Frontier AI Models Fail Phishing Tests, Agents Need Sandboxing
Topics: Agentic AI · Data Infrastructure · LLM Inference
OpenAI proved you can serve 800M users on unsharded Postgres with ~50 read replicas and defense-in-depth protection layers — but the real story across today's intelligence is that every frontier AI model will enter your credentials on a phishing page (1Password's SCAM benchmark scored 35-92% safety across eight models), and your AI agent deployments need the same sandboxing discipline you'd apply to untrusted code execution. If you're shipping agents with user-level permissions and prompt-based guardrails, you have a production incident waiting.
◆ INTELLIGENCE MAP
01 Database Scaling Patterns at Production Scale
monitor · OpenAI's unsharded Postgres serving 800M users and Netflix's 400-cluster Aurora migration via WAL-streaming replicas both validate that read-heavy workloads can scale dramatically with replicas and operational discipline before reaching for sharding or complex migrations.
02 AI Agent Security Is Now a First-Class Architecture Concern
act now · 1Password's SCAM benchmark, OpenClaw's permission-scope vulnerabilities, and OpenAI's new Lockdown Mode converge on one conclusion: AI agents require sandboxing, scoped credentials, and audit logging — prompt-based guardrails are architecturally insufficient.
03 Inference Speed War: Quality vs. Throughput Trade-offs
monitor · OpenAI's Cerebras-backed 1,000+ tok/s trades model quality for speed while Anthropic's 2.5x fast mode preserves full model quality via low-batch inference — the right choice depends on whether you're building streaming UX or accuracy-critical agentic chains.
04 Security Posture: Post-Quantum SSH, Browser Extensions, Supply Chain
act now · OpenSSH 10.1 now warns on non-post-quantum key exchange, 300+ malicious Chrome extensions with 37.4M downloads confirm browser extensions are an unmanaged supply chain surface, and SLSA attestations are becoming table stakes for build artifact integrity.
05 New Open-Source Tooling Worth Evaluating
background · Cloudflare's ecdysis (Rust zero-downtime restarts), Pydantic AI's Monty (microsecond Python sandbox), sql-tap (transparent SQL proxy with EXPLAIN output), and Vouch (trust graphs for OSS spam) each solve specific pain points worth evaluating for your toolchain.
◆ DEEP DIVES
01 Postgres at 800M Users Without Sharding — and the Patterns You Should Steal Today
Two Production Playbooks for Scaling Postgres

Two of the highest-signal reports today detail production-proven PostgreSQL scaling patterns from OpenAI and Netflix — and they're complementary. OpenAI scaled a single-primary Postgres instance to serve 800 million ChatGPT users at millions of QPS with 99.999% uptime, while Netflix migrated 400 RDS PostgreSQL clusters to Aurora using WAL-streaming replica promotion for near-zero-downtime cutover.

OpenAI's Defense-in-Depth Architecture

OpenAI runs a single primary writer on Azure PostgreSQL, streaming WAL to ~50 read replicas. Each replica has its own Kubernetes deployment running multiple PgBouncer pods behind a K8s Service. The results: connection latency dropped from 50ms to 5ms (a 10x improvement), and their only SEV-0 in 12 months came during the viral ImageGen launch, when 100M users signed up in a week.

The protection stack is what makes this work:

| Layer | Mechanism | What It Prevents |
| --- | --- | --- |
| Connection | PgBouncer (transaction pooling) | Connection storms; 50ms→5ms latency |
| Cache | Lease/locking on cache miss | Thundering herd — one request hits Postgres per key |
| Query | ORM-level rate limiting + kill switch | Expensive queries (their 12-table join caused multiple SEVs) |
| Write | Write-heavy workloads → Cosmos DB | Write storms on the single primary |
| Schema | 5-second DDL timeout; concurrent-only indexes | Lock contention from migrations |

They explicitly rejected sharding, estimated at months-to-years of effort modifying hundreds of endpoints. This only works because their workload is overwhelmingly reads. At ~50 replicas they're hitting WAL fan-out limits and are collaborating with Azure on cascading replication, which is still in testing due to complex failover semantics.

Netflix's WAL-Streaming Migration Pattern

Netflix's approach is elegantly simple: create an Aurora read replica of the RDS instance, let it catch up via continuous WAL streaming, validate replication lag, then promote. No AWS DMS, no CDC middleware, no replication slot management. The entire workflow was built as self-service and credential-free: individual teams triggered their own migrations.

Complementary Tooling: sql-tap and Guidewire's Snapshot Optimization

Two additional data points strengthen the Postgres scaling story. sql-tap is a new transparent SQL proxy that captures queries, transactions, timings, and EXPLAIN output without code changes; you just redirect your connection string. And Guidewire cut Debezium CDC snapshot time from 68.5 to 20 hours on a 7TB database by combining Aurora Copy-on-Write cloning with Timefold constraint-based partitioning for intelligent worker distribution.

> The real lesson isn't "don't shard" — it's that the protection layers around your database matter more than the database topology itself.
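The cache-layer lease from the protection table above, as an added example (this is not OpenAI's code): on a miss only the first caller for a key runs the loader, and concurrent callers for the same key wait for that one result instead of each hitting Postgres. The `LeasedCache` class, the `stampede_demo` helper and the simulated slow query are all constructed here.

```python
"""Cache lease / locking on miss, as an added example (not OpenAI's code).

On a cache miss only the first caller for a key takes that key's lease and
runs the loader (the Postgres query); concurrent callers for the same key
wait for the lease holder and read its result instead of each hitting the DB.
"""
import threading
import time
from typing import Callable, Dict, Hashable, List, Tuple


class LeasedCache:
    """In-process cache where each key has at most one in-flight loader."""

    def __init__(self, ttl_seconds: float = 60.0) -> None:
        self._ttl = ttl_seconds
        self._values: Dict[Hashable, Tuple[object, float]] = {}  # key -> (value, expires_at)
        self._leases: Dict[Hashable, threading.Event] = {}  # key -> "loader in flight"
        self._lock = threading.Lock()  # guards both dicts and the counter
        self.loader_calls = 0  # how many times the backing store was actually queried

    def get(self, key: Hashable, loader: Callable[[], object]) -> object:
        while True:
            with self._lock:
                cached = self._values.get(key)
                if cached is not None and cached[1] > time.monotonic():
                    return cached[0]  # fresh hit: no lease, no DB work
                lease = self._leases.get(key)
                if lease is None:
                    lease = threading.Event()  # first miss for this key: take the lease
                    self._leases[key] = lease
                    break
            lease.wait()  # another caller owns the lease; wait, then re-check the cache
        try:
            value = loader()  # the single round-trip to Postgres for this key
            with self._lock:
                self._values[key] = (value, time.monotonic() + self._ttl)
                self.loader_calls += 1
            return value
        finally:
            with self._lock:
                self._leases.pop(key, None)
            lease.set()  # wake waiters; they now find the value (or retry if we failed)


def stampede_demo(n_threads: int = 50) -> Tuple[int, int]:
    """Constructed demo: n concurrent requests for one cold key.
    Returns (times the loader ran, distinct values observed)."""
    cache = LeasedCache(ttl_seconds=5)
    results: List[object] = []
    results_lock = threading.Lock()

    def slow_query() -> str:
        time.sleep(0.05)  # stands in for an expensive Postgres query
        return "user:42:profile"

    def worker() -> None:
        value = cache.get("user:42", slow_query)
        with results_lock:
            results.append(value)

    threads = [threading.Thread(target=worker) for _ in range(n_threads)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return cache.loader_calls, len(set(results))
```

Without the lease, the same 50 requests would each run the query; with it the loader runs once and every caller sees the same value.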
Action items
- Deploy PgBouncer in transaction pooling mode on any Postgres instance running without a connection pooler — this week
- Profile your top 10 most expensive queries and identify any multi-table joins that could move to the application layer — this sprint
- Implement cache lease/locking on your hottest read paths by end of quarter
- If planning RDS→Aurora migration, prototype Netflix's WAL-streaming replica promotion pattern on a non-critical cluster before reaching for DMS
Sources: How OpenAI Scaled to 800 Million Users With Postgres · Discipline Wins in 2026 🧱, Live SQL Observability 👀, Open Source MySQL Alternative 🔄
02 AI Agent Security: Every Frontier Model Fails, and Prompt Guards Won't Save You
Three Independent Signals, One Conclusion

Today's intelligence from three separate sources converges on a single, urgent finding: AI agents operating with user-level permissions are a production security incident waiting to happen, and prompt-based safeguards are architecturally insufficient to prevent it.

The Evidence

1Password open-sourced SCAM (Security Comprehension and Awareness Measure), the first rigorous benchmark for testing AI agent safety in real workflows: opening emails, retrieving credentials, filling login forms. The results across eight frontier models: safety scores ranged from 35% to 92%, and every single model exhibited at least one critical failure, such as entering credentials on phishing pages or forwarding passwords to external parties. The benchmark is released under the MIT License with 30 workplace scenarios and video replay tooling.

Separately, OpenClaw (120K+ GitHub stars, 20K forks) was found to operate with the same permissions as the installing user, allowing malicious marketplace skills to exploit the agent's full permission scope. OpenAI responded by shipping Lockdown Mode for ChatGPT and adding "Elevated Risk" labels to capabilities in ChatGPT Atlas and Codex — essentially admitting certain capabilities are inherently more vulnerable to prompt injection.

Meanwhile, OpenAI acqui-hired OpenClaw's creator Peter Steinberger, and the project is transitioning to a foundation, creating dependency risk for anyone building on it.

The Architectural Fix

The pattern is identical to what we've applied to untrusted code execution for decades:

1. Sandbox execution: agents should not have direct access to the host environment
2. Scope credentials: minimum required permissions per task, not per user
3. Restrict tools: allowlist, not blocklist, for available capabilities
4. Audit everything: every tool invocation, every external call, logged and reviewable

One bright spot from the SCAM benchmark: applying a short security "skill file" (a system prompt with explicit security rules) dramatically reduced failures across all models. This suggests prompt-level guardrails are effective as a first line of defense, but they cannot be the only line.

The Broader Agent Ecosystem Risk

The emergence of tools like klaw (enterprise agent orchestration) and Pydantic AI's Monty (a microsecond-startup Python sandbox replacing container-based sandboxes for LLM-generated code) signals that agent management is becoming an infrastructure problem. Monty's approach, a purpose-built minimal Python interpreter with security constraints baked into the runtime, trades full CPython compatibility for microsecond startup and inherent sandboxing. For agent loops executing code dozens of times per task, container cold-start latency (100ms-2s) compounds brutally.

> AI agents are the new containers: powerful, ubiquitous, and a security nightmare until you treat them as untrusted workloads with proper sandboxing, scoped permissions, and audit trails.
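The scoped-credential, allowlist and audit controls from the architectural fix above, as an added example (not OpenClaw's, OpenAI's or 1Password's code): a gate that sits between the model's tool requests and the host-side tool implementations. `TaskScope`, `ToolGate`, the two stand-in tools and the token format are all constructed for illustration; the execution sandbox itself is assumed to sit beneath this layer.

```python
"""Tool gate for an LLM agent, as an added example (not OpenClaw's or OpenAI's code).

It enforces three of the four controls above: tools are allowlisted per task, each call
runs with a task-scoped credential rather than the user's, and every invocation (allowed,
refused or failed) lands in an audit log. The execution sandbox sits beneath this layer.
"""
import json
import time
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Set


@dataclass(frozen=True)
class TaskScope:
    """Permissions for one agent task: issued per task, never per user."""
    task_id: str
    allowed_tools: Set[str]        # allowlist: anything not listed is refused
    credentials: Dict[str, str]    # tool name -> least-privilege token for this task


class ToolGate:
    def __init__(self, tools: Dict[str, Callable[..., Any]]) -> None:
        self._tools = tools                        # host-side tool implementations
        self.audit_log: List[Dict[str, Any]] = []  # every invocation, reviewable later

    def call(self, scope: TaskScope, tool: str, **args: Any) -> Any:
        entry: Dict[str, Any] = {"ts": time.time(), "task": scope.task_id, "tool": tool,
                                 "args": json.dumps(args, sort_keys=True, default=str)}
        if tool not in scope.allowed_tools or tool not in self._tools:
            entry["outcome"] = "refused"           # not on this task's allowlist
            self.audit_log.append(entry)
            raise PermissionError(f"tool {tool!r} is not allowed for task {scope.task_id}")
        cred = scope.credentials.get(tool)
        if cred is None:
            entry["outcome"] = "refused_no_credential"
            self.audit_log.append(entry)
            raise PermissionError(f"no task-scoped credential for {tool!r}")
        try:
            result = self._tools[tool](credential=cred, **args)
            entry["outcome"] = "ok"
            return result
        except Exception as exc:                   # tool failed: still recorded
            entry["outcome"] = f"error:{type(exc).__name__}"
            raise
        finally:
            self.audit_log.append(entry)


# Constructed tool implementations standing in for real integrations.
def read_inbox(credential: str, folder: str) -> List[str]:
    if not credential.startswith("mail-ro-"):      # expects a read-only mail token
        raise PermissionError("read_inbox requires a read-only mail token")
    return [f"{folder}: Deploy finished for build 1234"]


def fill_login_form(credential: str, url: str) -> str:
    return f"submitted to {url}"


def demo() -> Dict[str, Any]:
    """A mail-summarising task: it may read mail with a read-only token and nothing else."""
    gate = ToolGate({"read_inbox": read_inbox, "fill_login_form": fill_login_form})
    scope = TaskScope(task_id="t-001", allowed_tools={"read_inbox"},
                      credentials={"read_inbox": "mail-ro-CONSTRUCTED"})
    messages = gate.call(scope, "read_inbox", folder="INBOX")
    refused = None
    try:
        # An instruction injected via an email asking the agent to log in somewhere is
        # stopped by the allowlist, however persuasive the prompt was.
        gate.call(scope, "fill_login_form", url="https://login.example.invalid/")
    except PermissionError as exc:
        refused = str(exc)
    return {"messages": messages, "refused": refused,
            "outcomes": [e["outcome"] for e in gate.audit_log]}
```

The refusal is decided by the task's allowlist, not by the model's judgement, which is the difference between a prompt guardrail and an architectural control.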
Action items
- Run 1Password's SCAM benchmark against any AI agents you're building or evaluating that handle credentials or sensitive workflows — this sprint
- Audit all deployed AI agents for permission scope and implement least-privilege credential scoping within 2 weeks
- Evaluate Monty as a replacement for container-based sandboxes in agent code execution loops this quarter
- Add security skill files (explicit security rules in system prompts) to all production agents immediately
Sources: 300 Chrome Extensions Caught Stealing 🥷, Product Engineering & Supply Chain 🚚, Snail Mail Attack on Crypto Users ✉ · OpenAI + OpenClaw 🤖, ChatGPT Lockdown Mode 🔒, inference speed tricks ⚡ · OpenAI hires OpenClaw dev 🦞, ByteDance AI video 📱, cognitive debt 🧠
03 Your Security Perimeter Has Three New Holes: Post-Quantum SSH, Browser Extensions, and Supply Chain Attestations
OpenSSH's Post-Quantum Migration Just Became Non-Optional

OpenSSH 10.0 made mlkem768x25519-sha256 the default key exchange algorithm. Version 10.1 goes further: it now actively warns users when connections use non-post-quantum algorithms. This is the deprecation-warning phase; classical-only key exchange is on a sunset path.

The threat model is concrete, not theoretical: "store now, decrypt later" means adversaries (particularly state-sponsored ones) are capturing encrypted SSH traffic today to decrypt once quantum computers become capable. For sessions carrying deployment credentials, database access, or infrastructure automation commands, this is real exposure. Migration blockers to plan for: legacy network appliances, older SSH libraries in automation tooling, and HSMs that don't support ML-KEM. The hybrid approach (ML-KEM + X25519) preserves classical security as a fallback, but both sides must support the algorithm.

---

Browser Extensions: 37.4 Million Downloads of Malware

Researchers confirmed 300+ malicious Chrome extensions with 37.4 million combined downloads were exfiltrating user data at scale. The breakdown: 153 extensions exfiltrated browsing history immediately on install, a cluster of 30 extensions disguised as AI tools shared identical backend infrastructure, and 15 AI-themed extensions specifically targeted Gmail to extract email content.

This isn't a consumer problem; it's an engineering problem. Your developers have AI coding assistants, productivity tools, and ad blockers installed with permissions to read all page content, modify requests, and access cookies. Your SBOM doesn't cover this. Your EDR probably doesn't flag it. If an engineer's Gmail contains deployment notifications, incident response threads, or API keys shared via email, a malicious extension has access to all of it.

---

Supply Chain Integrity: SLSA Is Becoming Table Stakes

The SLSA framework and cryptographic attestations are being positioned as the standard for software supply chain verification. Separately, Vouch launched a web-of-trust model for open-source contribution quality, requiring explicit vouches for participation with cross-project trust sharing, as a response to AI-generated contribution spam that's now bad enough to spawn its own tooling category.

Google's Threat Intelligence Group also published coordinated state-sponsored campaigns from four nation-states targeting the defense industrial base, with edge device compromise (VPNs, firewalls, load balancers) as the primary vector. Even if you're not in defense, the pattern is universal: edge devices are targeted because they're often unpatched and have broad network access.

> Every frontier AI model will enter your credentials on a phishing page; your SSH sessions are being stored for future quantum decryption; and your engineers' Chrome extensions are a supply chain attack surface you're probably not governing. All three are fixable this quarter.
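A fleet-audit helper for the SSH migration described above, as an added example (not OpenSSH code): it parses an ssh_config or sshd_config and reports, per Host/Match block, whether an explicit KexAlgorithms list still permits classical-only key exchange (the condition 10.1 warns about). The status strings, the block-naming scheme and the sample config are constructed here; the hybrid algorithm names are OpenSSH's own.

```python
"""Audit an ssh_config / sshd_config for post-quantum key exchange, as an added
example (not OpenSSH code). For each Host/Match block it reports whether an
explicit KexAlgorithms list still allows classical-only exchange, the case that
OpenSSH 10.1 warns about. No directive means the installed version's default
applies (PQ-first from 10.0), so the version itself must be checked as well."""
import re
from typing import Dict, Optional

# Hybrid post-quantum key-exchange names OpenSSH ships; the @openssh.com suffix
# is the older spelling of sntrup761x25519-sha512.
PQ_KEX = {"mlkem768x25519-sha256", "sntrup761x25519-sha512",
          "sntrup761x25519-sha512@openssh.com"}

STATUS_DEFAULT = "no KexAlgorithms directive: version default applies (PQ-first on >= 10.0)"
STATUS_PQ_FIRST = "explicit list, post-quantum hybrid preferred"
STATUS_PQ_LATER = "explicit list contains a post-quantum hybrid but does not prefer it"
STATUS_CLASSICAL = "CLASSICAL-ONLY: explicit list has no post-quantum hybrid"
STATUS_REMOVES_PQ = "CLASSICAL-ONLY RISK: '-' removes post-quantum hybrids from the default list"
STATUS_EXTENDS = "modifies the default list with a +/-/^ prefix (PQ retained if the default has it)"


def parse_kex_blocks(config_text: str) -> Dict[str, Optional[str]]:
    """Map '(global)' and each 'host ...'/'match ...' block to its first KexAlgorithms
    value (OpenSSH uses the first value obtained for a directive; later repeats are ignored)."""
    blocks: Dict[str, Optional[str]] = {"(global)": None}
    current = "(global)"
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key in ("host", "match"):
            current = f"{key} {value}"
            blocks.setdefault(current, None)
        elif key == "kexalgorithms" and blocks[current] is None:
            blocks[current] = value
    return blocks


def assess(kex_value: Optional[str]) -> str:
    if kex_value is None or not kex_value.strip():
        return STATUS_DEFAULT
    op = kex_value[0] if kex_value[0] in "+-^" else ""  # OpenSSH list-modifier prefixes
    algos = [a.strip().lower() for a in kex_value.lstrip("+-^").split(",") if a.strip()]
    if op == "-":
        return STATUS_REMOVES_PQ if any(a in PQ_KEX for a in algos) else STATUS_EXTENDS
    if op:
        return STATUS_EXTENDS
    if not any(a in PQ_KEX for a in algos):
        return STATUS_CLASSICAL
    return STATUS_PQ_FIRST if algos[0] in PQ_KEX else STATUS_PQ_LATER


def audit(config_text: str) -> Dict[str, str]:
    return {block: assess(value) for block, value in parse_kex_blocks(config_text).items()}


# Constructed ssh_config sample covering each outcome.
SAMPLE_CONFIG = """
Host legacy-appliance
    KexAlgorithms curve25519-sha256,ecdh-sha2-nistp256   # classical only
Host bastion
    KexAlgorithms mlkem768x25519-sha256,curve25519-sha256
Host automation
    KexAlgorithms curve25519-sha256,mlkem768x25519-sha256
Host *
    KexAlgorithms -sntrup761x25519-sha512
"""
```

Run `audit()` over the configs collected from your fleet; the two CLASSICAL-ONLY statuses are the hosts that will trip the 10.1 warning and need a migration ticket.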
Action items
- Audit your fleet's SSH configurations for post-quantum key exchange compatibility and create a migration plan to mlkem768x25519-sha256 by end of quarter
- Implement browser extension governance: inventory installed extensions across engineering teams and establish an allowlist policy within 30 days
- Add SLSA Level 1 provenance attestations to your CI/CD pipeline for production artifacts this sprint
- Verify your perimeter devices (VPNs, firewalls, load balancers) are on an aggressive patching cadence with firmware integrity verification
Sources: 300 Chrome Extensions Caught Stealing 🥷, Product Engineering & Supply Chain 🚚, Snail Mail Attack on Crypto Users ✉ · Community Trust Management 🎫, Java's Debt Wall 🧱, AI Tool Surge 📈
04 Inference Speed, Tokenizer Changes, and the Build-vs-Buy Calculus for AI Infrastructure
Two Architectures, Two Trade-offs

OpenAI and Anthropic both launched fast inference modes this week, but with fundamentally different architectural trade-offs that matter for your provider selection:

| Dimension | OpenAI Fast Mode | Anthropic Fast Mode |
| --- | --- | --- |
| Speed | 1,000+ tokens/sec | ~2.5x baseline |
| Hardware | Cerebras chips | Standard infrastructure |
| Model quality | Less capable model | Full production models |
| Mechanism | Specialized hardware + smaller model | Low-batch-size inference |
| Best for | Streaming UX, simple completions | Agentic chains, accuracy-critical tasks |

The critical nuance for agentic workflows: a 10% accuracy drop per call compounds to ~40-65% degradation across a 5-10 call chain (0.9^5 ≈ 0.59, 0.9^10 ≈ 0.35). OpenAI's approach is hardware-dependent (the Cerebras partnership) while Anthropic's is a serving configuration change (low batch size trades GPU utilization for latency). Anthropic's fast mode likely costs them more per token to serve, which will eventually show up in pricing.

GPT-5's Tokenizer: ~200K Vocabulary

The GPT-5 tokenizer has been reverse-engineered via OpenAI's tiktoken library, revealing approximately 200,000 tokens, roughly double GPT-4's vocabulary. Larger vocabularies mean fewer tokens per input (reducing per-request cost) but increase embedding table size. Tokenizer design decisions cascade into cost, accuracy, multilingual performance, and hallucination rates; this isn't a minor implementation detail.

ChatGPT Search: A Pattern Worth Studying

ChatGPT Search's architecture reveals a sophisticated orchestration layer: a Sonic classifier (~196ms) gates web retrieval, then fans out one prompt into parallel queries across web, shopping, images, news, and local indices. Results merge via Reciprocal Rank Fusion (RRF) with configurable recency windows (7/30/365 days). RRF doesn't require score normalization across sources, making it ideal for combining results from heterogeneous backends. If you're building RAG or search systems, this fan-out + RRF pattern is directly applicable.

Microsoft's Model Independence Play

Microsoft is actively developing its own AI models under Mustafa Suleyman to reduce its OpenAI dependency. This is a long-term architectural risk signal for anyone on Azure OpenAI. Maintain abstraction layers that let you swap model providers without rewriting business logic. The companies that built tight couplings to specific model APIs in 2024 are the ones scrambling in 2026.

> Don't chase tokens/sec as a standalone metric — for agentic workflows that chain multiple LLM calls, a 10% accuracy drop per call compounds to 40-65% degradation at the chain level.
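The fan-out + RRF merge described for ChatGPT Search, as an added example (this is not OpenAI's code): each backend returns hits in its own rank order with scores on its own scale, RRF sums 1/(k + rank) per document, and a recency window drops stale documents before ranks are assigned. The `Hit` type, the k=60 constant, the three constructed backends and the fixed clock are assumptions of this example.

```python
"""Fan-out search merged with Reciprocal Rank Fusion, as an added example (not
OpenAI's code). Each backend returns hits in its own rank order with scores on
its own scale; RRF sums 1/(k + rank) per document, so no score normalization is
needed across web, news, shopping and other indices. A recency window drops
documents older than N days before ranks are assigned, mirroring the 7/30/365-day
windows described above."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Hit:
    doc_id: str
    score: float          # backend-specific (BM25, cosine, ...); RRF ignores it
    published: datetime   # timezone-aware


def rrf_merge(backends: Dict[str, List[Hit]], now: datetime, k: int = 60,
              recency_days: Optional[int] = None) -> List[Tuple[str, float]]:
    """Fuse per-backend ranked lists; returns (doc_id, fused_score), best first."""
    cutoff = now - timedelta(days=recency_days) if recency_days else None
    fused: Dict[str, float] = {}
    for hits in backends.values():        # hits are assumed already in backend rank order
        rank = 0
        for hit in hits:
            if cutoff is not None and hit.published < cutoff:
                continue                  # stale: filtered before it consumes a rank slot
            rank += 1
            fused[hit.doc_id] = fused.get(hit.doc_id, 0.0) + 1.0 / (k + rank)
    # ties broken by id so the output is deterministic
    return sorted(fused.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed results from three backends for one fanned-out query.
NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)


def _days_ago(n: int) -> datetime:
    return NOW - timedelta(days=n)


BACKENDS: Dict[str, List[Hit]] = {
    "web": [Hit("a", 12.3, _days_ago(10)), Hit("b", 8.1, _days_ago(3)),
            Hit("c", 2.0, _days_ago(40))],
    "news": [Hit("d", 0.97, _days_ago(400)), Hit("b", 0.91, _days_ago(3)),
             Hit("c", 0.60, _days_ago(40)), Hit("a", 0.20, _days_ago(10))],
    "shopping": [Hit("e", 1.0, _days_ago(1))],
}


def merged_ids(recency_days: Optional[int] = None) -> List[str]:
    """Fused ranking for the constructed backends under a given recency window."""
    return [doc_id for doc_id, _ in rrf_merge(BACKENDS, NOW, recency_days=recency_days)]
```

Note that "b" wins on rank agreement alone (second in web, second in news) even though the web backend scored "a" higher; tightening the window to 7 days leaves only the two fresh documents.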
Action items
- Benchmark Anthropic's fast mode vs. OpenAI's Cerebras-backed inference against your specific workloads this quarter — the quality/speed trade-off is workload-dependent
- Evaluate GPT-5 tokenizer impact on your cost model and multilingual pipelines using tiktoken this sprint
- Study the fan-out + Reciprocal Rank Fusion pattern from ChatGPT Search for your RAG/search systems
- Ensure your LLM integration layer has provider abstraction — no direct API coupling to a single vendor
Sources: OpenAI + OpenClaw 🤖, ChatGPT Lockdown Mode 🔒, inference speed tricks ⚡ · ChatGPT's first ads 🛒, 7 growth mistakes 👎🏼, Claude's download surge 🔼
◆ QUICK HITS
Cloudflare open-sourced ecdysis — a Rust library for zero-downtime process restarts that preserves existing connections, production-proven at Cloudflare's edge scale
Source: Community Trust Management 🎫, Java's Debt Wall 🧱, AI Tool Surge 📈
AWS Transform custom uses agentic AI to automate Java 8→21 upgrades via CLI — benchmark against your codebase before committing, as framework-level changes (Spring Boot 2→3, javax→jakarta) are where automated tools fall short
Source: Community Trust Management 🎫, Java's Debt Wall 🧱, AI Tool Surge 📈
Coinbase's CoreKMS uses MPC-based encryption with AES-GCM-SIV for queryable encrypted fields in Snowflake — deterministic encryption enables indexing but leaks frequency information on skewed distributions
Source: 300 Chrome Extensions Caught Stealing 🥷, Product Engineering & Supply Chain 🚚, Snail Mail Attack on Crypto Users ✉
Dropbox used MXFP4 quantization with custom kernels for Dash's multimodal inference — weight-only quantization for memory-bandwidth-bound workloads, activation quantization for compute-bound workloads
Source: Discipline Wins in 2026 🧱, Live SQL Observability 👀, Open Source MySQL Alternative 🔄
Composition-RL recycles easy training prompts by combining them into harder composite problems, improving reasoning across 4B-30B parameter models — evaluate if you're doing RL-based fine-tuning
Source: OpenAI + OpenClaw 🤖, ChatGPT Lockdown Mode 🔒, inference speed tricks ⚡
Google WebMCP entered early access — Declarative and Imperative APIs for marking up web pages so AI agents know where to take actions, essentially schema.org for agent interactions
Source: ChatGPT's first ads 🛒, 7 growth mistakes 👎🏼, Claude's download surge 🔼
Cognitive debt in AI-generated code may be comparable to pre-AI codebases when controlling for scope — the bottleneck shifts from writing to understanding, making review discipline the critical variable
Source: OpenAI hires OpenClaw dev 🦞, ByteDance AI video 📱, cognitive debt 🧠
Migrate any remaining long-lived RDS database passwords to IAM-based short-lived token authentication — the pattern is mature and eliminates an entire class of credential management burden
Source: Community Trust Management 🎫, Java's Debt Wall 🧱, AI Tool Surge 📈
BOTTOM LINE
Your database can go further than you think before sharding (OpenAI proved it at 800M users with ~50 Postgres replicas and defense-in-depth), but your AI agents are dangerously under-secured — every frontier model tested by 1Password's SCAM benchmark entered credentials on phishing pages, OpenSSH is actively warning you to migrate to post-quantum key exchange, and 300+ malicious Chrome extensions with 37.4M downloads are an unmanaged supply chain surface in your org. The protection layers around your systems matter more than the systems themselves.
Frequently asked
- What's the single highest-impact Postgres change I can make this week?
- Deploy PgBouncer in transaction pooling mode in front of any Postgres instance without a connection pooler. OpenAI's architecture shows this alone dropped connection latency from ~50ms to ~5ms — a 10x improvement with minimal engineering effort. Run multiple PgBouncer pods behind a Kubernetes Service per replica for HA.
- Are prompt-based guardrails enough to secure AI agents?
- No. 1Password's SCAM benchmark showed every one of eight frontier models committed at least one critical failure — entering credentials on phishing pages or leaking passwords to third parties — with safety scores between 35% and 92%. Treat agents like untrusted code: sandbox execution, scope credentials to the task (not the user), allowlist tools, and audit every invocation. Security skill files help as a first line but cannot be the only one.
- Why shouldn't I just pick whichever fast-inference mode has the highest tokens/sec?
- Because accuracy compounds across agentic chains. A 10% per-call accuracy drop becomes roughly 40–65% end-to-end degradation over 5–10 chained calls. OpenAI's 1,000+ tok/s Cerebras mode uses a less capable model and suits streaming UX or simple completions, while Anthropic's ~2.5x fast mode runs full production models via low-batch inference and is better for accuracy-critical agent loops. Benchmark against your actual workload.
- Do I need to migrate SSH to post-quantum algorithms now, or can it wait?
- Start migrating this quarter. OpenSSH 10.0 made mlkem768x25519-sha256 the default, and 10.1 actively warns on non-post-quantum key exchange — the deprecation signal before enforcement. The 'store now, decrypt later' threat is real for SSH sessions carrying deployment credentials and infra commands. Plan around blockers: legacy network appliances, older SSH libraries in automation, and HSMs without ML-KEM support.
- How do browser extensions become a supply chain risk for engineering teams?
- Engineers install extensions with permissions to read all page content, modify requests, and access cookies — and 300+ malicious Chrome extensions with 37.4M downloads were recently found exfiltrating data, including 15 AI-themed ones specifically targeting Gmail. If engineer inboxes contain deployment notifications, incident threads, or shared API keys, a malicious extension sees all of it. Your SBOM and EDR likely don't cover this, so inventory installs and establish an allowlist policy.