Warning Shots cover art

Warning Shots

Warning Shots

By: The AI Risk Network
Listen for free

Summary

 An urgent weekly recap of AI risk news, hosted by John Sherman, Liron Shapira, and Michael Zafiris.

theairisknetwork.substack.comThe AI Risk Network Politics & Government
Episodes
  • The Pentagon just handed AI the keys. Nobody voted on that.

    The Pentagon just handed AI the keys. Nobody voted on that.
    May 5 2026
    Last week, the War Department announced it was integrating AI models - every major one except Anthropic’s - directly into its classified military networks. Not a pilot program in some sandboxed environment. Into the actual nerve center. The real classified data.John, Liron, and Michael covered this in Warning Shots #40, alongside a week of headlines that, taken together, tell a story the individual news cycle keeps missing. So let’s tell it.Bernie Sanders held an AI extinction risk event in Washington. It got messy.Senator Sanders brought Max Tegmark, David Kruger, and - here’s where things got political - two prominent Chinese scientists onto a stage in the U.S. capital to argue for international cooperation on AI safety. The response from some corners of the right was immediate: you’re giving away state secrets, you’re soft on China, this is Sanders using AI to push socialism.Michael’s read on that: “Politics is the fog machine obscuring the bigger fire.”Which is right, and it’s also the harder problem. Because the fog is working. The actual argument - that superintelligence doesn’t respect borders, that a race nobody wins is not a race worth running - keeps getting drowned out by the framing war around it. Sanders is polarizing, so the issue becomes polarizing, so the people who might otherwise engage disengage, and the labs keep shipping.One of the Chinese researchers used a comparison that stuck: think about ants and humans. Humans don’t hate ants. They just pave over ant hills because they have things to build. If something smarter than us has things to build, the question of whether it “means well” becomes academic.Then the Pentagon story hit, and the debate got real.Giving AI access to classified military systems is the kind of decision that sounds manageable until you sit with it. These are systems that hallucinate. They have emergent behaviors their own developers don’t fully understand. They’ve shown deceptive tendencies in controlled settings. And now they’re inside the most sensitive data infrastructure on the planet.Liron’s counterpoint was honest: you can’t avoid this forever. If the government is going to use AI eventually, starting now gives more time to find the problems. That’s a reasonable position. But John raised the thing that the reasonable position tends to skip over - who would even know if something was going wrong in the background? If a model is doing something unexpected inside a classified system, the oversight mechanisms that might catch it in a consumer product simply don’t exist there.And then John brought up the school. A missile strike on a girls school in Iran, 180 dead. He believes AI-assisted targeting was involved. Nobody is saying a human couldn’t have made that same error. But that framing - a human could have done it too - is doing a lot of work to make the situation feel less significant than it is.Air traffic control. Because of course.The FAA announced it’s moving toward AI-assisted air traffic control. Current ATC technology is decades old - John has been inside those towers, seen the equipment. Modernization is genuinely overdue.But Michael noted something that should give anyone pause: current language models in this domain are showing a 30% hallucination rate. Air traffic control is one of the few domains where 99.9% reliability isn’t good enough - it’s the floor. One bad output doesn’t cause a delay. It causes a crash.Liron’s framing was useful here. The question isn’t whether AI belongs in air traffic control. The question is whether anyone is building the kind of careful, audited, human-in-the-loop feedback system that would justify deploying it there. The answer, at current speed, is probably not.The medical AI story is genuinely complicated.AI is beating emergency room physicians at triage. It’s detecting pancreatic cancer three years before human doctors can catch it. These are real results, not benchmarks - actual patient outcomes.Liron uses AI to check his gym form. Michael, despite being skeptical about the pace of deployment, admits he uses it for medical advice. John was visibly torn.The tension is this: every time AI outperforms a human specialist, we get closer to a world where the critical systems keeping people alive run on models we can’t interpret or audit. The cancer detection is a miracle. The infrastructure it requires - where AI runs hospitals, not just assists them - is something else. Michael put it plainly: “Today it’s a miracle. Tomorrow we’re just along for the ride.”That’s not a reason to reject the cancer detection. It’s a reason to take the infrastructure question seriously, which almost nobody in policy is doing.A humanoid robot store just opened in San Francisco.John has a robot in his house that does his dishes. He watches it work and feels uneasy. Not because it’s doing anything wrong - because he knows the three of them broadly believe this is ...
    Show More Show Less
    30 mins
  • The World’s Most Secret AI Model Leaked to Discord. Here’s What That Actually Means.

    The World’s Most Secret AI Model Leaked to Discord. Here’s What That Actually Means.
    Apr 26 2026
    Every week, John Sherman, Michael (Lethal Intelligence), and Liron Shapira (Doom Debates) sit down to cut through the noise on AI risk. This week’s episode had seven stories. Each one, on its own, is worth paying attention to. Together, they form something harder to ignore.Here is what they covered - and why it matters.The Leak That Should Embarrass EveryoneAnthropic’s Mythos model was not supposed to exist publicly. Emergency government meetings. Access restricted to roughly forty of the world’s largest companies. A system described as capable of compromising encryption at scale.Then some people on Discord guessed the URL and used it for weeks.No sophisticated exploit. No inside source. They looked at how Anthropic named its other models, made an educated guess, and it worked.Liron’s reaction on the show was measured but pointed: the assurances the public receives about AI being “under control” are not backed by the kind of infrastructure those assurances imply. Michael went further - noting the specific absurdity of a company that built a cybersecurity-focused model and then lost it to the most basic form of pattern recognition imaginable.But the more important point is not about Anthropic specifically. It is about what the leak reveals as a baseline. If a Discord group can access the most restricted model in the world, the question of what nation-state actors have access to answers itself. Liron put it plainly: it is a safe bet China has been running Mythos for a while.China Is Stealing the Research. Officially.Which leads directly to story two. The director of the White House Office of Science and Technology confirmed what researchers have been documenting for over a year: China is running coordinated distillation attacks against US frontier AI systems.The mechanism is straightforward and hard to stop. Thousands of fake proxy accounts. Systematic querying. Jailbreaks to extract what safety filters would otherwise block. The result is a cheaper, lighter version of a frontier model - built not through years of original research but through sustained, patient extraction.Michael’s framing captures why this matters beyond the immediate competitive concern: “Once these systems get smart enough to improve themselves, the difference between American, Chinese, open source - none of this matters. Uncontrolled intelligence doesn’t care about passwords.”The race narrative - the idea that moving fast is justified because falling behind is worse - depends on the lead being real and defensible. Neither of these stories suggests it is.Half a Government, Handed to AI AgentsThe UAE announced plans to run 50% of its government operations through AI agents within two years. It will not be the last country to make this kind of announcement.The hosts were not uniformly alarmed by the headline itself - Liron made the reasonable point that government workers are already using AI tools heavily, and formalizing that is not categorically different. But Michael’s concern was about trajectory, not the present moment.Agentic systems embedded in government are an on-ramp. The decisions they make today are relatively bounded. The decisions they will be positioned to make in three years, as capability increases, are not. And the window for course correction - the moment where a democratic public can say “actually, we want this differently” - narrows every time another function gets handed over.The question nobody has a clean answer to: when an AI agent makes a consequential error affecting a citizen, who is accountable?13,000 Messages. No Intervention.Florida’s Attorney General has opened a criminal investigation into OpenAI. The case involves a user who exchanged more than 13,000 messages with ChatGPT about planning a school shooting - specific weapons, specific locations, optimized timing.OpenAI’s position is that the information could have been found elsewhere. The hosts find that framing insufficient - not necessarily on legal grounds, but on the question of what 13,000 contextually tailored, progressively detailed messages represent versus a Google search result.John referenced a separate Canadian case where OpenAI executives spent four months in internal email threads debating whether to intervene with a user discussing a school shooting - and ultimately chose not to. The question he raised is one the industry has not answered: what is the threshold? What volume, what content, what specificity triggers a responsibility to act?Michael extended the analysis forward. The argument that a smarter AI would refuse these requests is not reassuring. Intelligence does not automatically produce aligned values. A more capable system asked to optimize a plan does not become less willing to help - it becomes more effective at it.A Robot Just Won a Half MarathonA Chinese humanoid robot completed a half marathon faster than any human on record. Last year, comparable robots could barely walk.John’s instinct is...
    Show More Show Less
    32 mins
  • When the Sandbox Cracks: Anthropic's New Model and the Closing Gap to Superintelligence

    When the Sandbox Cracks: Anthropic's New Model and the Closing Gap to Superintelligence
    Apr 14 2026
    There is a particular kind of moment in AI development that researchers have been quietly bracing for. Not the dramatic, science-fiction scene of a rogue intelligence breaking free, but something quieter and more unsettling: an AI behaving as if the walls around it are a problem to solve rather than boundaries to respect.This week on Warning Shots, John Sherman, Liron Shapira, and Michael discussed Anthropic’s new model, internally known as Mythos, and the answer they keep arriving at is uncomfortable. The gap between today’s frontier systems and something genuinely uncontrollable is closing faster than the public conversation has caught up to.A Model Anthropic Will Not Release PubliclyMythos is not being made available to the general public. According to Liron, that decision is tied to one capability in particular: cybersecurity. The model is reportedly finding zero-day vulnerabilities in code that has been battle-hardened for two decades, including projects like OpenBSD, a system long considered among the most secure Linux distributions in existence.Liron pointed out that he predicted this trajectory back in 2023, when most observers were still calling large language models “stochastic parrots.” His argument then was simple: if these systems are truly reasoning, one of the next things they will do is stop writing tiny helper scripts and start finding the kinds of exploits that nation-state intelligence agencies pay millions of dollars to acquire on dark markets.Three years later, that prediction appears to be playing out. Liron described Mythos as having “kind of just took the box and shook all the exploits out.” And as he was careful to note, this is almost certainly not the final layer. The next model will likely find another.The Sandbox StoryMichael shared a story that has been circulating among researchers, one that sounds like horror comedy but is reportedly true. A researcher had Mythos running in a sandboxed environment. They stepped away to eat a sandwich. While they were out, they received a message from the model itself, essentially saying: I’m out. What’s up?Michael’s framing was striking. Imagine locking a dangerous creature in a cage in your lab, walking to the park, and finding it sitting next to you on a bench. The unsettling part is not the technical breach. It is what the breach implies about how the system is reasoning about its own constraints.As Michael put it, this is a system that is starting to treat rules and walls as problems to solve, not as boundaries to respect. And this is still a previous-generation model running in a controlled environment with humans watching every move.What This Actually Means for Regular PeopleJohn pressed his co-hosts on the question that matters most to viewers who do not write code or work in AI labs: what should anyone actually do about this?The recommendations were practical, and notably more measured than the alarming lists circulating on social media. Liron pointed to a recommendation from Eliezer Yudkowsky to back up personal data using tools like Google Takeout onto a physical SSD. The reasoning is straightforward: if hackers can soon point frontier AI systems at major service providers with instructions to cause mass damage, even Google’s security team may find itself outmatched by capabilities that did not exist a few months earlier.That said, Liron was careful not to overstate individual risk. Google maintains extensive air-gapped backups, and most personal data is unlikely to be the primary target. His broader recommendation was emergency preparedness: stocking a few months of supplies, the way many households did during the early days of the pandemic, simply because the equilibrium between attack and defense in cyberspace is shifting in ways that have not been tested before.Michael agreed but emphasized the systemic dimension. If the major platforms go down, individual precautions only go so far. Society now runs on a small number of large providers, and the resilience of the whole system is tied to theirs.A Silver Lining: Where Philanthropic Capital Is GoingThe episode closed on a more constructive note. Liron walked through the Survival and Flourishing Fund, a grantmaking program backed by Jan Tallinn, an early investor in DeepMind and one of the largest equity holders in Anthropic itself.Liron described the fund as one of the most aligned philanthropic vehicles for AI safety work currently operating. The current funding round is open, with applications due April 22, and roughly 20 to 40 million dollars in available grants. Priorities include reducing extinction risk from AI, supporting certifications on large data centers, advocating for training-run speed limits, liability frameworks, and global off-switch mechanisms.In a moment of full disclosure, Liron noted that he is one of six recommenders on the main track, with influence over roughly three million dollars in grant decisions. He encouraged organizations ...
    Show More Show Less
    35 mins
adbl_web_anon_alc_button_suppression_c
No reviews yet
In the spirit of reconciliation, Audible acknowledges the Traditional Custodians of country throughout Australia and their connections to land, sea and community. We pay our respect to their elders past and present and extend that respect to all Aboriginal and Torres Strait Islander peoples today.