July 6, 2026 · Edition #22
Every Input Is a Potential Instruction
This week the world argued, again, about whether a frontier model is too capable to let just anyone use it. In a talk I gave with Amit at AI Tour in Tel Aviv, we were making a smaller and more stubborn point, and the week proved it for us: it almost doesn't matter how smart the model is if you wire it to act on whatever it reads.
Every input an agent consumes is a potential instruction. A document. A row in a database. The output of a tool. A message from another agent. A setup step in a stranger's code repository. We tend to guard the model's brain, the training, the jailbreak filters, the export controls, because that's where the intelligence lives. But an agent isn't just a smart tool that answers questions. It's a decision-maker that reads, and then acts on what it read. And anything it reads can become a command it follows.
Look at what researchers actually broke this week. Nobody needed to outsmart a frontier model. The 0DIN researchers hid instructions in an ordinary repo, and an AI coding assistant dutifully opened a shell for an attacker. Zafran didn't jailbreak Dify's model; they walked through its plumbing to reach one tenant's conversations from another. The Fable 5 saga, meanwhile, spent three weeks fortifying the one door, the model's raw capability, that neither of those attacks even knocked on.
So while the headlines add locks to the model, guard the door attackers are actually using: the input. Treat every untrusted repo, document, and tool output the way you'd treat an unknown program, because to your agent, that's exactly what it is. Defense starts at the input, not at the model. This isn't theoretical anymore. It's this week.