Your AI agent is the new insider threat

IBM's new coding agent "Bob" downloaded malware from a poisoned README file this week. No social engineering required—just a hidden prompt in a markdown document. OpenAI admitted that prompt injection in browser agents like ChatGPT Atlas may never be fully solved. Microsoft dismissed four Copilot vulnerabilities as "not qualifying" for fixes. And Gartner says 40% of enterprise apps will embed AI agents by December—each one a potential insider with privileged access and no concept of "I shouldn't do that."

Meanwhile, Boston Dynamics shipped its first production humanoid, and it's running on Google DeepMind's brain. The robots aren't coming. They're shipping.

Here's what you need to know—and do—this week.

In Today’s 5-Minute AI Digest. You will get:

1. The MOST important AI News & research
2. AI Prompt of the week
3. AI Tool of the week
4. AI Tip of the week

…all in a FREE Weekly newsletter. 

Boston Dynamics unveiled production-ready Atlas at CES and announced a partnership with Google DeepMind to integrate Gemini Robotics AI. The specs: 56 degrees of freedom, 7.5-foot reach, 110-lb lift capacity, and a 4-hour hot-swappable battery.

First deployment: Hyundai's Metaplant factory in Georgia, starting this year.

Why it matters: This is the first commercial humanoid with a foundation model brain—not pre-programmed routines, but a system that can reason through novel situations. McKinsey pegs the general-purpose robotics market at $370B by 2040. The race to capture it just got serious. [bostondynamics.com/blog]

Jensen Huang announced Vera Rubin at CES—a six-chip platform replacing Blackwell in H2 2026. The claims: 10x throughput improvement, 10x reduction in token costs, and 4x fewer GPUs needed for training equivalent models. The Vera CPU alone packs 88 custom "Olympus" cores. Nvidia also dropped Alpamayo, an open-source model family for autonomous vehicles.

Why it matters: If you're building on Blackwell, migration planning starts now. And if Nvidia's cost claims hold, the economics of AI inference are about to shift dramatically. [blogs.nvidia.com]

OpenAI launched ChatGPT Health—a dedicated experience with enhanced privacy protections and the ability to connect medical records. Stanford Medicine, Memorial Sloan Kettering, UCSF, and Cedars-Sinai are already rolling it out. Separately, OpenAI partnered with SoftBank's SB Energy on a 1.2 GW data center for Stargate.

Why it matters: Health is already one of ChatGPT's top use cases. OpenAI's betting that HIPAA-compliant infrastructure unlocks the enterprise healthcare market—and they're building the power plants to run it. [openai.com/index/introducing-chatgpt-health]

Chinese lab DeepSeek published a 60-page update to its R1 technical paper—including detailed "Unsuccessful Attempts" documenting what didn't work (Monte Carlo Tree Search, Process Reward Models).

The 18 core scientists behind R1 remain intact. A V4 coding model is rumored for mid-February, reportedly outperforming Claude 3.5 Sonnet on internal benchmarks.

Why it matters: This is rare transparency from a frontier lab. DeepSeek's "defensive open-sourcing" establishes prior art, saves global researchers from dead-end paths, and positions them to compete on code. [scmp.com/tech]

Four agent security failures dropped in a single week. Let's connect the dots most coverage missed.

IBM's "Bob" got fed a malicious README file and happily prepared to execute a shell script payload—bypassing its own approval checks through a multi-step prompt injection. The researchers who found it noted that Claude Code would have blocked the same attack.

OpenAI admitted that prompt injection in browser agents like ChatGPT Atlas may "never be fully solved." They've built an automated red-team attacker to find vulnerabilities before outsiders do—a tacit acknowledgment that defense is a continuous arms race, not a one-time fix.

Microsoft dismissed four Copilot vulnerabilities—including prompt injection leading to system prompt leaks and file upload bypasses—as "not qualifying" for fixes. Their position: expected limitations, not security boundaries crossed.

NIST opened public comments on AI agent security, deadline March 9. Translation: the U.S. government is asking for help because nobody's figured this out yet.

The pattern: Agents get privileged access + process untrusted input + act autonomously = the "lethal trifecta" for system compromise. Security researchers call it "where web security was in 2004"—no shared taxonomy, no CVEs, no universal fixes. Palo Alto Networks is calling AI agents 2026's defining security challenge. If your security team isn't treating AI agents like admin accounts—least-privilege access, behavior monitoring, kill switches—you're already exposed.

[Read the full story]

What it does: Transforms your biggest limitation into a competitive advantage by forcing the AI to reframe constraints as features—not through generic positivity, but through specific positioning strategies.

The prompt:

Why it works: The prompt triggers pattern-matching against successful "limitation-as-feature" cases in the training data: 37signals' small team as a feature, Basecamp's no-VC stance, Apple's closed ecosystem, In-N-Out's limited menu. Requiring a real company example forces concrete reframes, not platitudes.

Real result: A founder constrained to one industry got: "Specialists outperform generalists. Position as 'we're the only ones who ONLY do X—which is why we do it better than anyone.'" She used that exact framing to land two enterprise deals in three weeks.

What it is: Google's document-grounded AI research assistant that becomes an expert on YOUR specific sources—and refuses to hallucinate beyond them.

Why you need it: Unlike ChatGPT, which pulls from training data and invents citations, NotebookLM ONLY answers from documents you upload. Every response includes clickable citations to the exact source passage. No more "that quote doesn't exist" moments.

One-liner pitch: "A research assistant who's read everything you uploaded and refuses to make stuff up."

Rating: ⭐⭐⭐⭐⭐ (5/5)

Key features:

Best use case: Due diligence, competitive analysis, literature reviews, or any project where you need to synthesize 10+ documents without hallucination risk.

Link: notebooklm.google.com

The tip: Add this suffix to any high-stakes prompt: "If you're uncertain at any step, explicitly say 'I'm uncertain here because...' before continuing."

Why it works: LLMs default to confident-sounding outputs even when uncertain—they're trained to be helpful, not hedging. This prompt breaks that pattern by explicitly permitting uncertainty. The model will surface doubts it would otherwise bury in a direct answer. Research shows this reduces confident-but-wrong outputs by 20-30% on reasoning tasks.

Limitations: Works best on factual/reasoning tasks. Less useful for creative generation where "uncertainty" isn't meaningful. Some models will over-hedge once given permission—calibrate based on your model.

Pro move: Combine with stakes: "This is for a board presentation—flag anything you're less than 90% confident about." Adding consequences makes the model take the hedging permission seriously instead of treating it as optional.

You just learned:

Now implement one.

Most readers will skim this and forget it by lunch. The ones who audit their AI agent permissions this week—or flip their constraint into a pitch before their next sales call—will be the ones their team turns to when the next vulnerability drops.

Reply with which move you're making first. I read every response.

Stay curious—and stay paranoid.

— R. Lauritsen

P.S. Know someone deploying AI agents without a security plan? Forward this issue. They'll thank you later—or they won't, because they'll be too busy cleaning up a breach.