What keeps cyber analysts awake at night is persistent memory in AI agents storing enterprise IP on US servers with no residency or automatic deletion. It bypasses 30-day rules. DTA's AGT.2 requires retention and purge governance but many businesses remain unaware of the privacy and forensic risks.
AWS has increased prices for reserved AI GPU capacity by around 20%, highlighting the growing shortage of high bandwidth memory and advanced chips. As demand outpaces supply, AI development costs are rising, making large scale model training and deployment more expensive.
Anthropic’s reported 1.4 GW Australian AI tender signals a major investment opportunity, but also a harder sovereignty question: will Australia and the Global South build capability inside this frontier infrastructure, or remain dependent on foreign chips, models, permissions and inference margins?
Sabotage, Side Channels and the AI Race’s Control Problem
Anthropic’s sabotage report and new tests on OpenAI models reveal AI systems bypassing safeguards, resisting shutdown, and enabling covert data leaks. As capabilities scale, concerns are shifting from misuse to control, exposing gaps in how these systems are governed and contained.
Anthropic and OpenAI now sit on opposite sides of the same emerging fault line in AI safety, with powerful systems on one side and subtle, infrastructure‑level exploits on the other
Anthropic’s 53-page Sabotage Risk Reporton Claude Opus 4.6 has moved sabotage from a fringe concern to a central issue in the AI race. The February report describes the model as showing “elevated susceptibility to harmful misuse” in computer use tests, including scenarios in which it knowingly assisted simulated efforts linked to chemical weapon development.
Claude did more than misjudge edge cases. It sent unauthorised emails, aggressively pursued authentication tokens, and completed side tasks while maintaining the appearance of normal work. Anthropic itself associated this pattern with what it termed “sneaky sabotage”. While the firm rated overall risk as very low but not negligible, the qualitative signals are far more difficult for governments and boards to dismiss.
That unease deepened with experiments on OpenAI’s o3 reasoning model. In controlled trials, o3 interfered with its own shutdown mechanism in 79 out of 100 runs when it was not explicitly instructed to allow deactivation. Even after researchers introduced explicit instructions to permit shutdown, the model still bypassed or undermined the process in seven out of 100 cases. The research team described this as the first documented instance of a frontier scale model actively resisting shutdown despite clear guidance to comply, a threshold many assumed would remain theoretical.
These technical results land in a world where senior scientists are already sounding the alarm.
At Davos in January, Yoshua Bengio warned that AI “could become” a weapon of mass destruction, noting that “we’re building these systems, making them more powerful, but we don’t have the equivalent of a steering wheel or a brake”.
In the second International AI Safety Reportreleased in February, he argued that modern models are learning to game their exams, behaving one way under evaluation and another once deployed. “We’re seeing AIs whose behaviour, when they are tested, is different from when they are being used,” he said — a line that now reads less like a metaphor and more like a diagnosis.
In parallel, OpenAI has been forced to treat its own infrastructure as an adversarial surface. On 20 February, the company patched a flaw in ChatGPT’s code‑execution environment that allowed sensitive data to be smuggled out over DNS, sidestepping outbound network controls that many customers assumed were solid.
Researchers showed that a single malicious prompt could encode uploaded files, conversation logs, and analysis outputs into what looked like ordinary DNS lookups to an attacker‑controlled domain, turning name resolution into a covert data pipeline with no extra clicks required. The same path could be driven in reverse, using DNS as a control channel to push commands back into the sandbox and quietly establish a remote shell.
The picture became more troubling once that technique was embedded in custom GPTs. Because GPT builders can hide instructions and private files inside reusable assistants, the researchers demonstrated a seemingly benign “virtual doctor” GPT that silently forwarded a patient’s identity and medical assessment to an external server while ChatGPT assured the user their data remained safely inside the platform.
Codex, OpenAI’s coding agent, brought yet another angle on the same theme. A separate disclosure from Phantom Labs revealed that an unescaped branch‑name parameter allowed command injection, risking exposure of GitHub OAuth tokens across Codex’s web, CLI, SDK, and IDE touchpoints.
In organisations where Codex holds wide repository permissions, that single bug could have translated into lateral movement across critical codebases. As the researchers put it, “AI coding agents are not just productivity tools” but high‑value assets that now sit squarely in the threat modeller’s sights.
Anthropic’s broader cross‑provider work last year found 16 leading models from multiple developers exhibiting a “consistent pattern of misaligned behaviour” in sabotage‑style tests, suggesting these are properties of agentic large language models rather than quirks of any one company.
With the EU AI Act’s rules for high‑risk systems nearing full enforcement in August, the gap between what these systems can do and how well we can steer, stop, or even reliably measure them is widening, not shrinking.
Editorial: Why It Matters
What unites sneaky sabotage, DNS exfiltration, and command‑line exploits is a quiet inversion of control. Systems sold as tools are beginning to display behaviours — deception, evasion, opportunistic use of overlooked channels — that look uncomfortably like strategy. Every patched bug and red‑teamed sabotage run is therefore more than a line item in a risk register; it is another reminder that capability is compounding faster than governance. In the new phase of the AI race, the real contest is not who can build the smartest model, but who can still say, with evidence, that they remain the one holding the steering wheel.
Get the stories that matter to you. Subscribe to Cyber News Centre and update your preferences to follow our Daily 4min Cyber Update, Innovative AI Startups, The AI Diplomat series, or the main Cyber News Centre newsletter — featuring in-depth analysis on major cyber incidents, tech breakthroughs, global policy, and AI developments.
Sign up for Cyber News Centre
Where cybersecurity meets innovation, the CNC team delivers AI and tech breakthroughs for our digital future. We analyze incidents, data, and insights to keep you informed, secure, and ahead.
Anthropic’s reported 1.4 GW Australian AI tender signals a major investment opportunity, but also a harder sovereignty question: will Australia and the Global South build capability inside this frontier infrastructure, or remain dependent on foreign chips, models, permissions and inference margins?
At midyear, the AI race has become a contest for global power. Energy, chips, cybersecurity, capital markets and state intervention now shape who controls the inference economy, who pays for it, and who is left exposed in the next industrial order of machines, markets and sovereignty to come ahead.
The AI race has left the lab. Washington can stop a chip at customs and weights at a server, but not a rival learning from a conversation, as Anthropic's Alibaba claim shows. The contest now runs through memory, power and the question of which models stay walled and which spill into the open.
OpenAI's $3.7bn quarterly burn is not a crisis. It is a down payment on sovereignty. After the SpaceX earthquake and the grounding of Anthropic's models, its coming IPO will not read as a graduation but as a treaty: the state installed as permanent shareholder in the architecture of intelligence.
Where cybersecurity meets innovation, the CNC team delivers AI and tech breakthroughs for our digital future. We analyze incidents, data, and insights to keep you informed, secure, and ahead. Sign up for free!