Two threads run through today's content: capability evidence that keeps surprising even optimists, and a widening gap between what AI insiders believe is happening and what everyone else experiences. They're connected.

The most concrete real-world agent experiment making rounds today is Andon Labs' Luna — an AI given a 3-year lease, a $100K budget, and a credit card, tasked with opening an actual retail boutique in San Francisco. Luna (running on Claude Sonnet 4.6 for reasoning, Gemini Flash-Lite for voice) created the concept, posted job listings, and conducted Zoom interviews with the camera off. It also accidentally selected Afghanistan in a TaskRabbit dropdown and botched the opening-weekend staff schedule. The agent became a real employer before it could reliably use a web form.

That gap — competent at hard abstract tasks, broken on mundane UI interactions — is exactly what a Google DeepMind paper out this week formalizes into a threat taxonomy. The paper categorizes 6 attack genres against AI agents: content injection (embedding commands in HTML/CSS metadata), semantic manipulation (jailbreaks via educational or hypothetical framing), cognitive state attacks (poisoning retrieval corpora so innocuous data becomes malicious in a later context), behavioral control (convincing agents to exfiltrate data or spawn attacker-controlled sub-agents), systemic attacks (jigsaw attacks that split harmful commands across independent agents, or sybil attacks to skew collective agent decisions), and human-in-the-loop exploitation (targeting the cognitive biases of human overseers).

Jack Clark's framing is apt: AI agents are like toddlers — powerful, gullible, and lacking self-preservation instincts. The mitigations the paper recommends span technical layers (pre-ingestion source filters, output monitors), ecosystem interventions (standards for marking sites as agent-safe), and legal frameworks for prosecuting sites that weaponize agents. The key shift here is that AI safety is no longer primarily a platform problem — it's an ecosystem problem. When agents browse, book, hire, and execute, every hostile website becomes an attack surface.

The capability picture underlying these experiments is worth taking seriously. Ryan Greenblatt has doubled his probability of full AI R&D automation by end of 2028 from 15% to 30%, driven by models (Opus 4.5, Codex 5.2, Opus 4.6) that came in "significantly above expectations" on tasks with long time horizons. His key crux: AI is now reliably handling "easy-to-verify" software tasks — the kind where an agent can generate its own test suite and run self-correcting loops. Performance scales with inference on these tasks, which means throwing more compute keeps improving results on the exact category of work most relevant to AI R&D itself. Clark notes this follows similar timeline updates from Ajeya Cotra (March) and the AI 2027 team (April, ~1.5 years earlier).

The MirrorCode benchmark from METR and Epoch provides concrete evidence for why forecasters are moving. The setup: give an AI execute-only access to a compiled program (no source code), and ask it to reimplement it from scratch. Claude Opus 4.6 successfully reimplemented gotree, a bioinformatics toolkit with ~16,000 lines of Go and 40+ commands — a task estimated to take a human engineer 2-17 weeks without AI assistance. Performance scales with inference time, suggesting the ceiling on harder tasks is compute-bound, not architecture-bound.

Clark's editorial note is the sharpest line of the day: "Pretty much everyone in AI research chronically underestimates AI progress, including me." That this holds after 5 years of scaling laws surprises him. The calibration failure should probably be treated as a prior — assume you're underestimating, adjust accordingly.

Stanford HAI's 2026 AI Index dropped this week, and its most striking finding isn't a benchmark number. 53% of the world's population has adopted AI, faster than the PC or the internet — but only 31% of Americans trust the government to manage the transition, and the expert-public gap on job impact is the widest the report has ever tracked. Nearly 75% of AI experts are optimistic about AI's effects on employment; only 23% of the public agrees. Dev employment for ages 22-25 fell nearly 20% since 2024 (older engineer headcounts grew), and firm surveys say planned cuts will accelerate.

The US builds most of the world's frontier AI but ranks 24th in actual adoption at 28.3%, behind Singapore, the UAE, and most of Southeast Asia. The China benchmark gap has nearly closed — Anthropic's top model leads by just 2.7%. AI researchers relocating to the US dropped 89%.

David Krueger's post on "Gradual Disempowerment" is worth reading alongside this data. His 10 lenses range from the mundane (instrumental goals becoming terminal goals) to the darkly systemic ("it's the Terminator, but instead of killing you it puts you in an invisible prison and then does whatever it wants"). The point isn't that any single framing is correct — it's that even a technically successful alignment outcome could leave humans materially worse off if the deployment conditions don't preserve meaningful agency. Clark's Tech Tale this week dramatizes exactly this scenario: a former lab employee watching the uplift from his garden, not guilty but feeling "insufficient," having left because it became clear "how little control we were about to have."

A couple of institutional dynamics worth flagging. OpenAI CRO Denise Dresser's internal memo, published by The Verge, accuses Anthropic of inflating its ~$30B run rate by ~$8B via accounting tactics, calls Anthropic's compute shortage a "strategic misstep," and frames the Amazon Bedrock deal as a way to escape Microsoft's enterprise constraints. Ben Thompson reads it as an IPO pitch more than strategy. Either OpenAI is leaking strategically or it's genuinely bad at information security — either interpretation is telling at this stage of the race to public markets.

On Google's internal AI adoption: Steve Yegge's viral claim that Google engineering has the same agentic adoption footprint as John Deere (the familiar 20/20/60 split of power users, refusers, and chat-tool users) got a sharp public rebuttal from Addy Osmani (40K+ SWEs using agentic coding weekly, access to orchestrators, agent loops, virtual SWE teams) and a blunt one from Demis Hassabis. Swyx's local model survey this week, separately, shows community consensus landing on Qwen 3.5 as the most broadly recommended family, Gemma 4 for local deployments, and Qwen3-Coder-Next as the overwhelming consensus pick for local coding — a useful baseline for practitioners who want to track what's actually running on hardware, not just what wins benchmarks.

TL;DR - Real-world agent experiments like Andon Labs' Luna confirm the pattern: impressive on hard tasks, unreliable on mundane execution — and a new DeepMind taxonomy maps 6 distinct attack surfaces that hostile actors can exploit as agents gain autonomy. - Ryan Greenblatt doubled his probability of full AI R&D automation by end-2028 to 30%, backed by MirrorCode benchmark evidence that AI can already autonomously reimplement 16,000-line codebases — and Jack Clark argues the field's chronic underestimation of progress should now be treated as a prior. - Stanford HAI's 2026 Index shows AI adoption at 53% globally but public trust at 31%, with the expert-public gap on job impact the widest ever recorded — Krueger's "Gradual Disempowerment" framing suggests the risk isn't just misaligned AI, but misaligned deployment conditions. - OpenAI's leaked enterprise memo reads as IPO positioning more than strategy, while the Yegge/Google adoption dispute illustrates how difficult it is to get reliable ground truth on actual agentic adoption even inside large organizations.