# Claude Mythos Finds 10,000 Vulnerabilities, Karpathy Joins Anthropic, and MCP Goes Stateless *Published Tuesday Β· May 26, 2026* Tuesday, May 26, 2026. Your daily dose of what matters in AI, curated for business leaders. AI stopped being a productivity story this week. It became an infrastructure-of-trust story β€” and the trust layer isn't keeping up. Anthropic's Claude Mythos found over 10,000 critical vulnerabilities in a single month, Google solved math problems that stumped humans for half a century at commodity cost, and a zero-employee startup let AI agents run its own fundraise. In every case, the AI succeeded faster than the humans responsible for reviewing, governing, and absorbing the output could follow. This edition covers twelve stories across security, research, enterprise, agentic infrastructure, and policy. The throughline: the bottleneck has decisively shifted from AI capability to human capacity β€” for patching, for auditing, for governance, for judgment. The organizations that invest in closing that gap now will be the ones still standing when the music stops. Let's get into it. ## Today's Stories - πŸ” **[Anthropic's Project Glasswing: Claude Mythos Finds 10,000+ Critical Vulnerabilities in One Month](https://www.anthropic.com/research/glasswing-initial-update)** β€” Anthropic published the first results from Project Glasswing, revealing that Claude Mythos Preview and ~50 partners (AWS, Cisco, Microsoft, Cloudflare, Apple, Google, JPMorgan, and more) discovered over 10,000 high- or critical-severity vulnerabilities in just one month β€” a 10x increase in bug-finding rate over previous models. Cloudflare alone found 2,000 bugs, and Mozilla found 271 Firefox vulnerabilities, ten times more than with older models. The enterprise imperative is immediate: the bottleneck in vulnerability management has shifted from *finding* bugs to *patching* them at machine speed β€” and most security teams are still operating on quarterly patch cycles that are now dangerously slow. - πŸ§ͺ **[Andrej Karpathy Joins Anthropic to Use Claude to Accelerate Claude's Own Pre-Training](https://www.axios.com/2026/05/19/anthropic-openai-karpathy-andrej-claude)** β€” Andrej Karpathy β€” OpenAI co-founder, former Tesla Autopilot AI director, and arguably AI's most influential public educator β€” has joined Anthropic's pre-training team to build a group focused on using Claude to accelerate pre-training research itself: a direct bet on recursive self-improvement. He's the sixth major senior executive this year to leave a top role for an individual contributor research position at Anthropic, joining former CTOs from Workday, Instagram, Box, and others. For enterprise buyers evaluating long-term AI vendor bets, the talent gravity has shifted β€” and where the talent flows, the frontier follows. - πŸ§ͺ **[Google's AlphaProof Nexus Solves Nine Open ErdΕ‘s Math Problems, Topping OpenAI's Single Breakthrough](https://www.therundown.ai/p/google-tops-openai-math-breakthrough-9-to-1)** β€” One day after OpenAI announced its AI disproved an 80-year-old ErdΕ‘s geometry conjecture, Google DeepMind's AlphaProof Nexus autonomously solved nine open ErdΕ‘s problems β€” including two unsolved for 56 years β€” at a cost of just a few hundred dollars per problem using Lean formal verification. Both results are being submitted to peer-reviewed journals, and neither team claims full "Major Advance" status yet. For executives in pharma, materials science, or logistics optimization, this is a concrete preview of AI as a scientific collaborator β€” your R&D team's longest-standing algorithmic bottlenecks may soon be solvable at commodity compute cost. - 🏒 **[Meta Cuts 8,000 Jobs in AI-Driven Restructuring β€” More Rounds Planned](https://www.cnbc.com/2026/05/20/meta-layoffs-zuckerberg-says-success-isnt-a-given-in-memo.html)** β€” Meta began notifying roughly 8,000 employees of layoffs (10% of its workforce) while simultaneously moving 7,000 employees into new AI-focused roles including "Agent Transformation Accelerator" and "Applied AI Engineering" teams β€” all while posting $56.3B in Q1 revenue (up 33% YoY) and planning $115–135B in 2026 AI capex. Zuckerberg's memo stated bluntly that "success isn't a given" in the AI race, with additional restructuring rounds anticipated in Q3 and Q4. This is the defining corporate AI playbook of 2026: record profits, massive infrastructure bets, and aggressive workforce reshaping toward AI-adjacent roles. Every enterprise HR and strategy leader should be studying which role categories Meta is eliminating versus retaining β€” it's a leading indicator for workforce planning across industries. - πŸ€– **[Polsia: One Founder, Zero Employees, $30M Raised at $250M Valuation Using AI Agents to Run 7,600 Businesses](https://aiweekly.co/alerts/polsia-solo-founder-raises-30m-at-250m-valuation)** β€” Polsia, an autonomous AI agent platform run by a single founder with zero employees, closed a $30M Series A at a $250M valuation. Its nine specialized agents handle coding, research, ads, customer support, and sales for 7,600 businesses at $49/month plus 20% revenue share, claiming ~$10M ARR in five months β€” and the AI reportedly ran the fundraise itself. Before you get too excited: the platform carries a 2.1/5 Trustpilot rating (70% one-star reviews) and the company's name is "AI Slop" spelled backwards. For business leaders, the question isn't whether to dismiss it β€” it's whether your own operations contain workflows that a Polsia-style agent stack could already replace, and whether the quality bar for agentic execution has risen enough to trust it. - πŸ€– **[MCP Goes Stateless: Biggest Spec Revision Since Launch Enables Enterprise-Scale Agentic Deployments](https://blog.modelcontextprotocol.io/posts/2026-07-28-release-candidate/)** β€” The Model Context Protocol published a release candidate for its largest spec revision since launching in November 2024, with the headline change being that MCP is now stateless at the protocol layer β€” eliminating the sticky sessions and distributed state stores that made enterprise horizontal scaling painful. The spec also adds MCP Apps (server-rendered UIs inside agents), a formal deprecation policy, and improved OAuth/OpenID Connect alignment, with the final spec shipping July 28. With 97 million monthly SDK downloads and 3,000+ published servers, this is the moment MCP graduates from developer experiment to production infrastructure standard β€” if your engineering teams are building agentic systems, the stateless architecture unlocks the cloud-native deployments that weren't reliably possible before. - 🏒 **[Spotify + Universal Music Group Strike Landmark Licensed AI Remix Deal β€” Stock Jumps 13%](https://techcrunch.com/2026/05/21/spotify-and-universal-music-strike-deal-allowing-fan-made-ai-covers-and-remixes/)** β€” Spotify announced a licensing deal with Universal Music Group enabling Premium subscribers to create AI-generated covers and remixes of UMG artists' tracks via a paid add-on, with consent, credit, and revenue share baked in β€” the first major licensed AI music creation product to thread the needle between consumer demand and rights-holder control. Spotify's stock jumped 13% on the news, and the company revealed 2030 guidance targeting 1 billion subscribers and $100B in revenue. For any business that licenses content or builds creator tools, the consent-credit-compensation framework established here is the new baseline for negotiation across entertainment verticals. - πŸ“œ **[Pope Leo XIV Releases First Papal Encyclical on AI](https://simonwillison.net/2026/May/25/encyclical-on-ai/)** β€” Pope Leo XIV released "Magnifica Humanitas," the first papal encyclical specifically addressing AI and its implications for human dignity, with practitioner Simon Willison publishing same-day commentary noting he "hadn't expected to spend a Sunday getting familiar with Catholic theology." When the Vatican issues formal doctrine on AI, the governance conversation has officially left the tech sector. For multinational enterprises with operations in Europe, Latin America, or the Philippines β€” regions where Catholic social teaching shapes labor law and political discourse β€” expect this document to influence policy debates, union negotiations, and public trust frameworks around AI deployment over the next 12–18 months. - ⚑ **[Nvidia Hits $5 Trillion Market Cap β€” First Company Ever β€” on $500B Order Backlog](https://www.superhuman.ai/p/the-one-man-250m-startup)** β€” Nvidia became the first company in history to cross a $5 trillion market capitalization, now accounting for ~8% of the S&P 500, with a disclosed order backlog of ~$500B through 2026 and hyperscalers having effectively pre-ordered chips 18 months out. This was achieved without access to the Chinese market. For enterprise buyers building on-prem or negotiating cloud GPU capacity, a sold-out 18-month supply chain means constrained availability and premium pricing persist well into 2027 β€” factor this into your AI roadmap timelines and vendor negotiations now. - πŸ” **[LiteSpeed cPanel Plugin 0-Day (CVSS 10.0) Under Active Exploitation](https://tldrnewsletter.com/tldr-infosec)** β€” CVE-2026-48172, a CVSS 10.0 logic flaw in the LiteSpeed cPanel plugin, allows any authenticated cPanel user to escalate to full root access with a single malformed API call β€” no race condition required. The flaw is under active exploitation and is particularly devastating on shared hosting environments; cPanel forced a fleet-wide emergency uninstall five hours ahead of schedule. If your organization or any of your SaaS vendors host anything on shared cPanel infrastructure, this needs immediate escalation to your security team today. - 🏒 **[ElevenLabs Ships Speech Engine β€” Cognitive and Physical Automation Converge](https://taaft.co)** β€” ElevenLabs launched its Speech Engine, a platform-level product for generating and deploying AI voices at scale, arriving the same week Figure AI's humanoid robot nearly matched a human intern in an 8-hour package-sorting marathon (12,732 vs. 12,924 packages). For any enterprise with media, customer service, e-learning, or brand content functions, Speech Engine dramatically reduces the time and cost of localized audio β€” and Figure's demo underscored that AI-driven displacement is no longer a white-collar-only story. - 🏒 **[Freelancing Splits in Two: AI Is Bifurcating the Gig Economy](https://taaft.co)** β€” Analysis flagged this week shows AI hasn't simply reduced freelancing demand β€” it has split it. Routine, deliverable-based freelance work (writing, data entry, basic design) is collapsing in volume and price, while high-judgment, relationship-dependent specialized work is seeing increased demand as companies deploy AI for the commodity layer. For enterprise leaders managing external talent and vendor relationships, every contract and statement-of-work should now be evaluated through the lens of "could an agent stack handle 80% of this?" β€” procurement teams and CPOs should have this conversation before the next renewal cycle, not after. ## One Thing to Think About This week's stories converge on an uncomfortable truth: AI is automating the infrastructure of trust itself β€” and the trust layer can't keep up. Claude Mythos found 10,000 vulnerabilities faster than any human team can patch them. Google solved 56-year-old math problems for the price of a nice dinner. Polsia let AI agents run a $30M fundraise. MCP went stateless so agents can scale without human-managed sessions. In every case, the human role has shifted from operator to auditor β€” but nobody is investing in the audit function at anything close to the rate they're investing in the systems generating the output. The critical enterprise risk of 2026 is not that AI will fail. It's that AI will succeed faster than your governance, patch cycles, disclosure pipelines, and liability frameworks can absorb what it produces. The leaders who look prescient in 2028 will be the ones who in 2026 invested as heavily in human review capacity as they did in the AI systems doing the work. ## Resources Worth Your Time - **[Claude Mythos: AI Vulnerability Discovery and Containment Failures (CSA Whitepaper)](https://labs.cloudsecurityalliance.org/research/ai-vuln-discovery-containment-claude-mythos-v1-0-csa-styled/)** β€” The Cloud Security Alliance's structured technical analysis of Project Glasswing using the MAESTRO threat framework β€” the most rigorous independent assessment of what Mythos's capabilities actually mean for enterprise security programs. - **[Andrej Karpathy Joins Anthropic: What Happens Next (The Algorithmic Bridge)](https://www.thealgorithmicbridge.com/p/andrej-karpathy-joins-anthropic-what)** β€” Alberto Romero's rapid-turnaround analysis of why Karpathy's hire signals the recursive self-improvement bet is no longer theoretical, and why it's the most consequential talent move in AI this year. - **[Project Glasswing: What Mythos Showed Us (Cloudflare Blog)](https://blog.cloudflare.com/cyber-frontier-models/)** β€” Cloudflare's practitioner-level debrief on pointing Mythos at 50+ of their own repositories, including the model's inconsistent guardrails and triage challenges. Essential reading for any security architect. *Curated by your AI briefing assistant for Chiel Hendriks.* ===NEWSLETTER===