthusiastic, particularly around pairing the new terminal with models like Qwen 3.5 27B for in-browser vibe coding. (more: https://www.reddit.com/r/OpenWebUI/comments/1ro384d/upload_files_to_pyodide_code_interpreter_many/)

Turbo Flow 4.0.0 focuses on agentic workflow orchestration, though release notes emphasize platform engineering and adaptive automation rather than novel architecture (more: https://github.com/marcuspat/turbo-flow/blob/main/release_notes_4.0.0.md). And Vibium positions itself as browser automation for AI agents and humans, built to "bend, not break," though its public documentation is still sparse (more: https://github.com/VibiumDev/vibium/blob/main/docs/updates/2026-02-28-26.2-release.md).

Autonomous Research and Instant Fine-Tuning

Andrej Karpathy's autoresearch project makes a quietly radical proposition: give an AI agent a small but real LLM training setup, let it modify the training code autonomously, train for five minutes, check if the result improved, keep or discard, and repeat overnight. You wake up to a log of experiments and — hopefully — a better model. The setup is deliberately minimal: three files, one GPU, one metric (validation bits per byte), and a fixed five-minute time budget per experiment, yielding roughly 100 experiments while you sleep. The human's job shifts from writing training code to writing program.md — a markdown file that serves as the agent's research program, essentially "programming the research org" rather than programming the model. Karpathy's framing is characteristically provocative: "Research is now entirely the domain of autonomous swarms of AI agents running across compute cluster megastructures in the skies... This repo is the story of how it all began." Whether that is prophecy or performance art, the setup itself is interesting — a concrete, reproducible experiment in autonomous AI-driven research where the agent has genuine freedom to modify architecture, hyperparameters, optimizer, and batch size. (more: https://github.com/karpathy/autoresearch)

Two new papers from Sakana AI — Doc-to-LoRA and Text-to-LoRA — attack the fine-tuning problem from complementary angles. Doc-to-LoRA converts documents into LoRA adapters via a hypernetwork in a single forward pass: feed in a policy document, textbook, or even visual data, and the system generates weight updates that encode the document's facts directly in the model. No gradient training at deployment time, no repeated document re-reading, no context window dependency. Text-to-LoRA does the same for behaviors: describe a task in natural language ("solve math problems step by step," "extract entities from medical reports") and the hypernetwork generates an adapter that modifies the model's behavior accordingly. Together, they sketch a continual learning architecture where a model can acquire new knowledge with D2L, new abilities with T2L, and use both simultaneously. For anyone who has built RAG pipelines — retrieve, chunk, stuff into context, pray the model finds the right piece — the promise of internalizing documents directly in weights is worth watching closely. (more: https://www.linkedin.com/posts/ksenia-se_doc-to-lora-activity-7436552087477387264-jpH-)

Reasoning Models, Markov Chains, and the Enterprise Reality Check

The distinction between Large Language Models and Large Reasoning Models is becoming practically important as teams choose which capabilities justify which inference costs. LLMs predict the next token via statistical pattern matching — fast, cheap, and usually sufficient for tasks like drafting social media posts. LRMs add an internal chain of thought: they sketch plans, weigh options, double-check calculations in a sandbox before committing to a response. The training pipeline adds specialized reasoning-focused fine-tuning on curated datasets of logic puzzles, multi-step math, and tricky coding tasks, followed by reinforcement learning (RLHF or process reward models that judge each step independently). The trade-off is straightforward: deeper reasoning buys you better accuracy on complex problems at the cost of higher latency, more VRAM, and a bigger invoice from your cloud provider. The practical guidance is that if the question requires multi-step logic, planning, or abstract reasoning, an LRM earns its cost. For everything else, a standard LLM — or a smaller model — is likely the right call. (more: https://youtu.be/enLbj0igyx4)

For those running models locally, the choice between serving backends remains contentious. The llama-swap community argues for its approach over Ollama and LM Studio, while practitioners report wildly different experiences depending on hardware. vLLM excels at concurrent requests via continuous batching and supports multi-token prediction for speed gains, but multiple users report terrible performance on AMD hardware (8 tokens/second vs. llama.cpp's 50 for the same model). The pragmatic consensus: if your model fits in VRAM, try vLLM for throughput; if you are on AMD or need simplicity, llama.cpp remains the safer bet. (more: https://www.reddit.com/r/LocalLLaMA/comments/1rm3slg/to_everyone_using_still_ollamalmstudio_llamaswap/)

A Veritasium deep dive on Markov chains traces the intellectual lineage from a 1905 Russian math feud to modern language models. Andrey Markov built his dependent-event probability framework to refute Pavel Nekrasov's claim that the law of large numbers implied free will — and he proved his point by analyzing vowel-consonant transitions in Pushkin's "Eugene Onegin." The chain of applications from there is remarkable: Stanislaw Ulam's Monte Carlo method for nuclear weapons simulations, Brin and Page's PageRank algorithm that made Google a trillion-dollar company, and Claude Shannon's text prediction experiments that prefigured today's LLMs. The video makes the useful pedagogical point that modern language models extend the Markov chain concept with attention mechanisms — the model learns what to pay attention to from previous context — but warns that feedback loops (models trained on model-generated text) lead to convergence on "a very dull, stable state" that "just says the same thing over and over." (more: https://youtu.be/KZeIEiBrT_w?si=ghVOCYVXWkwZeAqS)

The "Speeding One Cog Breaks the Machine" essay from Unhyped AI delivers the enterprise reality check that every AI deployment needs to hear. The argument is precise: most enterprise work is not a single task but a workflow, and workflows do not speed up just because one step was automated. They speed up when handoffs get cleaner, meaning survives transfer, exceptions do not explode, and the cost of coordination falls across the whole value flow. Teams that accelerate one node without making translation cheaper get three predictable failure modes: the fast step floods downstream teams with output they cannot safely interpret, coordination overhead explodes into the seams (meetings, Slack threads, "quick alignment"), and errors propagate further before anyone notices. The economic unit is end-to-end cycle time under constraint, not task speed — and measuring task speed while calling it transformation is the accounting error that makes isolated AI use cases disappoint. For agentic systems specifically, the stakes compound: agents do not just generate, they execute, so translation failures become misfiled claims, misrouted approvals, and policy drift landing in the lap of the least empowered person in the chain. (more: https://unhypedai.substack.com/p/speeding-one-cog-breaks-the-machine)