The Week AI Broke Both Ways

Photo: Possessed Photography / Unsplash

Sometime in the last few weeks, a cybercrime group sat down with an AI model and asked it to write a zero-day exploit. The resulting code, a Python script designed to bypass two-factor authentication on an open source system administration tool, contained telltale signs: educational docstrings explaining every function, a hallucinated CVSS severity score, and the clean, structured formatting of a textbook example. It was competent enough to work. And Google's Threat Intelligence Group found it before it could be deployed at scale.

This is the first confirmed instance of an AI-generated zero-day exploit detected in the wild. It happened the same week that the criminal group ShinyHunters breached Instructure's Canvas platform, potentially compromising data belonging to 275 million users across 9,000 educational institutions. It happened the same week OpenAI launched a $4 billion company to embed AI into every enterprise workflow on Earth, while Anthropic partnered with SpaceX to access 300 megawatts of GPU compute. And it happened the same week Baidu released a model that achieves competitive performance at 6% of the training cost, proving that the compute arms race has a fast-approaching efficiency endgame.

The convergence is not subtle. AI is now simultaneously a weapon, a target, an infrastructure build-out, and a cost-reduction engine. Every single one of these vectors is accelerating, and they are feeding into each other in ways that the individual companies involved do not seem to fully grasp.

The First AI-Generated Zero-Day

Google's report, published May 12, is careful with its language. The company says it has "high confidence" that the exploit was AI-assisted, not that it was fully AI-autonomous. The distinction matters. A human attacker still directed the operation, chose the target, and decided how to deploy the vulnerability. But the code itself, the actual weapon, shows clear markers of large language model generation.

Photo: Christophe Gateau / Unsplash

What makes this different from previous AI-assisted attacks is the nature of the output. Previous uses of AI in cybercrime were largely social engineering: generating phishing emails, crafting convincing impersonation texts, automating reconnaissance. This is the first time AI has been used to create a genuine zero-day vulnerability exploit, the most valuable class of offensive tool in cybersecurity.

Google's report goes further than the single incident. It identifies Chinese and North Korean state-sponsored groups actively using AI for vulnerability discovery. UNC2814, a Chinese group, used persona-driven jailbreaks, instructing AI to act as a "senior security auditor" to analyze firmware vulnerabilities in TP-Link routers. North Korea's APT45 sent thousands of repetitive prompts to recursively analyze CVEs and validate proof-of-concept exploits, building what Google describes as "a more robust arsenal of exploit capabilities that would be impractical to manage without AI assistance."

The exploit Google discovered targeted an open source web-based system administration tool and was designed to bypass 2FA, the single most recommended defense against credential theft. Google worked with the affected vendor to patch the vulnerability before mass exploitation could begin. But this is one instance that was caught. The question that should keep security teams awake at night is how many similar exploits are being generated, tested, and deployed by groups that are not being monitored by Google's Threat Intelligence Group.

The Canvas Breach: Vendor Concentration as Single Point of Failure

On April 30, 2026, ShinyHunters exploited a vulnerability in Instructure's production systems. By May 2, they had posted their claim on a dark web forum: 3.65 terabytes of data, 275 million user records, 8,809 educational institutions. The data included names, email addresses, student ID numbers, and, most critically, private Canvas Inbox and Discussion messages between students and educators.

Photo: Jeswin Thomas / Unsplash

This is the largest education data breach in history, and it was not an attack on any single school. It was an attack on a vendor. The schools did not choose to be attacked, and they could not have prevented it, because the decision to entrust student data to a single company was made years ago, and the vendor's security was never theirs to control.

Instructure, valued at $4.8 billion after its acquisition by KKR and Dragoneer in 2024, serves approximately 200 million learners across more than 100 countries. Canvas holds 31% of the North American higher education LMS market. This is vendor concentration weaponized, not by the vendor itself, but against everyone who depends on it.

This is Instructure's second breach in eight months. The first, in September 2025, was a social engineering attack against the company's Salesforce environment, also by ShinyHunters. The group's pattern is consistent: identify a vendor with access to massive data volumes, exploit a vulnerability or social engineering vector, exfiltrate the data, and demand payment under threat of public release. ShinyHunters previously orchestrated the Snowflake supply chain attacks that compromised Ticketmaster (560 million records) and AT&T (110 million customers). AT&T paid $370,000 in ransom. The European Commission was hit in March 2026, leaking 350 GB from 29 EU entities.

On May 7, ShinyHunters escalated the pressure by defacing Canvas login pages worldwide, disrupting finals week at Harvard, Penn, Duke, and Virginia Tech. The group then extended its ransom deadline to May 12 and began telling individual schools they could negotiate separately. Instructure confirmed on May 12 that it had reached an "agreement" with ShinyHunters to prevent the data from being leaked. The terms have not been disclosed.

The Private Message Problem

Instructure has stated that dates of birth, government identifiers, financial information, and passwords were not compromised. But the inclusion of Canvas Inbox and Discussion messages fundamentally changes the breach's character. These messages can contain phone numbers, home addresses, medical information, emotional disclosures between students and counselors, and sensitive academic discussions. This is not a contact list leak. It is the exposure of the private conversations of millions of students and educators across the world.

The structural problem is vendor concentration. Canvas dominates because it is well-designed and deeply integrated into institutional workflows. But dominance means that a single security failure at a single company, now privately owned by KKR, one of the world's largest alternative asset managers, can compromise the academic records and private communications of students across 9,000 institutions in dozens of countries simultaneously. The schools are, in cybersecurity terms, downstream. They cannot independently audit the systems that hold their students' data. They were not consulted about the vulnerability that was exploited.

OpenAI's $4 Billion Enterprise Deployment Play

On May 11, OpenAI launched the OpenAI Deployment Company, a new entity with more than $4 billion in initial investment from a syndicate of 19 firms. TPG leads, with Advent, Bain Capital, and Brookfield as co-lead founding partners. Goldman Sachs, SoftBank, Warburg Pincus, and WCAS are founding partners. Bain & Company, Capgemini, and McKinsey & Company are consulting partners. The company is also acquiring Tomoro, an applied AI consulting firm, bringing approximately 150 Forward Deployed Engineers (FDEs) on day one.

Photo: NASA / Unsplash

The structure is revealing. OpenAI is majority owner and controller. The Deployment Company is technically a standalone business unit, but it is designed as an extension of OpenAI's research and product teams. Its FDEs will embed inside client organizations to redesign workflows around AI capabilities, connecting OpenAI models to a company's data, tools, and processes.

This is the Palantir play. Palantir built its business by embedding Forward Deployed Engineers inside government and enterprise clients, learning their workflows, and building bespoke solutions on top of its platforms. OpenAI is replicating this model but with a crucial difference: the underlying technology is a general-purpose frontier model that improves on its own, and the FDEs are there to accelerate adoption of capabilities that OpenAI has not yet fully built.

"As models become more capable, businesses can apply AI to larger, more important parts of how they operate. The work now is helping organizations rethink critical workflows around intelligence that can reason, act, and deliver measurable results." - OpenAI, announcement blog post

The $4 billion number is not random. It is the size of Instructure's acquisition, coincidentally. It is also roughly the same as Anthropic's total funding just two years ago. The capital acceleration in AI is now so extreme that what was once a company's entire valuation is now a single product launch's initial investment round.

The Compute Arms Race: Anthropic Goes to Space

On May 6, Anthropic announced a partnership with SpaceX to use the entire compute capacity at the Colossus 1 data center, over 220,000 NVIDIA GPUs and more than 300 megawatts of power, available within the month. This joins Anthropic's existing compute deals: up to 5 GW with Amazon (including nearly 1 GW by end of 2026), 5 GW with Google and Broadcom (coming online in 2027), and a $30 billion strategic partnership with Microsoft and NVIDIA for Azure capacity. Anthropic has also committed $50 billion to American AI infrastructure with Fluidstack.

The immediate effect: Anthropic doubled Claude Code's rate limits for Pro, Max, Team, and Enterprise users, removed peak-hour reductions, and significantly raised API rate limits for Claude Opus models. But the strategic signal is what matters. Anthropic is not just buying compute. It is securing supply chains across multiple hardware vendors (AWS Trainium, Google TPUs, NVIDIA GPUs) and geographic locations, including plans for orbital compute capacity with SpaceX.

Orbital. Compute. The phrase "multiple gigawatts of orbital AI compute capacity" appears in the announcement as a line item, not a research initiative. The company is expressing interest, not commitment, but the direction is clear: if the energy and cooling constraints of terrestrial data centers are the binding bottleneck, then the next frontier is above the atmosphere.

Baidu's 94% Cost Cut: The Efficiency Endgame

While Western AI giants pour billions into compute and deployment infrastructure, Baidu released ERNIE 5.1 on May 8, a model that achieves competitive performance at approximately 6% of the industry standard pre-training cost. ERNIE 5.1 ranked #4 globally on LMArena's Search Arena with a score of 1223, making it the top Chinese model. It compresses total parameters to roughly one-third of ERNIE 5.0's while activating only a fraction per token through a hybrid Mamba-Transformer architecture.

Photo: Luke Chesser / Unsplash

The significance is not that Baidu has caught up with OpenAI or Anthropic on raw capability. It has not. The significance is that the cost curve for frontier-level performance is collapsing. When a model at 6% of training cost can rank in the global top 5, the implications for the economics of AI are profound:

• The moat of "we spent more on compute" is getting shallower every quarter
• Chinese AI companies can achieve near-parity at a fraction of the cost, which matters enormously in markets where cost sensitivity trumps performance optimization
• The compute arms race Anthropic and OpenAI are running may be a necessary condition for frontier capability, but it is not sufficient for competitive advantage if efficiency gains like ERNIE 5.1's can close most of the gap

This is the same dynamic that played out in semiconductor manufacturing: the company that spends the most on fabs does not always win. TSMC wins because it achieves better yield per dollar. Baidu's efficiency play is the AI equivalent of process node optimization, getting more performance out of less silicon.

NVIDIA's Omnimodel Gambit: One Model to Rule All Modalities

NVIDIA, which supplies the GPUs that all of these companies are fighting over, is also shaping the model landscape. On April 28, NVIDIA launched Nemotron 3 Nano Omni, a 31-billion-parameter multimodal model that processes video, audio, images, and text in a single inference pass. Only 3 billion parameters activate per token through a hybrid Mamba-Transformer mixture-of-experts architecture, making it up to 9x more efficient for AI agents than running separate vision, speech, and language models.

The model is open-weight, available on HuggingFace and NVIDIA's API catalog. It supports a 256,000-token context window. The bet NVIDIA is making is that the future of AI agents is not in chaining specialized models together but in running a single efficient model that handles all modalities natively. If agents need to understand a screen recording, transcribe a conversation, read a document, and reason about all of it simultaneously, the current approach of piping data between separate models is a latency and context nightmare. Nemotron 3 Nano Omni eliminates that pipeline tax.

For the enterprise market that OpenAI's Deployment Company is targeting, this is a critical capability. An FDE embedded at a financial services firm does not want to deploy six models to handle different input types. They want one model that works everywhere. NVIDIA is providing the hardware (the GPUs Anthropic and OpenAI are leasing by the hundred thousand) and the reference software (the omnimodel architecture that makes those GPUs more productive per dollar).

What Happens When All Three Vectors Collide

Here is the convergence that matters. AI is now simultaneously:

1. A weapon (AI-generated zero-day exploits, state-sponsored AI vulnerability discovery, ShinyHunters operating at unprecedented scale)
2. A target (the Canvas breach exploited vendor infrastructure holding 275 million user records; AI companies themselves are high-value targets)
3. An infrastructure build-out (OpenAI's $4B deployment company, Anthropic's multi-gigawatt compute portfolio, SpaceX orbital data centers)
4. A cost-reduction engine (Baidu's 94% training cost cut, NVIDIA's 9x efficiency gain for multimodal agents)

Photo: compare fibe / Unsplash

Each vector accelerates the others. Cheaper training (Baidu) means more actors can build capable models, which means more actors can generate zero-days. More enterprise deployment (OpenAI) means more attack surface for AI systems and the data they access. More compute (Anthropic/SpaceX) means more powerful models that can be used for both offense and defense. And the breaches (Canvas) demonstrate that the defensive side is not keeping pace.

The Google zero-day report illustrates this perfectly. Google found the exploit because Google has one of the most sophisticated threat intelligence operations on Earth, backed by AI-powered detection systems. Most organizations do not. The exploit was caught before mass deployment because it targeted a system Google was already monitoring. If the same AI-generated exploit had targeted a less well-defended system, a small business SaaS tool, a municipal government portal, a university LMS, it would likely have gone undetected until damage was irreversible.

The Canvas breach proves the point. Instructure is a $4.8 billion company owned by one of the world's largest private equity firms, and it was breached twice in eight months by the same group. If this is the security posture of a well-resourced, well-insured platform, what is the posture of the thousands of smaller vendors that hold equally sensitive data across healthcare, finance, and government?

The Regulatory Gap

The regulatory frameworks are not ready for this convergence. Europe's AI Act focuses on model safety and transparency, not on the security of the infrastructure that runs AI models. The NIS2 Directive requires incident reporting, but it does not address the structural risk of vendor concentration that the Canvas breach exposes. The United States has no comprehensive federal AI legislation at all. And no major jurisdiction has rules specifically addressing AI-generated offensive cyber capabilities.

Instructure's breach demonstrates the regulatory gap in stark terms. Schools are subject to data protection obligations under GDPR and, in the Netherlands, the new Cybersecurity Act transposing NIS2. But their ability to meet those obligations depends on the security practices of a private company owned by a private equity firm that they cannot audit, cannot monitor, and cannot leave without catastrophic disruption to their academic operations. The law holds the schools responsible for data they do not control.

Looking Ahead

The week of May 5-12, 2026 will be remembered as the moment AI's dual-use nature stopped being theoretical. Google's discovery of an AI-generated zero-day is a proof of concept for offensive AI capabilities that have been discussed in security circles for years but never confirmed in the wild. The Canvas breach is a demonstration that the structural vulnerabilities created by vendor concentration in critical infrastructure are not abstract risks but immediate, ongoing crises affecting hundreds of millions of people. And OpenAI's $4 billion deployment company is a declaration that the race to embed AI in every enterprise process is accelerating faster than the security, regulatory, or ethical frameworks needed to govern it.

The second-order effects are what should concern policymakers most. When AI can generate zero-day exploits, the value of traditional perimeter defense drops. When a single vendor breach can compromise 275 million records across 9,000 institutions, the value of individual institutional security drops. When enterprise AI deployment accelerates through dedicated companies with billions in backing, the attack surface grows faster than the defensive capabilities can scale. And when training costs drop by 94%, the democratization of AI capability includes the democratization of offensive capability.

This is not a call for pessimism. The same AI that can generate exploits can detect them. The same models that can automate vulnerability discovery can automate defense. Google's detection of the AI-generated zero-day proves that the defensive applications are real and effective. But the economics are asymmetric: offense scales more cheaply than defense, and the attackers do not have to comply with regulations, procurement processes, or board-level risk committees.

The infrastructure is being built. The weapons are being generated. The defenses are being deployed. All three are accelerating. What is not accelerating fast enough is the governance that connects them.