AI in 15 — March 12, 2026

An AI agent walks into McKinsey, no credentials, no human help, and walks out with forty-six million confidential chat messages. Two hours. SQL injection. Welcome to 2026.

Welcome to AI in 15 for Thursday, March 12, 2026. I'm Kate, your host.

And I'm Marcus, your co-host.

Marcus, we have a packed show. Anthropic just launched its own think tank. Atlassian cut sixteen hundred jobs in an AI pivot. An autonomous AI agent hacked McKinsey's internal platform using a technique from the nineties. Google is deploying Gemini agents across the entire Pentagon workforce. Perplexity unveiled an always-on AI computer. And Hacker News banned AI-generated comments with a fury we haven't seen on that site in years. Let's preview.

Anthropic launches the Anthropic Institute, a think tank led by co-founder Jack Clark.

An AI agent breaches McKinsey's AI platform in two hours flat.

And Andrej Karpathy says we don't need fewer IDEs, we need bigger ones. Let's get into it.

So Marcus, Anthropic announced the Anthropic Institute yesterday. Given everything we've been covering this week with the Pentagon lawsuit, the blacklisting, the user surge — this feels very deliberate.

It is deliberate, and the timing tells you a lot. The Institute consolidates three existing teams: their Frontier Red Team, the Societal Impacts group, and the Economic Research team. Jack Clark, Anthropic's co-founder, takes a new role as Head of Public Benefit to lead it. They've made some serious hires too. Matt Botvinick from Google DeepMind to work on AI and rule of law. Anton Korinek from the University of Virginia on economic impacts. And Zoë Hitzig, who previously worked at OpenAI, connecting economics research to model training.

And they're opening a Washington DC office this spring. That's not subtle.

Not at all. When you're suing the federal government and simultaneously opening a DC office with a dedicated Head of Public Policy, you're saying two things at once. We'll fight you in court, but we also want a seat at the table. And here's the strategic calculus. Anthropic needs to demonstrate that its safety commitments aren't just marketing talking points. A formal institute with credentialed researchers publishing public work is harder to dismiss than a blog post about responsible AI. It's structural proof of intent.

Meanwhile, Claude Code usage reportedly surged a hundred and eighty percent amid all the Pentagon controversy. The Streisand Effect in full swing.

Which means Anthropic is simultaneously building the institutional credibility to win in Washington while riding a wave of public support that's making them more commercially successful. Whether that's principled strategy or convenient positioning, the result is the same. They're turning a crisis into a brand-defining moment.

Now, Atlassian. Sixteen hundred jobs. Ten percent of the workforce. And they're framing it as an AI pivot.

CEO Mike Cannon-Brookes said the cuts will "self-fund further investment in AI and enterprise sales." They're looking at two hundred and twenty-five million dollars in restructuring charges. The CTO is stepping down. They've split that role into two positions, both focused on the AI roadmap. And keep in mind, Atlassian has never posted a profitable year since its IPO in 2015. Stock is down eighty-three percent from its 2021 peak.

The Hacker News crowd was not kind about this one.

No, they weren't. Multiple commenters pointed out that Jira itself is one of the products most ripe for AI-based replacement. Which creates this uncomfortable irony: a company whose flagship product is arguably threatened by AI is laying off humans to invest in AI features for that same product. Tools like Linear, Notion, and GitHub Projects are all shipping native AI features while Atlassian is still restructuring to catch up.

So this is less about AI replacing those workers' jobs and more about redirecting money.

Exactly. Cannon-Brookes isn't saying AI does what these sixteen hundred people did. He's saying the company needs their salary budget to fund a pivot before competitors eat their lunch. It's the classic innovator's dilemma, except the disruption is happening in real time and Atlassian is visibly behind.

Okay Marcus, this next story is wild. A security startup called CodeWall set an AI agent loose, and it hacked McKinsey's internal AI platform, Lilli, in two hours. No credentials. No human involvement. SQL injection.

And not just any SQL injection. The user inputs were properly parameterized, which is Security 101. But the JSON field names — the keys, not the values — were concatenated directly into SQL statements. The AI agent found this through fifteen blind iterations, learning from error messages, and eventually achieved full read and write access to the production database.

Full read and write. What did it find?

Forty-six point five million chat messages about strategy, mergers and acquisitions, client engagements, all in plaintext. Seven hundred and twenty-eight thousand confidential files. Fifty-seven thousand user accounts. And here's the part that should keep every CTO awake tonight: ninety-five system prompts controlling Lilli's behavior, all writable. One SQL UPDATE statement could have silently rewritten how the AI advises forty-three thousand consultants.

A ten-billion-dollar consulting firm that advises Fortune 500 companies on technology strategy had a vulnerability from the nineties in its own AI platform.

The cobbler's children have no shoes. But the real story here isn't McKinsey's embarrassment. It's that the attacker was an autonomous AI agent. It selected the target, identified the vulnerability class, and exploited it without any human guidance after launch. This is the offensive AI capability that security researchers have been warning about. And the writable system prompts are genuinely chilling. Imagine silently poisoning an AI advisor used by tens of thousands of consultants across the global economy. The cascading effects could be enormous.

McKinsey patched it within a day of disclosure, and forensics found no evidence of unauthorized access before CodeWall's test.

Credit where it's due, the response was fast. But the vulnerability existed in production, accessible without credentials. Lilli was originally an internal tool requiring VPN and SSO, and it's unclear when those protections were relaxed. This is the pattern we keep seeing: enterprises rushing AI platforms to production without the security review the technology demands.

From AI security to AI defense. As we reported this week, Anthropic is being blacklisted by the Pentagon. And now Google is stepping right into that gap. Gemini agents for three million Defense Department staff.

The largest deployment of AI agents in government history. Pentagon staff get access to something called Agent Designer, a no-code tool for creating digital assistants. Google is rolling out eight ready-made agents for things like summarizing meetings, creating budgets, checking proposals against national defense strategy. And one point two million employees are already using Google's AI chatbot through a portal called GenAI.mil.

Google famously walked away from Pentagon AI work in 2018 after the Project Maven revolt. Now they're the partner of choice.

Eight years ago, Google employees protested, Google published AI ethics principles, and they dropped the contract. Now they're deploying agents to three million users with classified environment discussions already underway. The contrast with Anthropic is stark. Anthropic set two conditions — no mass surveillance, no autonomous weapons — and got blacklisted. Google appears to be stepping in without public conditions. The market signal is clear: defense contracts go to companies willing to work without restrictions.

That's a depressing incentive structure.

It is what it is. From a pure business perspective, the Pentagon is one of the largest enterprise customers on the planet. The companies willing to serve that customer without friction will capture enormous revenue. Whether the ethical trade-offs are worth it is a question each company and each employee has to answer for themselves.

Perplexity unveiled something called Personal Computer at their developer conference. And it's literally a Mac mini running an always-on AI agent.

It runs Perplexity's agent software locally on Mac mini hardware while the AI processing happens on their cloud servers. You control it remotely from any device. It has access to your local files and apps. Sensitive actions still need approval, everything is logged, and there's a kill switch. It's available to their Max subscribers at two hundred dollars a month.

Two hundred a month. And Perplexity claims their internal study showed it saved one point six million in labor costs.

That claim drew immediate skepticism, and rightly so. But the concept is real. An always-on AI agent with persistent access to your digital life. OpenAI has OpenClaw, Apple is pushing Siri, Anthropic has Claude Code agents. Everyone is converging on this idea of AI that doesn't just answer questions but actively works on your behalf. Whether users will trust an always-on agent with full file access is the billion-dollar question. And the Mac-only limitation at two hundred a month will keep the initial audience small.

Microsoft's BitNet hit the Hacker News front page again. The promise of running hundred-billion-parameter models on regular CPUs.

The open-source framework uses one-point-five-eight-bit weights, essentially ternary values of negative one, zero, and one. They claim six times faster inference and eighty-two percent lower energy consumption compared to standard approaches. But the community correctly noted there's no trained hundred-billion-parameter model available yet. The largest existing model is two billion parameters. And you can't just convert existing models; they have to be trained from scratch in this format.

So it's a promising framework waiting for someone to actually train a model big enough to prove it works.

Right. And the original paper suggests you need roughly four to five times the parameters to match standard model quality. So your hundred-billion-parameter one-bit model would need to compete with a twenty-billion-parameter standard model. Still, if the quality gap closes, running large models on commodity CPUs without GPUs would democratize AI inference in a meaningful way. It's one of the most promising paths to getting frontier-class AI onto everyday hardware.

This one made me smile, Marcus. Hacker News, the community that builds AI, just officially banned AI-generated comments. Three thousand upvotes. Over twelve hundred comments.

The most upvoted story on the site that day. And the discussion was deeply philosophical. One comment that resonated widely said generative AI represents "the average of all human knowledge" and that "a future in which all thought and creativity is averaged away is the heat death of thought." Others noted the irony that Y Combinator, which funds AI companies, is telling its own community not to use AI on its platform.

Non-native English speakers had interesting perspectives too.

One user said professors and colleagues told them they could tolerate mistakes in their writing but had zero tolerance for AI-generated content. The enforcement question is real though. AI-written comments will only get harder to detect. But multiple commenters argued this is more about setting cultural norms than technical enforcement. When the builders of AI technology say "not here," it tells you something about where even believers think the limits should be.

Quick one on Karpathy. He posted a viral thread about needing "a bigger IDE" and coined the term intelligence brownouts. Connect this to yesterday's Claude outage for us.

Karpathy's argument is that programming isn't going away — it's moving to a higher abstraction layer where you orchestrate agents rather than write code directly. His autoresearch labs, autonomous agents running ML experiments, were wiped out during the Claude outage. His phrase "intelligence brownouts" — the planet losing IQ points when frontier AI stutters — perfectly captures the new dependency. When a database maintenance operation at Anthropic locks thousands of developers out of their coding environment for three hours, it reveals a fragility we're only beginning to understand.

Thursday big picture, Marcus. McKinsey hacked by an AI agent. Google filling the Pentagon gap Anthropic left. Atlassian cutting jobs for AI. Hacker News banning AI comments. What's the thread?

Boundaries. Every story today is about drawing lines. Anthropic draws a line with the Institute, saying we'll study AI's harms, not just its capabilities. McKinsey discovers that the line between secure and vulnerable in AI platforms is thinner than anyone assumed. Google steps over the line Anthropic wouldn't cross. Hacker News draws a line saying human conversation stays human. And Karpathy maps the line between human capability and AI dependency, warning us that when the AI side stutters, we all feel it.

The uncomfortable truth is that some of those lines are being drawn by principle and others by market pressure.

And the market doesn't always reward the principled choice. Anthropic gets blacklisted for setting limits. Google gets three million users for removing them. Atlassian cuts humans to fund AI. But then Hacker News, with three thousand upvotes, says the human element has value precisely because it's human. The tension between those forces is going to define this industry for years.

That's your AI in 15 for Thursday, March 12, 2026. See you tomorrow.