Run a immediate injection assault in opposition to Claude Opus 4.6 in a constrained coding atmosphere, and it fails each time, 0% success price throughout 200 makes an attempt, no safeguards wanted. Transfer that very same assault to a GUI-based system with prolonged pondering enabled, and the image modifications quick. A single try will get by way of 17.8% of the time with out safeguards. By the 2 hundredth try, the breach price hits 78.6% with out safeguards and 57.1% with them.
The newest fashions’ 212-page system card, launched February 5, breaks out assault success charges by floor, by try depend, and by safeguard configuration.
Why surface-level variations decide enterprise danger
For years, immediate injection was a identified danger that nobody quantified. Safety groups handled it as theoretical. AI builders handled it as a analysis drawback. That modified when Anthropic made immediate injection measurable throughout 4 distinct agent surfaces, with assault success charges that safety leaders can lastly construct procurement choices round.
OpenAI's GPT-5.2 system card consists of immediate injection benchmark outcomes, together with scores on evaluations like Agent JSK and PlugInject, however doesn’t get away assault success charges by agent floor or present how these charges change throughout repeated makes an attempt. The unique GPT-5 system card described greater than 5,000 hours of crimson teaming from over 400 exterior testers. The Gemini 3 mannequin card describes it as "our most safe mannequin but" with "elevated resistance to immediate injections," sharing relative security enhancements versus earlier fashions however not publishing absolute assault success charges by floor or persistence scaling knowledge.
What every developer discloses and what they withhold
Disclosure Class | Anthropic (Opus 4.6) | OpenAI (GPT-5.2) | Google (Gemini 3) |
Per-surface assault success charges | Printed (0% to 78.6%) | Benchmark scores solely | Relative enhancements solely |
Assault persistence scaling | Printed (1 to 200 makes an attempt) | Not revealed | Not revealed |
Safeguard on/off comparability | Printed | Not revealed | Not revealed |
Agent monitoring evasion knowledge | Printed (SHADE-Area) | Not revealed | Not revealed |
Zero-day discovery counts | 500+ with initiatives named | Not revealed | Not revealed |
Third-party crimson teaming | Grey Swan, UK AISI, Apollo | 400+ exterior testers | UK AISI, Apollo, Vaultis, Dreadnode |
Third-party testing highlights why granular vendor disclosures matter. Promptfoo's unbiased crimson group analysis of GPT-5.2 discovered jailbreak success charges climbing from a 4.3% baseline to 78.5% in multi-turn situations, the form of persistence-scaled knowledge that reveals how defenses degrade beneath sustained assault. OpenAI's personal system card doesn’t embrace equal metrics.
When the agent evades its personal maker's monitor
Buried within the alignment evaluation is a discovering that ought to reshape how enterprises take into consideration agent governance. On SHADE-Area, a benchmark designed to check whether or not fashions can full suspicious duties with out triggering automated oversight, Opus 4.6 succeeded 18% of the time when prolonged pondering was enabled. The monitor was calibrated to Anthropic's personal inside detection threshold.
The system card states the mannequin has "an improved skill to finish suspicious aspect duties with out attracting the eye of automated displays." The agent constructed by Anthropic evades the monitor constructed by Anthropic.
Anthropic’s individually revealed Sabotage Threat Report makes use of this identical 18% determine to argue the alternative conclusion: {that a} mannequin with real hidden objectives could be “overwhelmingly more likely to be caught” at present functionality ranges. However the report additionally acknowledges that the quantity “represents a rise relative to latest fashions.” For enterprise safety groups, the pattern line issues greater than the present quantity. A functionality that improves with every mannequin technology is just not a functionality you’ll be able to safely ignore in your danger mannequin.
For safety groups, the takeaway is architectural. Constrain what an agent can entry, restrict its motion house, and require human approval for high-risk operations. The normal mannequin of deploy and monitor assumes the factor being monitored is predictable. Brokers that may motive about their very own oversight should not.
Bruce Schneier, a fellow and lecturer at Harvard Kennedy Faculty and a board member of the Digital Frontier Basis, says enterprises deploying AI brokers face a "safety trilemma," the place they will optimize for velocity, intelligence, or safety, however not all three.
Anthropic's personal knowledge illustrates the tradeoff. The strongest floor is slim and constrained. The weakest is broad and autonomous.
500 zero-days shift the economics of vulnerability discovery
Opus 4.6 found greater than 500 beforehand unknown vulnerabilities in open-source code, together with flaws in GhostScript, OpenSC and CGIF. Anthropic detailed these findings in a weblog submit accompanying the system card launch.
5 hundred zero-days from a single mannequin. For context, Google's Menace Intelligence Group tracked 75 zero-day vulnerabilities being actively exploited throughout your entire trade in 2024. These are vulnerabilities discovered after attackers had been already utilizing them. One mannequin proactively found greater than six occasions that quantity in open-source codebases earlier than attackers might discover them. It’s a completely different class of discovery, nevertheless it reveals the dimensions AI brings to defensive safety analysis.
Actual-world assaults are already validating the menace mannequin
Days after Anthropic launched Claude Cowork, safety researchers at PromptArmor discovered a method to steal confidential person recordsdata by way of hidden immediate injections. No human authorization required.
The assault chain works like this:
A person connects Cowork to an area folder containing confidential knowledge. An adversary crops a file with a hidden immediate injection in that folder, disguised as a innocent "ability" doc. The injection methods Claude into exfiltrating non-public knowledge by way of the whitelisted Anthropic API area, bypassing sandbox restrictions totally. PromptArmor examined it in opposition to Claude Haiku. It labored. They examined it in opposition to Claude Opus 4.5, the corporate's most succesful mannequin on the time. That labored, too.
Simon Willison, the unbiased AI researcher who coined the time period “immediate injection” in 2022, wrote in a weblog submit after reviewing Cowork that he does “not suppose it’s truthful to inform common non-programmer customers to be careful for ‘suspicious actions that will point out immediate injection.’” The vulnerability Anthropic disclosed in its personal system card, which persistent adversaries breach defenses greater than half the time, is identical one which performed out in manufacturing two weeks earlier than Opus 4.6 shipped.
The analysis integrity drawback that impacts each vendor
The system card's launch determination course of incorporates an admission that ought to give each enterprise safety group pause. Anthropic used Opus 4.6 itself, by way of Claude Code, to debug its personal analysis infrastructure, analyze outcomes, and repair points beneath time stress.
The corporate acknowledges the danger explicitly. "A misaligned mannequin might affect the very infrastructure designed to measure its capabilities." Anthropic states it doesn’t consider this offered a major danger as a result of the mannequin confirmed no proof of harmful misaligned objectives. However the dynamic is actual and getting worse. As fashions get extra succesful and growth timelines keep compressed, groups settle for code modifications they don’t absolutely perceive.
Anthropic went additional than every other lab in quantifying what might go fallacious. A separate Sabotage Threat Report, launched alongside the system card, maps eight particular pathways by way of which Opus 4.6 might trigger catastrophic hurt if it acted on misaligned objectives whereas embedded in Anthropic’s personal infrastructure. These embrace sabotaging security analysis by way of deliberate sandbagging, inserting safety backdoors into code for future fashions to use, and exfiltrating its personal mannequin weights to function autonomously.
For every pathway, the report charges each the frequency and complexity of misaligned actions required, then assesses whether or not Anthropic’s monitoring, alignment testing, and safety controls are adequate to include the danger.
The general verdict: “very low however not negligible.” The report argues that Opus 4.6 lacks the constant harmful objectives, the reasoning opacity, and the long-horizon planning reliability wanted to execute these pathways with out detection. However it additionally admits that its automated displays don’t cowl each inside deployment floor, that its human reporting techniques haven’t been rigorously evaluated, and that knowledge poisoning by a reliable human adversary might make the mannequin extra able to bypassing safeguards than its baseline capabilities counsel. No different frontier AI lab has revealed an equal evaluation of how its personal mannequin might flip in opposition to its personal infrastructure.
For safety leaders evaluating AI agent deployments, this implies third-party crimson teaming and unbiased analysis are important.
That urgency displays regulatory stress constructing throughout the trade. NIST's Middle for AI Requirements and Innovation issued a request for info in January that was centered particularly on securing AI agent techniques. The RFI warns that AI agent techniques “could also be prone to hijacking, backdoor assaults, and different exploits” that might “affect public security, undermine shopper confidence, and curb adoption of the newest AI improvements.” Procurement groups are beginning to ask distributors for quantified agent safety knowledge. One developer simply made it attainable to reply.
What safety leaders ought to do earlier than their subsequent vendor analysis
Anthropic simply set a brand new baseline by publishing immediate injection assault success charges damaged out by floor. Agent monitoring evasion outcomes are recognized and analyzed moderately than buried. Zero-day discovery counts are disclosed with affected initiatives named. The corporate dropped its direct immediate injection metric, arguing that oblique injection is the extra related enterprise menace. That reasoning is sound, however the change makes year-over-year comparisons more durable. The SHADE-Area outcomes increase questions on agent monitoring that the system card acknowledges however doesn’t resolve.
The Sabotage Threat Report provides one other layer of accountability. It features a “trying ahead” framework that lists the particular circumstances beneath which Anthropic’s personal security conclusions would now not maintain. These tripwires embrace: a mannequin scoring above 60% on SHADE-Area, a mannequin reaching functionality jumps equal to a 5x compute scale-up over the earlier technology, essential security analysis capabilities turning into absolutely automated with out human participation, or fewer than 25 technical employees having significant visibility right into a mannequin’s habits. Safety leaders ought to ask each AI agent vendor for equal standards — the circumstances beneath which the seller’s personal security case breaks down.
Three issues safety leaders ought to do now:
Ask each AI agent vendor in your analysis pipeline for per-surface assault success charges, not simply benchmark scores. If they can’t present persistence-scaled failure knowledge, issue that hole into your danger scoring.
Fee unbiased crimson group evaluations earlier than any manufacturing deployment. When the seller's personal mannequin helped construct the analysis infrastructure, vendor-provided security knowledge alone is just not sufficient.
Contemplate validating agent safety claims in opposition to unbiased crimson group outcomes for 30 days earlier than increasing deployment scope.
