PRISM
The Week AI Stopped Being One Thing
Something shifted this past week. Not in one domain. In all of them at once. The headlines arrived in clusters, each significant on its own, but together they describe a phase transition: AI stopped being a tool you apply to a problem and became an agent that rewrites the problem itself.
Google's Threat Intelligence Group published evidence that criminals used an AI model to develop a working zero-day exploit, the first confirmed instance of AI weaponizing a previously unknown vulnerability. On the same day, DeepMind showed that AlphaEvolve, its Gemini-powered coding agent, is now optimizing electricity grids, semiconductor manufacturing, and quantum processors in production. A two-year-old startup called Perceptron released a video analysis model that matches GPT-5 and Gemini 3.1 Pro on physical reasoning benchmarks at one-tenth the cost. OpenAI shipped voice models that reason and translate in real time. Recursive Superintelligence raised $650 million to build AI that writes its own code. Isomorphic Labs, the DeepMind spinout founded by Nobel laureate Demis Hassabis, closed $2.1 billion to redesign drug discovery from the atom up.
None of these are incremental. None are confined to a single industry. And none would have been possible twelve months ago.
The question is no longer whether AI can do the thing. It is what happens when AI does all the things, at the same time, faster than the systems meant to govern it.
The First AI-Built Zero-Day: Not Theoretical Anymore
The most alarming development of the week is also the most concrete. On May 12, Google's Threat Intelligence Group released a report documenting what it calls the first zero-day exploit developed with AI assistance by a criminal actor. The exploit was a Python script that bypassed two-factor authentication on a popular open-source system administration tool by exploiting a semantic logic flaw, a category of vulnerability that traditional fuzzers and memory-corruption scanners are blind to.
The attack vector was elegant in a way that should trouble every security team. The exploit targeted not a buffer overflow or an injection vulnerability, but a hardcoded trust assumption in the authentication logic. The developer had written a shortcut that appeared functionally correct to every scanner and human reviewer, but was strategically broken from a security perspective. Large language models can read code the way an auditor reads intent. They understand what the developer meant to happen and can surface the gap between intention and implementation.
"The exploit contained hallucinated CVSS scores, educational docstrings, and the structured textbook formatting characteristic of large language model output. Google has high confidence that an AI model was used to find and weaponise the flaw." Google Threat Intelligence Group, May 12, 2026
The criminal group behind the exploit, which Google describes as having "a strong record of high-profile incidents and mass exploitation," planned to deploy it at scale. Google's GTIG discovered the vulnerability before deployment, worked with the affected vendor to patch it, and disrupted the operation. But the implication is clear: AI can now find vulnerabilities that humans and traditional tools miss, and criminal actors are using it to do so at industrial scale.
The tell: The exploit script contained hallucinated CVSS severity scores, educational docstrings explaining what each function does, and the structured formatting typical of LLM-generated code. It was, in effect, a homework assignment for breaking into systems, complete with footnotes.
What makes this different from previous AI-assisted attacks is the category of vulnerability. Traditional scanners detect crashes, memory corruption, and data-flow sinks. They are built for a world where bugs are mechanical. Semantic logic flaws exist in a different stratum entirely. They require understanding context, intent, and the gap between what code should do and what it actually does. This is precisely the capability that frontier language models have been trained to excel at.
PROMPTSPY: The Autonomous Malware That Thinks
The zero-day was not the only weapon in the report. Google also disclosed details about PROMPTSPY, an Android backdoor first identified by ESET in February 2026. PROMPTSPY contains an autonomous agent module called GeminiAutomationAgent that reads a device's visible user interface via the Accessibility API, serializes it into an XML-like format, and sends it to the gemini-2.5-flash-lite model for interpretation. The model returns structured JSON containing action types and spatial coordinates. The malware then simulates physical gestures, clicks, swipes, and navigations in real time, without human supervision.
PROMPTSPY can capture biometric data to replay authentication gestures and regain access to compromised devices. If a victim tries to uninstall it, the malware identifies the on-screen coordinates of the uninstall button and renders an invisible overlay that intercepts touch events, making the button appear unresponsive. Its command and control infrastructure, including Gemini API keys and VNC relay servers, can be updated dynamically at runtime, meaning that blocking specific endpoints does not disable the backdoor.
This is not a script that follows instructions. It is an agent that perceives, reasons, and acts. The distinction matters.
The State Actors: Industrial-Scale AI Exploitation
The GTIG report also documents state-sponsored activity that has moved from experimental to operational. Chinese-linked group UNC2814 directed Gemini to act as a "senior security auditor" and "C/C++ binary security expert" to support vulnerability research into TP-Link firmware and file transfer protocol implementations. North Korea's APT45 sent thousands of repetitive prompts that recursively analysed CVEs and validated proof-of-concept exploits, building an arsenal that would be impractical to manage manually.
Perhaps most concerning, Chinese threat actors used a distilled knowledge base of more than 85,000 real-world vulnerability cases from the WooYun bug bounty platform (collected between 2010 and 2016) to prime AI models for in-context learning. By feeding the model this historical vulnerability data, the actors enabled it to approach code analysis like an experienced researcher and identify logic flaws that the base model would otherwise miss.
Russia-nexus actors targeting Ukrainian organisations deployed two malware families, CANFAIL and LONGSTREAM, both using AI-generated decoy code. CANFAIL's source code contains developer comments that explicitly identify unused blocks as filler content designed to disguise malicious activity. LONGSTREAM contains 32 instances of code querying the system's daylight saving status, a repetitive benign-looking operation that exists solely to camouflage the downloader's real purpose.
AlphaEvolve: When AI Optimizes the Optimizers
While Google's security team was documenting how adversaries use AI, Google DeepMind's research team was publishing proof that AI can now optimize the fundamental infrastructure of the modern world. AlphaEvolve, the Gemini-powered coding agent first introduced a year ago, has graduated from an experimental research project to a production tool running across Google's infrastructure.
The breadth of applications is staggering. AlphaEvolve has improved DeepConsensus, Google Research's DNA sequencing error correction model, achieving a 30 percent reduction in variant detection errors, with direct impact on genetic data analysis accuracy at PacBio. It has increased the feasible solution rate for the AC Optimal Power Flow problem, the mathematical challenge at the heart of electricity grid management, from 14 percent to over 88 percent. It has improved the accuracy of natural disaster prediction across 20 categories including wildfires, floods, and tornadoes by 5 percentage points. And it has designed quantum circuits with 10 times lower error than conventional baselines for Google's Willow quantum processor.
"AlphaEvolve proposed a circuit design so counterintuitive yet efficient that it was integrated directly into the silicon of our next-generation TPUs. This is the latest example of TPU brains helping design next-generation TPU bodies." Jeff Dean, Chief Scientist, Google DeepMind and Google Research
In mathematics, working with Fields Medalist Terence Tao, AlphaEvolve helped solve Erdos problems and broke records for the Traveling Salesman Problem and Ramsey Numbers. In logistics, FM Logistic used AlphaEvolve to find a 10.4 percent improvement in routing efficiency over previously optimized warehouse solutions, saving over 15,000 kilometers of distance travelled annually. In semiconductor manufacturing, Substrate applied it to computational lithography, achieving multi-fold increases in runtime speed for advanced chip simulations. Klarna used it to double transformer model training speed while improving quality.
The pattern is consistent: AlphaEvolve takes optimization problems that humans have already solved well and finds solutions that are measurably better. Not by incremental percentages, but by factors of two, five, and ten. The system does not replace human engineers. It operates in a design space that humans cannot efficiently explore.
The Second-Order Effect: Optimizing the Optimizer
Here is the convergence signal that most coverage missed. AlphaEvolve is not just optimizing infrastructure. It is optimizing the infrastructure that builds AI. Google's next-generation TPUs, the hardware that runs the models that run AlphaEvolve, were themselves partially designed by AlphaEvolve. The compiler optimization strategies it discovered reduced software storage footprints by 9 percent. The cache replacement policies it designed took two days to develop what previously required months of human engineering.
This is a feedback loop. AI designs better hardware. Better hardware runs more capable AI. More capable AI designs even better hardware. The loop is not hypothetical. It is running in production at Google right now.
Perceptron Mk1: Video Intelligence at One-Tenth the Cost
While DeepMind was optimizing the infrastructure layer, Perceptron Inc., a two-year-old startup led by former Meta FAIR and Microsoft researcher Armen Aghajanyan, released its flagship model: Mk1, a video analysis and physical reasoning model priced at $0.15 per million input tokens and $1.50 per million output tokens. That is 80 to 90 percent cheaper than GPT-5, Gemini 3.1 Pro, and Claude Sonnet 4.5.
The price alone would be noteworthy. The performance makes it disruptive. Mk1 achieved a score of 85.1 on EmbSpatialBench, surpassing Google's Robotics-ER 1.5 and matching Alibaba's Q3.5-27B. On RefSpatialBench, it scored 72.4, compared to GPT-5m's 9.0 and Sonnet 4.5's 2.2. On the VSI-Bench for video understanding, it reached 88.5, the highest recorded score among compared models. On the EgoSchema Hard Subset, where first-and-last-frame inference is insufficient, it scored 41.4, matching Q3.5-27B and significantly beating Gemini 3.1 Flash-Lite's 25.0.
Why physical reasoning matters: Perceptron Mk1 can determine whether a basketball shot was taken before or after a buzzer by jointly reasoning over the ball's position and the shot clock. It can read analog gauges and clocks, count objects into the hundreds in dense scenes, and maintain object identity through occlusions across extended video streams. This is not pattern recognition. It is causal understanding of physical events.
The architecture processes native video at up to 2 frames per second across a 32K token context window. Unlike traditional vision-language models that treat video as a disjointed sequence of still images, Mk1 maintains temporal continuity. It can watch extended streams, track objects through occlusions, and return structured time codes for specific events. A developer can ask "when did the forklift operator fail to wear a hard hat?" and receive a timestamp and spatial annotation.
The implications extend well beyond video search. Construction site safety monitoring, manufacturing quality control, autonomous vehicle validation, medical procedure analysis, and retail analytics all require the same capability: understanding what is happening in video over time, with physical causality, at scale. Perceptron is not selling a model. It is selling a new cost structure for visual intelligence.
The company is also releasing an open-weight variant called Isaac, positioning it as the "Mistral of physical AI," a capable open model that pushes the frontier of what is possible in open-source video understanding while generating revenue from the proprietary Mk1 model.
Recursive Superintelligence: $650 Million to Build AI That Builds Itself
If AlphaEvolve is AI optimizing existing infrastructure, and Perceptron is AI extending into physical understanding, Recursive Superintelligence Inc. is AI attempting to close the loop entirely. Founded earlier this year by former Salesforce Chief Scientist Richard Socher, the company launched on May 13 with $650 million in funding, valuing it at $4.65 billion. GV (Alphabet's venture fund) and Greycroft led the round, with participation from Nvidia and AMD's venture arm.
Recursive's thesis is straightforward in concept and vertiginous in implication: build an AI model that can improve its own code base. The model would develop experiment ideas, test them in simulation, validate results, and then use the validated improvements to make itself more capable. The company plans to start with AI research itself, improving training, inference, and infrastructure, then expand to physics, chemistry, and pre-clinical biology.
"We will start with AI research itself but eventually hope to expand its aperture to physics, chemistry and especially pre-clinical biology. AI will be to biology what calculus was to physics, a new language and way of thinking that deals with complex systems and helps us understand and engineer them better." Richard Socher, Founder, Recursive Superintelligence Inc.
The funding is significant not just for its size but for its investors. Nvidia and AMD do not invest $650 million into a seven-person startup on a whim. They invest because the hardware requirements for self-improving AI are, by definition, unbounded. If Recursive succeeds even partially, every generation of improvement demands more compute than the last. Nvidia and AMD are positioning themselves to supply the picks and shovels for a gold rush that, if it materializes, will make the current AI infrastructure boom look modest.
The company faces obvious philosophical and practical challenges. Self-improving systems that can modify their own code are the category of AI system that safety researchers have warned about for decades. Recursive says it will develop guardrails to prevent the production of risky output. But guardrails on a system that improves its own reasoning capability are guardrails on a system that is, by design, trying to become smarter than the guardrails.
The competition is already materializing. Ineffable Intelligence Ltd. raised $1.1 billion at a $5.1 billion valuation in April 2026 for a similar self-improving AI project using reinforcement learning. OpenAI's GPT-5.5 has already demonstrated the ability to develop more efficient parallelization methods for its own inference, boosting token generation speeds by over 20 percent. The recursive improvement loop is not a future concept. It is an active engineering program being pursued by at least three well-funded organizations simultaneously.
Isomorphic Labs: $2.1 Billion to Redesign Drug Discovery
The same week, Isomorphic Labs, the Alphabet spinout founded by Nobel laureate Demis Hassabis, closed a $2.1 billion Series B round, the second largest biotech financing of all time. The company's premise is that AlphaFold's protein structure prediction was not an endpoint but a starting line. If you can predict how a protein folds, you can predict how a small molecule will bind to it. And if you can predict that, you can design drugs computationally rather than through the traditional wet-lab screening process that takes years and billions of dollars.
The funding comes at a moment when AI drug design is transitioning from theoretical to operational. Isomorphic has partnerships with Eli Lilly and Novartis worth up to $3 billion in milestone payments. The company is not promising to replace pharmaceutical researchers. It is promising to give them a fundamentally different starting point: instead of screening millions of compounds to find one that might work, AI narrows the search space to dozens of candidates that are predicted to work, and researchers validate from there.
The connection to the broader convergence is structural. Isomorphic Labs uses the same class of model architecture, transformer-based reasoning over molecular representations, that powers AlphaEvolve and the security models that Google GTIG documented. The difference is domain. The intelligence is the same. The application is different. That is the point.
OpenAI Voice Models: AI That Hears, Thinks, and Speaks Simultaneously
On May 7, OpenAI released three new audio models in its API, representing a generational leap in voice intelligence. The new models can reason, translate, and transcribe as people speak, enabling real-time multilingual conversation, live audio analysis, and voice-driven agent interactions.
The significance is not the capability itself, which has been approaching for years, but the integration. The models are not separate from OpenAI's text and vision capabilities. They are the same system, extended to audio. An agent that can see a zero-day exploit in code, hear a user's voice instruction, and reason about both simultaneously is not a collection of specialized tools. It is a general intelligence substrate, and it is being deployed into production APIs that any developer can call.
This is the convergence pattern repeating: not one model for one task, but one model architecture that operates across all modalities. The attack surface expands proportionally. PROMPTSPY already uses Gemini's API to interpret Android screens in real time. When voice models become equally capable, the attack surface grows to include real-time audio social engineering, voice cloning for authentication bypass, and autonomous agents that can conduct phone-based phishing without human involvement.
The Supply Chain: AI Software Is Now a Target
The GTIG report documents one more dimension of the convergence that has received insufficient attention. A cybercrime group called TeamPCP claimed responsibility for multiple supply chain compromises of popular GitHub repositories and associated GitHub Actions in late March 2026, including Trivy, Checkmarx, LiteLLM, and BerriAI. The attackers gained initial access through compromised PyPI packages and malicious pull requests, then embedded credential-stealing malware to extract AWS keys and GitHub tokens from affected build environments.
The compromise of LiteLLM is particularly significant. LiteLLM is an AI gateway utility used by thousands of developers to route requests between different AI providers. If the supply chain for AI infrastructure is compromised, the integrity of every model, every inference, and every agent that depends on that infrastructure is in question. You do not need to hack the model if you can hack the gateway that all models use.
The Canvas Breach: When Student Data Becomes Currency
The same week saw Instructure, the company behind the Canvas learning management system used by millions of students worldwide, confirm that hackers from the ShinyHunters group exploited a Canvas vulnerability to access and deface portals across multiple educational institutions. The breach exposed student data, and Instructure subsequently reached a deal with the hackers to delete the stolen data, a decision now under Congressional investigation.
The Canvas breach is not an AI story in isolation. It is an illustration of what happens when educational infrastructure, a sector that has historically underinvested in security, becomes a target for the same class of actors that Google GTIG documents using AI for vulnerability discovery. Students' data is valuable precisely because it enables identity theft, financial fraud, and social engineering at scale. The same AI capabilities that can find a semantic logic flaw in a 2FA implementation can also find vulnerabilities in educational platforms.
Instructure CEO Steve Daly has been summoned to Congress to explain the deal with ShinyHunters. The hearing will likely address a question that has no good answer: when ransom payment is framed as a "deal" to delete data, what incentive structure does that create for future attackers?
Science Frontiers: Cosmic Rays Decoded and Exoplanets Doubled
The convergence extends beyond AI into the scientific domains that AI is accelerating. On May 14, scientists announced the discovery of a hidden rule behind cosmic rays, the highest energy particles ever observed, after more than a century of research. The finding was enabled by machine learning analysis of detector data that could identify statistical patterns invisible to traditional methods.
NASA's TESS mission, using what researchers call "stellar eclipses" in binary star systems, uncovered more than two dozen candidate exoplanets. If confirmed, these discoveries would nearly double the total number of known exoplanets. The Hubble Space Telescope revealed a "giant chaotic planet nursery" unlike anything previously seen, potentially changing how scientists understand planetary formation.
And on the interstellar front, two spacecraft, ESA's Juice and another observatory, observed both hemispheres of interstellar comet 3I/ATLAS simultaneously, a first for cometary science. The coordinated observation revealed higher levels of carbon compounds than expected, with implications for understanding the chemical inventory of planetary systems beyond our own.
These are not AI stories. But the pattern recognition, data processing, and coordination required to make them happen are increasingly AI-dependent. The cosmic ray discovery used machine learning. The exoplanet candidates were identified through automated transit detection. The Hubble observations were processed through AI-enhanced image analysis. AI is not replacing scientists. It is expanding the volume of data they can meaningfully process by orders of magnitude.
The Convergence Framework
What makes this week different from any other week in AI development is not any single announcement. It is the simultaneity. Consider the dimensions:
Each of these developments, taken individually, would be a major story. Together, they describe a phase transition. AI has moved from "tool that helps you do a thing" to "agent that reconfigures how the thing is done." The distinction is not semantic. A tool amplifies existing capability. An agent changes the nature of the problem.
The zero-day was not found by a tool scanning for memory corruption. It was found by an AI that understood the developer's intent and identified where that intent diverged from implementation. AlphaEvolve is not optimizing parameters that humans set. It is proposing circuit designs that humans find counterintuitive. Perceptron Mk1 is not recognizing patterns in video. It is reasoning about physical causality. Recursive Superintelligence is not building a better model. It is building a model that builds a better model.
What Comes Next
The convergence creates two opposite risks that will define the next phase of the technology.
The first is asymmetric acceleration. AI that can find vulnerabilities, design exploits, and deploy autonomous malware is operating at a speed and scale that defensive AI systems are not yet matching. Google's proactive discovery of the zero-day before deployment is encouraging, but it represents the exception, not the norm. Most organizations do not have a GTIG. Most educational platforms do not have Google's security resources. The gap between offensive AI capability and defensive AI deployment is widening, not closing.
The second is recursive self-improvement without adequate safety frameworks. If Recursive Superintelligence succeeds in building AI that improves its own code, and if that AI is also being used to optimize the hardware it runs on and the drugs that enter clinical trials, then governance mechanisms designed for tool-level AI will be fundamentally inadequate. You do not regulate a self-improving system the same way you regulate a search engine.
The Instructure CEO testifying before Congress about a deal with ShinyHunters is a preview of the governance challenges ahead. When AI-built exploits target AI infrastructure that serves AI-augmented applications, the regulatory framework of 2024 is not going to contain the technology of 2026.
None of this is theoretical. It happened this week. All of it. Simultaneously.
The question for the next phase is not whether AI can transform a domain. It is whether the governance, security, and social structures can adapt at the speed at which AI is transforming all of them at once.
Timeline: The Week AI Converged
Sources: Google Threat Intelligence Group report (May 12, 2026); DeepMind AlphaEvolve impact report (May 7, 2026); VentureBeat on Perceptron Mk1 (May 12, 2026); SiliconANGLE on Recursive Superintelligence (May 13, 2026); PR Newswire on Isomorphic Labs (May 12, 2026); OpenAI voice models announcement (May 7, 2026); BleepingComputer on Canvas/ShinyHunters breach (May 11-12, 2026); The Register on Congressional investigation (May 12, 2026); ScienceDaily on cosmic ray discovery (May 14, 2026); NASA on TESS exoplanet candidates (May 4, 2026); EurekAlert on interstellar comet observation (May 12, 2026).