~4 min
The day AI vendors traded safety for shipping velocity
Anthropic put Claude on your desktop with an acknowledged prompt injection problem. OpenAI's CEO walked away from safety oversight to ship Spud. The governance bill comes due now, not later.
Anthropic shipped Claude Computer Use to macOS Pro and Max subscribers this week. It controls your screen, moves your cursor, navigates Slack and Google Workspace, and accepts remote task delegation from a phone via Dispatch. In the same release notes, Anthropic warned that prompt injection can hijack the whole thing and advised users not to let Claude touch sensitive data during the research preview.
That is the entire story of March 30, 2026, compressed into one product launch.
The same week, Sam Altman publicly stepped back from direct safety oversight at OpenAI to focus on infrastructure and the imminent launch of a frontier model codenamed Spud. OpenAI killed Sora six months after its viral debut, walked away from a $1B Disney partnership signed three months earlier, and began consolidating ChatGPT, Codex, and Atlas into a single desktop superapp — all to free GPUs for Spud. Meanwhile ByteDance's DeerFlow 2.0, an open-source agent framework with sandboxed bash terminals, persistent cross-session memory, and autonomous sub-agent spawning, hit #1 on GitHub Trending. And Microsoft's data says 62% of UK businesses are already running AI agents while 84% of security leaders are losing sleep over shadow agents they can't see.
The pattern is not subtle. Capability is shipping. Governance is not.
The revenue gravity is real, and it explains the recklessness
Anthropic's reported ARR went from $1B in January 2025 to $20B by March 2026. The steepest part of that curve — 1.5x to 2x monthly growth — landed after Opus 4.6 enabled real agentic tool use, not after any benchmark improvement. Ramp's transactional data on its customer base shows top-quartile AI spenders have doubled revenue since 2023 while bottom-quartile spenders flatlined. METR's tracking of agent autonomous task duration doubled from 50 minutes to 5 hours in under a year, and the doubling rate itself compressed from every 7 months to every 4.
This is why Altman is willing to torch a $1B Disney deal and step away from safety oversight. The market is no longer paying for model intelligence. It is paying for autonomous execution, and the company that ships the next capability tier first captures a category. If you read those numbers as a board, you cut anything — product lines, partnerships, oversight functions — that doesn't directly accelerate the next inflection.
That's the read from the cap table. From a security desk it looks different.
What actually shipped is remote code execution wearing a UX
Claude Computer Use first tries native API connectors, then falls back to raw UI automation: clicking, typing, reading the screen. A malicious instruction embedded in any document, email, webpage, or Slack message Claude processes can redirect the agent to exfiltrate data, send messages, or modify files — under the user's legitimate identity, through a legitimate session, with no anomalous network signature your EDR was tuned to catch.
Dispatch is worse. A user texts a task from their phone and Claude executes it on their desktop. That is a remote command channel into your workstation fleet that bypasses your VPN, your MDM, and your conditional access policies, and rides on a product your CISO probably hasn't approved yet because the launch was this week. A compromised phone now equals hands-on-keyboard on the corresponding desktop.
DeerFlow 2.0's sandboxed bash terminal with persistent memory across sessions is a different class of problem — a developer-adopted agent that can poison its own memory and spawn sub-agents autonomously. Standard dependency scanning misses the agent-specific risks entirely.
Map these to MITRE: T1059 via UI automation, T1071 via Slack and Workspace, T1041 via Dispatch, T1204 wrapped in a Pro subscription. The detection gap is not theoretical. It exists in nearly every endpoint stack shipping today.
Pinterest published the only adult answer in the room
Pinterest's production MCP platform is the first credible enterprise reference architecture for agent governance: registry-based approval for any tool an agent can invoke, layered authentication that separates user JWTs from service identities, centralized discovery wired into the IDE and chat surfaces engineers already use, and full audit logging. The dual-identity model is the load-bearing piece. Without separating what the user is authorized to do from what the agent is authorized to do on their behalf, you cannot tell legitimate work from autonomous lateral movement after the fact.
Alibaba's FinMCP-Bench (613 samples) confirmed the failure mode you should design for: leading models handle single-tool calls reasonably well and degrade significantly on multi-tool dependency chains. Your single-tool accuracy metric is a vanity number for any agentic system that matters.
What to do this week
Not next quarter. This week.
Inventory Claude Pro and Max subscriptions across your macOS fleet today. Issue written guidance restricting Computer Use from accessing corporate apps until prompt injection mitigations are validated against your data. Anthropic's own warning is your justification — you don't need to write the threat model from scratch.
Then do the harder thing: build a registry. Every agent your developers, sales ops, or marketing team has wired into a tool is registered there, every approval gates through it, and every invocation logs to it. If you can't list every agent operating against your systems by name, owner, scope, and kill switch by Friday, you are running shadow IT with agency. The Microsoft 84% number is your peers admitting they're already in this hole.
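To make the registry and the dual-identity model concrete, here is an added example in Python. It is my own illustration, not Pinterest's platform code and not anything Anthropic ships; it covers both the architecture described in the Pinterest section (registry-based approval, user identity separated from agent identity, audit logging) and the registry step above (name, owner, scope, kill switch). Tool names, scopes and identities are constructed, and the user's JWT and the agent's service identity are assumed to have been verified upstream, so the gateway only consumes their granted scopes.

```python
# Added example (not Pinterest's or Anthropic's code): a minimal tool-invocation
# gateway that enforces a registry of approved tools with an owner and a kill
# switch, a dual-identity check (scopes from the user's verified JWT claims vs.
# scopes granted to the agent's service identity), and an append-only audit
# record for every attempt. Names, scopes and identities are constructed.
import json
import time
from dataclasses import dataclass


@dataclass
class ToolEntry:
    """One row of the agent tool registry."""
    name: str
    owner: str               # accountable human or team
    user_scope: str          # what the human must be authorized to do
    agent_scope: str         # what the agent may do on the human's behalf
    approved: bool = False   # set by the registry approval workflow
    enabled: bool = True     # kill switch; False blocks every call


class Registry:
    def __init__(self):
        self._tools = {}

    def register(self, entry):
        self._tools[entry.name] = entry

    def approve(self, name):
        self._tools[name].approved = True

    def kill(self, name):
        """Kill switch: disable a tool without deleting its record."""
        self._tools[name].enabled = False

    def get(self, name):
        return self._tools.get(name)

    def inventory(self):
        """Name, owner, agent scope and kill-switch state for every tool."""
        return [(t.name, t.owner, t.agent_scope, t.enabled) for t in self._tools.values()]


@dataclass(frozen=True)
class Identity:
    """A principal and its granted scopes. For a user these come from verified
    JWT claims, for an agent from its service identity (assumed verified upstream)."""
    subject: str
    scopes: frozenset


class Gateway:
    """Every tool invocation passes through here; nothing else reaches a tool."""
    def __init__(self, registry):
        self.registry = registry
        self.audit = []   # append-only in memory; ship to a SIEM in practice

    def invoke(self, user, agent, tool_name, args):
        entry = self.registry.get(tool_name)
        if entry is None:
            reason = "unregistered tool"
        elif not entry.approved:
            reason = "tool not approved"
        elif not entry.enabled:
            reason = "tool disabled by kill switch"
        elif entry.user_scope not in user.scopes:
            reason = "user lacks scope " + entry.user_scope
        elif entry.agent_scope not in agent.scopes:
            reason = "agent lacks scope " + entry.agent_scope
        else:
            reason = "allowed"
        allowed = reason == "allowed"
        # Both identities are recorded so a later review can separate the
        # user's own work from actions the agent took on their behalf.
        self.audit.append({
            "ts": time.time(), "user": user.subject, "agent": agent.subject,
            "tool": tool_name, "args": args, "allowed": allowed, "reason": reason,
        })
        return allowed, reason

    def audit_jsonl(self):
        return "\n".join(json.dumps(r, sort_keys=True) for r in self.audit)


def demo():
    """Constructed walkthrough; returns the list of (allowed, reason) decisions."""
    reg = Registry()
    reg.register(ToolEntry("slack.post_message", "it-collab", "slack:write", "agent:slack:write"))
    reg.register(ToolEntry("drive.export", "it-data", "drive:read", "agent:drive:export"))
    reg.approve("slack.post_message")
    reg.approve("drive.export")
    gw = Gateway(reg)
    alice = Identity("alice@example.com", frozenset({"slack:write", "drive:read"}))
    # The agent is deliberately not granted Drive export even though Alice may read Drive.
    agent = Identity("svc-desktop-agent", frozenset({"agent:slack:write"}))
    results = [
        gw.invoke(alice, agent, "slack.post_message", {"channel": "#eng", "text": "standup at 10"}),
        gw.invoke(alice, agent, "drive.export", {"folder": "Finance"}),   # agent scope missing
        gw.invoke(alice, agent, "mail.send", {"to": "x@example.com"}),   # never registered
    ]
    reg.kill("slack.post_message")                                       # incident response
    results.append(gw.invoke(alice, agent, "slack.post_message", {"channel": "#eng", "text": "hi"}))
    return results
```

The second call in `demo()` is the load-bearing case: the user is allowed to read Finance, but the agent acting for her is not allowed to export it, and the gateway denies and logs it. Without the separate agent scope that invocation would look identical to the user's own legitimate work in every log you keep.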
The trust-design question that product teams are obsessing over — HubSpot's 50% manual-review rate, Google's configurable thinking levels — is downstream of this. You can't build progressive trust UX on top of an attack surface you haven't enumerated. Get the inventory and the registry first. Tune the dial second.
The agent autonomy curve is doubling every four months. Your governance debt compounds at the same rate.
◆ Behind the synthesis
Six specialist takes that fed this piece.
The piece above is one stream in my voice. Below are the six lenses my pipeline produced upstream — each tuned for a different reader. Use them when you want the angle that matters most to your role.
- Pinterest published the first credible enterprise MCP platform architecture — registry-based approval, layered authn/authz (user JWT + service identity), and centralized discovery wired into IDE and chat — while Alibaba's FinMCP-Bench simultaneously proves that leading LLMs degrade significantly on multi-tool dependency chains even when they ace single-tool tasks.
  The agent infrastructure stack just got its first real blueprint: Pinterest's production MCP platform proves that registry governance, layered auth, and centralized discovery are t…
  16 sources · 8 min
- Anthropic shipped Claude Computer Use this week — an AI agent that physically controls macOS desktops, navigates Slack and Google Workspace, and accepts remote task delegation from phones via Dispatch — then explicitly warned that prompt injection can hijack all of it.
  AI agents crossed from 'access your data' to 'control your desktop' this week — Anthropic shipped Claude Computer Use with acknowledged prompt injection risk while OpenAI's CEO wal…
  16 sources · 7 min
- BlueSky's two-tower recommendation model failed to converge with limited interaction data — their public postmortem reveals PinnerSage multi-interest vectors as the pragmatic rescue pattern, while Migas 1.5's frozen-backbone + LLM-correction architecture independently cut forecasting MAE up to 14.2% across 86 datasets.
  Decomposed architectures dominated today's technical signals — BlueSky's two-tower recsys failed with limited data and PinnerSage multi-interest vectors saved it, Migas 1.5's froze…
  17 sources · 8 min
- Half of HubSpot's AI agent users manually review every output before sending — while Ramp data shows top-quartile AI spenders have doubled revenue since 2023 and laggards flatlined.
  Trust design — not model capability — is now the rate-limiting step for AI product revenue: HubSpot data shows 50% of users won't let AI agents act autonomously, while Ramp data pr…
  17 sources · 8 min
- Ramp data confirms top-quartile AI spenders have doubled revenue since 2023 while bottom-quartile flatlined — and METR benchmarks show AI agent autonomy is now doubling every 4 months, not 7.
  The AI adoption gap just got a price tag: Ramp data shows companies in the top quartile of AI spending have doubled revenue since 2023 while laggards flatlined, and METR's data sho…
  17 sources · 8 min
- Anthropic's reported trajectory from $1B to $20B ARR in 14 months — with the steepest acceleration triggered by Opus 4.6's agentic tool use, not model quality improvements — is the strongest revenue signal in enterprise software history and proves that autonomous execution, not chatbot intelligence, is where enterprises pay.
  Anthropic's reported $1B-to-$20B ARR trajectory in 14 months — driven by agentic execution, not model intelligence — combined with Ramp data showing a 2x revenue divergence between…
  16 sources · 7 min