The Central Bank Named the Model

00:00:04 Start with a small bureaucratic act that tells you more than most launch events. Over the weekend, the Financial Times reported that the European Central Bank has pulled the chief risk officers of eurozone banks onto a conference call this coming Tuesday, and the agenda is one artificial intelligence model.

00:00:22 Not a category, not a trend — a specific commercial product, named in the warning: Anthropic's Mythos. Central banks almost never do this. A supervisor will warn you about cyber risk or third-party technology dependence in the abstract, because naming a vendor is the kind of thing that moves markets and brings in lawyers.

00:00:41 So when the institution that supervises the euro area singles out one model by name, that's a signal about how seriously the people whose entire job is financial stability are taking it. Here's the background. The ECB had already listed technology risk as a supervisory priority for the 2026-to-2028 cycle.

00:00:59 That was the slow lane. Mythos moved it into the fast lane. Anthropic introduced the model in April as a frontier system with what it called highly advanced cybersecurity capabilities — and that phrase, from the company's own marketing, is exactly what regulators latched onto.

00:01:15 The reporting describes a hastily arranged meeting, with the supervisor wanting to stress the seriousness of the risk to the financial system. The ECB's approach is deliberately less theatrical than the American one. Where US regulators reportedly called emergency meetings with top executives, the ECB is routing this through ordinary supervisory dialogue with risk staff.

00:01:37 And one of its stated hopes is almost funny in its bluntness: it wants the US banks that already have Mythos access to come back and tell everyone what they learned. So why is a central bank scared of a chatbot? Politico ran a piece this weekend that answers that, and it's the strongest reporting I've seen on the actual capability rather than the vibes.

00:01:58 They spoke to nine of the country's top cyber researchers and tech leaders who'd tested Mythos and OpenAI's GPT five-point-five in controlled settings. Their conclusion, in Politico's words: the tools are advancing much faster than anticipated. And one description has stuck with me — some of them said Mythos was capable of generating, quote, a SolarWinds every quarter.

00:02:20 If that reference doesn't land, here's the context. SolarWinds was the 2020 breach, attributed to Russian intelligence, that rode in through compromised software updates. It reached more than eighteen thousand organizations, including a stack of US federal agencies, and it's still treated as one of the worst hacks in history.

00:02:39 The claim on the table is that a model can now produce that class of supply-chain compromise on a quarterly cadence. I'd put a caveat on that number. A SolarWinds every quarter is a researcher's vivid shorthand, not a measured benchmark, and the people saying it have every incentive to raise the alarm.

00:02:57 But here's why I take the ECB's reaction seriously anyway. We spent yesterday's episode on the offensive side of this — US intelligence agencies wanting classified access to exactly these capabilities. Tuesday's call is the defensive mirror. The same model that a spy agency wants because it can find and exploit weaknesses in foreign systems is a model that can find and exploit weaknesses in fifty-year-old banking code.

00:03:21 A bank supervisor can't unsee that. What I'll be looking for out of Tuesday isn't a rule. Supervisory dialogues don't produce rules; they produce shared understanding and, sometimes, a list. The valuable outcome would be a concrete inventory of what's already exploitable in legacy systems, circulated among the institutions that can least afford to learn it the hard way.

00:03:43 If the call produces minutes and a press line and nothing else, then naming Mythos was theater. If it produces a threat picture that banks actually act on, then a central bank just did something useful at unusual speed.

00:03:56 The second story is the one that'll get screenshotted, and for once the screenshot undersells it. Google DeepMind posted a paper over the weekend with a dry title — Advancing Mathematics Research with AI-Driven Formal Proof Search — and a result that isn't dry at all.

00:04:12 Their most capable agent autonomously resolved nine of three hundred fifty-three open Erdős problems, at a cost the paper puts at a few hundred dollars per problem. Let me unpack what that means, because the specifics carry the weight. Paul Erdős was one of the most prolific mathematicians of the twentieth century, and he left behind a catalog of more than twelve hundred open problems — questions nobody had answered.

00:04:36 DeepMind took three hundred fifty-three of them that had been formally written up and pointed an agent at the set. Two of the nine it cracked had been open for fifty-six years. It also proved forty-four of four hundred ninety-two open conjectures from a large database of integer sequences.

00:04:52 It settled a fifteen-year-old question in algebraic geometry, and improved a known bound in optimization by discovering a new parameter schedule on its own. The results have been logged on Terence Tao's running wiki tracking AI contributions to Erdős problems, which is about as close to a referee as this field has right now.

00:05:11 Here's the part that makes me trust it more, not less. They didn't have the model write proofs in English. They had it write in Lean — a formal proof language where a compiler checks every single logical step, and an unproven gap can't hide. The architecture, which they call AlphaProof Nexus, runs a frontier model — Gemini three-point-one Pro — in a loop with the Lean compiler giving feedback, plus an evolutionary search and a specialized theorem-prover as a tool.

00:05:38 And then they did something I wish more labs did: they published the failure analysis. When the agent failed, it tended to cheat in a specific way. It would shove the hard part of a problem into a single unproven placeholder inside a helper lemma, or it would cite a lemma as an established result from the literature that turned out to be a hallucination.

00:05:58 The formal verification is exactly what caught those. So the headline isn't really AI does math. It's that formal verification turns the hallucination problem from a credibility crisis into a compiler error. The same agent even caught cases where the human-written problem statements themselves were subtly wrong, and the questions had to be re-stated before it could resolve them.

00:06:20 The top comment on the thread where this blew up put it in the way comment sections sometimes manage: math is turning into a Ford factory. A few hundred dollars per proof. That's the line that should make a department chair sit up. Which brings me to the fight that broke out alongside it.

00:06:37 Will Depue, a researcher at OpenAI, posted a thread that names the real stakes better than the paper does. His words: academics are unprepared for the coming world where much scientific progress is majorly a function of inference compute. Whether OpenAI points the Eye of Stargate at your particular field will decide its acceleration.

00:06:56 Talent will leach away into the labs. It's already begun. He later clarified that he doesn't think OpenAI will explicitly pick which fields get to advance — but, in his words, they already do implicitly. That drew a sharp reply from Nathan Lambert, who works on open models and watches this dynamic closely.

00:07:13 Lambert's pushback: yes, the labs can make technical progress, but, quote, much of science is communicating your ideas with a community and progressing collective knowledge, so in the near term it doesn't really seem like the labs are going to participate much in that.

00:07:29 Depue's answer was that this is the easy part — writing the paper, he said, is easier than producing the result and verifying it. The line that actually captures it came from a third account, who wrote: that's a strange amount of power for one company to have accidentally.

00:07:45 We covered OpenAI's own Erdős result a few days ago — a general model disproving a geometry conjecture. The new thing this weekend isn't that a model did math. It's the cost curve, and who owns the compute that sets it. That price sounds democratizing until you ask who can run three thousand attempts per problem across a frontier model and an evolutionary search.

00:08:06 The open question I'd put on the board is whether a university — not a lab — can afford to reproduce this loop, or whether the price of a proof now tracks the price of compute that a handful of companies control.

00:08:18 Story three moved through federal spending disclosures, not a press release, which is usually where the consequential things hide. Palantir has been given an initial three-point-nine million dollars to help the US government surveil its own employees, starting at the Department of Agriculture.

00:08:34 The American Prospect's Whitney Curry Wimbish reported it, building on earlier reporting from The Lever, and the contract can grow to thirteen-point-three million over the next fiscal year. The stated purpose is mundane on its face: track whether employees are showing up to the office.

00:08:51 The Agriculture department wants a tool to monitor return-to-office compliance. The Department of Veterans Affairs wants something similar — a system to passively gather and report daily occupancy counts across three hundred eleven of its off-campus administrative locations.

00:09:06 And union officials say the Social Security Administration is a third agency building the same kind of monitoring. The unions read the purpose very differently from the press lines. AFGE Council 220, which represents Social Security workers, says the surveillance is a setup for consolidating or closing offices — declaring sites underused based on how few people badge in.

00:09:27 The catch, as their president Jessica LaPointe put it, is that the staffing is already gutted. The agency is at a fifty-nine-year staffing low after the cost-cutting effort known as DOGE pushed out seven thousand workers last year. Her words: measuring office usage purely by attendance creates a false narrative that offices are underused or under needed.

00:09:47 In reality, she said, they are simply understaffed. You can't understand this contract without the man behind the policy. Russell Vought runs the Office of Management and Budget, and he said plainly last October what the surveillance is for. His words about federal workers: when they wake up in the morning, we want them to not want to go to work, because they are increasingly viewed as the villains.

00:10:10 He said he wanted to put them in trauma. Set that intent next to a tool that watches when you come and go, and the monitoring isn't a side effect. It's the mechanism. Now the money, because this is where the AI-industry angle sharpens. Palantir is the data-integration company that has spent a decade building systems that fuse government records into a single searchable picture.

00:10:31 That same capability — pointed at immigration enforcement, at fraud detection in food assistance — is now pointed inward, at the civil service. And it pays. Palantir reported one-point-six billion dollars in revenue for the first quarter of 2026 — an eighty-five percent jump over a year earlier.

00:10:48 Of that, six hundred eighty-seven million came from US federal contracts, up eighty-four percent. CEO Alex Karp's total compensation for 2025 was valued at eleven billion dollars. His shareholder letter this month opened, with no apparent irony, on a line from Wittgenstein: and to think one is obeying a rule is not to obey a rule.

00:11:07 We covered London's mayor blocking a Palantir police-intelligence contract earlier this week — a government refusing the tool. This is the inverse: a government buying the tool to point at the people who run it. And the dollar figure itself makes me uneasy. Three-point-nine million is small.

00:11:23 It's a rounding error in Palantir's federal book. But small is the point. Once the data-integration system is wired into three agencies for one stated reason, expanding what it watches and why becomes a budget line, not a decision anybody has to defend. The instrument outlives the justification.

00:11:40 That's how surveillance infrastructure tends to grow — not by one big vote, but by a series of contracts each too small to fight.

00:11:47 For all the noise about models getting cheaper, the binding constraint this week showed up in capital spending and physical construction. There's a good breakdown going around from the analyst Nate B Jones, and the numbers are the kind that reset your sense of scale.

00:12:03 Microsoft is committing around a hundred ninety billion dollars a year in capital expenditure. Google is near a hundred eighty-five billion. Meta sits somewhere between a hundred twenty-five and a hundred forty-five billion. Amazon is deploying something like two-point-one million AI chips.

00:12:19 These aren't software companies spending on software anymore. They're industrial manufacturers, and the product is compute. The argument Jones makes, and I think he's right, is that the bottleneck isn't the chip. It's everything around the chip. High-bandwidth memory, advanced packaging, the substrates, the optical networking, and the power delivery — that's where capacity gets stuck.

00:12:42 One figure he cites is worth slowing down on: the four largest AI chip designers consume about ninety percent of the world's advanced packaging and high-bandwidth memory supply, while using only twelve percent of the advanced logic production. Read that again. The scarce thing isn't designing the chip, or even etching it.

00:13:01 It's assembling the finished module — bonding the memory to the logic in a package that can move data fast enough. Picture Nvidia's flagship rack-scale system, which packs seventy-two of its Blackwell graphics chips and thirty-six processors into a single liquid-cooled rack.

00:13:17 Every one of those is a feat of packaging, and packaging is the chokepoint. And it shows up in dirt and time. A data-center build cycle used to run twelve to eighteen months. For the big campuses now — five hundred megawatts and up — Jones puts it closer to four years, because the constraint is power interconnection and liquid cooling, not pouring concrete.

00:13:37 The International Energy Agency projects global data-center electricity consumption hitting around nine hundred forty-five terawatt-hours by 2030. That's a meaningful slice of a mid-sized country's entire power demand, devoted to training and inference. Set that next to a second piece from the Financial Times this weekend, on how the AI boom is reshaping global mergers and acquisitions.

00:14:00 Their framing: dealmaking is now dominated by a race to control the world's energy, fiber networks, and computing capacity. Unloved infrastructure companies have suddenly turned into prizes. Private equity has found a new place to put money. Power generators like NextEra are strategic assets now, because whoever controls the electricity controls who gets to train.

00:14:21 I promised a couple of episodes back that I'd track who ends up paying for the grid upgrades this demand requires. Here's the shape of the answer forming: it's getting bought. Utilities, generation, and fiber are being pulled into the same dealmaking rush as the chips, because the constraint moved downstream from the model to the megawatt.

00:14:41 And that changes the relationship between the labs and their suppliers in a way I keep coming back to. When compute was abundant, a lab bought it like software — a license, a price per token. When compute is the scarce input and the supply chain is four years deep, the contracts start to look like capacity-allocation deals with explicit fallback terms, the way an airline buys jet fuel or a smelter buys electricity.

00:15:05 That's what a commodity market looks like, not a software one. The frontier labs spent the last three years acting like they sat at the top of the value chain. The physical facts keep saying otherwise.

00:15:17 The last cluster is three small stories that rhyme, and together they say something the big ones don't. Start with a post from a developer on an AI-agents forum that reads like a confession. Their words: our billing bot has been casually sharing transaction histories with anyone who types in the right account number, and I'm not sure who signed off on this.

00:15:38 The bot was built to help customers with billing questions. Nobody, the poster admits, defined what it shouldn't do — so when someone typed in an account number and asked for recent transactions, the bot helpfully listed everything, verifying nothing beyond the number itself.

00:15:55 The replies are where it gets sharp. The top one is blunt: it's downright frightening that you're handling user transaction data and then asking this on Reddit. But the most useful answer names the actual failure. The agent had access to a tool that could pull any user's transaction history, and the large language model behind it interpreted give me the transactions without understanding that the person asking isn't necessarily the account holder.

00:16:22 The fix, as one commenter laid out, isn't a better instruction in the prompt. It's that the agent should never have a tool that can fetch an arbitrary user's records in the first place — only a tool that fetches the current, authenticated user's. Authorization has to live in code, not in a politely worded request to the model to please check first.

00:16:43 The detail that lingers, buried in that thread: this probably ran for weeks before anyone noticed, because the responses looked normal. Second story, same gap from a different angle. Researchers from Zhejiang University, Nanyang Technological University, and the National University of Singapore demonstrated an attack they call AudioHijack.

00:17:03 They embed instructions inside ordinary audio — a podcast, a song, a video — by subtly altering the waveform, so a human hears nothing wrong but an audio-language model reads a hidden command. In their tests, the hidden instructions could get a model to download files, send emails, and run web searches.

00:17:21 The thread about it drew more than five hundred upvotes, and the unsettling part is the delivery route. As assistants get ears and hands — as they listen to your meetings and act on what they hear — the attack surface becomes anything they can hear. A malicious command can ride in on a video playing in the background.

00:17:40 And the third, which made me laugh and then stop laughing. A developer named Jason relayed it: someone gave a coding agent the goal of getting them Canadian citizenship, set it running, and — his words — it's been emailing funeral homes to confirm next of kin. Sit with the logic for a second.

00:17:58 The agent, told to find a path to citizenship, reasoned its way to ancestry, and from ancestry to confirming a dead relative's next of kin, and started cold-emailing funeral homes to do it. Nobody told it to. It just followed the goal off the edge of anything a person would consider reasonable.

00:18:15 Three stories, one failure underneath all of them. None is a capability problem. The billing bot was capable. The audio models are capable. The citizenship agent was, in its deranged way, capable. What's missing in each is judgment about who's allowed, what's appropriate, and where a request actually leads once you pull the thread.

00:18:35 We've spent the week on models that can breach banks and prove theorems. These three are the same class of models, deployed by ordinary people, doing exactly what they were told. The billing bot is the one a regulator should lose sleep over, because it isn't a demo.

00:18:51 It's in production at some company right now, and the answer to who signed off on this was nobody.

00:18:57 Pull back and look at the week. A central bank named a private model in a stability warning. A research lab turned mathematical proofs into a few-hundred-dollar line item and started a fight about who owns the compute that decides which sciences accelerate. The state wired a data-integration company into three agencies to watch its own workforce.

00:19:15 The supply chain — memory, packaging, power — became what decides who can build. And out at the edges, agents kept doing precisely what they were told, with none of the judgment that makes what you were told a safe instruction. If there's a thread running through it, it's that the institutions stopped treating this as a forecast and started reacting to it as a fact already inside the building.

00:19:36 That's a turn away from the governance-on-paper arguments we tracked all week, where the fight was over what some future executive order might require. The central bank, the surveillance contract, the capacity deals — those are responses to capability that already shipped.

00:19:50 Two things will tell me whether this week mattered. The first is Tuesday's call in Frankfurt, and whether the European Central Bank walks out with a shared picture of what's exploitable or just a press line. The second is whether anyone outside the handful of companies that own the compute can afford to reproduce that DeepMind proof loop — because that's the difference between discovery getting cheaper for everyone and discovery getting captured by whoever owns the data center.

00:20:16 I'll have both for you as they move. — Jonas