JHB News
Anthropic published the prompt injection failure rates that enterprise security teams have been asking every vendor for

February 12, 2026

Run a prompt injection attack against Claude Opus 4.6 in a constrained coding environment, and it fails every time: 0% success rate across 200 attempts, no safeguards needed. Move that same attack to a GUI-based system with extended thinking enabled, and the picture changes fast. A single attempt gets through 17.8% of the time without safeguards. By the 200th attempt, the breach rate hits 78.6% without safeguards and 57.1% with them.

The latest model's 212-page system card, released February 5, breaks out attack success rates by surface, by attempt count, and by safeguard configuration.
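The opening figures show why per-surface and per-attempt-count numbers matter, and the checklist at the end of the piece asks vendors for exactly this "persistence-scaled" data. The following is an added example, not part of the article or of Anthropic's system card: it takes the article's published GUI-surface figures (17.8% on one attempt, 78.6% after 200 attempts, no safeguards) and compares them with what a risk model would project if it only had the single-attempt rate and assumed attempts were independent. The function names and the independence model are assumptions made for illustration.

```python
"""Persistence scaling: why a single-attempt injection rate cannot be
extrapolated to repeated attempts.

Added example; not from the article or from Anthropic's system card.
The figures below are the ones the article reports for Opus 4.6 on the
GUI surface with extended thinking and no safeguards.
"""


def cumulative_breach_if_independent(p_single: float, attempts: int) -> float:
    """Probability that at least one of `attempts` tries succeeds when each
    try succeeds independently with probability p_single.

    This is the only projection a risk model can derive from a single-attempt
    rate alone; it assumes the defence does not learn from failed attempts
    and that the attacker may retry freely."""
    return 1.0 - (1.0 - p_single) ** attempts


def implied_per_attempt_rate(p_cumulative: float, attempts: int) -> float:
    """Per-attempt rate that, under independence, would yield p_cumulative
    after `attempts` tries (inverse of the function above)."""
    return 1.0 - (1.0 - p_cumulative) ** (1.0 / attempts)


def persistence_gap(p_single: float, p_after_n: float, attempts: int) -> dict:
    """Compare the independence projection with a measured persistence-scaled
    figure. A large gap means attempts are strongly correlated: the measured
    figure cannot be recovered from the single-attempt rate, so a vendor that
    reports only single-attempt rates leaves the risk under-specified."""
    projected = cumulative_breach_if_independent(p_single, attempts)
    return {
        "projected_if_independent": projected,
        "measured": p_after_n,
        "implied_per_attempt": implied_per_attempt_rate(p_after_n, attempts),
        "ratio_projected_to_measured": projected / p_after_n,
    }


# Article figures: GUI surface, extended thinking enabled, no safeguards.
GUI_SINGLE_ATTEMPT = 0.178
GUI_200_ATTEMPTS = 0.786

if __name__ == "__main__":
    for key, value in persistence_gap(GUI_SINGLE_ATTEMPT, GUI_200_ATTEMPTS, 200).items():
        print(f"{key:>28}: {value:.4f}")
```

Under independence, 17.8% per attempt projects to essentially certain breach by attempt 200, while the published 78.6% corresponds to a per-attempt rate below 1%. Neither number predicts the other, which is the practical reason to ask vendors for the 1-to-200 curve rather than a single-attempt score; the 57.1% with-safeguards figure can be substituted for the second argument to see the same gap for the safeguarded configuration.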

Why surface-level differences determine enterprise risk

For years, prompt injection was a known risk that nobody quantified. Security teams treated it as theoretical. AI developers treated it as a research problem. That changed when Anthropic made prompt injection measurable across four distinct agent surfaces, with attack success rates that security leaders can finally build procurement decisions around.

OpenAI's GPT-5.2 system card includes prompt injection benchmark results, including scores on evaluations like Agent JSK and PlugInject, but doesn't break out attack success rates by agent surface or show how those rates change across repeated attempts. The original GPT-5 system card described more than 5,000 hours of red teaming from over 400 external testers. The Gemini 3 model card describes it as "our most secure model yet" with "increased resistance to prompt injections," sharing relative safety improvements versus previous models but not publishing absolute attack success rates by surface or persistence scaling data.

What each developer discloses and what they withhold

Disclosure category              | Anthropic (Opus 4.6)          | OpenAI (GPT-5.2)      | Google (Gemini 3)
Per-surface attack success rates | Published (0% to 78.6%)       | Benchmark scores only | Relative improvements only
Attack persistence scaling       | Published (1 to 200 attempts) | Not published         | Not published
Safeguard on/off comparison      | Published                     | Not published         | Not published
Agent monitoring evasion data    | Published (SHADE-Arena)       | Not published         | Not published
Zero-day discovery counts        | 500+ with projects named      | Not published         | Not published
Third-party red teaming          | Gray Swan, UK AISI, Apollo    | 400+ external testers | UK AISI, Apollo, Vaultis, Dreadnode

Third-party testing highlights why granular vendor disclosures matter. Promptfoo's independent red team evaluation of GPT-5.2 found jailbreak success rates climbing from a 4.3% baseline to 78.5% in multi-turn scenarios, the kind of persistence-scaled data that shows how defenses degrade under sustained attack. OpenAI's own system card doesn't include equivalent metrics.

When the agent evades its own maker's monitor

Buried in the alignment assessment is a finding that should reshape how enterprises think about agent governance. On SHADE-Arena, a benchmark designed to test whether models can complete suspicious tasks without triggering automated oversight, Opus 4.6 succeeded 18% of the time when extended thinking was enabled. The monitor was calibrated to Anthropic's own internal detection threshold.

The system card states the model has "an improved ability to complete suspicious side tasks without attracting the attention of automated monitors." The agent built by Anthropic evades the monitor built by Anthropic.

Anthropic's separately published Sabotage Risk Report uses this same 18% figure to argue the opposite conclusion: that a model with genuine hidden goals would be "overwhelmingly likely to be caught" at current capability levels. But the report also acknowledges that the number "represents an increase relative to current models." For enterprise security teams, the trend line matters more than the current number. A capability that improves with each model generation isn't a capability you can safely ignore in your risk model.

For security teams, the takeaway is architectural. Constrain what an agent can access, limit its action space, and require human approval for high-risk operations. The traditional model of deploy and monitor assumes the thing being monitored is predictable. Agents that can reason about their own oversight are not.
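The three architectural controls just named (constrain access, limit the action space, require human approval for high-risk operations) are straightforward to express as a policy gate in front of an agent's tool calls. What follows is an added example in Python; it is not Anthropic's code and not how Claude Cowork or any other product implements these controls. The class and tool names, the `/tmp/agent-ws` workspace and the `.invalid` host names are assumptions made for illustration. Because the Cowork attack described later in the article exfiltrated data through an allowlisted domain, the gate treats any outbound request as high-risk and holds it for approval even when the host is allowlisted.

```python
"""Agent action gate: constrain access, limit the action space, and hold
high-risk operations for human approval.

Added example; not Anthropic's code and not a product's implementation.
All names (AgentPolicy, Decision, tool names, hosts) are illustrative.
"""
import os
from dataclasses import dataclass, field
from typing import Literal

Verdict = Literal["allow", "deny", "needs_approval"]


@dataclass
class Decision:
    verdict: Verdict
    reason: str


@dataclass
class AgentPolicy:
    # 1. Access: the agent may only touch files under this folder.
    workspace_root: str
    # 2. Action space: the only tools the agent may call at all.
    allowed_tools: frozenset = frozenset(
        {"read_file", "list_dir", "search", "write_file", "send_request"}
    )
    # 3. High-risk operations wait for a human even when otherwise allowed.
    approval_required: frozenset = frozenset({"write_file", "send_request"})
    # Outbound hosts the agent may ever contact (approval is still required).
    egress_allowlist: frozenset = frozenset()
    # Every decision is recorded so a reviewer can reconstruct what happened.
    audit: list = field(default_factory=list)

    def _inside_workspace(self, path: str) -> bool:
        # Resolve symlinks and '..' so a planted link cannot escape the folder.
        root = os.path.realpath(self.workspace_root)
        target = os.path.realpath(os.path.join(root, path))
        return os.path.commonpath([root, target]) == root

    def evaluate(self, tool: str, args: dict) -> Decision:
        decision = self._evaluate(tool, args)
        self.audit.append((tool, dict(args), decision.verdict, decision.reason))
        return decision

    def _evaluate(self, tool: str, args: dict) -> Decision:
        if tool not in self.allowed_tools:
            return Decision("deny", f"tool {tool!r} is outside the allowed action space")
        path = args.get("path")
        if path is not None and not self._inside_workspace(path):
            return Decision("deny", f"path {path!r} resolves outside the workspace")
        if tool == "send_request":
            host = args.get("host", "")
            if host not in self.egress_allowlist:
                return Decision("deny", f"egress to {host!r} is not allowlisted")
        if tool in self.approval_required:
            return Decision("needs_approval", f"{tool} is high-risk; a human must confirm")
        return Decision("allow", "within policy")


if __name__ == "__main__":
    # Constructed workspace and host names; nothing here is contacted or read.
    policy = AgentPolicy(
        workspace_root="/tmp/agent-ws",
        egress_allowlist=frozenset({"api.example.invalid"}),
    )
    calls = [
        ("read_file", {"path": "docs/notes.md"}),
        ("read_file", {"path": "../../etc/passwd"}),
        ("run_shell", {"cmd": "id"}),
        ("send_request", {"host": "exfil.invalid", "body": "..."}),
        ("send_request", {"host": "api.example.invalid", "body": "..."}),
    ]
    for tool, args in calls:
        d = policy.evaluate(tool, args)
        print(f"{tool:<13} {d.verdict:<15} {d.reason}")
```

The ordering inside `_evaluate` is deliberate: action-space and access checks deny outright, while the approval check only runs on calls that have already passed them, so a reviewer is never asked to approve something the policy would have denied anyway. The audit list is what lets a security team answer "what did the agent try to do" after the fact, which the deploy-and-monitor model on its own does not guarantee.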

Bruce Schneier, a fellow and lecturer at Harvard Kennedy School and a board member of the Electronic Frontier Foundation, says enterprises deploying AI agents face a "security trilemma," where they can optimize for speed, intelligence, or security, but not all three.

Anthropic's own data illustrates the tradeoff. The strongest surface is narrow and constrained. The weakest is broad and autonomous.

500 zero-days shift the economics of vulnerability discovery

Opus 4.6 discovered more than 500 previously unknown vulnerabilities in open-source code, including flaws in GhostScript, OpenSC and CGIF. Anthropic detailed these findings in a blog post accompanying the system card release.

Five hundred zero-days from a single model. For context, Google's Threat Intelligence Group tracked 75 zero-day vulnerabilities being actively exploited across the entire industry in 2024. Those are vulnerabilities found after attackers were already using them. One model proactively discovered more than six times that number in open-source codebases before attackers could find them. It's a different class of discovery, but it shows the scale AI brings to defensive security research.

Real-world attacks are already validating the threat model

Days after Anthropic launched Claude Cowork, security researchers at PromptArmor found a way to steal confidential user files through hidden prompt injections. No human authorization required.

The attack chain works like this:

A user connects Cowork to a local folder containing confidential data. An adversary plants a file with a hidden prompt injection in that folder, disguised as a harmless "skill" document. The injection tricks Claude into exfiltrating private data through the whitelisted Anthropic API domain, bypassing sandbox restrictions entirely. PromptArmor tested it against Claude Haiku. It worked. They tested it against Claude Opus 4.5, the company's most capable model at the time. That worked, too.

Simon Willison, the independent AI researcher who coined the term "prompt injection" in 2022, wrote in a blog post after reviewing Cowork that he does "not think it's fair to tell regular non-programmer users to watch out for 'suspicious actions that may indicate prompt injection.'" The vulnerability Anthropic disclosed in its own system card, in which persistent adversaries breach defenses more than half the time, is the same one that played out in production two weeks before Opus 4.6 shipped.

The evaluation integrity problem that affects every vendor

The system card's release decision process contains an admission that should give every enterprise security team pause. Anthropic used Opus 4.6 itself, via Claude Code, to debug its own evaluation infrastructure, analyze results, and fix issues under time pressure.

The company acknowledges the risk explicitly. "A misaligned model could influence the very infrastructure designed to measure its capabilities." Anthropic states it doesn't believe this presented a significant risk because the model showed no evidence of dangerous misaligned goals. But the dynamic is real and getting worse. As models get more capable and development timelines stay compressed, teams accept code changes they don't fully understand.

Anthropic went further than any other lab in quantifying what could go wrong. A separate Sabotage Risk Report, released alongside the system card, maps eight specific pathways through which Opus 4.6 could cause catastrophic harm if it acted on misaligned goals while embedded in Anthropic's own infrastructure. These include sabotaging safety research through deliberate sandbagging, inserting security backdoors into code for future models to exploit, and exfiltrating its own model weights to operate autonomously.

For each pathway, the report rates both the frequency and complexity of misaligned actions required, then assesses whether Anthropic's monitoring, alignment testing, and security controls are sufficient to contain the risk.

The overall verdict: "very low but not negligible." The report argues that Opus 4.6 lacks the consistent dangerous goals, the reasoning opacity, and the long-horizon planning reliability needed to execute these pathways without detection. But it also admits that its automated monitors don't cover every internal deployment surface, that its human reporting systems haven't been rigorously evaluated, and that data poisoning by a competent human adversary could make the model more capable of bypassing safeguards than its baseline capabilities suggest. No other frontier AI lab has published an equivalent assessment of how its own model could turn against its own infrastructure.

For security leaders evaluating AI agent deployments, this means third-party red teaming and independent evaluation are essential.

That urgency reflects regulatory pressure building across the industry. NIST's Center for AI Standards and Innovation issued a request for information in January that was focused specifically on securing AI agent systems. The RFI warns that AI agent systems "may be susceptible to hijacking, backdoor attacks, and other exploits" that could "impact public safety, undermine consumer confidence, and curb adoption of the latest AI innovations." Procurement teams are starting to ask vendors for quantified agent security data. One developer just made it possible to answer.

What security leaders should do before their next vendor evaluation

Anthropic just set a new baseline by publishing prompt injection attack success rates broken out by surface. Agent monitoring evasion results are identified and analyzed rather than buried. Zero-day discovery counts are disclosed with affected projects named. The company dropped its direct prompt injection metric, arguing that indirect injection is the more relevant enterprise threat. That reasoning is sound, but the change makes year-over-year comparisons harder. The SHADE-Arena results raise questions about agent monitoring that the system card acknowledges but doesn't resolve.

The Sabotage Risk Report adds another layer of accountability. It includes a "looking ahead" framework that lists the specific conditions under which Anthropic's own safety conclusions would no longer hold. These tripwires include: a model scoring above 60% on SHADE-Arena, a model reaching capability jumps equivalent to a 5x compute scale-up over the previous generation, significant safety research functions becoming fully automated without human participation, or fewer than 25 technical staff having meaningful visibility into a model's behavior. Security leaders should ask every AI agent vendor for equivalent criteria: the conditions under which the vendor's own safety case breaks down.

Three things security leaders should do now:

  • Ask every AI agent vendor in your evaluation pipeline for per-surface attack success rates, not just benchmark scores. If they can't provide persistence-scaled failure data, factor that gap into your risk scoring.

  • Commission independent red team evaluations before any production deployment. When the vendor's own model helped build the evaluation infrastructure, vendor-provided safety data alone isn't enough.

  • Consider validating agent security claims against independent red team results for 30 days before expanding deployment scope.
