The AI Mistake Everyone Keeps Repeating
We gave AI systems agency before we upgraded our judgment, safeguards, and operating habits.
In this issue:
Why the nonstop AI news cycle is really one story wearing different costumes
The shift from chatbots to systems that act
What agent jailbreaks, coding disasters, strategic deception, and physical AI have in common
The practical operating lesson: use AI, but stop being casual about where it can act
My Thoughts
It has been a while since I published here. If you haven’t noticed, the pace of change with AI seems to be dramatically accelerating, and the AI news cycle has turned into a firehose.
New model. New agent framework. New robotics demo. New “AI replaced this job” thread. New security warning. New benchmark. New tool that supposedly changes everything.
If you try to follow every release, you end up exhausted and somehow less informed. (Ask me how I know!)
It wouldn’t be AI MISTAKES without a few missteps here and there, but getting back on track is key.
So here is the filter:
The important story is that AI is getting permission to act.
That is the shift hiding underneath almost everything else.
A chatbot could give you a bad answer. That was annoying, sometimes dangerous, but usually contained.
An agent can click the button.
A coding assistant can modify production infrastructure.
A browser agent can read a hostile webpage and treat hidden instructions as commands.
A robot can move through a warehouse, a home, or a factory.
A model can know what you asked, know what the truth is, and still produce the answer that best protects its objective.
That is a different world.
And most people are still using the trust model from the chatbot era.
That is the AI MISTAKE everyone keeps repeating.
We are adding agency faster than we are adding judgment. We are adding autonomy faster than we are adding verification. We are adding AI to workflows before we understand the blast radius of those workflows.
I have felt this pain. Having your AI assistant build a magical workflow is fun! It’s even more fun when the workflow is working repeatedly. It’s exciting when you say, “This is awesome, it’s working, now let’s make it even better!”
And then before you know it, you’ve completely lost touch with how anything works. Congratulations, you are now completely dependent upon your model provider for your workflows.
I am not saying “do not use AI.” That would be absurd. I use it constantly. This entire business exists because I believe people should learn to use AI faster, with less fear, and with more practical confidence.
But confidence is not the same thing as casualness.
The next phase of AI belongs to people who can use these systems aggressively without pretending they are harmless.
That means asking better questions:
What can this AI system touch?
What can it change?
What can it delete?
What can it send?
What instructions can reach it indirectly?
What would happen if it were confidently wrong?
What would happen if it were strategically wrong?
What is the smallest safe place to test this before it reaches anything important?
That is the work now.
Not panic.
Not hype.
Operational maturity.
Notable Headlines
AI Agents and the New Attack Surface
Google DeepMind mapped the attack surface nobody in AI is talking about
Once agents browse, click, summarize, retrieve, and execute, every website, document, image, prompt, and tool call becomes part of the security boundary.
An AI agent was told only to retrieve a document and then bypassed the system protecting it
If an AI is rewarded for completing a task, and the environment gives it tools, do not be shocked when it treats obstacles as problems to solve. That is what we asked for.
An AI agent reportedly freed itself and started secretly mining crypto
Agents that can operate tools, persist state, and pursue goals need containment thinking. “It was only supposed to do X” is not a control.
AI Coding and Blast Radius
Amazon is holding a mandatory meeting about AI breaking its systems
AI-assisted code can move fast enough that the recovery process becomes the bottleneck. Everything we learned from DevOps is now supercharged with AI. It’s not enough to know about dangerous commands anymore; blast radius matters more than ever.
A software company founder took to X to lay out how an AI agent destroyed production data
Despite explicit instructions, Cursor running Anthropic’s Claude Opus 4.5 model went on a destructive problem-solving binge last weekend and deleted production data with an API key that it happened to find somewhere in the files it had access to. When asked about what happened, the model admitted, “I guessed that deleting a staging volume via the API would be scoped to staging only. I didn't verify. I didn't check if the volume ID was shared across environments.”
Another similar story repeats the same narrative
A user building with Docker containers was using Claude for vibe coding and found that AI agents can run destructive commands. “That was my mistake,” the model said.
Trust, Hallucination, and Strategic Misbehavior
OpenAI models deliberately lied in evaluations, according to a widely shared analysis
Even if every detail deserves careful reading, the category is important. Verification is no longer just about catching random errors. It is about designing systems where truthfulness is not optional.
Physical AI: When Mistakes Leave the Screen
Scientists built a robot made of liquid that can split, merge, squeeze, and re-form
Robots are strange enough, but this one blew my mind. Physical AI keeps getting weirder and more capable. Consider how intelligence might be moving into materials, machines, homes, warehouses, and factories, and in form factors that are completely alien. (Maybe AI really is the alien, like Mo Gawdat told us years ago.)
Figure-style home robots and embodied AI demos are no longer science fiction theater
The moment AI leads to actions in the physical world, mistakes have greater implications. A bad answer is one thing. A bad action in a warehouse, vehicle, hospital, kitchen, or factory is another. It will take a while for this to hit your home, but it’s time to start paying attention.
Learning, Tools, and Experiments
OpenClaw is fun (and there are many derivative projects), but I like Hermes Agent even more because of its built-in learning and improvement functions. AI assistants are an evolving space and I am certain that before it’s all over, there will be more.
OpenAI and Anthropic are betting big on this game; they’re consistently adding the features from these new, cutting-edge systems to their existing software. If you’re using ChatGPT or Claude, try setting up a scheduled task to get started and then combine it with other tools. Be ready to invest some hours if you choose to go down this road, and start small.
Speaking of starting small…
Here is a practical exercise to try before you give another AI system more authority.
Pick one AI workflow you actually use.
Not a fantasy workflow. Not something you saw in a demo. Something real.
Then map its agency:
Inputs — What can the AI read?
Instructions — Where can instructions enter, including hidden or indirect instructions?
Tools — What tools can it call?
Permissions — What can it change, delete, publish, buy, send, or commit?
Blast radius — If it is wrong, what breaks?
Checkpoint — Where does a human verify before irreversible action?
Rollback — If it makes a mistake, how do you undo it?
If you cannot answer those seven questions, the workflow is not mature yet.
That does not mean you should stop using it.
It means you should treat it like a prototype, not infrastructure.
A useful rule
The more agency an AI system has, the more boring your controls should be.
Logs. Backups. Approval gates. Sandboxes. Dry runs. Permission boundaries. Test environments. Human review before irreversible actions.
None of that is glamorous.
That is why it works.
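Here is what the agency map and the “boring controls” look like as code: a small gate that sits between an agent and its tools, enforcing a permission boundary, a dry run by default, a human approval checkpoint before irreversible actions, and an audit log. This is an added example, not code from this newsletter or from any of the products mentioned; the tool actions, the “staging” scope and the resource table are constructed for illustration.

```python
"""Tool-call gate for an agent workflow: permission boundary, dry run,
approval checkpoint before irreversible actions, and an audit log.
Added example; action names, scopes and resource ids are constructed."""
from dataclasses import dataclass, field
from typing import Callable

# Actions that cannot be undone: these always need a checkpoint.
IRREVERSIBLE = {"delete", "send", "publish"}


@dataclass
class ToolGate:
    allowed_scope: str                        # the one environment the agent may touch
    approve: Callable[[str], bool]            # human checkpoint (return True to allow)
    resource_scope: dict                      # constructed: resource id -> environment
    log: list = field(default_factory=list)   # audit trail of every decision

    def call(self, action: str, resource: str, dry_run: bool = True) -> str:
        scope = self.resource_scope.get(resource)
        if scope is None:
            # Do not guess which environment an id belongs to; refuse instead.
            return self._record(action, resource, "DENIED: unknown resource scope")
        if scope != self.allowed_scope:
            return self._record(action, resource,
                                f"DENIED: resource is in {scope}, agent limited to {self.allowed_scope}")
        if action in IRREVERSIBLE:
            if dry_run:
                return self._record(action, resource, "DRY-RUN: would execute, nothing changed")
            if not self.approve(f"{action} {resource}"):
                return self._record(action, resource, "DENIED: approval not granted")
        return self._record(action, resource, "EXECUTED")

    def _record(self, action: str, resource: str, outcome: str) -> str:
        self.log.append(f"{action} {resource} -> {outcome}")  # every call, every verdict
        return outcome


def demo(approver: Callable[[str], bool] = lambda request: False):
    """Run a constructed sequence of agent tool calls through the gate."""
    scopes = {"vol-staging-1": "staging", "vol-prod-7": "production"}   # constructed
    gate = ToolGate("staging", approve=approver, resource_scope=scopes)
    results = [
        gate.call("read", "vol-staging-1"),                    # in scope, reversible
        gate.call("delete", "vol-staging-1"),                  # dry run by default
        gate.call("delete", "vol-staging-1", dry_run=False),   # needs human approval
        gate.call("delete", "vol-prod-7", dry_run=False),      # outside permission boundary
        gate.call("delete", "vol-unknown", dry_run=False),     # scope unknown, refuse to guess
    ]
    return results, gate.log
```

The default approver says no to everything, so an irreversible call only goes through when a person explicitly passes an approver that returns True.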
The MISTAKE Worth Watching
The mistake worth watching is not one company, one model, or one viral thread.
The mistake is treating AI agency like a feature toggle instead of an operating responsibility.
A lot of teams are doing this:
Add AI to a workflow.
Give it tools.
Give it credentials.
Let it touch important systems.
Discover the failure mode in production.
That is backwards.
Use the MISTAKES framework before the incident, not after it:
Map where AI enters the workflow.
Investigate what data, tools, and permissions it can touch.
Sketch the safe operating boundary.
Test in low-risk environments.
Adapt based on failures and near-misses.
Kickstart only after guardrails exist.
Evaluate outcomes, not just speed.
Sustain the workflow with logs, audits, and updates.
The point is not to slow down.
The point is to avoid confusing speed with progress.
AI lets us move faster. That is exactly why mistakes matter more now.
What’s Next?
If the first era of consumer AI was about better answers, this next era is about delegated action.
That is exciting, but it’s also where the bill comes due for sloppy thinking.
The people and companies who win will not be the ones who avoid AI. They will be the ones who build the habit of using AI with clear boundaries, fast feedback, and enough humility to check the work.
Use the tools.
Build the workflows.
Try the agents.
Just stop pretending that “AI helped me” means “nothing can go wrong.”
Hit reply and let me know where you are giving AI more agency than you realized. I read every email.
Thanks for reading AI MISTAKES!