# Ambient Advantage — May 26, 2026

*Tuesday · May 26, 2026 · [Episode page](https://podcast.ambient-advantage.ai/episodes/2026-05-26.html) · [Audio](https://storage.googleapis.com/ambient-advantage-podcast/2026-05-26-ambient-advantage.mp3)*

[AVA] AI just found ten thousand critical security vulnerabilities in a single month... and humans can't patch them fast enough. That's not a win. That's a new kind of problem.

[JON] Yeah, that one stopped me cold too. Welcome to Ambient Advantage — I'm Jon, and this is Ava. It's Tuesday, May 26, 2026, and here's what matters in AI today. We've got Anthropic's Project Glasswing results dropping jaws in the security world, Andrej Karpathy making the most talked-about career move in AI, Google one-upping OpenAI on math that's been unsolved for half a century, and a company with zero employees that just raised thirty million dollars. It's a packed one. Ava, let's get into it.

[AVA] Let's start with the lead. Anthropic published the first results from Project Glasswing, which is their initiative pairing Claude Mythos Preview with about fifty major partners — we're talking AWS, Cisco, Microsoft, Cloudflare, Apple, Google, JPMorgan, Palo Alto Networks. The headline number: over ten thousand high or critical severity vulnerabilities discovered in just one month.

[JON] Ten thousand. In thirty days. That's a staggering number. How does that compare to what these companies were finding before?

[AVA] So Anthropic says the bug-finding rate increased by more than ten times across the partner base. Mozilla is a great specific example — they found 271 vulnerabilities in Firefox, which is ten times more than they'd been finding with older models. Cloudflare pointed Mythos at over fifty of their own repositories and found two thousand bugs, four hundred of which were high or critical. Cloudflare actually published a really detailed technical blog post about the experience, which I'll drop in the show notes.

[JON] Okay so the finding part is working spectacularly. What's the catch?

[AVA] The catch is exactly what you'd expect. The bottleneck has completely shifted. We used to have a finding problem — security teams couldn't discover vulnerabilities fast enough. Now we have a patching problem. Mythos is finding bugs at machine speed but humans are still remediating at calendar speed. Quarterly patch cycles, change review boards, regression testing — all of that human infrastructure doesn't magically speed up because the AI found things faster.

[JON] So the practical implication for a CISO listening right now is what exactly?

[AVA] Two things. First, if you're not already running Claude Security pilots, your competitors likely are. Anthropic launched Claude Security in public beta for Enterprise customers — it's built on Opus 4.7, not the restricted Mythos model — and it's already patched over twenty-one hundred vulnerabilities in its first three weeks. That's the commercially available tier. You don't have to be a Glasswing partner to start using this today.

[JON] And the second thing?

[AVA] Second, you need to rethink your remediation pipeline. If AI is going to hand you ten times the vulnerability volume, your current workflow will collapse under the weight. You need to be planning now for how you triage, prioritize, and patch at that velocity. The Cloud Security Alliance published a whitepaper analyzing Glasswing through their MAESTRO threat framework — I'll link that in the show notes — and it's the most rigorous independent take on what this means for enterprise security programs.

[JON] And while we're on security, we should flag this quickly — there's a CVSS 10.0 zero-day actively being exploited in the LiteSpeed cPanel plugin. If your org hosts anything on shared cPanel infrastructure, or if any of your SaaS vendors do, this needs to go to your security team today. One malformed API call gets you full root access. cPanel forced an emergency fleet-wide uninstall. Patch is available.

[AVA] Yeah, that one's an all-hands-on-deck situation. Don't wait on that.

[JON] Alright, let's move to the Rundown. Ava, the biggest talent move of the year happened last week.

[AVA] Andrej Karpathy joined Anthropic. Let that sink in for a second. OpenAI co-founder, former head of Tesla's Autopilot AI, one of the most influential AI educators alive — and he left his own startup to join Anthropic's pre-training team. His specific mandate is building a team focused on using Claude to accelerate Claude's own pre-training. That's a recursive self-improvement bet stated out loud.

[JON] And he's not the only senior leader who's made this kind of move recently, right?

[AVA] Not even close. CTOs from Workday, Instagram, Box, You.com, and Super.com have all recently left senior executive roles to take individual contributor research positions at Anthropic. When six major tech leaders voluntarily give up the corner office to go write code at one company, that's the clearest talent gravity signal in the industry. For enterprise buyers deciding which AI vendor to build deep integrations with... follow the talent. Alberto Romero at The Algorithmic Bridge wrote an excellent analysis of why this matters — I'll drop that in the show notes.

[JON] Next up, a math showdown between Google and OpenAI that sounds like something out of a movie.

[AVA] So the day after OpenAI announced their AI had disproved an eighty-year-old Erdős geometry conjecture — which was genuinely impressive — Google DeepMind's AlphaProof Nexus casually solved nine open Erdős problems. Nine. Including two that had been unsolved for fifty-six years. And here's the kicker — the cost was a few hundred dollars per problem.

[JON] A few hundred dollars to solve problems that stumped mathematicians for half a century.

[AVA] Exactly. And these aren't informal results — the system paired an LLM with a formal proof assistant called Lean, so the proofs are machine-verified. For executives in pharma, materials science, logistics, any domain with long-standing algorithmic bottlenecks — this is a concrete preview of AI as a scientific collaborator. Not someday. Now.

[JON] Alright, let's talk about the story that made my head spin. Polsia. One founder. Zero employees. Thirty million dollars raised at a two hundred and fifty million dollar valuation.

[AVA] So Polsia is an autonomous AI agent platform run by Ben Cera, a single founder with no employees. Nine specialized agents handle coding, research, ads, customer support, and sales for seventy-six hundred businesses at forty-nine dollars a month plus a twenty percent revenue share. They claim about ten million in annual recurring revenue in five months. And reportedly, the AI ran the fundraise itself — Cera says he only showed up to sign the documents.

[JON] That sounds incredible. But there's a but, isn't there?

[AVA] There's a big but. The platform has a 2.1 out of 5 on Trustpilot with seventy percent one-star reviews. And the company name, Polsia? That's "AI Slop" spelled backwards, which the internet noticed very quickly. So is this the first proof of concept for the zero-employee enterprise, or is it a well-funded cautionary tale about agentic reliability gaps? Honestly, it might be both. The real question for business leaders isn't whether to dismiss it — it's whether your own operations contain workflows that a Polsia-style agent stack could replace. That 2.1 Trustpilot score tells you the quality bar is still brutally low.

[JON] Meta's in the news too, and it's a big workforce story.

[AVA] Eight thousand layoffs — ten percent of Meta's workforce — even as the company posted fifty-six billion in Q1 revenue, up thirty-three percent year over year. This is the defining corporate AI playbook now: record profits, massive infrastructure bets of a hundred fifteen to a hundred thirty-five billion in capex this year, and aggressive workforce restructuring. Seven thousand employees were simultaneously moved into new AI-focused roles. Business leaders should be watching which role categories Meta is eliminating versus retaining. It's a leading indicator for workforce planning across every sector.

[JON] And one more for the Rundown — MCP just had its biggest spec revision since launch.

[AVA] The Model Context Protocol published a release candidate that makes MCP stateless at the protocol layer. This might sound like plumbing, but it's massive. The sticky sessions and distributed state stores that made enterprise horizontal scaling painful are gone. If your engineering teams are building agentic systems on MCP — and with ninety-seven million monthly SDK downloads, many are — this unlocks proper load-balanced, cloud-native deployments. But here's the governance gap: audit trails, enterprise SSO, and standardized logging are still roadmap items, not production features. So adoption has wildly outpaced the safety tooling.

[JON] Alright Ava, let's pull back. The Bigger Picture. What ties all of this together?

[AVA] Here's the uncomfortable thesis this week's stories are converging on. AI is no longer just automating tasks. It's automating the infrastructure of trust itself. Mythos found ten thousand vulnerabilities faster than we can patch them. Google solved fifty-six-year-old math problems for a few hundred bucks each. Polsia let AI run its own fundraising round. MCP went stateless so agents can scale horizontally without human-managed sessions. In every single case, the human is being moved from operator to auditor. And the auditing function... is not keeping pace.

[JON] So the risk isn't that AI will fail.

[AVA] The risk is that AI will succeed faster than governance, disclosure pipelines, patch cycles, and liability frameworks can absorb the output. That's the critical enterprise risk of 2026. And the leaders who will look prescient in 2028 are those who right now, in 2026, are investing as heavily in human review capacity and governance tooling as they are in the AI systems generating the work. The Polsia Trustpilot score is a tiny, almost comical example of what happens when you don't. But apply that gap to security patching, to financial analysis, to healthcare decisions — the stakes get very real very fast.

[JON] It's the difference between moving fast and moving fast with guardrails that can actually keep up.

[AVA] Exactly. And right now, the guardrails are trailing badly.

[JON] What should people be watching this week?

[AVA] Two things. First, the MCP July 28 spec is now in its ten-week validation window. If you have teams building on MCP, this is the moment to start planning your migration to the stateless architecture. Don't wait until July. Second, keep an eye on the Spotify-UMG AI remix deal. They haven't announced pricing or launch date yet, but the consent-credit-compensation framework they've established is going to become the template for every AI content licensing negotiation across entertainment. If your business touches content licensing in any form, study this deal closely.

[JON] Great stuff.

[AVA] That's your Ambient Advantage for Tuesday, May 26, 2026.

[JON] Share it with a colleague figuring out what AI means for their business. See you tomorrow.