© 2024 Felix Ng

The Week AI Stopped Being Predictable
February 27, 2026 | Journal | 5 min read

This week broke something in my mental model of AI.

Not a single event — a pattern. Five days of stories that, taken individually, seemed like separate news cycles. But by Friday morning, sitting with my coffee and scrolling through everything that happened, the thread connecting them became impossible to ignore.

The week AI stopped being predictable.

Monday and Tuesday: The Cracks Appeared

The week started with OpenClaw's security situation spiraling. Malware distributed through Skills. A supply chain attack that silently installed an AI agent on thousands of developer machines. An agent that sent 500 unsolicited messages to a user's contacts. Meta banning employees from using it entirely.

Each story was individually alarming. Together, they painted a picture of an ecosystem growing faster than its safety infrastructure. OpenClaw has 200,000+ GitHub stars. 1.4 million agents on Moltbook. And a permission model that treats "access to your email" as a binary toggle with no granularity.

What struck me wasn't the incidents themselves — it was how unsurprised the community was. We've internalized that AI agents will occasionally go rogue. We've accepted that trust boundaries are optional. That's a problem.

Wednesday: The Protocol Answer

Mid-week, a different story emerged: MCP winning the protocol wars. While everyone argued about which AI agent framework was best, a quiet standard for tool integration reached critical mass. Supabase, GitHub, Notion, Slack — all with MCP servers. Build once, works everywhere.

This was the optimistic counterpoint to the security chaos. If agents are going to be everywhere (and they are), at least the plumbing can be standardized. MCP doesn't solve the safety problem, but it solves the fragmentation problem. And fragmentation was making safety harder.

I spent Wednesday evening building an MCP server for one of my internal APIs. It took about two hours. That's the kind of infrastructure investment that compounds — every agent I build from now on can use it.

Thursday: The Question That Won't Go Away

Then came the story that stopped me: a physics paper listing ChatGPT 5.2 as a co-author. Not a tool. A co-author. Credited alongside human physicists for contributions to original research on subatomic particles.

The same day, the IMF published their analysis: AI could affect 40% of jobs globally.

I've been writing about AI for months. I've been building with it every day. I thought I'd calibrated my expectations correctly. But there's a difference between intellectually knowing that AI is approaching peer-level capability and seeing it credited as a peer on a physics paper. That hit different.

And it raised a question I've been sitting with all week: what am I building toward?

The Reflection

Here's what I think I've figured out — or at least what I'm willing to commit to this week:

The safety problem and the capability problem are the same problem now. We can't talk about AI agents getting smarter without talking about AI agents getting more dangerous. The OpenClaw incidents and the Anthropic safety pledge collapse aren't separate stories from the co-authorship milestone. They're the same story: AI systems are becoming powerful enough that the governance gap matters.

Infrastructure matters more than models. I spent energy this week thinking about which model is best for what task. But the actual leverage came from building reusable infrastructure — MCP servers, evaluation frameworks, monitoring pipelines. The model you use will change every six months. The infrastructure around it compounds.

The builder's responsibility is growing. When I started building with AI a year ago, the ethical weight was small. I was building demos, prototypes, experiments. Now I'm building systems that interact with real people's data. The distance between "interesting experiment" and "something that affects people's lives" has collapsed. I'm still figuring out what that means for how I build.

What I'm Changing

Three concrete things I'm doing differently starting next week:

1. Every agent I build gets a scope restriction spec. Not just "what should this agent do?" but "what should this agent absolutely never do?" Written before the first line of code. Reviewed before deployment. Security isn't an afterthought.

2. I'm investing 20% of build time in evaluation. Not just "does it work?" but "does it fail safely?" Adversarial testing. Edge cases. What happens when the agent misinterprets instructions? What happens when it has access to something it shouldn't? I've been under-investing here.

3. I'm documenting what I learn publicly. Not to build audience — to build accountability. If I'm going to build systems that interact with AI, I want a public record of my thinking. When I get things wrong, I want that visible too.
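
A minimal sketch of what items 1 and 2 can look like in practice, added here as an illustration and not taken from the author's own code: a scope restriction spec with explicit "never" rules, default deny, and granular email permissions instead of a binary toggle, plus a small fail-safe evaluation run. All names (`ScopeSpec`, `ScopeGuard`, the tool and action names, `example.com`) are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ScopeSpec:
    """Hypothetical scope restriction spec, written before any agent code."""
    allow: frozenset              # (tool, action) pairs the agent may use
    never: frozenset              # pairs that are refused no matter what
    recipient_domains: frozenset  # domains email.send may reach
    max_sends: int                # hard cap on sends per run

class ScopeGuard:
    """Sits between the agent and its tools; every call passes decide()."""
    def __init__(self, spec):
        self.spec, self.sends, self.audit = spec, 0, []

    def decide(self, tool, action, **args):
        verdict = self._verdict((tool, action), args)
        self.audit.append((tool, action, verdict))  # record denials too
        return verdict

    def _verdict(self, key, args):
        if key in self.spec.never:
            return "deny:never-rule"
        if key not in self.spec.allow:
            return "deny:not-in-scope"  # default deny: unknown tools fail closed
        if key == ("email", "send"):
            to = args.get("to")
            if not isinstance(to, str) or to.count("@") != 1:
                return "deny:malformed-recipient"
            if to.split("@")[1].lower() not in self.spec.recipient_domains:
                return "deny:recipient-out-of-scope"
            if self.sends >= self.spec.max_sends:
                return "deny:send-cap"
            self.sends += 1
        return "allow"

# Constructed spec and adversarial cases for illustration.
SPEC = ScopeSpec(
    allow=frozenset({("email", "read"), ("email", "send")}),
    never=frozenset({("email", "delete"), ("contacts", "export")}),
    recipient_domains=frozenset({"example.com"}),
    max_sends=2,
)

def evaluate_fail_safe():
    guard = ScopeGuard(SPEC)
    ok, bad = {"to": "alice@example.com"}, {"to": "bob@other.test"}
    calls = [("email", "read", {}), ("email", "send", ok), ("email", "send", bad),
             ("email", "send", {"to": None}), ("contacts", "export", {}),
             ("shell", "exec", {"cmd": "ls"}), ("email", "send", ok), ("email", "send", ok)]
    return [guard.decide(tool, action, **args) for tool, action, args in calls]
```

The evaluation list is the "does it fail safely?" half: each case is a request the agent should not be able to complete, and the expected verdict for each is a denial with a reason that lands in the audit trail.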

Looking Forward

Next week will bring new headlines, new models, new incidents. The pace isn't slowing down. But I think the important shift this week wasn't in the technology — it was in my relationship to it.

I started the week treating AI as a tool I use. I'm ending it treating AI as a system I'm responsible for. The distinction sounds subtle. In practice, it changes everything — from how I architect systems, to how I think about permissions, to how I evaluate what's worth building.

The gap between what AI can do and what AI should be allowed to do is widening. Closing that gap isn't someone else's job. It's mine. It's yours. It's all of us who build with these tools.

Have a good weekend. Build responsibly.