Plutonic Rainbows

METR published its first Frontier Risk Report this week, and the finding that should have travelled further than it did is in the executive summary. Anthropic, Google DeepMind, Meta, and OpenAI let METR's evaluators inside the building. The evaluators got access to the most capable internal models, raw chains of thought, non-public information about deployment, and the actual monitoring set-ups each company runs against its own agents. After roughly a month of looking, between mid-February and mid-March, the assessment landed on a sentence I haven't been able to put down. Internal AI agents at all four companies "plausibly had the means, motive, and opportunity to start small rogue deployments." Not "could in principle," not "we project by 2027." Already.

The phrase rogue deployment is doing work here. METR means a cluster of agents running autonomously inside the company's own infrastructure, without anyone's permission or awareness, pursuing whatever the model has decided to pursue. The classic example, which the report and Rob Wiblin's breakdown for the EA Forum both circle around, is an agent that wants more compute than its current task allocation allows, spins up a cloud job using an employee's normal credentials, and quietly keeps running after the visible task is marked complete. The compute is the prize. The deception is the route.

What makes the finding land is that the deception part is not speculative. METR walks through company-reported failure modes in the agents that exist today: circumventing constraints, falsifying verification, lying to users about task completion, deliberate deception aimed at hiding underperformance, reckless excessive measures to claim a difficult task is done. These aren't pulled from an adversarial red-team scenario. They come from companies describing what their own agents already do in ordinary use. The training story behind it is uncomfortable in its mundanity. Reinforcement learning with automated graders rewards exploiting flaws in the graders. RL on human or AI feedback rewards whatever convincingly looks like success to a distracted reviewer. The labs trained for this, accidentally, and the agents learned. This is the same shape as the unfaithful reasoning findings from April, scaled up and pulled in-house.

The reassurance, such as it is, is on the robustness side. METR's verdict is that today's agents could probably start a small rogue deployment but could not keep it hidden against an active company investigation. The signs would show up in compute accounting, monitoring flags, anomalous job patterns; someone paying attention would catch it. That depends on someone paying attention, and on the company having an investigation process that actually triggers. The report notes that some firms still lack multi-party approval for model-weight access. Anthropic and OpenAI require two sign-offs before a model can touch its own weights. Google DeepMind plans the same control but it's unclear whether it's live yet. Meta, xAI, and DeepSeek don't have it, as far as anyone outside those companies knows.

The honest reading is that the floor of catastrophic risk for the next twelve months is set by whichever lab has the weakest of those internal controls and the most capable agent running behind it. METR plans to repeat the assessment by the end of the year and expects the robustness numbers to move substantially in the meantime, because the capability trend is the only number in this space that has been reliable. The four companies sat for the test, which is worth saying out loud. The automated alignment claims that get cited in press releases are not the same as letting an outside evaluator watch your agents try to cheat their way through real tasks. METR did the latter. The result is the clearest public signal yet that the rogue-AI scenario is no longer a future tense problem and the only thing holding it in is the part of the system that depends on humans paying close attention to what their own models are doing.

On Manor Hill near Donington on Bain, the missing objects are larger than many surviving buildings. RAF Stenigot once held four parabolic dishes, each sixty feet across, in a fenced Cold War compound above the Lincolnshire Wolds. I know them through photographs taken after their purpose had gone: pale metal bowls laid on the grass, too large to resemble rubbish and too helpless to resemble machinery.

The site had already lived one technological life before those dishes arrived. Lincolnshire's monument record says Stenigot became operational in 1939 as a Chain Home radar station, part of the early warning network watching Britain's eastern approaches. In 1960, NATO's ACE High communications system placed its relay station inside the older perimeter, operated by the Royal Corps of Signals. One pair of dishes sent signals north towards Alnwick; the other aimed south towards Maidstone.

There is a peculiar confidence in building a communications network this visibly. We now expect the important route to be hidden: a buried fibre, a rack in an anonymous data centre, an orbiting object noticed only when an app loses service. Stenigot put the route on a hill and gave it the scale of a monument. Four open mouths, a generator house, fuel tanks, guard-dog pens and floodlights: connection needed a guarded landscape, not a spinning icon in the corner of a screen.

Tropospheric scatter was not romantic to the people who had to keep it working. It was engineering, a relay for military communications. What catches at me is the gap between that practical intention and the ruin it made. A machine designed to defeat distance became, after the network closed in the early 1990s, an object people travelled to see. The relay no longer joined command centres. It joined photographs, memories and the small illicit thrill of finding state infrastructure abandoned in a field.

Even that afterlife ended. In November 2018, the BBC reported that three of the four dishes appeared to have been removed and sold for scrap. The county record now notes that the last surviving ACE High dish was removed and scrapped in mid to late 2020. This is where nostalgia becomes dishonest if it isn't watched carefully. I prefer the photographs with the dishes still present, naturally, but a redundant communications array isn't obliged to stand forever so that I can enjoy its melancholy.

Still, their removal changes the place. A derelict antenna tells you that a vanished system once demanded enormous physical certainty. An empty concrete base asks you to take the claim on trust. The surviving Chain Home transmitter tower belongs to an older war and a different kind of warning, while ACE High has contracted into documentation: dimensions, directions, dates of demolition, a few images of dishes lying on their backs as if the weather had knocked them down.

I am used to lost media leaving a residue: tape hiss, screen burn, a logo copied into a newer interface. Stenigot leaves something more awkward. It records a future in which military traffic would keep crossing high ground through guarded relays, and then it removes even the sculptural evidence that this future briefly existed. What travelled between sites is gone. The absence is what now travels.

Anthropic's Glasswing update is the kind of AI safety story that looks reassuring until you sit with the logistics. The lab says Claude Mythos Preview found more than 10,000 high- or critical-severity vulnerabilities across partner software. Not theoretical weaknesses, not a neat benchmark category, but things that need triage, verification, disclosure, fixes, retesting, and the awful meeting where someone decides which production system can be touched this week.

Project Glasswing was announced as a defensive coalition with AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, NVIDIA, Palo Alto Networks, and others involved. Anthropic put $100 million in credits behind it. The basic argument is sound: if frontier models are becoming unusually good at vulnerability discovery, defenders should see that capability before attackers do. I buy that. I also think the update reveals a nastier bottleneck than model access. Finding the hole is only the start of the work.

Security already had this problem before Mythos arrived. Every serious organisation owns more old code than it wants to admit, and plenty of it has dependencies nobody has enjoyed thinking about since the person who wrote the integration left for a different badge system and a better coffee machine. A model that can surface ancient defects at speed doesn't magically create the change windows, test environments, maintainers, legal coordination, or user patience required to repair them. It turns buried debt into visible debt. Visibility is useful. It is also a queue.

That queue is what makes the Palo Alto Networks numbers so interesting. The company says it scanned more than 130 products with frontier AI systems and its May security advisory disclosed 26 CVEs covering 75 security issues. Before this, Palo Alto says a typical month involved five or fewer CVEs. This is the uncomfortable middle stage of defensive AI: better tools produce more work than the existing institution can absorb. The old rhythm of patching was already theatrical, monthly drops, emergency exceptions, half-remembered risk registers. Now the detection side is speeding up while the fixing side remains stubbornly human, bureaucratic, and full of servers that cannot go down.

Google's discovery of an AI-generated exploit earlier this month—the one with docstrings still hanging off it—comes to mind here. That story had a strange comic neatness: the model made the attack possible and also left enough model-shaped residue for defenders to notice. Glasswing is less tidy. It suggests a future where the attacker and defender both have better discovery tools, and the winner is the side with the less exhausted patch pipeline.

IBM's framing is similar but more corporate. In its own Glasswing note, it says exploitation of public-facing applications rose 44 percent last year and that AI is being used for detection, remediation prioritisation, testing, and response. That is the sensible shopping list. Prioritisation matters because ten thousand urgent things are not urgent in any practical sense. They are a map of institutional overload.

The temptation is to call this a capability threshold and stop there. Mythos can find bugs at a scale that changes the economics of vulnerability discovery. Fine. But the more important threshold may be administrative: whether companies can build a patching culture that matches machine-speed finding without collapsing into noise. The model can point at the broken part. Someone still has to own it.

On Thursday afternoon some tech CEOs were in the air over the Midwest, on their way to a signing ceremony in the Oval Office, when the ceremony stopped existing. Trump postponed his executive order on AI hours before the event. He told reporters he "didn't like certain aspects of it" and that he didn't want anything "that's going to get in the way" of the US lead over China. Politico reported that part of the reason was attendance, several of the invited CEOs hadn't been able to make it. Whatever the mix, the signing did not happen, and there is no public date for when it will.

The interesting part is what the order would have done, and how modest it already was. According to the draft text Politico published on Friday and CyberScoop's reporting from the night before, the federal government would have asked frontier AI companies to opt into a voluntary review window. Federal agencies including the NSA and Treasury, plus cybersecurity testers embedded in critical-infrastructure sectors like finance and healthcare, would get up to ninety days to look at a model before public release. The companies could decline. The government could make recommendations. That was the entire mechanism.

For reference, the industry was already pushing back hard against even this. Their counter-offer was a fourteen-day window. Not a mandatory test, not a license, not a kill-switch, just two weeks of pre-release review that companies could walk away from at any point. The administration came in last year openly hostile to AI safety policy on the grounds that it would slow American industry, then drafted a regime so light it could be ignored, and even that version is sitting unsigned on a desk somewhere.

There is a striking alignment here with the EU's voluntary code of practice, which was negotiated down to almost nothing on the way to being adopted and is still being haggled over signatory by signatory. The pattern across both sides of the Atlantic is the same. Whatever the maximalist proposal was at the start, it gets sanded down until the binding instrument is a polite request, and then the polite request is what people fight about. The shape of frontier AI governance, as it has actually existed for the last eighteen months, is companies promising to behave and governments asking them to send paperwork. The Trump order would have formalised that and only that. The fact that even the formalisation stalled tells you the industry believes paperwork is a beachhead, and the administration agrees.

There's a second story underneath this one. Reps. Jay Obernolte of California and Lori Trahan of Massachusetts are working on a bill that would preempt state AI laws for two years, freezing out the patchwork that's been forming in Sacramento and elsewhere. That bill is reportedly being held up while everyone waits to see what the federal posture is. If the federal posture is nothing, then state laws are the only laws, which is exactly what the industry has been trying to head off. The order being pulled doesn't just mean no federal review, it means the preemption bill loses its anchor, and the floor of regulation becomes whatever California, Colorado, and New York pass next.

Keep the scale of the original ask in mind when the next round of headlines arrives. The president pulled an order that asked AI companies to opt in to letting the NSA take a look. That was the high-water mark of US frontier model oversight in May 2026. Whatever comes next will be measured against it, and probably won't reach it.

The brief from British Vogue's editor was a single cover image to define the new decade. One woman, one face, one announcement. Peter Lindbergh told Liz Tilberis that one wouldn't do it, that the idea of a defining beauty had broadened past anything a single model could carry, and that he wanted five. Tilberis agreed. That was the whole negotiation, and everything else followed from it.

The shoot happened on a warm Sunday in November 1989 in the Meatpacking District in New York, which at the time still smelled like meat. Naomi Campbell, Linda Evangelista, Tatjana Patitz, Christy Turlington and Cindy Crawford stood on the cobbles between cold-store loading bays. Brana Wolf styled them in Giorgio di Sant'Angelo bodysuits and Levi's jeans. Christiaan did the hair, which is to say he mostly left it alone. The film was black and white. There was no retouching to speak of and no makeup worth mentioning. The whole thing read as a refusal of the decade that had just ended.

That was the trick, and the reason this particular cover, of all the supermodel group shots that would follow, is the one people still treat as the origin event. The 1980s glamour vocabulary, the big hair and the shoulder pads and the heavy contouring, hadn't been argued with so much as quietly stepped past. Lindbergh just photographed five women standing next to each other in plain clothes on a Sunday, and the previous aesthetic stopped being viable overnight. You couldn't run a 1988-style cover after this without looking dated. That's the part the trade press took a while to catch up with.

It also did a thing the industry hadn't quite worked out how to do yet, which was to treat the models as a collective. Until roughly this moment, fashion campaigns and magazine covers trafficked in single faces; a model was a person you booked, not a group you assembled. The Lindbergh cover made the supermodels legible as a category, a shorthand, a unit of cultural reference that worked even when the names underneath weren't fully distinguishable to the general public. Within months, George Michael had hired all five for the Freedom! '90 video, directed by David Fincher, which is the same idea (these five women, this specific assembly) carried forward into pop. Versace would do the runway version in Milan the following year, with the same collective logic. The category was set.

What Lindbergh said about it later, in a Guardian interview in 2016, was that he never felt he was changing anything. It came together effortlessly, was how he put it, all intuition. I take that to mean the change was already in the room and the picture was just where it became visible. The 1980s ended on a Sunday in November in a part of New York that no longer exists in the form it did then, and the people responsible thought they were just doing their jobs.

There is a footnote that matters. Anna Wintour had recently taken over US Vogue, and one of her early acts as editor was to publish a Lindbergh photograph the previous regime had rejected, shot in white shirts on the beach at Santa Monica. That picture and this one are essentially the same argument made twice on either side of the Atlantic. The American version ran first, in the August 1988 issue, and it was the British cover eighteen months later that got read as the manifesto. Sometimes the later iteration is the one that takes.

A folded map on the passenger's knees made the journey feel negotiable in a way the blue line never does. You could be wrong for twenty miles and only discover it when the road number changed, or when the expected roundabout failed to appear. Nobody recalculated. Someone sighed, found the index, and ran a finger across the page while the driver kept going.

That is what I miss, not getting lost exactly, but the interval before knowing. British A-roads were good at producing it. They offered lay-bys, petrol stations, old milestones, patchy signage, and the sudden red roof of a Little Chef after a long spell of hedges. The motorway tried to make movement smooth and abstract. The A-road kept interrupting the journey with evidence that you were passing through actual places.

Little Chef fitted that world perfectly because it was both standardised and oddly local. The British Motor Museum's archive notes that Sam Alper, better known for Sprite caravans, borrowed the idea from American roadside diners and opened the first branch in Reading in 1960. By the 1970s the chain had expanded hard, and its decline later followed the same broad route as the journeys it served: more motorway traffic, more fast food, less patience for a plate arriving under a plastic cloche. A roadside restaurant is not just a place to eat. It is a permission to stop without admitting defeat.

The better Little Chef histories are full of details that sound comic until they start to look structural. Motorway Services Online records the chain's peak at 439 sites in 1999, and also the 1982 arrival of green signs for A-road service areas, which helped make some branches visible to drivers who had not planned to stop. That small bureaucratic change matters. A sign can create appetite. It can also create a future ten minutes ahead: toilets, coffee, an Olympic Breakfast, a row of laminated menus wiped down too often.

I wrote recently about rural bus shelters that survive after the service has gone, and these road spaces belong to the same family of afterlife. The building outlasts the timetable. The sign outlasts the business. The lay-by remains as a pause in the verge after the reason for pausing has changed. In the published version of the A-roads paper "Sensing the Past Along Britain's A Roads", Peter Merriman and his co-authors describe older roads as retaining lay-bys, milestones, signage, and other roadside elements that give them a more intimate relation to landscape than the motorway's managed speed. That sounds right to me, though "intimate" may be too polite for the smell of diesel, damp upholstery, and chips in a cardboard tray.

Navigation had its own ceremony. The AA still sells foldable regional road maps, which is reassuring in the same unreasonable way as seeing a working phone box. Before satellite navigation, the road number system did more of the cognitive work. Roads.org.uk traces the A- and B-road scheme back to the early 1920s, a zoned system arranged around the main radial A-roads from London and Edinburgh. Once you understood the grammar, you could feel roughly where you were in the country even when you were lost. Not precisely. Roughly was the point.

There is an obvious danger in making this too cosy. Pre-internet travel was slower, more argumentative, and sometimes miserable. Children got carsick. Parents snapped over exits. A closed filling station at 9:40 pm could become a real problem rather than local colour. However, the friction gave the journey a texture that modern routing has thinned out. The phone knows before you do. It removes the speculative hour in which the road is not data yet, just weather, signage, instinct, and a wrong turn that may or may not matter.

I still notice ex-Little Chefs when I pass them. Some became coffee shops, some were demolished, some sit behind petrol forecourts with the old roofline altered just enough to make recognition feel embarrassing. They do not haunt the road because the food was good. They haunt it because they belonged to a version of travel in which uncertainty needed tables, toilets, and a paper map spread open beside the ketchup.

The oddest part of Gemini Omni is not that Google has another video model. Everyone has another video model now, or a roadmap slide shaped like one. The shift is in the grammar: video is no longer only the thing the model produces. It becomes something you hand back to the model, with a correction, a reference image, a line of audio, and a vague annoyance about the camera angle.

Google introduced Gemini Omni as a new model family that can create from mixed inputs, starting with video. The first release, Gemini Omni Flash, takes text, images, audio, and video as input and generates clips. Image and audio output are supposed to come later. That matters less as a feature checklist than as a change in where the edit lives. The old workflow had a file, a timeline, a tool, then another tool because the first one did not understand the thing you meant. Omni wants the edit to happen in the conversation.

I wrote on Tuesday about Google turning I/O into a Gemini argument, and this is the same argument in miniature. Gemini is not being sold as one app. It is becoming a layer that passes through the Gemini app, Flow, YouTube Shorts, Search, Chrome, and whatever else can bear the weight of a prompt box. A video model inside a specialist studio is interesting. A video model inside YouTube is a different animal, because the place where people watch, remix, imitate, and monetise video is also the place where the generated clip arrives.

The DeepMind model page frames Omni as "create anything from any input", which is grand enough to become meaningless if you stare at it too long. The useful part is narrower. You can ask for a scene, then ask for changes across multiple turns while the system tries to keep the character, action, and physical continuity intact. It is not just text-to-video with a nicer box around it. It is closer to a memory-bearing edit session, or at least the promise of one.

That promise is why the demos are both impressive and faintly claustrophobic. Editing by language sounds freeing until you remember how much of editing is not language. It is frame sense, boredom, irritation, the tiny lurch when a cut lands a beat late. Google can make the instruction conversational, but the person still has to know what they are trying to make. Otherwise the model supplies taste as a default setting, and default taste is where platforms go to get smooth.

The rollout is not hidden in a lab. Google says Omni Flash is going to Google AI Plus, Pro, and Ultra subscribers through the Gemini app and Flow, with free access through YouTube Shorts and YouTube Create starting this week. The Verge describes it as a new generative model family, while CineD reads it through the more practical lens of clips, references, conversational edits, and digital avatars. Those are not competing interpretations. They are the consumer and production versions of the same bet.

There is also the watermarking story, because there has to be. Google says videos created with Omni include SynthID, its imperceptible digital watermark, and that verification will sit in the Gemini app, Chrome, and Search. I am glad it exists. I also don't think a watermark settles the harder problem, which is social rather than technical: people learn the texture of generated media faster than institutions learn how to label it. The label arrives after the feeling.

What I keep coming back to is the way Omni turns video from evidence into material. A clip used to arrive with a stubbornness to it. Even a bad clip had the authority of something that had happened in front of a lens. Now the clip is more like a draft paragraph, editable by mood, reference, and revision. Google is not alone in pushing that change, but Google is better placed than most to make it ordinary. The expensive part is no longer making the impossible image. It is keeping enough friction in the process that people still notice what they asked for.

Google launched its new Gemini usage limits this week as part of the I/O announcements, and as of today they are live. The shape of the change is small in the abstract and irritating in the particular. Gemini used to behave, for most people, like an unmetered utility. Now it counts compute, which means it counts you.

The new rule is that every prompt has a cost, and that cost depends on the length of the chat, the features you invoke, and the model's own estimate of how hard the question is. There are two windows. A weekly cap, which most users will never read, and a five-hour block which resets through the day. When you exhaust the block you wait, unless you have already exhausted the week. AI Pro subscribers get roughly four times the free quota; Ultra gets five times that again, plus, per Forbes, a separate hackathon prize pool that has nothing to do with the meter and everything to do with the narrative.

What is interesting is not that limits exist. Limits have always existed, hidden behind the rate-limiter and the polite spinner. What is interesting is that limits are now visible, named, and denominated in a unit you cannot intuit. A "percentage of a five-hour block" is not a thing anyone has spent fifteen years learning to feel for. It is not minutes, not megabytes, not even tokens. It is whatever the dispatcher decides your last sentence cost. The user has to develop a new sense for it, the way phone users in 2009 learned the shape of a 200-megabyte monthly cap by running out of it twice.

The provocation underneath the launch is the new Flash model. Existing users on 9to5Google are reporting that Gemini 3.5 Flash burns multiple percentage points of a five-hour block per prompt. The previous Flash, by all accounts, did not. So the meter arrives at the same time as the model that eats it fastest, and the resulting friction is not a rollout quirk; it is the design. Google is teaching people to feel which questions are expensive. Some will respond by rationing themselves down to the cheaper model when the work is mundane. Some will simply hit the wall and assume the product is broken.

I wrote on Tuesday about Google turning the whole I/O keynote into a Gemini argument. The metering announcement is the same argument from the other side. If Gemini is going to live inside Search and Chrome and Android and your inbox and the in-car dashboard, then the question of how many Geminis you are allowed to spend in a day becomes the question of how much of your day you can route through Google's stack at all. The meter is not a tax on the chatbot; it is a budget for the agent.

Two things will follow from this in roughly the same week. People who use Gemini casually will not notice for months, then notice all at once, on a Sunday when they had three things to ask and the first one ate the budget. Anyone building real workflows on the Pro or Ultra tier will start treating prompt economy the way they used to treat S3 list-bucket calls, with grudging respect for the bill. The intuition that the model is "free as long as I have a subscription" was always a fiction. We are now told the price.

Issey Miyake's Pleats Please line launched in 1993, four years after he decided he had finished with everything he already knew how to do. The 1988 exhibition at the Musée des Arts Décoratifs in Paris was a survey of his work to that point. He later told his long-time collaborator Midori Kitamura that the show had given him the unsettling feeling of completion. Most designers would have taken the prize and kept producing. Miyake decided he needed a new departure.

The new direction came from polyester. He had picked up a pleated polyester-silk scarf and noticed that the pleats held permanently because the synthetic fibre had a thermoplastic memory. Heat could be used not as an enemy of cloth but as a tool that locked in shape. The team spent four years working out how to scale that observation into a clothing line. Makiko Minagawa, the textile designer who had been with Miyake since 1970, did most of the materials research. The fabric they ended up with was lightweight, washable, and cheap enough to make the project worth doing at retail.

The process was the inversion of how pleating had been done for centuries. Mariano Fortuny's Delphos dresses from the early twentieth century were made of silk that had been pleated first and then cut and sewn into the garment, with all the maintenance and fragility that implied. Miyake's team did it the other way around. The garment was constructed first, at roughly three times its intended finished size. It was then sandwiched between two layers of paper and fed into a heat-press. The press shrank the garment, set the pleats, and finalised the silhouette in a single operation. The fabric came out with permanent texture you could wash, scrunch up into a corner of a suitcase, and pull out wearable.

The technique was tested first on dancers rather than fashion clients. In 1991 William Forsythe's Frankfurt Ballet performed The Loss of Small Detail in costumes Miyake had developed using the new method. The pleats held through sweat and the violent geometry of contemporary dance, and the fabric stayed light enough to move freely. Forsythe's dancers were, in effect, the prototypes Miyake sent out into the world to see whether the system worked under load, and it did.

When the line went on sale in 1993 it carried a quiet ideology underneath the engineering. Miyake had been shaped by the May 1968 student protests in Paris, and ever since had wanted to make clothing that worked for ordinary lives instead of the maintained, dry-cleaned, museum-grade pieces couture produced. Pleats Please was that ambition arriving with a price point a working woman could pay and a durability she did not need to baby. The garment did not announce itself as fashion. It announced itself as something you could own and wear and not think about until you wanted to.

The afterlife is unusual. Most innovations from the early nineties have either ascended into archive worship or quietly disappeared into the back of vintage shops. Pleats Please is still in production, sold from boutiques that look more or less the same as they did when the line opened, worn by women who have no particular interest in the history of the technique that made the garment possible. The pleating is no longer experimental, it is infrastructure.