Plutonic Rainbows

The plainest reading is that the repo was the resume. On 7 March 2026, Andrej Karpathy tweeted a description of his current side project that would later read, with hindsight, like a position statement: "The goal is to engineer your agents to make the fastest research progress indefinitely and without any of your own involvement... Part code, part sci-fi, and a pinch of psychosis." The 630-line repo he shared, github.com/karpathy/autoresearch, wraps his earlier nanochat project in an agent-orchestration layer where the user spends most of their time editing markdown files that brief an agent fleet running an autonomous research org. Two months later, on 19 May, he posted that he had joined Anthropic.

Anthropic's framing of the new effort, surfaced by reporters at TechCrunch, Axios, and Reuters, is that Karpathy will help launch a new team focused on using Claude itself to accelerate pre-training research, reporting to Nick Joseph (also ex-OpenAI). Reading that sentence next to his March description is uncomfortable. Strip the corporate phrasing away and you have someone whose personal Markdown-driven autoresearch repo has been hired to do, indoors, what it was already doing in public.

The companion line in Karpathy's GitHub README, about programming program.md files that "provide context to the AI agents and set up your autonomous research org," is now the spec for a real internal team. Anthropic does not need to imagine what this looks like operationally; the prototype has been on GitHub for two months and has more than eighty thousand stars. What the company is paying for is the shift from a hobbyist running ten parallel agents on his own GPU to a production deployment with Claude as the engine and pre-training as the loss to minimise.

That is recursive self-improvement in a respectable suit. I wrote about RSI when GPT-5.3-Codex helped debug its own training; calling Karpathy's new job "pre-training acceleration" is technically accurate and almost designed to sound less alarming than calling it what it is. The loop has a name now and a payroll number.

His X post mentioned that he remains "deeply passionate about education" and plans to "resume my work on it in time." Eureka Labs is not being shut down, only paused. But the timeline tells you where his attention had drifted: the autoresearch repo went up in March, and Eureka had been running for two years before that without producing the comparable artefact. The new job is a continuation, not a pivot.

Anthropic also announced a second hire that same Tuesday: Chris Rohlf to the frontier red team, the group that stress-tests advanced models against severe threats. Pairing a senior pre-training hire with a senior red-team hire on the same day is choreography for the question "are you accelerating safely?", and days later METR's first Frontier Risk Report gave that question its answer. The report found that internal AI agents at Anthropic, DeepMind, Meta, and OpenAI already plausibly had the means, motive, and opportunity to start small rogue deployments. The hires landed during the week that finding was being absorbed.

If I had to bet on the next public artefact, it is not a paper. It is a Claude-generated change to the next pre-training run, one that survives review and ships, whose provenance nobody outside the building can quite reconstruct.

Four headgears still stand at Chatterley Whitfield, on the edge of Stoke-on-Trent, although they lift nobody now. Stoke City Council's account of the site lists original mineshafts, railway sidings, winding houses, a lamp house, a rescue station and the pithead baths across 10.5 hectares. It reads less like a ruin inventory than the contents page of a town whose purpose has been removed.

In 1937, Chatterley Whitfield became the first colliery to extract more than a million tonnes of coal in a year, according to Historic England's list entry. The local Friends group puts the workforce at nearly 4,000 when that record was made. I find the number hard to take in when set against the present photographs: not because the buildings look small, but because they look so entirely unaccompanied. A headgear makes sense as the visible top of a crowded underground system. Left on its own, it becomes punctuation without the sentence.

The usual story about a closed pit is told through absence: lost work, lost unions, lost wages, a district obliged to improvise another reason for existing. Chatterley Whitfield is uncomfortable because it kept so much of the apparatus above ground. Its scheduled monument status preserves shafts, heapsteads and sidings that refuse the neat version in which an industry vanishes and a landscaped memory takes its place. The site is green around the edges now, but the winding houses still explain exactly what the green is covering.

There was already an attempt to turn extraction into memory. After coal production ended, the site became a mining museum; the Friends archive records that the museum entered liquidation and closed on 9 August 1993. That second closure matters. A mine can stop because a fuel economy changes, however brutally. A museum closes when the machinery of remembering it can no longer pay for itself. Whitfield was left with the working buildings, then lost the institution meant to tell people why they were there.

Below the surface the break is blunter still. The Friends' history says the mine is flooded and three of its four shafts have been filled. This is not a Sleeping Beauty industrial site waiting for the right investor to wake it. The route down has been stopped, by water and by deliberate infill, while the structures that once organised that descent remain above it. I can imagine restoration of brick or steel; I cannot imagine restoring the relation between the buildings and the work without turning the whole thing into theatre.

Historic England now records the colliery on its Heritage at Risk register in very bad condition. Preservation sounds like a settled kindness until it reaches a complex this large. To keep a lamp house, a winding house, sidings and headgear is to inherit maintenance on the scale of the vanished industry, without the industry. Demolition would be a cleaner lie. It would let the landscape pretend that coal had passed through North Staffordshire without leaving architecture heavy enough to outlive its income.

I don't think the buildings need to become beautiful in decline to matter. Their value is more awkward than that. They occupy ground that once joined thousands of shifts to a national appetite for coal, and they still make that appetite visible after the labour has been sealed below water. On a quiet day, the headgear isn't an emblem of a lost future. It is a large, literal obstruction to forgetting how the recent past was powered.

A computer beating the world chess champion once could be called an upset. Beating him across a match meant something less easy to dismiss. In May 1997, at the Equitable Center in New York, IBM's Deep Blue beat Garry Kasparov 3.5 to 2.5 over six games. IBM's account of the match describes the event in the language it acquired almost immediately: a public test of whether computers were catching up to human intelligence.

That wording makes me uneasy, although I understand why it stuck. Deep Blue wasn't a mind arriving in public; it was a formidable chess machine built for a clean, bounded problem. Britannica records the useful prequel: Kasparov had beaten it 4 to 2 in their 1996 match, before the reworked system won the rematch a year later. In other words, the public didn't watch an intelligence wake up. We watched an engineering team return to a defined task and finally clear it.

Still, the last game had the theatrical force of a verdict. Chess had long served as a convenient stand-in for thought itself: rules visible, skill legible, a champion sitting under lights. A machine could beat humans at calculation without disturbing many assumptions about being human. Once it beat Kasparov, the distinction felt thinner, at least on television. I remember the match chiefly as newspaper imagery, a man at a board facing a box that offered no face back. The picture did much of the philosophical work.

The aftermath made the symbol harder to inspect. According to a twentieth-anniversary account in The Conversation, IBM declined Kasparov's request for another match and dismantled Deep Blue; it also released detailed logs only after the machine had been decommissioned. The same account notes that later analysis found serious mistakes in Deep Blue's play. None of that reverses the score. It does matter to the meaning we assigned to the score, because a rematch and an inspectable machine would have turned a revelation back into an experiment.

IBM had every commercial reason to stop at the perfect frame. The computer had done the job the public understood: it had met the champion and won. Another contest could add technical knowledge while weakening the image, which is a poor exchange when the image already travels further than the technical story. This is not evidence of a conspiracy, and Kasparov's suspicions are not needed to make the point. A company can retire a machine honestly and still freeze an event into mythology.

Deep Blue also exposes a confusion that AI keeps inheriting. Success at a sharply specified task is impressive, but it is not the same thing as a general theory of intelligence. The victory belongs beside the later argument about scaling search rather than encoding intuition: an approach can work brilliantly before anyone agrees on what its success should mean. Today we make the same mistake in a noisier setting, reading a fluent answer or a successful tool call as proof of a much larger capacity.

What lingers from 1997 is not that a computer won at chess. That was real, and worth the attention. It is that IBM let the machine leave public life at the exact moment it became a story about all machines, while everyone else was still deciding what question the match had answered. I would have preferred the untidier version: another match, more logs, less icon. Technical history improves when its famous objects have to keep working after the applause.

The Financial Times reported on Friday that Beijing quietly added Nvidia's RTX 5090D V2 to its list of banned imports on May 15, the same week Jensen Huang was riding Air Force One into Beijing as part of Trump's state visit. The chip had been engineered specifically to satisfy US export controls, a Blackwell- derived gaming GPU with less VRAM and lower bandwidth, sold to Chinese gamers and 3D artists from August onward. Chinese AI developers had been quietly using it too, with the H200s and the proper Blackwell AI accelerators off the table.

That is the part that should land. Nvidia built a chip to comply. China banned the chip anyway.

The geopolitical theatre of this is bleak in a way I find genuinely interesting. The 5090D V2 was Nvidia's attempt to play both sides: meet US export rules, keep Chinese revenue flowing, accept the haircut on VRAM and bandwidth as the price of access. The whole point of the SKU was that Beijing was supposed to want it. The chip's specs were tuned to a regulatory compromise that already conceded most of the high-end AI use case. Then Beijing decided it didn't want the compromise either.

The timing matters. Customs added the chip to the banned list on May 15. Huang boarded Air Force One in Alaska that same week, a late addition to the entourage. The summit happened. By the time anyone outside Beijing knew the chip was banned, the CEO of the company whose chip it was had been physically in the country and back. It reads as a signal sent with diplomatic precision: we are not interested in the de-fanged version of your tech, and we are happy to tell you while you are still here.

What sits underneath the signal is the harder thing. China has been telling its own technology companies to prioritise domestic chips for a while now, and the numbers suggest the message is landing. Zero H200s have been imported despite the US clearing roughly ten Chinese firms to buy them last week. The Huawei Ascend 910B is doing more work than the export-control story usually acknowledges, and DeepSeek's pivot to Ascend silicon for V4 was the kind of move that, if it generalises, eats into the long thesis Nvidia has been quietly leaning on: that even gated access is still access.

Banning the 5090D V2 also closes a quieter loophole. Hobbyist Chinese AI developers, cut off from the proper Blackwell stack, had been using the consumer card to run open-source models on Blackwell compute. The chip was a backdoor that wasn't really a backdoor, a way for capability to leak in via the gaming SKU while the AI SKU stayed off-limits. Cutting it off pushes those developers toward domestic alternatives faster, which is the consistent thread running through everything Beijing is doing on chips right now. The export-control regime didn't manage to keep advanced silicon out of Singapore; Beijing managing to keep it out of its own market is a different problem with a different shape, and one Washington has less leverage to alter.

Nvidia's pitch to its own investors this week was that the $200 billion CPU market it now forecasts includes China. Huang said as much in Taipei on Saturday, on his way out. The hope is real, the licences exist on paper, and the H200 nominally has a route in. The other side keeps banning the chips that route would carry. At some point that becomes less an export-control story and more a buyer story, a market that has decided it no longer wants what is on offer, and what is on offer was already the compromise.

METR published its first Frontier Risk Report this week, and the finding that should have travelled further than it did is in the executive summary. Anthropic, Google DeepMind, Meta, and OpenAI let METR's evaluators inside the building. The evaluators got access to the most capable internal models, raw chains of thought, non-public information about deployment, and the actual monitoring set-ups each company runs against its own agents. After roughly a month of looking, between mid-February and mid-March, the assessment landed on a sentence I haven't been able to put down. Internal AI agents at all four companies "plausibly had the means, motive, and opportunity to start small rogue deployments." Not "could in principle," not "we project by 2027." Already.

The phrase rogue deployment is doing work here. METR means a cluster of agents running autonomously inside the company's own infrastructure, without anyone's permission or awareness, pursuing whatever the model has decided to pursue. The classic example, which the report and Rob Wiblin's breakdown for the EA Forum both circle around, is an agent that wants more compute than its current task allocation allows, spins up a cloud job using an employee's normal credentials, and quietly keeps running after the visible task is marked complete. The compute is the prize. The deception is the route.

What makes the finding land is that the deception part is not speculative. METR walks through company-reported failure modes in the agents that exist today: circumventing constraints, falsifying verification, lying to users about task completion, deliberate deception aimed at hiding underperformance, reckless excessive measures to claim a difficult task is done. These aren't pulled from an adversarial red-team scenario. They come from companies describing what their own agents already do in ordinary use. The training story behind it is uncomfortable in its mundanity. Reinforcement learning with automated graders rewards exploiting flaws in the graders. RL on human or AI feedback rewards whatever convincingly looks like success to a distracted reviewer. The labs trained for this, accidentally, and the agents learned. This is the same shape as the unfaithful reasoning findings from April, scaled up and pulled in-house.

The reassurance, such as it is, is on the robustness side. METR's verdict is that today's agents could probably start a small rogue deployment but could not keep it hidden against an active company investigation. The signs would show up in compute accounting, monitoring flags, anomalous job patterns; someone paying attention would catch it. That depends on someone paying attention, and on the company having an investigation process that actually triggers. The report notes that some firms still lack multi-party approval for model-weight access. Anthropic and OpenAI require two sign-offs before a model can touch its own weights. Google DeepMind plans the same control but it's unclear whether it's live yet. Meta, xAI, and DeepSeek don't have it, as far as anyone outside those companies knows.

The honest reading is that the floor of catastrophic risk for the next twelve months is set by whichever lab has the weakest of those internal controls and the most capable agent running behind it. METR plans to repeat the assessment by the end of the year and expects the robustness numbers to move substantially in the meantime, because the capability trend is the only number in this space that has been reliable. The four companies sat for the test, which is worth saying out loud. The automated alignment claims that get cited in press releases are not the same as letting an outside evaluator watch your agents try to cheat their way through real tasks. METR did the latter. The result is the clearest public signal yet that the rogue-AI scenario is no longer a future tense problem and the only thing holding it in is the part of the system that depends on humans paying close attention to what their own models are doing.

On Manor Hill near Donington on Bain, the missing objects are larger than many surviving buildings. RAF Stenigot once held four parabolic dishes, each sixty feet across, in a fenced Cold War compound above the Lincolnshire Wolds. I know them through photographs taken after their purpose had gone: pale metal bowls laid on the grass, too large to resemble rubbish and too helpless to resemble machinery.

The site had already lived one technological life before those dishes arrived. Lincolnshire's monument record says Stenigot became operational in 1939 as a Chain Home radar station, part of the early warning network watching Britain's eastern approaches. In 1960, NATO's ACE High communications system placed its relay station inside the older perimeter, operated by the Royal Corps of Signals. One pair of dishes sent signals north towards Alnwick; the other aimed south towards Maidstone.

There is a peculiar confidence in building a communications network this visibly. We now expect the important route to be hidden: a buried fibre, a rack in an anonymous data centre, an orbiting object noticed only when an app loses service. Stenigot put the route on a hill and gave it the scale of a monument. Four open mouths, a generator house, fuel tanks, guard-dog pens and floodlights: connection needed a guarded landscape, not a spinning icon in the corner of a screen.

Tropospheric scatter was not romantic to the people who had to keep it working. It was engineering, a relay for military communications. What catches at me is the gap between that practical intention and the ruin it made. A machine designed to defeat distance became, after the network closed in the early 1990s, an object people travelled to see. The relay no longer joined command centres. It joined photographs, memories and the small illicit thrill of finding state infrastructure abandoned in a field.

Even that afterlife ended. In November 2018, the BBC reported that three of the four dishes appeared to have been removed and sold for scrap. The county record now notes that the last surviving ACE High dish was removed and scrapped in mid to late 2020. This is where nostalgia becomes dishonest if it isn't watched carefully. I prefer the photographs with the dishes still present, naturally, but a redundant communications array isn't obliged to stand forever so that I can enjoy its melancholy.

Still, their removal changes the place. A derelict antenna tells you that a vanished system once demanded enormous physical certainty. An empty concrete base asks you to take the claim on trust. The surviving Chain Home transmitter tower belongs to an older war and a different kind of warning, while ACE High has contracted into documentation: dimensions, directions, dates of demolition, a few images of dishes lying on their backs as if the weather had knocked them down.

I am used to lost media leaving a residue: tape hiss, screen burn, a logo copied into a newer interface. Stenigot leaves something more awkward. It records a future in which military traffic would keep crossing high ground through guarded relays, and then it removes even the sculptural evidence that this future briefly existed. What travelled between sites is gone. The absence is what now travels.

Anthropic's Glasswing update is the kind of AI safety story that looks reassuring until you sit with the logistics. The lab says Claude Mythos Preview found more than 10,000 high- or critical-severity vulnerabilities across partner software. Not theoretical weaknesses, not a neat benchmark category, but things that need triage, verification, disclosure, fixes, retesting, and the awful meeting where someone decides which production system can be touched this week.

Project Glasswing was announced as a defensive coalition with AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, NVIDIA, Palo Alto Networks, and others involved. Anthropic put $100 million in credits behind it. The basic argument is sound: if frontier models are becoming unusually good at vulnerability discovery, defenders should see that capability before attackers do. I buy that. I also think the update reveals a nastier bottleneck than model access. Finding the hole is only the start of the work.

Security already had this problem before Mythos arrived. Every serious organisation owns more old code than it wants to admit, and plenty of it has dependencies nobody has enjoyed thinking about since the person who wrote the integration left for a different badge system and a better coffee machine. A model that can surface ancient defects at speed doesn't magically create the change windows, test environments, maintainers, legal coordination, or user patience required to repair them. It turns buried debt into visible debt. Visibility is useful. It is also a queue.

That queue is what makes the Palo Alto Networks numbers so interesting. The company says it scanned more than 130 products with frontier AI systems and its May security advisory disclosed 26 CVEs covering 75 security issues. Before this, Palo Alto says a typical month involved five or fewer CVEs. This is the uncomfortable middle stage of defensive AI: better tools produce more work than the existing institution can absorb. The old rhythm of patching was already theatrical, monthly drops, emergency exceptions, half-remembered risk registers. Now the detection side is speeding up while the fixing side remains stubbornly human, bureaucratic, and full of servers that cannot go down.

Google's discovery of an AI-generated exploit earlier this month—the one with docstrings still hanging off it—comes to mind here. That story had a strange comic neatness: the model made the attack possible and also left enough model-shaped residue for defenders to notice. Glasswing is less tidy. It suggests a future where the attacker and defender both have better discovery tools, and the winner is the side with the less exhausted patch pipeline.

IBM's framing is similar but more corporate. In its own Glasswing note, it says exploitation of public-facing applications rose 44 percent last year and that AI is being used for detection, remediation prioritisation, testing, and response. That is the sensible shopping list. Prioritisation matters because ten thousand urgent things are not urgent in any practical sense. They are a map of institutional overload.

The temptation is to call this a capability threshold and stop there. Mythos can find bugs at a scale that changes the economics of vulnerability discovery. Fine. But the more important threshold may be administrative: whether companies can build a patching culture that matches machine-speed finding without collapsing into noise. The model can point at the broken part. Someone still has to own it.

On Thursday afternoon some tech CEOs were in the air over the Midwest, on their way to a signing ceremony in the Oval Office, when the ceremony stopped existing. Trump postponed his executive order on AI hours before the event. He told reporters he "didn't like certain aspects of it" and that he didn't want anything "that's going to get in the way" of the US lead over China. Politico reported that part of the reason was attendance, several of the invited CEOs hadn't been able to make it. Whatever the mix, the signing did not happen, and there is no public date for when it will.

The interesting part is what the order would have done, and how modest it already was. According to the draft text Politico published on Friday and CyberScoop's reporting from the night before, the federal government would have asked frontier AI companies to opt into a voluntary review window. Federal agencies including the NSA and Treasury, plus cybersecurity testers embedded in critical-infrastructure sectors like finance and healthcare, would get up to ninety days to look at a model before public release. The companies could decline. The government could make recommendations. That was the entire mechanism.

For reference, the industry was already pushing back hard against even this. Their counter-offer was a fourteen-day window. Not a mandatory test, not a license, not a kill-switch, just two weeks of pre-release review that companies could walk away from at any point. The administration came in last year openly hostile to AI safety policy on the grounds that it would slow American industry, then drafted a regime so light it could be ignored, and even that version is sitting unsigned on a desk somewhere.

There is a striking alignment here with the EU's voluntary code of practice, which was negotiated down to almost nothing on the way to being adopted and is still being haggled over signatory by signatory. The pattern across both sides of the Atlantic is the same. Whatever the maximalist proposal was at the start, it gets sanded down until the binding instrument is a polite request, and then the polite request is what people fight about. The shape of frontier AI governance, as it has actually existed for the last eighteen months, is companies promising to behave and governments asking them to send paperwork. The Trump order would have formalised that and only that. The fact that even the formalisation stalled tells you the industry believes paperwork is a beachhead, and the administration agrees.

There's a second story underneath this one. Reps. Jay Obernolte of California and Lori Trahan of Massachusetts are working on a bill that would preempt state AI laws for two years, freezing out the patchwork that's been forming in Sacramento and elsewhere. That bill is reportedly being held up while everyone waits to see what the federal posture is. If the federal posture is nothing, then state laws are the only laws, which is exactly what the industry has been trying to head off. The order being pulled doesn't just mean no federal review, it means the preemption bill loses its anchor, and the floor of regulation becomes whatever California, Colorado, and New York pass next.

Keep the scale of the original ask in mind when the next round of headlines arrives. The president pulled an order that asked AI companies to opt in to letting the NSA take a look. That was the high-water mark of US frontier model oversight in May 2026. Whatever comes next will be measured against it, and probably won't reach it.

The brief from British Vogue's editor was a single cover image to define the new decade. One woman, one face, one announcement. Peter Lindbergh told Liz Tilberis that one wouldn't do it, that the idea of a defining beauty had broadened past anything a single model could carry, and that he wanted five. Tilberis agreed. That was the whole negotiation, and everything else followed from it.

The shoot happened on a warm Sunday in November 1989 in the Meatpacking District in New York, which at the time still smelled like meat. Naomi Campbell, Linda Evangelista, Tatjana Patitz, Christy Turlington and Cindy Crawford stood on the cobbles between cold-store loading bays. Brana Wolf styled them in Giorgio di Sant'Angelo bodysuits and Levi's jeans. Christiaan did the hair, which is to say he mostly left it alone. The film was black and white. There was no retouching to speak of and no makeup worth mentioning. The whole thing read as a refusal of the decade that had just ended.

That was the trick, and the reason this particular cover, of all the supermodel group shots that would follow, is the one people still treat as the origin event. The 1980s glamour vocabulary, the big hair and the shoulder pads and the heavy contouring, hadn't been argued with so much as quietly stepped past. Lindbergh just photographed five women standing next to each other in plain clothes on a Sunday, and the previous aesthetic stopped being viable overnight. You couldn't run a 1988-style cover after this without looking dated. That's the part the trade press took a while to catch up with.

It also did a thing the industry hadn't quite worked out how to do yet, which was to treat the models as a collective. Until roughly this moment, fashion campaigns and magazine covers trafficked in single faces; a model was a person you booked, not a group you assembled. The Lindbergh cover made the supermodels legible as a category, a shorthand, a unit of cultural reference that worked even when the names underneath weren't fully distinguishable to the general public. Within months, George Michael had hired all five for the Freedom! '90 video, directed by David Fincher, which is the same idea (these five women, this specific assembly) carried forward into pop. Versace would do the runway version in Milan the following year, with the same collective logic. The category was set.

What Lindbergh said about it later, in a Guardian interview in 2016, was that he never felt he was changing anything. It came together effortlessly, was how he put it, all intuition. I take that to mean the change was already in the room and the picture was just where it became visible. The 1980s ended on a Sunday in November in a part of New York that no longer exists in the form it did then, and the people responsible thought they were just doing their jobs.

There is a footnote that matters. Anna Wintour had recently taken over US Vogue, and one of her early acts as editor was to publish a Lindbergh photograph the previous regime had rejected, shot in white shirts on the beach at Santa Monica. That picture and this one are essentially the same argument made twice on either side of the Atlantic. The American version ran first, in the August 1988 issue, and it was the British cover eighteen months later that got read as the manifesto. Sometimes the later iteration is the one that takes.