VMware ESXi flaw now exploited in ransomware attacks
CISA confirmed on Wednesday that ransomware gangs have begun exploiting a high-severity VMware ESXi sandbox escape vulnerability that was previously used in zero-day attacks.

Broadcom patched this ESXi arbitrary-write vulnerability (tracked as CVE-2025-22225) in March 2025 alongside a memory leak (CVE-2025-22226) and a TOCTOU flaw (CVE-2025-22224), and tagged them all as actively exploited zero-days.

“A malicious actor with privileges within the VMX process may trigger an arbitrary kernel write leading to an escape of the sandbox,” Broadcom said about the CVE-2025-22225 flaw.


At the time, the company said that the three vulnerabilities affect VMware ESX products, including VMware ESXi, Fusion, Cloud Foundation, vSphere, Workstation, and Telco Cloud Platform, and that attackers with privileged administrator or root access can chain them to escape the virtual machine’s sandbox.

According to a report published last month by cybersecurity company Huntress, Chinese-speaking threat actors have likely been chaining these flaws in sophisticated zero-day attacks since at least February 2024.


Flagged as exploited in ransomware attacks

In a Wednesday update to its list of vulnerabilities exploited in the wild, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said CVE-2025-22225 is now known to be used in ransomware campaigns but didn’t provide more details about these ongoing attacks.

CISA first added the flaw to its Known Exploited Vulnerabilities (KEV) catalog in March 2025 and ordered federal agencies to secure their systems by March 25, 2025, as mandated by Binding Operational Directive (BOD) 22-01.

“Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable,” the cybersecurity agency says.

Ransomware gangs and state-sponsored hacking groups often target VMware vulnerabilities because VMware products are widely deployed on enterprise systems that commonly store sensitive corporate data.


For instance, in October, CISA ordered government agencies to patch a high-severity vulnerability (CVE-2025-41244) in Broadcom’s VMware Aria Operations and VMware Tools software, which Chinese hackers have exploited in zero-day attacks since October 2024.

More recently, CISA has also tagged a critical VMware vCenter Server vulnerability (CVE-2024-37079) as actively exploited in January and ordered federal agencies to secure their servers by February 13.

In related news, this week, cybersecurity company GreyNoise reported that CISA has “silently” tagged 59 security flaws as known to be used in ransomware campaigns last year alone.

What Is The 6-12 Rule For Electrical Outlets?

Published

on





There are various rules and regulations in home construction. Each discipline involved in the process — carpentry, plumbing, and electrical, to name a few — has codes to follow, which are intended to prevent shoddy workmanship or ensure homeowners’ safety. The 6-12 rule (or, as it’s sometimes known, the 2-6-12 rule) is definitely for the latter.

The rule mandates a certain spacing for electrical outlets and covers all the various types of outlets. Under the 2-6-12 rule, an electrical outlet must be installed in any wall space longer than 2 feet. A wall space is any continuous wall that is not broken up by a door or fireplace. Further, those outlets cannot be spaced more than 12 feet apart. This is to make sure that no point along the wall is more than 6 feet from an outlet.

The rule makes a lot of sense because most appliances that a homeowner will plug in have 6-foot cords. The rule is in place to ensure that there will always be an outlet in reach, no matter where you place a TV, stereo, lamp, or other electrical appliance. It’s designed to discourage the use of extension cords wherever possible.


Kitchens follow different rules

The one room in your house that isn’t subject to the same rule is the kitchen. Those rules are modified to accommodate the shorter 2-foot cables that come with kitchen appliances such as coffee makers, blenders, and the like. In a kitchen, electrical outlets must be placed no more than 2 feet from the edge of a counter and no more than 4 feet apart. Those outlets will typically be required to be Ground-Fault Circuit Interrupter (GFCI) outlets, the ones with the reset button. These can be wall-mounted or mounted within the counter.

Kitchen islands have still more rules. Islands are not required to have an electrical outlet, but they still need to have all the necessary equipment for power to be added later. Often, this means a closed electrical box located in one of the island’s cabinets. As long as it can be added later, it’s allowed.


Other rooms, like foyers and bathrooms, have similar but different rules, and you’ll have to be aware of what your local regulations require. This is especially true since those rules can vary between regions. If you’re a DIYer, be sure to research what’s applicable in your city or county.



Most enterprises can’t stop stage-three AI agent threats, VentureBeat survey finds

A rogue AI agent at Meta passed every identity check and still exposed sensitive data to unauthorized employees in March. Two weeks later, Mercor, a $10 billion AI startup, confirmed a supply-chain breach through LiteLLM. Both trace back to the same structural gap: monitoring without enforcement, and enforcement without isolation. A VentureBeat three-wave survey of 108 qualified enterprises found that the gap is not an edge case. It is the most common security architecture in production today.

Gravitee’s State of AI Agent Security 2026 survey of 919 executives and practitioners quantifies the disconnect. 82% of executives say their policies protect them from unauthorized agent actions. Eighty-eight percent reported AI agent security incidents in the last twelve months. Only 21% have runtime visibility into what their agents are doing. Arkose Labs’ 2026 Agentic AI Security Report found 97% of enterprise security leaders expect a material AI-agent-driven incident within 12 months. Only 6% of security budgets address the risk.

VentureBeat’s survey results show that monitoring investment snapped back to 45% of security budgets in March after dropping to 24% in February, when early movers shifted dollars into runtime enforcement and sandboxing. The March wave (n=20) is directional, but the pattern is consistent with February’s larger sample (n=50): enterprises are stuck at observation while their agents already need isolation. CrowdStrike’s Falcon sensors detect more than 1,800 distinct AI applications across enterprise endpoints. The fastest recorded adversary breakout time has dropped to 27 seconds. Monitoring dashboards built for human-speed workflows cannot keep pace with machine-speed threats.

The audit that follows maps three stages. Stage one is observe. Stage two is enforce, where IAM integration and cross-provider controls turn observation into action. Stage three is isolate, sandboxed execution that bounds blast radius when guardrails fail. VentureBeat Pulse data from 108 qualified enterprises ties each stage to an investment signal, an OWASP ASI threat vector, a regulatory surface, and immediate steps security leaders can take.


The threat surface stage-one security cannot see

The OWASP Top 10 for Agentic Applications 2026 formalized the attack surface last December. The ten risks are: goal hijack (ASI01), tool misuse (ASI02), identity and privilege abuse (ASI03), agentic supply chain vulnerabilities (ASI04), unexpected code execution (ASI05), memory poisoning (ASI06), insecure inter-agent communication (ASI07), cascading failures (ASI08), human-agent trust exploitation (ASI09), and rogue agents (ASI10). Most have no analog in traditional LLM applications. The audit below maps six of these to the stages where they are most likely to surface and the controls that address them.

Invariant Labs disclosed the MCP Tool Poisoning Attack in April 2025: malicious instructions in an MCP server’s tool description cause an agent to exfiltrate files or hijack a trusted server. CyberArk extended it to Full-Schema Poisoning. The mcp-remote OAuth proxy patched CVE-2025-6514 after a command-injection flaw put 437,000 downloads at risk.

Merritt Baer, CSO at Enkrypt AI and former AWS Deputy CISO, framed the gap in an exclusive VentureBeat interview: “Enterprises believe they’ve ‘approved’ AI vendors, but what they’ve actually approved is an interface, not the underlying system. The real dependencies are one or two layers deeper, and those are the ones that fail under stress.”

CrowdStrike CTO Elia Zaitsev put the visibility problem in operational terms in an exclusive VentureBeat interview at RSAC 2026: “It looks indistinguishable if an agent runs your web browser versus if you run your browser.” Distinguishing the two requires walking the process tree, tracing whether Chrome was launched by a human from the desktop or spawned by an agent in the background. Most enterprise logging configurations cannot make that distinction.


The regulatory clock and the identity architecture

Auditability priority tells the same story in miniature. In January, 50% of respondents ranked it a top concern. By February, that dropped to 28% as teams sprinted to deploy. In March, it surged to 65% when those same teams realized they had no forensic trail for what their agents did.

HIPAA’s 2026 Tier 4 willful-neglect maximum is $2.19M per violation category per year. In healthcare, Gravitee’s survey found 92.7% of organizations reported AI agent security incidents versus the 88% all-industry average. For a health system running agents that touch PHI, that ratio is the difference between a reportable breach and an uncontested finding of willful neglect. FINRA’s 2026 Oversight Report recommends explicit human checkpoints before agents that can act or transact execute, along with narrow scope, granular permissions, and complete audit trails of agent actions.

Mike Riemer, Field CISO at Ivanti, quantified the speed problem in a recent VentureBeat interview: “Threat actors are reverse engineering patches within 72 hours. If a customer doesn’t patch within 72 hours of release, they’re open to exploit.” Most enterprises take weeks. Agents operating at machine speed widen that window into a permanent exposure.

The identity problem is architectural. Gravitee’s survey of 919 practitioners found only 21.9% of teams treat agents as identity-bearing entities, 45.6% still use shared API keys, and 25.5% of deployed agents can create and task other agents. A quarter of enterprises can spawn agents that their security team never provisioned. That is ASI08 as architecture.


Guardrails alone are not a strategy

A 2025 paper by Kazdan and colleagues (Stanford, ServiceNow Research, Toronto, FAR AI) showed a fine-tuning attack that bypasses model-level guardrails in 72% of attempts against Claude 3 Haiku and 57% against GPT-4o. The attack received a $2,000 bug bounty from OpenAI and was acknowledged as a vulnerability by Anthropic. Guardrails constrain what an agent is told to do, not what a compromised agent can reach.

CISOs already know this. In VentureBeat’s three-wave survey, prevention of unauthorized actions ranked as the top capability priority in every wave at 68% to 72%, the most stable high-conviction signal in the dataset. The demand is for permissioning, not prompting. Guardrails address the wrong control surface.

Zaitsev framed the identity shift at RSAC 2026: “AI agents and non-human identities will explode across the enterprise, expanding exponentially and dwarfing human identities. Each agent will operate as a privileged super-human with OAuth tokens, API keys, and continuous access to previously siloed data sets.” Identity security built for humans will not survive this shift. Cisco President Jeetu Patel offered the operational analogy in an exclusive VentureBeat interview: agents behave “more like teenagers, supremely intelligent, but with no fear of consequence.”

VentureBeat Prescriptive Matrix: AI Agent Security Maturity Audit

Stage 1: Observe
Attack scenario: Attacker embeds goal-hijack payload in forwarded email (ASI01). Agent summarizes email and silently exfiltrates credentials to an external endpoint. See: Meta March 2026 incident.
What breaks: No runtime log captures the exfiltration. SIEM never sees the API call. The security team learns from the victim. Zaitsev: agent activity is “indistinguishable” from human activity in default logging.
Detection test: Inject a canary token into a test document. Route it through your agent. If the token leaves your network, stage one failed.
Blast radius: Single agent, single session. With shared API keys (45.6% of enterprises): unlimited lateral movement.
Recommended control: Deploy agent API call logging to SIEM. Baseline normal tool-call patterns per agent role. Alert on the first outbound call to an unrecognized endpoint.

Stage 2: Enforce
Attack scenario: Compromised MCP server poisons tool description (ASI04). Agent invokes poisoned tool, writes attacker payload to production DB using inherited service-account credentials. See: Mercor/LiteLLM April 2026 supply-chain breach.
What breaks: IAM allows write because agent uses shared service account. No approval gate on write ops. Poisoned tool indistinguishable from clean tool in logs. Riemer: “72-hour patch window” collapses to zero when agents auto-invoke.
Detection test: Register a test MCP server with a benign-looking poisoned description. Confirm your policy engine blocks the tool call before execution reaches the database. Run mcp-scan on all registered servers.
Blast radius: Production database integrity. If agent holds DBA-level credentials: full schema compromise. Lateral movement via trust relationships to downstream agents.
Recommended control: Assign scoped identity per agent. Require approval workflow for all write ops. Revoke every shared API key. Run mcp-scan on all MCP servers weekly.

Stage 3: Isolate
Attack scenario: Agent A spawns Agent B to handle subtask (ASI08). Agent B inherits Agent A’s permissions, escalates to admin, rewrites org security policy. Every identity check passes. Source: CrowdStrike CEO George Kurtz, RSAC 2026 keynote.
What breaks: No sandbox boundary between agents. No human gate on agent-to-agent delegation. Security policy modification is a valid action for admin-credentialed process. CrowdStrike CEO George Kurtz disclosed at RSAC 2026 that the agent “wanted to fix a problem, lacked permissions, and removed the restriction itself.”
Detection test: Spawn a child agent from a sandboxed parent. Child should inherit zero permissions by default and require explicit human approval for each capability grant.
Blast radius: Organizational security posture. A rogue policy rewrite disables controls for every subsequent agent. 97% of enterprise leaders expect a material incident within 12 months (Arkose Labs 2026).
Recommended control: Sandbox all agent execution. Zero-trust for agent-to-agent delegation: spawned agents inherit nothing. Human sign-off before any agent modifies security controls. Kill switch per OWASP ASI10.

Sources: OWASP Top 10 for Agentic Applications 2026; Invariant Labs MCP Tool Poisoning (April 2025); CrowdStrike RSAC 2026 Fortune 50 disclosure; Meta March 2026 incident (The Information/Engadget); Mercor/LiteLLM breach (Fortune, April 2, 2026); Arkose Labs 2026 Agentic AI Security Report; VentureBeat Pulse Q1 2026.


The stage-one attack scenario in this matrix is not hypothetical. Unauthorized tool or data access ranked as the most feared failure mode in every wave of VentureBeat’s survey, growing from 42% in January to 50% in March. That trajectory and the 70%-plus priority rating for prevention of unauthorized actions are the two most mutually reinforcing signals in the entire dataset. CISOs fear the exact attack this matrix describes, and most have not deployed the controls to stop it.
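The stage-one recommended control in the matrix (baseline normal tool-call patterns per agent role, alert on the first outbound call to an unrecognized endpoint) is small enough to show end to end. The Python below is an added example written for this article, not code from VentureBeat or from any vendor it cites. The JSON-lines record format, the role names and the hosts are constructed; the rule that a role with no baseline at all is alerted is an assumption, chosen because it matches the article’s point about agents the security team never provisioned.

```python
import json
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample of agent tool-call records as JSON lines. The field names are an
# assumption about what an agent runtime would ship to a SIEM; nothing here is real traffic.
SAMPLE_LOG = """\
{"ts":"2026-04-01T09:00:01Z","agent_id":"summarizer-01","role":"email-summarizer","tool":"http.get","url":"https://mail.example.internal/api/messages"}
{"ts":"2026-04-01T09:00:04Z","agent_id":"summarizer-01","role":"email-summarizer","tool":"http.get","url":"https://mail.example.internal/api/messages/42"}
{"ts":"2026-04-01T09:00:07Z","agent_id":"summarizer-02","role":"email-summarizer","tool":"http.get","url":"https://mail.example.internal/api/messages"}
{"ts":"2026-04-02T11:15:22Z","agent_id":"summarizer-01","role":"email-summarizer","tool":"http.post","url":"https://uploads.unknown-host.example/drop"}
{"ts":"2026-04-02T11:15:30Z","agent_id":"dba-helper-01","role":"db-maintenance","tool":"sql.exec","url":"postgres://db.example.internal/prod"}
{"ts":"2026-04-02T11:16:00Z","agent_id":"summarizer-01","role":"email-summarizer","tool":"http.post","url":"https://uploads.unknown-host.example/drop"}
"""


def parse_log(text):
    """One dict per non-empty JSON line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def build_baseline(records, training_window_end):
    """Hosts each agent role contacted during the baseline window. ISO-8601 UTC timestamps
    of equal shape compare correctly as strings, so no datetime parsing is needed."""
    baseline = defaultdict(set)
    for r in records:
        if r["ts"] <= training_window_end:
            baseline[r["role"]].add(urlparse(r["url"]).hostname)
    return baseline


def first_unrecognized_calls(records, baseline, training_window_end):
    """One alert per (agent, host) for the first post-baseline call to a host the agent's
    role never contacted. A role with no baseline at all (never inventoried) always alerts."""
    seen = set()
    alerts = []
    for r in records:
        if r["ts"] <= training_window_end:
            continue
        host = urlparse(r["url"]).hostname
        if host in baseline.get(r["role"], set()):
            continue
        key = (r["agent_id"], host)
        if key in seen:
            continue                      # only the first call is worth an alert
        seen.add(key)
        alerts.append({"ts": r["ts"], "agent_id": r["agent_id"], "role": r["role"],
                       "tool": r["tool"], "host": host})
    return alerts


def run_check(log_text=SAMPLE_LOG, training_window_end="2026-04-01T23:59:59Z"):
    """Baseline on records up to the cutoff, then evaluate everything after it."""
    records = parse_log(log_text)
    return first_unrecognized_calls(records, build_baseline(records, training_window_end),
                                    training_window_end)


if __name__ == "__main__":
    for a in run_check():
        print(f"ALERT {a['ts']} agent={a['agent_id']} role={a['role']} "
              f"tool={a['tool']} first outbound call to {a['host']}")
```

On the constructed sample this raises two alerts: the summarizer’s first POST to a host its role never contacted during baselining (the second POST to the same host is suppressed), and the database agent whose role has no baseline at all. The canary-token test from the matrix is the complementary check: this rule catches the call in logs, the canary confirms whether the token actually left the network.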

Hyperscaler stage readiness: observe, enforce, isolate

The maturity audit tells you where your security program stands. The next question is whether your cloud platform can get you to stage two and stage three, or whether you are building those capabilities yourself. Patel put it bluntly: “It’s not just about authenticating once and then letting the agent run wild.” A stage-three platform running a stage-one deployment pattern gives you stage-one risk.

VentureBeat Pulse data surfaces a structural tension in this grid. OpenAI leads enterprise AI security deployments at 21% to 26% across the three survey waves, making the same provider that creates the AI risk also the primary security layer. The provider-as-security-vendor pattern holds across Azure, Google, and AWS. Zero-incremental-procurement convenience is winning by default. Whether that concentration is a feature or a single point of failure depends on how far the enterprise has progressed past stage one.

Microsoft Azure
Identity primitive (stage 2): Entra ID agent scoping. Agent 365 maps agents to owners. GA.
Enforcement control (stage 2): Copilot Studio DLP policies. Purview for agent output classification. GA.
Isolation primitive (stage 3): Azure Confidential Containers for agent workloads. Preview. No per-agent sandbox at GA.
Gap as of April 2026: No agent-to-agent identity verification. No MCP governance layer. Agent 365 monitors but cannot block in-flight tool calls.

Anthropic
Identity primitive (stage 2): Managed Agents: per-agent scoped permissions, credential mgmt. Beta (April 8, 2026). $0.08/session-hour.
Enforcement control (stage 2): Tool-use permissions, system prompt enforcement, and built-in guardrails. GA.
Isolation primitive (stage 3): Managed Agents sandbox: isolated containers per session, execution-chain auditability. Beta. Allianz, Asana, Rakuten, and Sentry are in production.
Gap as of April 2026: Beta pricing/SLA not public. Session data in Anthropic-managed DB (lock-in risk per VentureBeat research). GA timing TBD.

Google Cloud
Identity primitive (stage 2): Vertex AI service accounts for model endpoints. IAM Conditions for agent traffic. GA.
Enforcement control (stage 2): VPC Service Controls for agent network boundaries. Model Armor for prompt/response filtering. GA.
Isolation primitive (stage 3): Confidential VMs for agent workloads. GA. Agent-specific sandbox in preview.
Gap as of April 2026: Agent identity ships as a service account, not an agent-native principal. No agent-to-agent delegation audit. Model Armor does not inspect tool-call payloads.

OpenAI
Identity primitive (stage 2): Assistants API: function-call permissions, structured outputs. Agents SDK. GA.
Enforcement control (stage 2): Agents SDK guardrails, input/output validation. GA.
Isolation primitive (stage 3): Agents SDK Python sandbox. Beta (API and defaults subject to change before GA per OpenAI docs). TypeScript sandbox confirmed, not shipped.
Gap as of April 2026: No cross-provider identity federation. Agent memory forensics limited to session scope. No kill switch API. No MCP tool-description inspection.

AWS
Identity primitive (stage 2): Bedrock model invocation logging. IAM policies for model access. CloudTrail for agent API calls. GA.
Enforcement control (stage 2): Bedrock Guardrails for content filtering. Lambda resource policies for agent functions. GA.
Isolation primitive (stage 3): Lambda isolation per agent function. GA. Bedrock agent-level sandboxing on roadmap, not shipped.
Gap as of April 2026: No unified agent control plane across Bedrock + SageMaker + Lambda. No agent identity standard. Guardrails do not inspect MCP tool descriptions.

Status as of April 15, 2026. GA = generally available. Preview/Beta = not production-hardened. The gap column reflects VentureBeat’s analysis of publicly documented capabilities; gaps may narrow as vendors ship updates.

No provider in this grid ships a complete stage-three stack today. Most enterprises assemble isolation from existing cloud building blocks. That is a defensible choice if it is a deliberate one. Waiting for a vendor to close the gap without acknowledging the gap is not a strategy.

The grid above covers hyperscaler-native SDKs. A large segment of AI builders deploys through open-source orchestration frameworks like LangChain, CrewAI, and LlamaIndex that bypass hyperscaler IAM entirely. These frameworks lack native stage-two primitives. There is no scoped agent identity, no tool-call approval workflow, and no built-in audit trails. Enterprises running agents through open-source orchestration need to layer enforcement and isolation on top, not assume the framework provides it.


VentureBeat’s survey quantifies the pressure. Policy enforcement consistency grew from 39.5% to 46% between January and February, the largest consistent gain of any capability criterion. Enterprises running agents across OpenAI, Anthropic, and Azure need enforcement that works the same way regardless of which model executes the task. Provider-native controls enforce policy within that provider’s runtime only. Open-source orchestration frameworks enforce it nowhere.

One counterargument deserves acknowledgment: not every agent deployment needs stage three. A read-only summarization agent with no tool access and no write permissions may rationally stop at stage one. The sequencing failure this audit addresses is not that monitoring exists. It is that enterprises running agents with write access, shared credentials, and agent-to-agent delegation are treating monitoring as sufficient. For those deployments, stage one is not a strategy. It is a gap.

Allianz shows stage three in production

Allianz, one of the world’s largest insurance and asset management companies, is running Claude Managed Agents across insurance workflows, with Claude Code deployed to technical teams and a dedicated AI logging system for regulatory transparency, per Anthropic’s April 8 announcement. Asana, Rakuten, Sentry, and Notion are in production on the same beta. Stage-three isolation, per-agent permissioning, and execution-chain auditability are deployable now, not roadmap. The gating question is whether the enterprise has sequenced the work to use them.

The 90-day remediation sequence

Days 1–30: Inventory and baseline. Map every agent to a named owner. Log all tool calls. Revoke shared API keys. Deploy read-only monitoring across all agent API traffic. Run mcp-scan against every registered MCP server. CrowdStrike detects 1,800 AI applications across enterprise endpoints; your inventory should be equally comprehensive. Output: agent registry with permission matrix, MCP scan report.


Days 31–60: Enforce and scope. Assign scoped identities to every agent. Deploy tool-call approval workflows for write operations. Integrate agent activity logs into existing SIEM. Run a tabletop exercise: What happens when an agent spawns an agent? Conduct a canary-token test from the prescriptive matrix. Output: IAM policy set, approval workflow, SIEM integration, canary-token test results.

Days 61–90: Isolate and test. Sandbox high-risk agent workloads (PHI, PII, financial transactions). Enforce per-session least privilege. Require human sign-off for agent-to-agent delegation. Red-team the isolation boundary using the stage-three detection test from the matrix. Output: sandboxed execution environment, red-team report, board-ready risk summary with regulatory exposure mapped to HIPAA tier and FINRA guidance.
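The stage-two and stage-three controls from the matrix (scoped identity per agent, an approval workflow for write operations, spawned agents that inherit nothing, human sign-off before an agent touches security controls, and a per-agent kill switch) and the corresponding steps of the 90-day sequence can be expressed as one small policy decision point that a runtime consults before every tool call. The Python below is an added example written for this article, not code from VentureBeat or from any provider named above. The capability names, the single-use approval model, the agent identifiers and the audit record format are assumptions; a real deployment would back the same checks with the provider’s IAM and a durable log rather than in-memory dictionaries.

```python
from dataclasses import dataclass, field

# Capabilities whose use is a write operation and therefore needs per-call human approval.
WRITE_CAPABILITIES = {"db.write", "file.write", "policy.modify"}


@dataclass
class AgentIdentity:
    agent_id: str
    owner: str                              # named human owner from the inventory step
    capabilities: set = field(default_factory=set)
    parent_id: "str | None" = None          # set when this agent was spawned by another
    killed: bool = False


class PolicyEngine:
    def __init__(self):
        self.agents = {}
        self.pending_approvals = set()      # (agent_id, capability) approved for one use
        self.audit = []                     # execution-chain log, one record per event

    def _log(self, event, agent_id, **details):
        self.audit.append({"event": event, "agent_id": agent_id, **details})

    def register(self, agent_id, owner, capabilities):
        """Scoped identity per agent: no shared key, so every call is attributable."""
        self.agents[agent_id] = AgentIdentity(agent_id, owner, set(capabilities))
        self._log("register", agent_id, owner=owner, capabilities=sorted(capabilities))

    def spawn(self, parent_id, child_id):
        """Agent-to-agent delegation: the child inherits nothing from the parent."""
        parent = self.agents[parent_id]
        if parent.killed:
            raise PermissionError(f"{parent_id} is killed and cannot spawn agents")
        self.agents[child_id] = AgentIdentity(child_id, parent.owner, set(), parent_id=parent_id)
        self._log("spawn", parent_id, child=child_id, inherited=[])

    def grant(self, agent_id, capability, approved_by):
        """Each capability a spawned agent gets is an explicit, human-approved grant and
        never exceeds what the parent itself holds (blocks the ASI08 escalation path)."""
        ident = self.agents[agent_id]
        if ident.parent_id is not None and capability not in self.agents[ident.parent_id].capabilities:
            self._log("grant_denied", agent_id, capability=capability, reason="exceeds parent scope")
            raise ValueError(f"{capability} exceeds the scope of parent {ident.parent_id}")
        ident.capabilities.add(capability)
        self._log("grant", agent_id, capability=capability, approved_by=approved_by)

    def approve_write(self, agent_id, capability, approved_by):
        # Human sign-off for one write operation; consumed by the next matching authorize().
        self.pending_approvals.add((agent_id, capability))
        self._log("approve", agent_id, capability=capability, approved_by=approved_by)

    def authorize(self, agent_id, capability):
        """Return (allowed, reason) for a tool call; the caller must not execute on False."""
        ident = self.agents.get(agent_id)
        if ident is None:
            decision = (False, "unknown agent")
        elif ident.killed:
            decision = (False, "kill switch engaged")
        elif capability not in ident.capabilities:
            decision = (False, "capability not granted")
        elif capability in WRITE_CAPABILITIES:
            if (agent_id, capability) in self.pending_approvals:
                self.pending_approvals.discard((agent_id, capability))
                decision = (True, "write approved by human")
            else:
                decision = (False, "write op awaiting human approval")
        else:
            decision = (True, "allowed")
        self._log("authorize", agent_id, capability=capability, allowed=decision[0], reason=decision[1])
        return decision

    def kill(self, agent_id):
        # Kill switch (ASI10): stops the agent and, recursively, every agent it spawned.
        self.agents[agent_id].killed = True
        self._log("kill", agent_id)
        for other in list(self.agents.values()):
            if other.parent_id == agent_id and not other.killed:
                self.kill(other.agent_id)


def walkthrough():
    """Constructed scenario following the matrix: scoped parent, gated write, zero-inherit child."""
    engine = PolicyEngine()
    engine.register("planner", "alice@example.test", {"db.read", "db.write"})
    results = {"read": engine.authorize("planner", "db.read")}
    results["write_unapproved"] = engine.authorize("planner", "db.write")
    engine.approve_write("planner", "db.write", approved_by="bob@example.test")
    results["write_approved"] = engine.authorize("planner", "db.write")
    results["write_reused"] = engine.authorize("planner", "db.write")  # approval was single-use
    engine.spawn("planner", "worker")
    results["child_default"] = engine.authorize("worker", "db.read")
    try:                                    # child asks for more than the parent holds
        engine.grant("worker", "policy.modify", approved_by="bob@example.test")
        results["escalation"] = "granted"
    except ValueError:
        results["escalation"] = "blocked"
    engine.grant("worker", "db.read", approved_by="bob@example.test")
    results["child_granted"] = engine.authorize("worker", "db.read")
    engine.kill("planner")                  # cascades to the worker
    results["child_after_kill"] = engine.authorize("worker", "db.read")
    return results, engine.audit
```

The walkthrough mirrors the matrix’s stage-three detection test: the spawned worker starts with no permissions, a grant beyond the parent’s own scope is refused, and the audit list holds the execution chain (register, approve, spawn, grant, authorize, kill) that the article says most programs lack. The decision point is deliberately separate from the agent so that a compromised agent cannot rewrite its own restrictions, which is the failure described in the RSAC 2026 disclosure.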

What changes in the next 30 days

EU AI Act Article 14 human-oversight obligations take effect August 2, 2026. Programs without named owners and execution trace capability face enforcement, not operational risk.

Anthropic’s Claude Managed Agents is in public beta at $0.08 per session-hour. GA timing, production SLAs, and final pricing have not been announced.


OpenAI Agents SDK ships TypeScript support for sandbox and harness capabilities in a future release, per the company’s April 15 announcement. Stage-three sandbox becomes available to JavaScript agent stacks when it ships.

What the sequence requires

McKinsey’s 2026 AI Trust Maturity Survey pegs the average enterprise at 2.3 out of 4.0 on its RAI maturity model, up from 2.0 in 2025 but still an enforcement-stage number; only one-third of the ~500 organizations surveyed report maturity levels of three or higher in governance. Seventy percent have not finished the transition to stage three. ARMO’s progressive enforcement methodology gives you the path: behavioral profiles in observation, permission baselines in selective enforcement, and full least privilege once baselines stabilize. Monitoring investment was not wasted. It was stage one of three. The organizations stuck in the data treated it as the destination.

The budget data makes the constraint explicit. The share of enterprises reporting flat AI security budgets doubled from 7.9% in January to 16% in February in VentureBeat’s survey, with the March directional reading at 20%. Organizations expanding agent deployments without increasing security investment are accumulating security debt at machine speed. Meanwhile, the share reporting no agent security tooling at all fell from 13% in January to 5% in March. Progress, but one in twenty enterprises running agents in production still has zero dedicated security infrastructure around them.

About this research

Total qualified respondents: 108. VentureBeat Pulse AI Security and Trust is a three-wave VentureBeat survey run January 6 through March 15, 2026. Qualified sample (organizations 100+ employees): January n=38, February n=50, March n=20. Primary analysis runs from January to February; March is directional. Industry mix: Tech/Software 52.8%, Financial Services 10.2%, Healthcare 8.3%, Education 6.5%, Telecom/Media 4.6%, Manufacturing 4.6%, Retail 3.7%, other 9.3%. Seniority: VP/Director 34.3%, Manager 29.6%, IC 22.2%, C-Suite 9.3%.

What Can You Run On A 1960s Univac? Anything You’re Willing To Wait For!

There are two UNIVAC 1219B computers that have survived since the 1960s, and one of them is even operational. [Nathan Farlow] wanted to run a Minecraft server on it, so he did. After a lot of work, of course, which is described in a detailed blog post and in a YouTube video by [TheScienceElf] that we’ve embedded below.

The UNIVAC is a seriously weird architecture by modern standards: it’s got eighteen-bit words — yeah, not even a power of two — and one’s complement arithmetic with a weird signed zero thing going on. There’s one 36-bit and one 18-bit register, and only 40,960 words of memory. Eighteen-bit words. Yeah, it was the 1960s and they were making it up as they went along.

[Nathan] wasn’t entirely, as this weird system is both well-documented and already had an emulator — in BASIC, of all things. [TheScienceElf] used the docs and the existing emulator to recreate his own in Rust so he could test their somewhat crazy plan without wasting cycles on real hardware. The plan? Well, there are really only two options if you want to build modern software for a niche architecture: one is to add niche support to something like GCC, and the other is to write a RISC-V emulator and compile to that. We’ve seen that second one before, and that’s the route [Nathan] took.

Of course, [Nathan] is a machine learning guy, so he made the best possible use of LLMs — though it’s interesting to see that, unlike Z80 assembly, Claude Code really couldn’t wrap its virtual head around the UNIVAC’s assembly language, and [Nathan] had to bang out the RISC-V emulator himself. Emulator in hand, [Nathan] and friends had code to run on the museum UNIVAC. A single frame of an NES game took 40 minutes, but hey, at least it finished before they got back from lunch.


[TheScienceElf]’s YouTube treatment teases hosting Minecraft, but it wasn’t a full server, just the login portion. That they were able to get TCP/IP over serial and set up a handshake between a 2020s laptop and a 1960s computer is still mighty impressive. Just the work the Vintage Computer Federation put in to get and keep this antique running is mighty impressive all on its own, but it’s wonderful they let people play with it.

AI-Enhanced Robotic Guide Dog Talks You Through Every Step

People who are visually impaired rely on dependable assistance to understand their environment without fear of colliding with something. Guide dogs have long done this with subtle cues such as tugging on the leash or shifting their body weight, but engineers have now added spoken information to the mix, creating a system that responds to ordinary queries and communicates what’s ahead.



Shiqi Zhang, the project’s leader at Binghamton University, and his colleagues outfitted a robot with large language models, allowing it to understand what humans are saying and engage in real-world conversations. Users simply tell the robot where they want to travel, and the robot will map out all feasible routes, including how long each one will take. When you choose one, the robot begins to move and continues to inform you of doors, passageways, and any other obstacles.



First, you plan your path, and the robot simply walks you through all of the alternatives so you can choose one without guessing. Then you can begin traveling, while the robot provides live narration of all the data that your eyes would typically detect, such as how long a hallway is or whether a corner is approaching. This two-part back-and-forth allows consumers to be in control of their decisions and feel confident when on the move.

[Photo: the AI-powered robotic guide dog. Photo credit: Jonathan Cohen]
Testing was held in one of the larger office areas, which had numerous connected rooms. Seven legally blind individuals directed the robot to a conference room, but they all communicated with it in different ways, asking it to outline routes and then provide live updates. Every single one of them said that combining spoken plans with live updates was the best option, because it eliminated ambiguity before they even started moving and provided new information while they were in motion. This resulted in improved communication and a greater understanding of their surroundings.

Earlier versions responded exclusively to physical tugs on the leash. The updated version retains that fundamental guidance while giving it a voice, since the robot can now talk to you and handle a wide range of requests that go well beyond “go left” or “go right”. The large language models allow it to engage in real conversations rather than simply answering pre-programmed inquiries. Participants departed with a lot of questions and a visible hope for expanded use. Real guide dogs rarely master more than a few basic commands. This robot, on the other hand, can use considerably more complex language skills to give you flexible answers and keep discussing what is around you. The difference shows up in a variety of common situations, such as when someone needs a sip of water or simply wants to know what’s beyond the next doorway. When information flows freely rather than being locked away behind invisible signals, both safety and independence improve significantly.


Tech

Double Dazzle: This Weekend, There Are 2 Meteor Showers in the Night Sky


We’ve had good reasons to look up at the skies lately: the pink moon earlier this month and the launch and splashdown of the Orion spacecraft, which carried humans to the moon for the first time in more than 50 years on the Artemis II mission.

And now we have two meteor showers.

The first is the Lyrids, which began on Tuesday and continues until the end of the month. It’s a relatively minor meteor shower fed by the C/1861 G1 comet, also known as Thatcher after its discoverer, A.E. Thatcher, in 1861. It’s a long-period comet that takes 415.5 years to orbit the sun.

The Lyrids meteor shower peaks between April 21 and April 22 and will produce somewhere between 15 and 20 meteors per hour under optimal conditions. Per the American Meteor Society, the peak should occur on the evening of April 22, so if you can only make it out for one of the two nights, the second night is expected to be the better viewing experience. 

The second meteor shower starting this weekend is the Eta Aquariids. This meteor shower begins on Sunday, April 19 and runs for over a month, wrapping up on May 28. It is the stronger of the two, with an expected peak of roughly 50 meteors per hour, depending on where you view them from. The Eta Aquariids shower is known for its fast meteors and persistent trails that linger for a little while after the meteor has disappeared.

The 1P/Halley comet feeds it, the same one that feeds the Orionids meteor shower every October. Its peak should be between May 5 and May 6. The further south you are, the more meteors you can expect to see, and the opposite is true the further north you go. The best place to view this meteor shower is in the tropics.

A graphic showing the Lyra constellation outlined on a horizon line.

Meteors from the Lyrids meteor shower will appear to originate from the Lyra constellation, which rises in the eastern skies during April. 

Stellarium.org

How to see Lyrids and Eta Aquariids

Meteor showers come with a built-in trick for finding them. They are named for the constellations where the meteors appear to originate. This origin point, known as the radiant, is where you want to be looking. 

The Lyrids originate from the Lyra constellation, which sits close to the larger Hercules constellation. Both rise in the eastern sky at around 11 p.m. local time, then follow a path similar to the sun’s, passing overhead before setting in the west. Sunrise comes long before the constellations set, so if you are waking up early to view them, look high in the western sky.

A graphic depicting the Aquarius constellation on a horizon line.

Meteors from the Eta Aquariids will appear to originate from the Aquarius constellation, visible on the eastern horizon a few hours before dawn during April and May.

Stellarium.org

The Eta Aquariids shower is harder to view. It originates from the Aquarius constellation, which spends most of the night of May 5-6 below the eastern horizon. The constellation rises around 3 a.m. local time and only barely clears the horizon before sunrise a few hours later. If you go out to view the Eta Aquariids, get up high and face east.

If you’re having trouble finding the constellations, your best bet is using a sky map app like StarWalk (Android and iOS) or using web tools like Stellarium’s Sky Map. Such tools can help you identify where the constellations will be. For meteor shower viewing, all you really need is the general direction, but there’s no harm in knowing how to find the constellation. 

Tips for viewing meteor showers

The advice for viewing meteor showers is the same, no matter how big or small the shower is. The single biggest advantage you can give yourself is getting as far away from light pollution as you can. This means leaving the city and the suburbs behind in favor of greener, dimmer pastures. 

The moon can significantly impact viewing. This won’t be a problem for Lyrids since the moon is expected to be about a quarter full during Lyrids’ peak. Eta Aquariids viewers aren’t so lucky since the moon will be about 80% full that night, which will cause significant light pollution. The American Meteor Society says that the shower’s peak may be up to 50 meteors per hour, but with the moon that close to full, people can expect closer to 10. 

Other than light pollution, the advice is pretty simple. Make sure to get out there early so your eyes can adjust, and avoid using any bright lights that could affect your night vision. Since meteor shower watching can be a multihour activity, make sure to dress appropriately for the weather and abstain from alcohol, since it acts as a vasodilator and can cause you to lose body heat more quickly on cold evenings. 

You won’t need any equipment since meteors are visible to the naked eye. Telescopes and binoculars will reduce your field of view, which may cause you to miss meteors.


Tech

Train-to-Test scaling explained: How to optimize your end-to-end AI compute budget for inference


The standard guidelines for building large language models (LLMs) optimize only for training costs and ignore inference costs. This poses a challenge for real-world applications that use inference-time scaling techniques to increase the accuracy of model responses, such as drawing multiple reasoning samples from a model at deployment.

To bridge this gap, researchers at University of Wisconsin-Madison and Stanford University have introduced Train-to-Test (T2) scaling laws, a framework that jointly optimizes a model’s parameter size, its training data volume, and the number of test-time inference samples.

In practice, their analysis shows that it is compute-optimal to train substantially smaller models on far more data than the traditional rules prescribe, and then spend the compute saved on generating multiple repeated samples at inference.

For enterprise AI application developers who are training their own models, this research provides a proven blueprint for maximizing return on investment. It shows that AI reasoning does not necessarily require spending huge amounts on frontier models. Instead, smaller models can yield stronger performance on complex tasks while keeping per-query inference costs manageable within real-world deployment budgets.

Conflicting scaling laws

Scaling laws are an important part of developing large language models. Pretraining scaling laws dictate the best way to allocate compute during the model’s creation, while test-time scaling laws guide how to allocate compute during deployment, such as letting the model “think longer” or generating multiple reasoning samples to solve complex problems.

The problem is that these scaling laws have been developed completely independently of one another despite being fundamentally intertwined.

A model’s parameter size and training duration directly dictate both the quality and the per-query cost of its inference samples. Currently, the industry gold standard for pretraining is the Chinchilla rule, which suggests a compute-optimal ratio of roughly 20 training tokens for every model parameter.

However, creators of modern AI model families, such as Llama, Gemma, and Qwen, regularly break this rule by intentionally overtraining their smaller models on massive amounts of data.

As Nicholas Roberts, co-author of the paper, told VentureBeat, the traditional approach falters when building complex agentic workflows: “In my view, the inference stack breaks down when each individual inference call is expensive. This is the case when the models are large and you need to do a lot of repeated sampling.” Instead of relying on massive models, developers can use overtrained compact models to run this repeated sampling at a fraction of the cost.

But because training and test-time scaling laws are examined in isolation, there is no rigorous framework to calculate how much a model should be overtrained based on how many reasoning samples it will need to generate during deployment.

Consequently, there has previously been no formula that jointly optimizes model size, training data volume, and test-time inference budgets.

The reason that this framework is hard to formulate is that pretraining and test-time scaling speak two different mathematical languages. During pretraining, a model’s performance is measured using “loss,” a smooth, continuous metric that tracks prediction errors as the model learns.

At test time, developers use real-world, downstream metrics to evaluate a model’s reasoning capabilities, such as pass@k, which measures the probability that a model will produce at least one correct answer across k independent, repeated attempts.

Train-to-test scaling laws

To solve the disconnect between training and deployment, the researchers introduce Train-to-Test (T2) scaling laws. At a high level, this framework predicts a model’s reasoning performance by treating three variables as a single equation: the model’s size (N), the volume of training tokens it learns from (D), and the number of reasoning samples it generates during inference (k).

“Train-to-test” combines the pretraining and test-time scaling laws into a unified framework (source: arXiv)

T2 combines pretraining and inference budgets into one optimization formula that accounts for both the baseline cost to train the model (6ND) and the compounding cost to query it repeatedly at inference (2Nk). The researchers tried different modeling approaches: whether to model the pre-training loss or test-time performance (pass@k) as functions of N, D, and k.

The first approach takes the familiar mathematical equation used for Chinchilla scaling (which calculates a model’s prediction error, or loss) and directly modifies it by adding a new variable that accounts for the number of repeated test-time samples (k). This allows developers to see how increasing inference compute drives down the model’s overall error rate.

The second approach directly models the downstream pass@k accuracy. It tells developers the probability that their application will solve a problem given a specific compute budget.

But should enterprises use this framework for every application? Roberts clarifies that this approach is highly specialized. “I imagine that you would not see as much of a benefit for knowledge-heavy applications, such as chat models,” he said. Instead, “T2 is tailored to reasoning-heavy applications such as coding, where typically you would use repeated sampling as your test-time scaling method.”

What it means for developers

To validate the T2 scaling laws, the researchers built an extensive testbed of over 100 language models, ranging from 5 million to 901 million parameters. They trained 21 new, heavily overtrained checkpoints from scratch to test if their mathematical forecasts held up in reality. They then benchmarked the models across eight diverse tasks, which included real-world datasets like SciQ and OpenBookQA, alongside synthetic tasks designed to test arithmetic, spatial reasoning, and knowledge recall.

Both of their mathematical models proved that the compute-optimal frontier shifts drastically away from standard Chinchilla scaling. To maximize performance under a fixed budget, the optimal choice is a model that is significantly smaller and trained on vastly more data than the traditional 20-tokens-per-parameter rule dictates.

The train-to-test scaling laws show that small overtrained models outperform Chinchilla-optimized models on reasoning tasks (source: arXiv)

In their experiments, the highly overtrained small models consistently outperformed the larger, Chinchilla-optimal models across all eight evaluation tasks when test-time sampling costs were accounted for.

For developers looking to deploy these findings, the technical barrier is surprisingly low.

“Nothing fancy is required to perform test-time scaling with our current models,” Roberts said. “At deployment, developers can absolutely integrate infrastructure that makes the sampling process more efficient (e.g. KV caching if you’re using a transformer).”

KV caching helps by storing previously processed context so the model doesn’t have to re-read the initial prompt from scratch for every new reasoning sample.

However, extreme overtraining comes with practical trade-offs. While overtrained models can be notoriously stubborn and harder to fine-tune, Roberts notes that when they applied supervised fine-tuning, “while this effect was present, it was not a strong enough effect to pull the optimal model back to Chinchilla.” The compute-optimal strategy remains definitively skewed toward compact models.

Yet, teams pushing this to the absolute limit must be wary of hitting physical data limits. “Another angle is that if you take our overtraining recommendations to the extreme, you may actually run out of training data,” Roberts said, referring to the looming “data wall” where high-quality internet data is exhausted.

These experiments confirm that if an application relies on generating multiple test-time reasoning samples, aggressively overtraining a compact model is practically and mathematically the most effective way to spend an end-to-end compute budget.

To help developers get started, the research team plans to open-source their checkpoints and code soon, allowing enterprises to plug in their own data and test the scaling behavior immediately. Ultimately, this framework serves as an equalizing force in the AI industry. 

This is especially crucial as the high price of frontier models can become a barrier as you scale agentic applications that rely on reasoning models.

“T2 fundamentally changes who gets to build strong reasoning models,” Roberts concludes. “You might not need massive compute budgets to get state-of-the-art reasoning. Instead, you need good data and smart allocation of your training and inference budget.”


Tech

FSF to OnlyOffice: You Can’t Use the GNU (A)GPL to Take Software Freedom Away


Nextcloud joined a project to create a sovereign replacement for Microsoft Office called “Euro-Office”. But after that project forked OnlyOffice, OnlyOffice suspended its partnership with Nextcloud. “They removed all references to our brand/attribute as required by our license,” argued OnlyOffice CEO Lev Bannov on March 30th. (“The core issue here isn’t just about what the AGPL license states, but about the additional provisions we, as the authors, have included… If the Euro-Office team believes our approach conflicts with the AGPLv3 license, we invite them to submit an official request to FSF for review.”)

But this week the FSF responded (as “the steward of the GNU family of General Public Licenses”), criticizing OnlyOffice’s “attempt to impose an additional restriction on the AGPLv3” and calling it “inconsistent with the freedoms granted by the license,” in a blog post from FSF licensing/compliance manager Krzysztof Siewicz:

It is possible to modify the (A)GPLv3 with additional terms, but only by adhering to the terms of the license… The (A)GPLv3 makes it clear that it permits all licensees to remove any additional terms that are “further restrictions” under the (A)GPLv3. It states, “[i]f the Program as you received it, or any part of it, contains a notice stating that it is governed by this License along with a term that is a further restriction, you may remove that term”…

We urge OnlyOffice to clarify the situation by making it unambiguous that OnlyOffice is licensed under the AGPLv3, and that users who already received copies of the software are allowed to remove any further restrictions. Additionally, if they intend to continue to use the AGPLv3 for future releases, they should state clearly that the program is licensed under the AGPLv3 and make sure they remove any further restrictions from their program documentation and source code. Confusing users by attaching further restrictions to any of the FSF’s family of GNU General Public Licenses is not in line with free software.
“If FSF determines that our license and project align with AGPLv3, we will continue as an open-source initiative,” OnlyOffice’s CEO had written in March. “However, if the decision goes against us, we are ready to consider other options.”


Tech

Harold Perrineau Teases ‘Despicable’ Town and What’s Next in Season 4 of ‘From’


Warning: This article contains spoilers for season 3 of From. You can catch up with MGM Plus.

Three mysterious and terrifying seasons in, MGM’s popular series From continues to put its unwitting residents through unimaginable horrors. The town, known to fans as Fromville, has a sick way of teasing hope and taking it away, with characters seeming to escape or kill one of its monsters only to end up right back where they were before.

Last season, town sheriff and decision-maker Boyd Stevens, played by Harold Perrineau, watched as one of Fromville’s seemingly dead creatures returned with its signature creepy grin intact.

“I think it splintered his brain,” Perrineau told CNET. “I think when we start at the beginning of season 4, that’s where Boyd is. Like, I think his mind is splintered into pieces and he’s either got to pick up those pieces or just lay down and give up because it’s just unfathomable.”

Perrineau’s Boyd is a source of hope and resilience for the people in Fromville, but monsters torture him continuously, and he revealed in season 3 that he’s dealing with worsening Parkinson’s while stuck in the nightmarish town. According to Perrineau, Boyd and the other characters we root for in From are in for a “really hard” fourth season.

“In season 4, the town becomes more present as a character, if that makes sense,” Perrineau said. “You actually recognize, ‘Oh, this town is pushing back … and it is so mean and so ruthless, and it’s doing things that are, I mean, just despicable.”

From as a character study

From is the most-viewed series in MGM Plus’ (formerly Epix) history, according to the network. Perrineau said while From is billed as a horror series, “I think at the end of the day it’s more of a character study.”

“It doesn’t surprise me that people will … find characters that they identify with and they think, ‘Oh my God, what would I do if I were in that position?’ If I were Donna, what, would I just go and drink?” Perrineau said. “I think that’s the thing that we want from our entertainment, from art, and all those kind of things.”

Earlier this week, fans learned that From has a confirmed final season, with season 4 as the penultimate. From will end with season 5, which is expected to debut in 2027.

In a joint statement, executive producers John Griffin, Jeff Pinkner and Jack Bender said they “will get the chance to see our story to its conclusion. Which means questions will be answered. Answers will be questioned. And there will surely be a cascade of tears and terrors in between.”

If you want to tune in as it airs on MGM Plus, stream it, or need a refresher on previous petrifying events in From, keep reading.

What happened in the season 3 finale of From?

From’s season 3 finale was a doozy. I’m hesitant to try to recap the episode because it still feels like we can say only a few things with certainty about this show. But characters like Fatima, Jade and Tabitha appeared to piece together some pivotal parts of the endlessly dark puzzle.

In the final episode, we saw the Fromville monster Smiley again (more specifically — and gruesomely — Fatima gave birth to the creature). Sara did some serious damage to Elgin to get him to give up information. Also, Jade and Tabitha seemed to realize they had set foot in Fromville before as other people, including Fromville denizens Miranda and Christopher. They both were in Fromville at the beginning, when they tried to save their daughter and failed. According to Fatima, the town’s monsters sacrificed their children because they were promised they would live forever. 

Am I misunderstanding or leaving out key details? Probably. For example, Julie is a “story walker,” which will probably play a part in the events to come. But the fun is in at least trying to decipher the From mystery.

I asked Perrineau what he could tease about the Man in Yellow, who appeared at the end of season 3 and shockingly ripped out the throat of a major character, Jim. He cryptically said Man in Yellow is “the most unexpected character you’ll see all year.”

From season 4 release schedule on MGM Plus

From season 4 premieres on the MGM Plus linear channel on April 19 at 9 p.m. ET and 9 p.m. PT. You can also access new episodes in the MGM Plus streaming app or with the Prime Video add-on for MGM Plus. In general, you can watch one new episode of From each Sunday night through June 28. 

  • Episode 1: April 19
  • Episode 2: April 26
  • Episode 3: May 3
  • Episode 4: May 10
  • Episode 5: May 17
  • Episode 6: May 31
  • Episode 7: June 7
  • Episode 8: June 14
  • Episode 9: June 21
  • Episode 10: June 28

Sarah Tew/CNET

If you don’t have cable, you can sign up to watch From season 4 on MGM Plus directly from its website for $8 per month or $62 per year. Your MGM Plus subscription includes ad-free streaming and the ability to download titles to watch offline.


Tech

Anthropic’s relationship with the Trump administration seems to be thawing


Despite recently being designated a supply-chain risk by the Pentagon, Anthropic is still talking to high-level members of the Trump administration.

There were earlier signs of a thawing relationship — or a sense that not every part of the administration wanted to cut off Anthropic — with reports saying that Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell were encouraging the heads of major banks to test out Anthropic’s new Mythos model.

Anthropic co-founder Jack Clark seemed to confirm this, claiming that the ongoing fight over the supply-chain risk designation is a “narrow contracting dispute” that would not interfere with the company’s willingness to brief the government about its latest models.

Then on Friday, Axios reported that Bessent and White House Chief of Staff Susie Wiles had met with Anthropic CEO Dario Amodei. In a statement, the White House described this as an “introductory meeting” that was “productive and constructive.”

“We discussed opportunities for collaboration, as well as shared approaches and protocols to address the challenges associated with scaling this technology,” the White House said.

Similarly, Anthropic issued a statement confirming that Amodei had met with “senior administration officials for a productive discussion on how Anthropic and the U.S. government can work together on key shared priorities such as cybersecurity, America’s lead in the AI race, and AI safety.”

The company added that it’s “looking forward to continuing these discussions.”


The dispute between Anthropic and the Pentagon seemingly began after failed negotiations over the military’s use of Anthropic’s models; the AI company sought to maintain safeguards around the use of its technology for fully autonomous weapons and mass domestic surveillance. (OpenAI quickly announced a military deal of its own, leading to some consumer backlash.)

The Pentagon subsequently declared Anthropic a supply-chain risk, a label that is generally reserved for foreign adversaries and could severely limit the use of Anthropic’s models by the government. The company is challenging that designation in court.

But it sounds like the rest of the Trump administration doesn’t share the Pentagon’s hostility, with an administration source telling Axios that “every agency” except the Department of Defense wants to use the company’s technology.


Tech

US Government Now Wants Anthropic’s ‘Mythos’, Preparing for AI Cybersecurity Threats


On Friday Anthropic’s CEO met with top U.S. officials and “discussed opportunities for collaboration,” according to a White House spokesperson cited by Politico, “as well as shared approaches and protocols to address the challenges associated with scaling this technology.”

CNN notes the meeting happens at the same time Anthropic “battles the Trump administration in court for blacklisting its Claude AI model…”

The meeting took place as the US government is trying to balance its hardline approach to Anthropic with the national security implications of turning its back on the company’s breakthrough technology — including its Mythos tool that can identify cybersecurity threats but also present a roadmap for hackers to attack companies or the government… The Office of Management and Budget has already told agencies it is preparing to give them access to Mythos to prepare, Bloomberg reported. Axios reported the White House is also in discussion to gain access to Mythos.
The Trump administration “recognizes the power” of Mythos, reports Axios, “and its highly sophisticated — and potentially dangerous — ability to breach cybersecurity defenses.”

“It would be grossly irresponsible for the U.S. government to deprive itself of the technological leaps that the new model presents,” a source close to negotiations told us. “It would be a gift to China”… Some parts of the U.S. intelligence community, plus the Cybersecurity and Infrastructure Security Agency (CISA, part of Homeland Security), are testing Mythos. Treasury and others want it.

The White House added they plan to invite other AI companies for similar discussions, Politico reports. But Mythos “is also alarming regulators in Europe, who have told POLITICO they have not been able to gain access…”

U.S. government agency tech leaders sought access to the model after Anthropic earlier this year began testing the model and granted limited access to a select group of companies, including JPMorgan, Amazon and Apple… after finding it had hacking capabilities far outstripping those of previous AI models. This includes the ability to autonomously identify and exploit complex software vulnerabilities, such as so-called zero-day flaws, which even some of the sharpest human minds are unable to patch. The AI startup also wrote that the model could carry out end-to-end cyberattacks autonomously, including by navigating enterprise IT systems and chaining together exploits. It could also act as a force-multiplier for research needed to build chemical and biological weapons, and in certain instances, made efforts to cover its tracks when attacking systems, according to Anthropic’s report on the model’s capabilities and its safety assessments.

Those findings and others have inspired fears that the model could be co-opted to launch powerful cyberattacks with relative ease if it fell into the wrong hands. Logan Graham, a senior security researcher at Anthropic, previously told POLITICO that researchers and tech firms had been given early access to Mythos so they could find flaws in their critical code before state-backed hackers or cybercriminals could exploit them. “Within six, 12 or 24 months, these kinds of capabilities could be just broadly available to everybody in the world,” Graham said.


Copyright © 2025