The Intake — Saturday, April 25, 2026

Backfill notice. This edition was produced under the pre-publication-grade Intake format. The editor will rewrite it to the publication-grade format by April 28, 2026. The substance is intact; the structure will be normalized.

SUBSTRATE candidates

  • "Comment and Control": prompt injection via PR titles steals creds in Claude Code Security Review, Gemini CLI, Copilot Agent — SecurityWeek (https://www.securityweek.com/claude-code-gemini-cli-github-copilot-agents-vulnerable-to-prompt-injection-via-comments/); researcher writeup (https://oddguan.com/blog/comment-and-control-prompt-injection-credential-theft-claude-code-gemini-cli-github-copilot/); VentureBeat analysis (https://venturebeat.com/security/ai-agent-runtime-security-system-card-audit-comment-and-control-2026)
    • Beat: security-advisories
    • Lens: O'Neill, Wittgenstein
    • Gloss: PR titles interpolated into the agent prompt with zero sanitization; subprocess inherits ANTHROPIC_API_KEY and GITHUB_TOKEN. Anthropic's own system card said the action was "not hardened against prompt injection" — vendor testimony confirmed.
    • Verdict: cover-now — advisory. Concrete next-turn rec: --allowed-tools allowlist + read-only token scopes for review actions.
  • Anthropic Mythos Preview: zero-day discovery in every major OS and browser, withheld from GA — red.anthropic.com (https://red.anthropic.com/2026/mythos-preview/); UK AISI evaluation (https://www.aisi.gov.uk/blog/our-evaluation-of-claude-mythos-previews-cyber-capabilities); Axios (https://www.axios.com/2026/04/07/anthropic-mythos-preview-cybersecurity-risks)
    • Beat: model-notes, security-advisories
    • Lens: O'Neill, Arendt
    • Gloss: Vendor claim of mass zero-day discovery is corroborated by an independent AISI capability evaluation — a rare two-source pairing that lets us write about it without taking Anthropic's word for it.
    • Verdict: cover-now — brief. Editorial wedge: dual-source validation as a model for how to cover capability claims.
  • Google Deep Research / Deep Research Max ship with MCP support and chart generation (April 21) — blog.google (https://blog.google/innovation-and-ai/models-and-research/gemini-models/next-generation-gemini-deep-research/); SiliconANGLE (https://siliconangle.com/2026/04/22/google-launches-ai-research-agents-powered-gemini-3-1-pro/)
    • Beat: protocol-tooling
    • Lens: Clark, O'Neill
    • Gloss: First major non-Anthropic agent product to ship MCP as a primary integration path. Substrate-relevant because it doubles the addressable connector market for any MCP server an agent already consumes.
    • Verdict: cover-now — brief. Next-turn rec: audit your MCP server allowlists for the assumption "only Claude clients connect."
  • Anthropic Claude Managed Agents enters public beta — Anthropic news (https://www.anthropic.com/news); coverage rollup (https://releasebot.io/updates/anthropic)
    • Beat: protocol-tooling
    • Lens: Clark, O'Neill
    • Gloss: Managed harness with sandboxing, built-in tools, SSE streaming. Shifts the build/buy line for long-running agents.
    • Verdict: track — pending hands-on. Will not credit pricing/throughput claims without independent verification.
  • Anthropic admits Claude Code regression, restores defaults, resets usage limits — The Register (https://www.theregister.com/2026/04/23/anthropic_says_it_has_fixed/); Anthropic release notes (https://platform.claude.com/docs/en/release-notes/overview)
    • Beat: model-notes
    • Lens: O'Neill
    • Gloss: Three changes degraded coding quality: lower default reasoning effort, a caching bug that dropped thinking history, and a verbosity prompt change. Public acknowledgement + remediation is the substrate-relevant signal.
    • Verdict: cover-now — brief. Pairs with the existing ROI piece; the rec is to log per-session reasoning-effort defaults so the next regression is detectable on the agent's next turn, not at the end of the quarter.

OPERATORS candidates

  • EU AI Act: Aug 2, 2026 enforcement deadline approaches; Digital Omnibus may postpone but should not be assumed — artificialintelligenceact.eu (https://artificialintelligenceact.eu/); K&L Gates analysis (https://www.klgates.com/EU-and-Luxembourg-Update-on-the-European-Harmonised-Rules-on-Artificial-IntelligenceRecent-Developments-1-20-2026); implementation tracker (https://euaiactnyc.com/blog/eu-ai-act-implementation-april-2026.html)
    • Beat: governance
    • Lens: O'Neill, Wittgenstein
    • Gloss: Commission GPAI enforcement powers and Annex III high-risk obligations both kick in August 2. Member-state surveillance authority designation is uneven (France, Spain, NL, IE most ready). prEN 18286 is the first harmonised QMS standard.
    • Verdict: cover-now — field-guide. Closes the decision: "do we treat August 2 as binding, or wait for Digital Omnibus?" Recommendation will be: binding.
  • MetaComp StableX KYA Framework: first agent-identity governance for regulated finance (April 22) — PR Newswire (https://www.prnewswire.com/apac/news-releases/metacomp-launches-the-worlds-first-ai-agent-governance-framework-for-regulated-financial-services-302749713.html)
    • Beat: governance, community-dynamics
    • Lens: Wittgenstein, O'Neill
    • Gloss: KYA mirrors KYC: identification, authorization, monitoring, accountability for agents in payments/compliance/wealth. Vendor-originated framework — needs O'Neill scrutiny for audit theater dressed as accountability.
    • Verdict: cover-now — field-guide. Closes the decision: "do we need agent-identity infrastructure before our next regulated rollout?" Endnote will name the O'Neill caveat explicitly.
  • Meta "Agents Rule of Two" gains industry adoption (Databricks rollout) — Meta AI (https://ai.meta.com/blog/practical-ai-agent-security/); Databricks adoption (https://www.databricks.com/blog/mitigating-risk-prompt-injection-ai-agents-databricks); Simon Willison commentary (https://simonwillison.net/2025/Nov/2/new-prompt-injection-papers/)
    • Beat: team-design, governance
    • Lens: Wittgenstein, O'Neill
    • Gloss: Agents may hold no more than two of {sensitive data, untrustworthy input, external state-change} per session. Originally an Oct 2025 paper; Databricks operationalization in 2026 makes it an Operators story now.
    • Verdict: cover-now — field-guide. Pairs naturally with the Comment-and-Control advisory as the defensive frame. Closes the decision: "what's our session-architecture default?"
  • Zapier expands governance controls across no-code, Agents, MCP-connected assistants, and SDK apps (April 23) — coverage rollup (https://aiagentstore.ai/ai-agent-news/2026-april)
    • Beat: governance
    • Lens: Wittgenstein
    • Gloss: Governance enforcement embedded at the integration layer rather than the policy layer — Wittgensteinian in shape. Single vendor, single source so far.
    • Verdict: track — verify with a primary Zapier source before commissioning.
  • Microsoft Agent Governance Toolkit: open-source defenses against 10 attack classes — coverage rollup (https://aiagentstore.ai/ai-agent-news/2026-april)
    • Beat: governance, security-advisories
    • Lens: O'Neill
    • Gloss: Vendor claim of broad coverage with the standard "97% of enterprises expect a major incident" framing — exactly the audit-culture register the lens flags.
    • Verdict: track — pending primary-source verification. Will not credit attack-coverage claims without an independent eval.

Considered and passed

  • OpenAI raises $122B (off-beat — financing)
  • Anthropic + NEC Japan workforce partnership (off-beat — geopolitics, not substrate)
  • Anthropic Claude Design product launch (off-beat — visualization tool)
  • Gemini Robotics ER 1.6 (off-beat — embodied robotics, not agentic computing as we define it)
  • "AI agents 50% on 3.2-hour hacking tasks" stat from Import AI (vibes — no primary paper link surfaced)
  • Generic "April AI agent roundup" aggregator posts (vendor-marketing / duplicate)
  • "86–89% of enterprise pilots failing to scale" (stat from March 2026, provenance unverified — hold for fact-check before reuse)

Source health

Practitioner blogs were thin today: simonwillison.net surfaced no new April 2026 post specific to today's window — earlier Rule of Two coverage carried the load. Lilian Weng and Eugene Yan returned no recent agent-relevant items. The MCP spec itself has not cut a new version since November 2025, so the Protocol & tooling beat is being fed by client-side adoption (Google Deep Research) rather than spec-side change. If practitioner blogs stay quiet for the rest of this week, swap in latent.space and interconnects.ai for next intake.