Category: Technica Aquarius

It’s refreshing when a leading AI company states the obvious. In a detailed post on hardening ChatGPT Atlas against prompt injection, OpenAI acknowledged what security practitioners have known for years: “Prompt injection, much like scams and social engineering on the web, is unlikely to ever be fully ‘solved.'”

What’s new isn’t the risk — it’s the admission. OpenAI, the company deploying one of the most widely used AI agents, confirmed publicly that agent mode “expands the security threat surface” and that even sophisticated defenses can’t offer deterministic guarantees. For enterprises already running AI in production, this isn’t a revelation. It’s validation — and a signal that the gap between how AI is deployed and how it’s defended is no longer theoretical.

None of this surprises anyone running AI in production. What concerns security leaders is the gap between this reality and enterprise readiness. A VentureBeat survey of 100 technical decision-makers found that 34.7% of organizations have deployed dedicated prompt injection defenses. The remaining 65.3% either haven’t purchased these tools or couldn’t confirm they have.

The threat is now officially permanent. Most enterprises still aren’t equipped to detect it, let alone stop it.

OpenAI’s LLM-based automated attacker found gaps that red teams missed

OpenAI’s defensive architecture deserves scrutiny because it represents the current ceiling of what’s possible. Most, if not all, commercial enterprises won’t be able to replicate it, which makes the advances they shared this week all the more relevant to security leaders protecting AI apps and platforms in development.

The company built an “LLM-based automated attacker” trained end-to-end with reinforcement learning to discover prompt injection vulnerabilities. Unlike traditional red-teaming that surfaces simple failures, OpenAI’s system can “steer an agent into executing sophisticated, long-horizon harmful workflows that unfold over tens (or even hundreds) of steps” by eliciting specific output strings or triggering unintended single-step tool calls.

Here’s how it works. The automated attacker proposes a candidate injection and sends it to an external simulator. The simulator runs a counterfactual rollout of how the targeted victim agent would behave, returns a full reasoning and action trace, and the attacker iterates. OpenAI claims it discovered attack patterns that “did not appear in our human red-teaming campaign or external reports.”

One attack the system uncovered demonstrates the stakes. A malicious email planted in a user’s inbox contained hidden instructions. When the Atlas agent scanned messages to draft an out-of-office reply, it followed the injected prompt instead, composing a resignation letter to the user’s CEO. The out-of-office was never written. The agent resigned on behalf of the user.

OpenAI responded by shipping “a newly adversarially trained model and strengthened surrounding safeguards.” The company’s defensive stack now combines automated attack discovery, adversarial training against newly discovered attacks, and system-level safeguards outside the model itself.

Counter to how oblique and guarded AI companies can be about their red teaming results, OpenAI was direct about the limits: “The nature of prompt injection makes deterministic security guarantees challenging.” In other words, this means “even with this infrastructure, they can’t guarantee defense.”

This admission arrives as enterprises move from copilots to autonomous agents — precisely when prompt injection stops being a theoretical risk and becomes an operational one.

OpenAI defines what enterprises can do to stay secure

OpenAI pushed significant responsibility back to enterprises and the users they support. It’s a long-standing pattern that security teams should recognize from cloud shared responsibility models.

The company recommends explicitly using logged-out mode when the agent doesn’t need access to authenticated sites. It advises carefully reviewing confirmation requests before the agent takes consequential actions like sending emails or completing purchases.

And it warns against broad instructions. “Avoid overly broad prompts like ‘review my emails and take whatever action is needed,'” OpenAI wrote. “Wide latitude makes it easier for hidden or malicious content to influence the agent, even when safeguards are in place.”

The implications are clear regarding agentic autonomy and its potential threats. The more independence you give an AI agent, the more attack surface you create. OpenAI is building defenses, but enterprises and the users they protect bear responsibility for limiting exposure.

Where enterprises stand today

To understand how prepared enterprises actually are, VentureBeat surveyed 100 technical decision-makers across company sizes, from startups to enterprises with 10,000+ employees. We asked a simple question: has your organization purchased and implemented dedicated solutions for prompt filtering and abuse detection?

Only 34.7% said yes. The remaining 65.3% either said no or couldn’t confirm their organization’s status.

That split matters. It shows that prompt injection defense is no longer an emerging concept; it’s a shipping product category with real enterprise adoption. But it also reveals how early the market still is. Nearly two-thirds of organizations running AI systems today are operating without dedicated protections, relying instead on default model safeguards, internal policies, or user training.

Among the majority of organizations surveyed without dedicated defenses, the predominant response regarding future purchases was uncertainty. When asked about future purchases, most respondents could not articulate a clear timeline or decision path. The most telling signal wasn’t a lack of available vendors or solutions — it was indecision. In many cases, organizations appear to be deploying AI faster than they are formalizing how it will be protected.

The data can’t explain why adoption lags — whether due to budget constraints, competing priorities, immature deployments, or a belief that existing safeguards are sufficient. But it does make one thing clear: AI adoption is outpacing AI security readiness.

The asymmetry problem

OpenAI’s defensive approach leverages advantages most enterprises don’t have. The company has white-box access to its own models, a deep understanding of its defense stack, and the compute to run continuous attack simulations. Its automated attacker gets “privileged access to the reasoning traces … of the defender,” giving it “an asymmetric advantage, raising the odds that it can outrun external adversaries.”

Enterprises deploying AI agents operate at a significant disadvantage. While OpenAI leverages white-box access and continuous simulations, most organizations work with black-box models and limited visibility into their agents’ reasoning processes. Few have the resources for automated red-teaming infrastructure. This asymmetry creates a compounding problem: As organizations expand AI deployments, their defensive capabilities remain static, waiting for procurement cycles to catch up.

Third-party prompt injection defense vendors, including Robust Intelligence, Lakera, Prompt Security (now part of SentinelOne), and others are attempting to fill this gap. But adoption remains low. The 65.3% of organizations without dedicated defenses are operating on whatever built-in safeguards their model providers include, plus policy documents and awareness training.

OpenAI’s post makes clear that even sophisticated defenses can’t offer deterministic guarantees.

What CISOs should take from this

OpenAI’s announcement doesn’t change the threat model; it validates it. Prompt injection is real, sophisticated, and permanent. The company shipping the most advanced AI agent just told security leaders to expect this threat indefinitely.

Three practical implications follow:

• The greater the agent autonomy, the greater the attack surface. OpenAI’s guidance to avoid broad prompts and limit logged-in access applies beyond Atlas. Any AI agent with wide latitude and access to sensitive systems creates the same exposure. As Forrester noted during their annual security summit earlier this year, generative AI is a chaos agent. This prediction turned out to be prescient based on OpenAI’s testing results released this week.

• Detection matters more than prevention. If deterministic defense isn’t possible, visibility becomes critical. Organizations need to know when agents behave unexpectedly, not just hope that safeguards hold.

• The buy-vs.-build decision is live. OpenAI is investing heavily in automated red-teaming and adversarial training. Most enterprises can’t replicate this. The question is whether third-party tooling can close the gap, and whether the 65.3% without dedicated defenses will adopt before an incident forces the issue.

Bottom line

OpenAI stated what security practitioners already knew: Prompt injection is a permanent threat. The company pushing hardest on agentic AI confirmed this week that “agent mode … expands the security threat surface” and that defense requires continuous investment, not a one-time fix.

The 34.7% of organizations running dedicated defenses aren’t immune, but they’re positioned to detect attacks when they happen. The majority of organizations, by contrast, are relying on default safeguards and policy documents rather than purpose-built protections. OpenAI’s research makes clear that even sophisticated defenses cannot offer deterministic guarantees — underscoring the risk of that approach.

OpenAI’s announcement this week underscores what the data already shows: the gap between AI deployment and AI protection is real — and widening. Waiting for deterministic guarantees is no longer a strategy. Security leaders need to act accordingly.

Tis the season when professional Santas are in peak demand, but many who choose this line of work often view it as a higher calling and maintain some aspects of the identity all year round—even those who don’t fit the stereotypical popular image of Santa, according to a paper published in the Academy of Management Journal.

Co-author Christina Hymer of the University of Tennessee got the idea for the study during the COVID pandemic, when she spent a lot of time watching Christmas movies with her toddler. One favorite was 2003’s Elf, starring Will Farrell as a full-sized human raised among elves who goes to New York City to find his biological father. The film prompted her to wonder about why someone would want to be Santa Claus and what their experiences in that role would be.

Hymer and her co-authors partnered with the leader of a “Santa school” to analyze archival surveys of 849 professional Santas, and conducted a new survey of another 382 Santas. They also did over 50 personal interviews with professional Santas. (One subject showed up in full costume for his zoom interview, with a North Pole background, and signed off with a merry “ho! ho! ho!”)

Read full article

Comments

The House of Representatives cleared the way for a massive overhaul of the federal environmental review process last Thursday, despite last-minute changes that led clean energy groups and moderate Democrats to pull their support.

The Standardizing Permitting and Expediting Economic Development Act, or SPEED Act, overcame opposition from environmentalists and many Democrats who oppose the bill’s sweeping changes to a bedrock environmental law.

The bill, introduced by Rep. Bruce Westerman (R-Ark.) and backed by Rep. Jared Golden (D-Maine), passed the House Thursday in a 221-196 vote, in which 11 Democrats joined Republican lawmakers to back the reform effort. It now heads to the Senate, where it has critics and proponents on both sides of the aisle, making its prospects uncertain.

Read full article

Comments

Editor’s note: Warning: Although we’ve done our best to avoid spoiling anything major, please note this list does include a few specific references to several of the listed shows that some might consider spoiler-y.

This was a pretty good year for television, with established favorites sharing space on our list with some intriguing new shows. Streaming platforms reigned supreme, with Netflix and Apple TV dominating our list with seven and five selections each. Genre-wise, we’ve got a bit of everything: period dramas (The Gilded Age, Outrageous), superheroes (Daredevil: Born Again), mysteries (Ludwig, Poker Face, Dept. Q), political thrillers (The Diplomats, Slow Horses), science fiction (Andor, Severance, Alien: Earth), broody fantasy (The Sandman), and even an unconventional nature documentary (Underdogs).

As always, we’re opting for an unranked list, with the exception of our “year’s best” selection at the very end, so you might look over the variety of genres and options and possibly add surprises to your eventual watchlist. We invite you to head to the comments and add your own favorite TV shows released in 2025.

Read full article

Comments

AI coding agents from OpenAI, Anthropic, and Google can now work on software projects for hours at a time, writing complete apps, running tests, and fixing bugs with human supervision. But these tools are not magic and can complicate rather than simplify a software project. Understanding how they work under the hood can help developers know when (and if) to use them, while avoiding common pitfalls.

We’ll start with the basics: At the core of every AI coding agent is a technology called a large language model (LLM), which is a type of neural network trained on vast amounts of text data, including lots of programming code. It’s a pattern-matching machine that uses a prompt to “extract” compressed statistical representations of data it saw during training and provide a plausible continuation of that pattern as an output. In this extraction, an LLM can interpolate across domains and concepts, resulting in some useful logical inferences when done well and confabulation errors when done poorly.

These base models are then further refined through techniques like fine-tuning on curated examples and reinforcement learning from human feedback (RLHF), which shape the model to follow instructions, use tools, and produce more useful outputs.

Read full article

Comments

For the second time this month, a Chinese rocket designed for reuse successfully soared into low-Earth orbit on its first flight Monday, defying the questionable odds that burden the debuts of new launch vehicles.

The first Long March 12A rocket, roughly the same height and diameter of SpaceX’s workhorse Falcon 9, lifted off from the Jiuquan Satellite Launch Center at 9:00 pm EST Monday (02:00 UTC Tuesday).

Less than 10 minutes later, rocket’s methane-fueled first stage booster hurtled through the atmosphere at supersonic speed, impacting in a remote region about 200 miles downrange from the Jiuquan spaceport in northwestern China. The booster failed to complete a braking burn to slow down for landing at a prepared location near the edge of the Gobi Desert.

Read full article

Comments

You’ve no doubt heard some version of the Robert Burns adage about the best-laid plans. Marvel Studios had an elaborate marketing plan in place to introduce four teaser trailers for Avengers: Doomsday as previews prior to screenings of Avatar: Fire and Ash, with one teaser rolling out each successive week. But the first one leaked online a few days early, revealing that (as rumored) Steve Rogers/Captain America (Chris Evans) will appear and will have a newborn baby, presumably with Hayley Atwell’s Peggy Carter.

So maybe you’ve seen a bootleg version floating around the Internet, but Marvel has now released the HD version to the public. Merry Christmas! And we can look forward to three more: one focused on Thor, one on Doctor Doom, and the final one is purportedly a more traditional teaser trailer.

As previously reported, Marvel Studios originally planned to build its Phase Six Avengers arc (The Kang Dynasty) around Jonathan Majors’ Kang the Conqueror (and associated variants), introduced in Loki and Ant-Man and the Wasp: Quantumania. But then Majors was convicted of domestic violence, and Marvel fired the actor soon after. That meant the studio needed to retool its Phase Six plans, culminating in the announced return of the Russo brothers, who directed four of the Marvel Cinematic Universe’s most successful films, which brought in more than $6 billion at the global box office.

Read full article

Comments

Americans will be unable to buy the latest and greatest drones because the Federal Communications Commission (FCC) has banned foreign-made drones as of today.

On Monday, the FCC added drones to its Covered List, which it says are communications equipment and services “that are deemed to pose an unacceptable risk to the national security of the United States or the security and safety of United States persons.” The list was already populated by Kaspersky, ZTE, Huawei, and others.

An FCC fact sheet [PDF] about the ban released on Monday says:

Read full article

Comments

OpenAI sent 80 times as many child exploitation incident reports to the National Center for Missing & Exploited Children during the first half of 2025 as it did during a similar time period in 2024, according to a recent update from the company. The NCMEC’s CyberTipline is a Congressionally authorized clearinghouse for reporting child sexual abuse material (CSAM) and other forms of child exploitation.

Companies are required by law to report apparent child exploitation to the CyberTipline. When a company sends a report, NCMEC reviews it and then forwards it to the appropriate law enforcement agency for investigation.

Statistics related to NCMEC reports can be nuanced. Increased reports can sometimes indicate changes in a platform’s automated moderation, or the criteria it uses to decide whether a report is necessary, rather than necessarily indicating an increase in nefarious activity.

Read full article

Comments

CBS cannot contain the online spread of a “60 Minutes” segment that its editor-in-chief, Bari Weiss, tried to block from airing.

The episode, “Inside CECOT,” featured testimonies from US deportees who were tortured or suffered physical or sexual abuse at a notorious Salvadoran prison, the Center for the Confinement of Terrorism. “Welcome to hell,” one former inmate was told upon arriving, the segment reported, while also highlighting a clip of Donald Trump praising CECOT and its leadership for “great facilities, very strong facilities, and they don’t play games.”

Weiss controversially pulled the segment on Monday, claiming it could not air in the US because it lacked critical voices, as no Trump officials were interviewed. She claimed that the segment “did not advance the ball” and merely echoed others’ reporting, NBC News reported. Her plan was to air the segment when it was “ready,” insisting that holding stories “for whatever reason” happens “every day in every newsroom.”

Read full article

Comments