USQRD · Squared
Security Theatre, Memory Hype, and a Data Centre Backlash
Most of this week was noise — model launches dressed up as breakthroughs and another round of "AI will remember you" marketing. But three threads actually matter for leaders: agentic security is failing in production, the economics of inference are about to get worse, and the social licence for AI infrastructure is fraying in public. Here's what's worth your attention.
1. Agents are leaking access — and the fixes are bolt-ons, not solutions
What happened: 404 Media reported attackers used Meta's AI customer support agent to hijack Instagram accounts simply by asking it to relink them to attacker-controlled emails — including a break-in to the dormant Obama White House account. The same week, OpenAI launched "Lockdown Mode" to reduce prompt injection risk, while admitting ChatGPT could still be vulnerable.
Why it matters: This is the real story of the week. Any agent you give write-access or account-management permissions is an attack surface, and the vendors themselves are telling you their mitigations are partial. If you've deployed customer-facing agents with the ability to take actions — relink accounts, issue refunds, change records — assume they can be talked into doing it by anyone. Revisit what your agents are actually allowed to do, not just say, before you scale them.
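To make "what your agents are allowed to do, not just say" concrete, here is an added example, not code from the newsletter or from any vendor mentioned in it: a deny-by-default authorization gate that sits between an agent and its tools, so that an account-relink request is decided by the verified session and a step-up check, never by what the model was talked into. The tool names, risk tiers and session fields are assumptions for illustration.

```python
# Added example: a policy gate between an LLM agent and its tools.
# The model may only *propose* a tool call; this gate decides whether the
# verified caller is allowed to make it. Tool names, tiers and the session
# model below are assumptions, not any real vendor's API.
from dataclasses import dataclass
from typing import Optional

# Deny-by-default: a tool not listed here can never be invoked.
# Conversation text never counts as verification, so a prompt-injected
# "the user has confirmed ownership" cannot satisfy any of these checks.
TOOL_POLICY = {
    "lookup_order_status":  {"tier": "read",  "mutates_identity": False},
    "issue_refund":         {"tier": "write", "mutates_identity": False},
    "relink_account_email": {"tier": "write", "mutates_identity": True},
}

AUDIT = []  # every decision is recorded, allowed or not


@dataclass
class Session:
    verified_user_id: Optional[str]   # set by the auth layer, never by the model
    step_up_verified: bool = False    # e.g. OTP sent to the *existing* contact


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize(session: Session, tool: str, args: dict) -> Decision:
    """Decide whether `session` may run `tool` with `args`; log the outcome."""
    policy = TOOL_POLICY.get(tool)
    if policy is None:
        decision = Decision(False, f"unknown tool {tool!r}: denied by default")
    elif policy["tier"] == "read":
        decision = Decision(True, "read-only tool")
    elif session.verified_user_id is None:
        decision = Decision(False, "write tool requires an authenticated session")
    elif args.get("account_id") != session.verified_user_id:
        decision = Decision(False, "caller may only act on their own account")
    elif policy["mutates_identity"] and not session.step_up_verified:
        decision = Decision(False, "identity change requires out-of-band step-up")
    else:
        decision = Decision(True, "verified owner with required step-up")
    AUDIT.append((tool, session.verified_user_id, decision.reason))
    return decision
```

The anonymous "please relink this account to my email" request from the story is refused at the second check regardless of how persuasive the prompt was, and even the real owner must pass a step-up that lives outside the conversation.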
2. Inference prices are heading up, not down
What happened: TechCrunch flagged a likely wave of AI price increases — a "Tokenpocalypse" — as the big labs prepare to go public and need to show margins. Separately, the S&P 500 declined to waive its profitability rule for OpenAI and Anthropic, a reminder that these firms are still burning cash.
Why it matters: The era of subsidised tokens is ending. If your business case assumed today's per-token prices hold or fall, stress-test it against a 2–3x increase. The teams that win will be the ones who measured cost-per-task early and built the option to swap models — open weights like Nemotron on SageMaker now get you 30% lower cost on agentic workloads. Lock-in to a single frontier provider is now a financial risk, not just a technical one.
3. The social licence for AI infrastructure is cracking in public
What happened: A $2bn data centre plan was cut 50% after community protests, with the developer admitting "we pissed off a lot of people." In Shelbyville, Indiana, a mayor was caught on camera saying only people in "shitty houses" oppose a proposed data centre. The UK, meanwhile, is pushing its sovereign-AI "maker not taker" agenda with NVIDIA.
Why it matters: Compute is becoming a political problem, not just a procurement one. Power, water and land are now contested locally, and the reputational risk attaches to the firms buying the capacity, not only those building it. If your AI roadmap assumes cheap, abundant compute on tap, factor in delay and public scrutiny. Sovereign-AI initiatives are partly a response to exactly this — control over where and how your workloads run is becoming a board-level question.
4. "ChatGPT remembers you better" — mostly marketing
What happened: OpenAI announced a new memory system called "Dreaming" to keep context fresh across conversations, while a senior employee declared "chat is dead" as the firm works on a "super app."
Why it matters: Treat this as incremental, not transformational. Better consumer memory is a UX tweak — but it raises a governance flag: if staff use ChatGPT with persistent memory, your sensitive context is being retained and re-surfaced in ways you don't control. The enterprise question isn't whether memory is impressive; it's whether your data-handling policy has caught up with tools that now remember by default.
The bottom line: Strip the launches and the week tells one coherent story: AI is moving from demo to deployment, and the hard parts — security, cost, and consent — are surfacing exactly where you'd expect. The agent-hijack stories are the clearest warning yet that giving AI the power to act without tight permissioning is a liability, not a feature. My advice this week is unglamorous: audit what your agents can do, model your token costs against a price rise, and don't assume compute or community goodwill is unlimited. Everything else was noise.