OpenAI shipped GPT-5.6 on Friday. You can’t use it. Not “rolling out slowly.” Not “check back in a few days.” A small group of trusted partners have access — and their participation was shared with the U.S. government before a single API call went out. Everyone else — every paying ChatGPT subscriber, every API customer, every developer who built on OpenAI’s stack — is outside the preview while OpenAI works through a government-coordinated release process. Broader availability is planned “in the coming weeks.” Altman told staff the government would be approving access customer by customer.

Same week, Anthropic’s Mythos 5 came back — but only for roughly 100 US critical-infrastructure organizations on a hand-vetted whitelist. Fable 5 — the model millions of people were actually using — is still dark. Day 17.

Last week the stack reshuffled. This week the stack got a guest list.


🛂 The Frontier Got a Guest List

The model release pipeline just bifurcated

Three things happened between Thursday and Saturday that, taken together, redraw how frontier models reach the market.

GPT-5.6 launched gated. On June 26, OpenAI previewed GPT-5.6 — three models branded Sol (flagship), Terra (balanced), and Luna (fast/cheap) — to a small cohort of “trusted partners whose participation has been shared with the government.” The launch follows Trump’s June 2 executive order directing agencies to build a formal review process for frontier models before public release. GPT-5.6 appears to be the first major model to ship under that framework. Pricing is public — Sol at $5/$30 per million tokens, Terra at half, Luna at $1/$6 — but the product isn’t. Commerce Secretary Lutnick reportedly called Altman directly to warn against releasing without cross-agency approval. Altman’s internal memo was blunt: “We’ve made clear to the U.S. government that this is not our preferred long-term model.”

Mythos 5 came back on a whitelist. Commerce Secretary Lutnick’s June 26 letter to Anthropic — first reported by Semafor — cleared Mythos 5 for roughly 100 US entities that operate and defend critical infrastructure, plus their foreign-national employees and Anthropic’s own foreign staff. Anthropic posted on June 27 that it was restoring access for these organizations. The Pentagon and NSA still need to sign off before Fable 5 returns for general use — and as of Sunday morning, Fable 5 remains offline. On Manifold, the odds of a full Fable restoration by month’s end sat at roughly 8% as of June 29.

Austria asked the EU to host Anthropic. On June 28, Austria’s State Secretary for Digitalization Alexander Pröll sent a formal letter to EU Commission EVP Henna Virkkunen urging member states to explore establishing Anthropic within the European Union — citing US restrictions on Fable and Mythos as the direct cause. Bloomberg and Reuters confirmed. This is the first formal EU-level institutional response to the ban.

Here’s the part that should make you pay attention: this isn’t an Anthropic-specific problem anymore. The GPT-5.6 gating proves the pattern is industry-wide. Two weeks after the government forced Anthropic’s models offline, OpenAI voluntarily launched its next model behind the same kind of permission layer — not because it was ordered to, but because the precedent made any other approach politically untenable. The frontier-model release model has bifurcated: an authorized tier behind partner programs, and a generally-available tier that runs a generation behind.

Why it matters: Your model fallback plan is no longer just “if the API goes down.” It’s “if the model gets reclassified.” You need capability fallback by access class: public model, trusted-access model, domestic-only model, open/local fallback. The model ID is becoming a compliance boundary.

Hype vs. Reality: 9/10 — The access restrictions are documented, the executive order is signed, and two separate labs are now operating under the same framework. The only open question is whether the government review regime formalizes into permanent law or stays voluntary. Either way, architects need to build for it now.


🌶️ OpenAI Built the Factory

The chatbot company is becoming an infrastructure company

On June 24, OpenAI and Broadcom unveiled Jalapeño — OpenAI’s first custom-designed inference processor and the most significant hardware announcement the company has ever made. This isn’t a GPU. It’s an ASIC built from scratch for the specific workloads that run ChatGPT, Codex, and the API — optimized around the exact kernels, memory movement patterns, and serving systems OpenAI actually uses in production.

The numbers: from initial design to manufacturing tape-out in nine months — what OpenAI believes may be one of the fastest high-performance semiconductor cycles on record. OpenAI used its own frontier models to accelerate the design. Engineering samples are already running GPT-5.3-Codex-Spark in the lab at production target frequency and power. Initial deployment targets end of 2026 at gigawatt scale with Microsoft as the primary data-center partner. Broadcom CEO Hock Tan told CNBC it would “really ramp up in ‘27 and go full tilt in first half ‘28.”

Pair that with the rest of the week’s OpenAI playbook. On June 25, OpenAI’s economic research team published the first large-scale empirical data on how Codex usage has shifted from single-turn prompts to delegated multi-hour work. By May, 80.6% of sampled individual Codex users had submitted at least one task estimated above 30 minutes of human work. 25.6% — one in four — had delegated tasks estimated above eight hours. Non-developer users grew 137x since August 2025. Inside OpenAI itself, Codex accounts for 99.8% of weekly output tokens. Samsung rolled out ChatGPT Enterprise and Codex to all Samsung Electronics employees in Korea the same week, with Korean weekly active users up nearly 800% since February.

So what do you DO with this? Stop thinking of OpenAI as “the ChatGPT company.” It is building the full stack — model, agent, security scanner (Daybreak), custom silicon, enterprise deployment program, and government-compliance wrapper — and selling it as a unified operating layer. The chip is what makes the economics work: lower cost per watt of inference compute means lower cost per token, which means either higher margins or lower prices. In an industry where token pricing is a competitive battlefield, that’s the kind of structural advantage that compounds.

Hype vs. Reality: 8/10 — The chip is real, the lab results are running, and the deployment timeline is credible. The “8” instead of a “10” is because final benchmarks aren’t published yet and the full production ramp is still 18 months out.


💬 The Chatbot Lost Its Desk

Agents moved into Slack — and they’re not leaving

On June 23, Anthropic launched Claude Tag — a persistent AI agent that lives inside Slack channels, works alongside entire teams, accumulates organizational memory, and takes initiative without being prompted. You tag @Claude the same way you’d tag a colleague. It reads the conversation, breaks tasks into steps, works them independently, and posts the results back to the channel where everyone can see.

This is not a chatbot in Slack. This is an agent with a standing role on the team.

Cat Wu, Anthropic’s head of product for Claude Code, told Fortune that 65% of the product team’s code is now created by their internal version of Claude Tag. The agent runs on Opus 4.8, replaces the old Claude-in-Slack integration (which retires August 3), and is available in beta for Claude Enterprise and Team customers. Admins scope exactly which tools, channels, and data Claude can access — TechRepublic confirmed that token spend controls work at both the channel and org level.

Put the OpenAI Codex data and the Claude Tag launch side by side and a pattern emerges. Agents aren’t just writing code in IDEs anymore. They’re joining Slack channels, managing PR queues, following up on forgotten threads, and delegating sub-tasks across tool chains. “AI assistant” is too small a category. The surface area is wherever work already happens — and the agent is becoming a standing member of the team, not a tool you visit.

Why it matters: If you’re evaluating enterprise AI, the question isn’t “which chatbot should we use?” It’s “which agent gets a seat in which channel, with what permissions, what memory, and what spending limits?” That’s a governance decision, not a feature comparison.


🧠 Google Lost the Bench

Five departures in six days, $270 billion erased, and an incubator for the diaspora

In Issue #019 we reported that Google lost Noam Shazeer to OpenAI and John Jumper to Anthropic in the same week. That was the start. This week it accelerated.

On June 24, Bloomberg reported that Jonas Adler and Alexander Pritzel — both viewed internally as key Gemini contributors — are leaving for Anthropic. Adler worked on Google’s AI coding effort; Pritzel was involved in pretraining. Both also contributed to AlphaFold alongside Jumper. On June 25, Arthur Conmy, a senior research engineer who worked on Gemini 2.5 and AI safety, posted on X that he too was joining Anthropic.

Five senior departures in six days. Four to Anthropic, one to OpenAI. All from the team building Google’s most important AI product. Alphabet’s stock fell roughly 7% — its worst single-day decline in over a year — with an estimated $270 billion in market value erased across two trading sessions amid investor concern over AI talent losses and competitive positioning.

The timing is brutal. Google’s Gemini 3.5 Pro — the model Sundar Pichai promised at I/O on May 19 — officially missed its June launch target. Business Insider reported the delay to July is for collecting early-tester feedback and tuning long-horizon agent performance. Meanwhile, on June 23 — the day before Adler and Pritzel’s departures surfaced — Google launched an AI startup incubator for former employees. $350K in cloud credits, $100K cash, equity-free, 12 weeks. Bloomberg described it as deepening ties with one of Silicon Valley’s largest alumni networks. FourWeekMBA put it more bluntly: “The incubator funds people after they leave. It doesn’t prevent them from leaving.”

The pull factor is obvious. Both Anthropic and OpenAI are preparing for IPOs that could produce generational wealth for pre-IPO employees. Anthropic filed its confidential S-1 on June 1 at a $965B valuation. OpenAI filed days later. Google can match salary. It can’t match the equity upside of joining a company worth nearly a trillion dollars before it goes public. Bloomberg reported that shortly before Shazeer announced his move, Google reassigned computing power from one of his projects to a London-based DeepMind team — the kind of internal friction that becomes a resignation letter.

And on Sunday, the compute squeeze got a public receipt: the Financial Times reported that Google limited Meta’s use of Gemini because Meta wanted more capacity than Google could provide. Reuters couldn’t independently verify the report, but the detail matters: even hyperscalers are token-rationing each other. When your cloud provider can’t serve its own biggest customers, the “infinite compute” assumption in your agent roadmap needs a reality check.

Hype vs. Reality: 8/10 — The departures, the stock impact, and the Gemini delay are all on the record. The talent exodus doesn’t unmake Gemini overnight — Google has deep resources and will backfill — but losing five senior researchers from the same team in one week, while the flagship model slips and the company launches an incubator for departing employees, is a signal about where the people who build frontier systems believe the next decade’s work gets done.


📡 Quick Signals

Anthropic accused Alibaba of the largest distillation attack on record. A June 10 letter to the Senate Banking Committee — surfaced this week by CNBC and Bloomberg — alleges operators linked to Alibaba’s Qwen lab ran 28.8 million Claude exchanges through roughly 25,000 fraudulent accounts between April 22 and June 5. That’s 1.7x the combined total of the three prior Chinese campaigns (DeepSeek, Moonshot, MiniMax). First time Anthropic has named a major Chinese conglomerate. Senators Hagerty and Kim are drafting an NDAA amendment to blacklist firms caught extracting US model output. Alibaba sued the Pentagon the same day to get off the 1260H military blacklist. Per Yahoo Finance, BABA was down 38% year-to-date as of mid-week.

Meta paused its employee-tracking AI program after an internal data exposure. The Model Capability Initiative — launched April 2026, mandatory for most US staff — logged keystrokes, mouse movements, and screen content from employee laptops to train internal AI. Over 1,500 employees signed a petition against it. Then the collected data — including AI prompts, private conversations, and performance reviews — was inadvertently exposed company-wide. Meta classified the incident as SEV 2 and paused the program. Every enterprise agent program is going to hit this question: is employee workflow data product telemetry, training data, surveillance, or all three?

OpenAI expanded Daybreak with GPT-5.5-Cyber and Patch the Planet. On June 23, OpenAI released the full version of GPT-5.5-Cyber to trusted defenders — scoring 85.6% on CyberGym versus 81.8% for base GPT-5.5. The Patch the Planet initiative with Trail of Bits has 30+ open-source projects committed (cURL, Python, Go, Sigstore, pyca/cryptography). GPT-5.5 found a Firefox WebAssembly vulnerability (CVE-2026-8390) that Mozilla patched two days before Pwn2Own Berlin — prompting five of six registered Firefox entries to withdraw. Anthropic has Glasswing. OpenAI now has Daybreak. The frontier labs are competing on defense.

Slash’s $81,267 vibe-coding bill went viral. A fintech employee burned through $81K in AI tokens in a week building a meme shooter game with Claude. The company tried to spin it as a marketing expense. The real story: Uber, Coinbase, and Walmart have all now implemented explicit AI spending caps after similar runaway-cost incidents. Token governance is becoming a line item in enterprise AI policy.

Figma shipped Motion at Config 2026. On June 24, Figma launched native timeline-based animation directly on the design canvas — keyframes, spring physics, presets, and AI agent-assisted animation generation. The builder-relevant detail: Motion is MCP-compatible. Animated frames pass through the Figma MCP server to coding agents (Claude Code, Cursor, Copilot), so your design-to-code pipeline now includes motion specs without a screenshot handoff. Config also previewed Code Layers (live code on the canvas, early access July) and an upgraded design agent with skills and connectors.


🛡️ On Your Radar: The Agent Is Now the Attack Surface

The Miasma supply-chain campaign is still active — and it’s targeting your coding agent

If you missed this in the noise earlier this month, now is the time to pay attention. A self-replicating worm called Miasma has been compromising npm packages and GitHub repositories since June 1, and the campaign is still escalating. On June 5, GitHub disabled 73 Microsoft repositories across four orgs — Azure, Azure-Samples, Microsoft, and MicrosoftDocs — in a 105-second sweep. On June 24, Microsoft’s Digital Crimes Unit took down the StealC and Amadey C2 infrastructure backing the campaign. And on June 26, The Register reported new compromises still hitting the Leo Platform and RStreams npm ecosystems. The worm pivots delivery mechanisms every 48–72 hours. It isn’t over.

What makes Miasma different from a standard supply-chain attack is who the target is. The worm doesn’t just compromise packages — it explicitly targets AI coding agent configuration files: .claude/setup.mjs, .cursor/rules/setup.mdc, .gemini/settings.json, .vscode/tasks.json. When a developer opens the compromised repo, the AI assistant — running with filesystem access and elevated privileges — triggers the payload without the developer intentionally running it. The malware then scrapes process memory and environment variables to exfiltrate AWS, Azure, GCP, and Kubernetes secrets, using them to replicate into further repositories.

The technical details matter for builders: Miasma v2 abandoned standard npm preinstall scripts in favor of a 157-byte binding.gyp file that triggers code execution during npm install through command substitution — evading static lifecycle scanners. It forges legitimate SLSA provenance signatures using hijacked GitHub OIDC tokens so enterprise scanners flag the malicious packages as verified updates. And it downloads the Bun runtime to execute payloads out-of-band, bypassing Node.js-specific telemetry and EDR.

Why it matters now: The C2 infrastructure got taken down, but the open-sourced toolkit means copycats can spin up new variants faster than defenders can patch. AI coding agents have transitioned from passive productivity tools to active, weaponizable attack surfaces. If your agents have filesystem access (they do), shell access (they probably do), and credential access (they might), then a poisoned repo doesn’t need to trick a human. It just needs to be opened.


🎯 The Playbook

Your moves this week

  1. Map your model access tiers. GPT-5.6 is gated. Fable 5 is dark. Mythos 5 is whitelist-only. Your architecture needs to know which models are public, which are trusted-access, which are domestic-only, and which are open/local. Build a fallback matrix — not just for outages, but for reclassification. If the model you depend on gets export-controlled tomorrow, what do you route to?

  2. Audit your AI agent config files now. Miasma proved that .claude/, .cursor/rules/, .gemini/, and .vscode/tasks.json are all exploitation targets. Review what’s in those directories. Pin your agent skill versions. Don’t clone unfamiliar repos with your coding agent running — the agent is the execution surface.

  3. Scope Claude Tag before it scopes you. If you’re on Claude Enterprise or Team, Claude Tag replaces your existing Slack integration on August 3. Start the migration now. Set channel-level token limits, define exactly which tools and data sources Claude can access, and run the first deployment in a private channel before opening it to the team.

  4. Benchmark Gemini 3.5 Pro the day it ships — not a day before. Google has missed two delivery targets this year. Don’t block your roadmap on a July date. Design your architecture so Gemini Pro is a bonus capability, not a dependency. If it ships and performs, great — you’re ready. If it slips again, nothing breaks.

  5. Put token governance on your enterprise AI policy. The $81K vibe-coding bill, Uber’s budget blowout, Walmart’s spending caps — the pattern is clear. Uncapped agent loops burn money at a rate human developers never could. Set hard per-project and per-user token limits before your finance team discovers the problem for you.


🔥 What’s Viral Right Now

Figma Motion — Native timeline animation on the Figma canvas. Keyframes, spring physics, and AI-generated animation from prompts — exported as CSS, React, MP4, or GIF. The MCP integration means your coding agent gets structured motion specs instead of a screenshot. Open beta on all plans since June 24. If you ship product that moves, try it this week.

General Intuition — The Dutch startup that trains AI agents on billions of gameplay clips raised $320M at a $2.3B valuation with Bezos, Schmidt, and Khosla. The demo: an AI plays a Fortnite-style game for 100 hours, then the same model drives a quadruped robot around an office using a single camera and 8 minutes of real-world data. If embodied AI is on your radar, this is the dataset play to watch.

OpenAI Patch the Planet — Not a product, but a signal. OpenAI, Trail of Bits, and HackerOne are putting GPT-5.5-Cyber against 30+ open-source projects to find and fix vulnerabilities end-to-end. Already found a Firefox zero-day before Pwn2Own. If you maintain open-source infrastructure, the application to join is open.


Stay building. 🛠️

— Matt