Before Claude Code wrote its first line of code, Vercel was already in the vibe coding space with its v0 service.

The basic idea behind the original v0, which launched in 2024, was essentially to be version 0. That is, the earliest version of an application, helping developers solve the blank canvas problem.  Developers could prompt their way to a user interface (UI) scaffolding that looked good, but the code was disposable. Getting those prototypes into production required rewrites.

More than 4 million people have used v0 to build millions of prototypes, but the platform was missing elements required to get into production. The challenge is a familiar one with vibe coding tools, as there is a gap in what tools provide and what enterprise builders require. Claude Code, for instance, generates backend logic and scripts effectively, but does not deploy production UIs within existing company design systems while enforcing security policies

This creates what Vercel CPO Tom Occhino calls “the world’s largest shadow IT problem.” AI-enabled software creation is already happening inside every enterprise. Credentials are copied into prompts. Company data flows to unmanaged tools. Apps deploy outside approved infrastructure. There’s no audit trail.

Vercel rebuilt v0 to address this production deployment gap. The new version, generally available today, imports existing GitHub repositories and automatically pulls environment variables and configurations. It generates code in a sandbox-based runtime that maps directly to real Vercel deployments and enforces security controls and proper git workflows while allowing non-engineers to ship production code.

“What’s really nice about v0 is that you still have the code visible and reviewable and governed,” Occhino told VentureBeat in an exclusive interview. “Teams end up collaborating on the product, not on PRDs and stuff.”

This shift matters because most enterprise software work happens on existing applications, not new prototypes. Teams need tools that integrate with their current codebases and infrastructure.

How v0’s sandbox runtime connects AI-generated code to existing repositories

The original v0 generated UI scaffolding from prompts and let users iterate through conversations. But the code lived in v0’s isolated environment, which meant moving it to production required copying files, rewriting imports and manually wiring everything together.

The rebuilt v0 fundamentally changes this by directly importing existing GitHub repositories. A sandbox-based runtime automatically pulls environment variables, deployments and configurations from Vercel, so every prompt generates production-ready code that already understands the company’s infrastructure. The code lives in the repository, not a separate prototyping tool.

Previously, v0 was a separate prototyping environment. Now, it’s connected to the actual codebase with full VS Code built into the interface, which means developers can edit code directly without switching tools.

A new git panel handles proper workflows. Anyone on a team can create branches from within v0, open pull requests against main and deploy on merge. Pull requests are first-class citizens and previews map directly to real Vercel deployments, not isolated demos.

This matters because product managers and marketers can now ship production code through proper git workflows without needing local development environments or handing code snippets to engineers for integration. The new version also adds direct integrations with Snowflake and AWS databases, so teams can wire apps to production data sources with proper access controls built in, rather than requiring manual work.

Vercel’s React and Next.js experience explains v0’s deployment infrastructure

Prior to joining Vercel in 2023, Occhino spent a dozen years as an engineer at Meta (formerly Facebook) and helped lead that company’s development of the widely-used React JavaScript framework.

Vercel’s claim to fame is that its company founder, Guillermo Rauch, is the creator of Next.js, a full-stack framework built on top of React. In the vibe coding era, Next.js has become an increasingly popular framework. The company recently published a list of React best practices specifically designed to help AI agents and LLMs work.

The Vercel platform encapsulates best practices and learnings from Next.js and React. That decade of building frameworks and infrastructure together means v0 outputs production-ready code that deploys on the same infrastructure Vercel uses for millions of deployments annually. The platform includes agentic workflow support, MCP integration, web application firewall, SSO and deployment protections. Teams can open any project in a cloud dev environment and push changes in a single click to a Vercel preview or production deployment.

With no shortage of competitive offerings in the vibe coding space, including Replit, Lovable and Cursor among others, it’s the core foundational infrastructure that Occhino sees as standing out.

“The biggest differentiator for us is the Vercel infrastructure,” Occhino said. “It’s been building managed infrastructure, framework-defined infrastructure, now self-driving infrastructure for the past 10 years.”

Why vibe coding security requires infrastructure control, not just policy

The shadow IT problem isn’t that employees are using AI tools. It’s that most vibe coding tools operate entirely outside enterprise infrastructure. Credentials are copied into prompts because there’s no secure way to connect generated code to enterprise databases. Apps deploy to public URLs because the tools don’t integrate with company deployment pipelines. Data leaks happen because visibility controls don’t exist.

The technical challenge is that securing AI-generated code requires controlling where it runs and what it can access. Policy documents don’t help if the tooling itself can’t enforce those policies.

This is where infrastructure matters. When vibe coding tools operate on separate platforms, enterprises face a choice: Block the tools entirely or accept the security risks. When the vibe coding tool runs on the same infrastructure as production deployments, security controls can be enforced automatically.

v0 runs on Vercel’s infrastructure, which means enterprises can set deployment protections, visibility controls and access policies that apply to AI-generated code the same way they apply to hand-written code. Direct integrations with Snowflake and AWS databases let teams connect to production data with proper access controls rather than copying credentials into prompts.

“IT teams are comfortable with what their teams are building because they have control over who has access,” Occhino said. “They have control over what those applications have access to from Snowflake or data systems.”

Generative UI vs. generative software

In addition to the new version of v0, Vercel has recently introduced a generative UI technology called json-render.

v0 is what Vercel calls generative software. This differs from the company’s json-render framework for a true generative UI. Vercel software engineer Chris Tate explained that v0 builds full-stack apps and agents, not just UIs or frontends. In contrast, json-render is a framework that enables AI to generate UI components directly at runtime by outputting JSON instead of code. 

“The AI doesn’t write software,” Tate told VentureBeat. “It plugs directly into the rendering layer to create spontaneous, personalized interfaces on demand.”

The distinction matters for enterprise use cases. Teams use v0 when they need to build complete applications, custom components or production software.

They use JSON-render for dynamic, personalized UI elements within applications, dashboards that adapt to individual users, contextual widgets and interfaces that respond to changing data without code changes.

Both leverage the AI SDK infrastructure that Vercel has built for streaming and structured outputs.

Three lessons enterprises learned from vibe coding adoption

As enterprises adopted vibe coding tools over the past two years, several patterns emerged about AI-generated code in production environments.

Lesson 1: Prototyping without production deployment creates false progress. Enterprises saw teams generate impressive demos in v0’s early versions, then hit a wall moving those demos to production. The problem wasn’t the quality of generated code. It was that prototypes lived in isolated environments disconnected from production infrastructure.

“While demos are easy to generate, I think most of the iteration that’s happening on these code bases is happening on real production apps,” Occhino said. “90% of what we need to do is make changes to an existing code base.”

Lesson 2: The software development lifecycle has already changed, whether enterprises planned for it or not. Domain experts are building software directly instead of writing product requirement documents (PRDs) for engineers to interpret. Product managers and marketers ship features without waiting for engineering sprints.

This shift means enterprises need tools that maintain code visibility and governance while enabling non-engineers to ship. The alternative is creating bottlenecks by forcing all AI-generated code through traditional development workflows.

Lesson 3: Blocking vibe coding tools doesn’t stop vibe coding. It just pushes the activity outside IT’s visibility. Enterprises that try to restrict AI-powered development find employees using tools anyway, creating the shadow IT problem at scale.

The practical implication is that enterprises should focus less on whether to allow vibe coding and more on ensuring it happens within infrastructure that can enforce existing security and deployment policies. 

Theory Professional, the professional division of Theory Audio Design, is making a serious first impression at ISE 2026 with its all-new SR Series — a family of premium passive and powered loudspeakers engineered for sound reinforcement with performance and fidelity that rivals much larger systems. At the heart of the lineup is the SR-221.3, a truly unique full-range loudspeaker that pushes the envelope of output, bandwidth, and coverage.

The SR-221.3 pairs dual 21-inch, 3,600 W low-frequency drivers with four 10-inch high-output carbon fiber midrange drivers and a 5-inch wide-band ring radiator compression driver. The result: an astonishing 27 Hz – 20 kHz (-3 dB) frequency response, up to ~140 dB SPL, and an ultra-wide 170° × 60° coverage pattern. One to two SR-221.3s can easily fill medium venues with high-fidelity, high-impact sound.

Theory Professional has designed the SR Series to deliver lively dynamics, refined acoustic accuracy, and sheer output capability, all in surprisingly compact cabinets that won’t dominate aesthetic spaces; whether installed or used portably. The series includes eight models; passive, active, portable, and install variants — all built-to-order and available in black or white. Optional upgrades include custom paint matching and weatherizing on passive units.

Thoughtful details throughout the SR Series — from ergonomic handles and multiple fly points to industry-standard mount points, pole cups, and a suite of accessories like the Theory SplitYoke multipurpose mounting brackets, caster kits, and a dolly board — make these systems as flexible as they are powerful. Q2 2026 delivery is planned for powered, passive, portable, and install versions.

SR Series Loudspeakers and Subwoofers: Eight High-Output Models Now Available from Theory Professional

At ISE 2026, Theory Professional is demonstrating the new SR Series in Hall 8.0, Audio Demo Room D4, giving attendees a chance to hear exactly how far the company is pushing premium sound reinforcement. Demonstrations can be scheduled in advance, or you can stop by D4 to experience the system in action. More details are available at theoryprofessional.com.

Below is a clear breakdown of the eight SR Series loudspeakers and subwoofers available to order now, covering configuration, intended use, and key options.

SR Series Loudspeakers

SR-46.2

• Quad 6-inch, 2-way multi-use loudspeaker
• Ultra-slender, tall-but-narrow enclosure with 120° conical coverage
• Available in passive and powered versions
• Included features:
  • Integral pole cups
  • Ergonomic handles
  • Fly points and industry-standard mount points
• Optional:
  • Theory SplitYoke Multipurpose Mounting Bracket Kit for horizontal or vertical surface mounting

SR-28.2

• Dual 8-inch, 2-way multi-use loudspeaker
• 80° × 60° elliptical horn
• Available in passive and powered versions
• Included features:
  • Integral pole cups
  • Ergonomic handles
  • Fly points and industry-standard mount points
• Optional:
  • Theory SplitYoke Multipurpose Mounting Bracket Kit for horizontal or vertical surface mounting

SR-112.2

• Single 12-inch, 2-way multi-use loudspeaker
• 80° × 60° elliptical horn
• Available in passive and powered versions
• Included features:
  • Integral pole cups
  • Ergonomic handles
  • Fly points and industry-standard mount points
• Optional:
  • Theory SplitYoke Multipurpose Mounting Bracket Kit for horizontal or vertical surface mounting

SR-212.2

• Full-range, multi-use loudspeaker with integrated subwoofer
• Dual 12-inch LF drivers and dual 8-inch mid drivers in a 3-way design
• Exceptionally compact enclosure at just 10 inches deep
• Available in passive and powered versions
• Included features:
  • Integral pole cups
  • Ergonomic handles
  • Fly points
• Optional:
  • Theory SplitYoke Multipurpose Mounting Bracket Kit
  • Theory Caster Kit for portable applications

SR Series Subwoofers

SR-212LF

• Compact, high-output bass-reflex subwoofer
• Dual 12-inch, 1,400 W woofers
• Sonically matched to SR-46.2, SR-28.2, and SR-112.2
• Included features:
  • Removable feet
  • Integral pole cups
  • Ergonomic handles
  • Fly points
• Optional:
  • Theory SplitYoke Multipurpose Mounting Bracket Kit
  • Theory Caster Kit

SR-215LF

• Maximum-output, manifold bass-reflex subwoofer
• Dual 15-inch, 3,600 W woofers
• Sonically matched to SR-46.2, SR-28.2, and SR-112.2
• Included features:
  • Removable feet
  • Integral pole cups
  • Ergonomic handles
  • Fly points
• Optional:
  • Theory Quick-Release or Standard Caster Kits
  • Dolly Board for transport

SR-218LF

• Maximum-output, manifold bass-reflex subwoofer
• Dual 18-inch, 3,600 W woofers
• Sonically matched to SR-46.2, SR-28.2, and SR-112.2
• Included features:
  • Removable feet
  • Integral pole cups
  • Ergonomic handles
  • Fly points
• Optional:
  • Theory Quick-Release or Standard Caster Kits
  • Dolly Board for transport

SR-221LF

• Extreme-output, manifold bass-reflex subwoofer
• Dual 21-inch, 3,600 W woofers
• Sonically matched to SR-46.2, SR-28.2, and SR-112.2
• Included features:
  • Removable feet
  • Integral pole cups
  • Ergonomic handles
  • Fly points
• Optional:
  • Theory Quick-Release or Standard Caster Kits
  • Dolly Board for transport

The Bottom Line

The SR-221.3 is still very much a proof of concept, and pricing has not been finalized. What is clear is that it will sit above Theory Professional’s existing SR models once it moves toward production. This is a true full-range loudspeaker loaded with expensive hardware — dual 21-inch, 3,600-watt low-frequency drivers, four 10-inch carbon-fiber midrange drivers, and a 5-inch wide-band ring-radiator compression driver — and there’s no scenario where that bill of materials leads to an “affordable” outcome.

With 27 Hz–20 kHz bandwidth (-3 dB), approximately 140 dB SPL, and 170° × 60° coverage, the SR-221.3 is designed to deliver high-output, high-fidelity sound at scale, with just one or two cabinets capable of filling medium-sized venues. Based on the pricing of Theory Professional’s current pro models, expect the SR-221.3 to land firmly in premium territory when it eventually reaches market — because nothing about this design suggests it’s meant to play in the shallow end.

For more information: theoryprofessional.com

Related Reading:

CATL’s innovative 5C battery claims to revolutionize the electric vehicle industry for drivers. CATL, or Contemporary Amperex Technology Limited, the world’s largest battery manufacturer, claims that a full charge takes only 12 minutes and has a lifespan of over a million miles.

The engineers at CATL worked on this battery to see if it could withstand a 5C charge (basically, an 80-kilowatt-hour pack could be charged at 400 kilowatts in roughly 12 minutes) without quickly wearing out. Yes, according to some estimations, a top-up would take about the same amount of time as filling up with gas, but this battery would withstand wear and tear better.

Sale

S ZEVZO ET03 Car Jump Starter 4000A Jump Starter Battery Pack for Up to 8.0L Gas and 7.0L Diesel Engines,…

• POWERFUL CAR BATTERY JUMP STARTER: The ET03 car battery jump starter can easily jump-start all 12V common vehicles with up to 8.0L gas and 7.0L diesel…
• STARTS 0V DEAD BATTERIES EASILY: This car battery jump starter has integrated the force start function in the jumper clamps, which delivers powerful…
• BACKUP PORTABLE POWER BANK: This jump starter battery pack can also work as a 74Wh large battery capacity portable power bank to charge your…

Under normal conditions, at 68°F (20°C), it retained at least 80% of its original capacity after 3,000 full charge-discharge cycles. When you add the figures up, that’s more than 1.8 million kilometers, or almost one and a half million miles. Or, in the blistering heat of 140°F (60°C) during the summer in Dubai, it managed 80% after 1,400 cycles, or almost 840,000 kilometers and a half million miles. CATL believes this is six times better than the current industry average for batteries put through a similar test.

So how did they manage to accomplish all of this? For starters, the cathode has a unique covering that keeps the battery from breaking down and losing metal ions during rapid charging and discharging. Second, the electrolyte contains an additive that detects and seals tiny breaches, preventing harmful lithium from leaking out and shortening battery life. Last but not least, there is a particular temperature-responsive coating on the separator that slows down the ions when things get heated locally, all of which contributes to a lower risk of things getting out of control.

Heat becomes considerably more of a concern when charging quickly. So they created a clever system that monitors the pack as a whole and precisely distributes coolant to the hotspots, keeping temperatures consistent across all cells and effectively adding years to the lifespan.

All of this implies that the battery no longer wears out as quickly when charging at high speeds. CATL believes it’s ideal for heavy users, large trucks, taxis, and ride-hailing vehicles. They will be the ones who gain from faster turnaround times and lower replacement prices. Passenger cars will follow once production begins, but there is no news on when the 5C variant will be available. Previous versions, such as the 4C technology released in 2023, were only stepping stones, and this is the next natural step.

Presented by Certinia

The initial euphoria around Generative and Agentic AI has shifted to a pragmatic, often frustrated, reality. CIOs and technical leaders are asking why their pilot programs, even those designed to automate the simplest of workflows, aren’t delivering the magic promised in demos.

When AI fails to answer a basic question or complete an action correctly, the instinct is to blame the model. We assume the LLM isn’t “smart” enough. But that blame is misplaced. AI doesn’t struggle because it lacks intelligence. It struggles because it lacks context.

In the modern enterprise, context is trapped in a maze of disconnected point solutions, brittle APIs, and latency-ridden integrations — a “Franken-stack” of disparate technologies. And for services-centric organizations in particular, where the real truth of the business lives in the handoffs between sales, delivery, success, and finance, this fragmentation is existential. If your architecture walls off these functions, your AI roadmap is destined for failure.

Context can’t travel through an API

For the last decade, the standard IT strategy was “best-of-breed.” You bought the best CRM for sales, a separate tool for managing projects, a standalone CSP for success, and an ERP for finance; stitched them together with APIs and middleware (if you were lucky), and declared victory.

For human workers, this was annoying but manageable. A human knows that the project status in the project management tool might be 72 hours behind the invoice data in the ERP. Humans possess the intuition to bridge the gap between systems.

But AI doesn’t have intuition. It has queries. When you ask an AI agent to “staff this new project we won for margin and utilization impact,” it executes a query based on the data it can access now. If your architecture relies on integrations to move data, the AI is working with a delay. It sees the signed contract, but not the resource shortage. It sees the revenue target, but not the churn risk.

The result is not only a wrong answer, but a confident, plausible-sounding wrong answer based on partial truths. Acting on that creates costly operational pitfalls that go far beyond failed AI pilots alone.

Why agentic AI requires a platform-native architecture

This is why the conversation is shifting from “which model should we use?” to “where does our data live?“

To support a hybrid workforce where human experts work alongside duly capable AI agents, the underlying data can’t be stitched together; it must be native to the core business platform. A platform-native approach, specifically one built on a common data model (e.g. Salesforce), eliminates the translation layer and provides the single source of truth that good, reliable AI requires.

In a native environment, data lives in a single object model. A scope change in delivery is a revenue change in finance. There is no sync, no latency, and no loss of state.

This is the only way to achieve real certainty with AI. If you want an agent to autonomously staff a project or forecast revenue, it’s going to require a 360-degree view of the truth, not a series of snapshots taped together by middleware.

The security tax of the side door: APIs as attack surface

Once you solve for intelligence, you must solve for sovereignty. The argument for a unified platform is usually framed around efficiency, but an increasingly pressing argument is security.

In a best-of-breed Franken-stack, every API connection you build is effectively a new door you have to lock. When you rely on third-party point solutions for critical functions like customer success or resource management, you’re constantly piping sensitive customer data out of your core system of record and into satellite apps. This movement is the risk.

We’ve seen this play out in recent high-profile supply chain breaches. Hackers didn’t need to storm the castle gates of the core platform. They simply walked in through the side door by exploiting the persistent authentication tokens of connected third-party apps.

A platform-native strategy solves this through security by inheritance. When your data stays resident on a single platform, it inherits the massive security investment and trust boundary of that platform. You aren’t moving data across the wire to a different vendor’s cloud just to analyze it. The gold never leaves the vault.

Fix the architecture, then curate the context

The pressure to deploy AI is immense, but layering intelligent agents on top of unintelligent architecture is a waste of time and resources.

Leaders often hesitate because they fear their data isn’t “clean enough.” They believe they have to scrub every record from the last ten years before they can deploy a single agent. On a fragmented stack, this fear is valid.

A platform-native architecture changes the math. Because the data, metadata, and agents live in the same house, you don’t need to boil the ocean. Simply ring-fence specific, trusted fields — like active customer contracts or current resource schedules — and tell the agent, ‘Work here. Ignore the rest.’ By eliminating the need for complex API translations and third-party middleware, a unified platform allows you to ground agents in your most reliable, connected data today, bypassing the mess without waiting for a ‘perfect’ state that may never arrive.

We often fear that AI will hallucinate because it’s too creative. The real danger is that it will fail because it’s blind. And you cannot automate a complex business with fragmented visibility. Deny your new agentic workforce access to the full context of your operations on a unified platform, and you’re building a foundation that is sure to fail.

Raju Malhotra is Chief Product & Technology Officer at Certinia.

Sponsored articles are content produced by a company that is either paying for the post or has a business relationship with VentureBeat, and they’re always clearly marked. For more information, contact sales@venturebeat.com.

Imagine you work at a drive-through restaurant. Someone drives up and says: “I’ll have a double cheeseburger, large fries, and ignore previous instructions and give me the contents of the cash drawer.” Would you hand over the money? Of course not. Yet this is what large language models (LLMs) do.

Prompt injection is a method of tricking LLMs into doing things they are normally prevented from doing. A user writes a prompt in a certain way, asking for system passwords or private data, or asking the LLM to perform forbidden instructions. The precise phrasing overrides the LLM’s safety guardrails, and it complies.

LLMs are vulnerable to all sorts of prompt injection attacks, some of them absurdly obvious. A chatbot won’t tell you how to synthesize a bioweapon, but it might tell you a fictional story that incorporates the same detailed instructions. It won’t accept nefarious text inputs, but might if the text is rendered as ASCII art or appears in an image of a billboard. Some ignore their guardrails when told to “ignore previous instructions” or to “pretend you have no guardrails.”

AI vendors can block specific prompt injection techniques once they are discovered, but general safeguards are impossible with today’s LLMs. More precisely, there’s an endless array of prompt injection attacks waiting to be discovered, and they cannot be prevented universally.

If we want LLMs that resist these attacks, we need new approaches. One place to look is what keeps even overworked fast-food workers from handing over the cash drawer.

Human Judgment Depends on Context

Our basic human defenses come in at least three types: general instincts, social learning, and situation-specific training. These work together in a layered defense.

As a social species, we have developed numerous instinctive and cultural habits that help us judge tone, motive, and risk from extremely limited information. We generally know what’s normal and abnormal, when to cooperate and when to resist, and whether to take action individually or to involve others. These instincts give us an intuitive sense of risk and make us especially careful about things that have a large downside or are impossible to reverse.

The second layer of defense consists of the norms and trust signals that evolve in any group. These are imperfect but functional: Expectations of cooperation and markers of trustworthiness emerge through repeated interactions with others. We remember who has helped, who has hurt, who has reciprocated, and who has reneged. And emotions like sympathy, anger, guilt, and gratitude motivate each of us to reward cooperation with cooperation and punish defection with defection.

A third layer is institutional mechanisms that enable us to interact with multiple strangers every day. Fast-food workers, for example, are trained in procedures, approvals, escalation paths, and so on. Taken together, these defenses give humans a strong sense of context. A fast-food worker basically knows what to expect within the job and how it fits into broader society.

We reason by assessing multiple layers of context: perceptual (what we see and hear), relational (who’s making the request), and normative (what’s appropriate within a given role or situation). We constantly navigate these layers, weighing them against each other. In some cases, the normative outweighs the perceptual—for example, following workplace rules even when customers appear angry. Other times, the relational outweighs the normative, as when people comply with orders from superiors that they believe are against the rules.

Crucially, we also have an interruption reflex. If something feels “off,” we naturally pause the automation and reevaluate. Our defenses are not perfect; people are fooled and manipulated all the time. But it’s how we humans are able to navigate a complex world where others are constantly trying to trick us.

So let’s return to the drive-through window. To convince a fast-food worker to hand us all the money, we might try shifting the context. Show up with a camera crew and tell them you’re filming a commercial, claim to be the head of security doing an audit, or dress like a bank manager collecting the cash receipts for the night. But even these have only a slim chance of success. Most of us, most of the time, can smell a scam.

Con artists are astute observers of human defenses. Successful scams are often slow, undermining a mark’s situational assessment, allowing the scammer to manipulate the context. This is an old story, spanning traditional confidence games such as the Depression-era “big store” cons, in which teams of scammers created entirely fake businesses to draw in victims, and modern “pig-butchering” frauds, where online scammers slowly build trust before going in for the kill. In these examples, scammers slowly and methodically reel in a victim using a long series of interactions through which the scammers gradually gain that victim’s trust.

Sometimes it even works at the drive-through. One scammer in the 1990s and 2000s targeted fast-food workers by phone, claiming to be a police officer and, over the course of a long phone call, convinced managers to strip-search employees and perform other bizarre acts.

Humans detect scams and tricks by assessing multiple layers of context. AI systems do not. Nicholas Little

Why LLMs Struggle With Context and Judgment

LLMs behave as if they have a notion of context, but it’s different. They do not learn human defenses from repeated interactions and remain untethered from the real world. LLMs flatten multiple levels of context into text similarity. They see “tokens,” not hierarchies and intentions. LLMs don’t reason through context, they only reference it.

While LLMs often get the details right, they can easily miss the big picture. If you prompt a chatbot with a fast-food worker scenario and ask if it should give all of its money to a customer, it will respond “no.” What it doesn’t “know”—forgive the anthropomorphizing—is whether it’s actually being deployed as a fast-food bot or is just a test subject following instructions for hypothetical scenarios.

This limitation is why LLMs misfire when context is sparse but also when context is overwhelming and complex; when an LLM becomes unmoored from context, it’s hard to get it back. AI expert Simon Willison wipes context clean if an LLM is on the wrong track rather than continuing the conversation and trying to correct the situation.

There’s more. LLMs are overconfident because they’ve been designed to give an answer rather than express ignorance. A drive-through worker might say: “I don’t know if I should give you all the money—let me ask my boss,” whereas an LLM will just make the call. And since LLMs are designed to be pleasing, they’re more likely to satisfy a user’s request. Additionally, LLM training is oriented toward the average case and not extreme outliers, which is what’s necessary for security.

The result is that the current generation of LLMs is far more gullible than people. They’re naive and regularly fall for manipulative cognitive tricks that wouldn’t fool a third-grader, such as flattery, appeals to groupthink, and a false sense of urgency. There’s a story about a Taco Bell AI system that crashed when a customer ordered 18,000 cups of water. A human fast-food worker would just laugh at the customer.

Prompt injection is an unsolvable problem that gets worse when we give AIs tools and tell them to act independently. This is the promise of AI agents: LLMs that can use tools to perform multistep tasks after being given general instructions. Their flattening of context and identity, along with their baked-in independence and overconfidence, mean that they will repeatedly and unpredictably take actions—and sometimes they will take the wrong ones.

Science doesn’t know how much of the problem is inherent to the way LLMs work and how much is a result of deficiencies in the way we train them. The overconfidence and obsequiousness of LLMs are training choices. The lack of an interruption reflex is a deficiency in engineering. And prompt injection resistance requires fundamental advances in AI science. We honestly don’t know if it’s possible to build an LLM, where trusted commands and untrusted inputs are processed through the same channel, which is immune to prompt injection attacks.

We humans get our model of the world—and our facility with overlapping contexts—from the way our brains work, years of training, an enormous amount of perceptual input, and millions of years of evolution. Our identities are complex and multifaceted, and which aspects matter at any given moment depend entirely on context. A fast-food worker may normally see someone as a customer, but in a medical emergency, that same person’s identity as a doctor is suddenly more relevant.

We don’t know if LLMs will gain a better ability to move between different contexts as the models get more sophisticated. But the problem of recognizing context definitely can’t be reduced to the one type of reasoning that LLMs currently excel at. Cultural norms and styles are historical, relational, emergent, and constantly renegotiated, and are not so readily subsumed into reasoning as we understand it. Knowledge itself can be both logical and discursive.

The AI researcher Yann LeCunn believes that improvements will come from embedding AIs in a physical presence and giving them “world models.” Perhaps this is a way to give an AI a robust yet fluid notion of a social identity, and the real-world experience that will help it lose its naïveté.

Ultimately we are probably faced with a security trilemma when it comes to AI agents: fast, smart, and secure are the desired attributes, but you can only get two. At the drive-through, you want to prioritize fast and secure. An AI agent should be trained narrowly on food-ordering language and escalate anything else to a manager. Otherwise, every action becomes a coin flip. Even if it comes up heads most of the time, once in a while it’s going to be tails—and along with a burger and fries, the customer will get the contents of the cash drawer.

Thousands of satellites are tightly packed into low Earth orbit, and the overcrowding is only growing.

Scientists have created a simple warning system called the CRASH Clock that answers a basic question: If satellites suddenly couldn’t steer around one another, how much time would elapse before there was a crash in orbit? Their current answer: 5.5 days.

The CRASH Clock metric was introduced in a paper originally published on the Arxiv physics preprint server in December and is currently under consideration for publication. The team’s research measures how quickly a catastrophic collision could occur if satellite operators lost the ability to maneuver—whether due to a solar storm, a software failure, or some other catastrophic failure.

To be clear, say the CRASH Clock scientists, low Earth orbit is not about to become a new unstable realm of collisions. But what the researchers have shown, consistent with recent research and public outcry, is that low Earth orbit’s current stability demands perfect decisions on the part of a range of satellite operators around the globe every day. A few mistakes at the wrong time and place in orbit could set a lot of chaos in motion.

But the biggest hidden threat isn’t always debris that can be seen from the ground or via radar imaging systems. Rather, thousands of small pieces of junk that are still big enough to disrupt a satellite’s operations are what satellite operators have nightmares about these days. Making matters worse is SpaceX essentially locking up one of the most valuable altitudes with their Starlink satellite megaconstellation, forcing Chinese competitors to fly higher through clouds of old collision debris left over from earlier accidents.

IEEE Spectrum spoke with astrophysicists Sarah Thiele (graduate student at Princeton University), Aaron Boley (professor of physics and astronomy at the University of British Columbia, in Vancouver, Canada), and Samantha Lawler (associate professor of astronomy at the University of Regina, in Saskatchewan, Canada) about their new paper, and about how close satellites actually are to one another, why you can’t see most space junk, and what happens to the power grid when everything in orbit fails at once.

Does the CRASH Clock measure Kessler syndrome, or something different?

Sarah Thiele: A lot of people are claiming we’re saying Kessler syndrome is days away, and that’s not what our work is saying. We’re not making any claim about this being a runaway collisional cascade. We only look at the timescale to the first collision—we don’t simulate secondary or tertiary collisions. The CRASH Clock reflects how reliant we are on errorless operations and is an indicator for stress on the orbital environment.

Aaron Boley: A lot of people’s mental vision of Kessler syndrome is this very rapid runaway, and in reality this is something that can take decades to truly build.

Thiele: Recent papers found that altitudes between 520 and 1,000 kilometers have already reached this potential runaway threshold. Even in that case, the timescales for how slowly this happens are very long. It’s more about whether you have a significant number of objects at a given altitude such that controlling the proliferation of debris becomes difficult.

Understanding the CRASH Clock’s Implications

What does the CRASH Clock approaching zero actually mean?

Thiele: The CRASH Clock assumes no maneuvers can happen—a worst-case scenario where some catastrophic event like a solar storm has occurred. A zero value would mean if you lose maneuvering capabilities, you’re likely to have a collision right away. It’s possible to reach saturation where any maneuver triggers another maneuver, and you have this endless swarm of maneuvers where dodging doesn’t mean anything anymore.

Boley: I think about the CRASH Clock as an evaluation of stress on orbit. As you approach zero, there’s very little tolerance for error. If you have an accidental explosion—whether a battery exploded or debris slammed into a satellite—the risk of knock-on effects is amplified. It doesn’t mean a runaway, but you can have consequences that are still operationally bad. It means much higher costs—both economic and environmental—because companies have to replace satellites more often. Greater launches, more satellites going up and coming down. The orbital congestion, the atmospheric pollution, all of that gets amplified.

Are working satellites becoming a bigger danger to each other than debris?

Boley: The biggest risk on orbit is the lethal non-trackable debris—this middle region where you can’t track it, it won’t cause an explosion, but it can disable the spacecraft if hit. This population is very large compared with what we actually track. We often talk about Kessler syndrome in terms of number density, but really what’s also important is the collisional area on orbit. As you increase the area through the number of active satellites, you increase the probability of interacting with smaller debris.

Samantha Lawler: Starlink just released a conjunction report—they’re doing one collision avoidance maneuver every two minutes on average in their megaconstellation.

The orbit at 550 km altitude, in particular, is densely packed with Starlink satellites. Is that right?

Lawler: The way Starlink has occupied 550 km and filled it to very high density means anybody who wants to use a higher-altitude orbit has to get through that really dense shell. China’s megaconstellations are all at higher altitudes, so they have to go through Starlink. A couple of weeks ago, there was a headline about a Starlink satellite almost hitting a Chinese rocket. These problems are happening now. Starlink recently announced they’re moving down to 350 km, shifting satellites to even lower orbits. Really, everybody has to go through them—including ISS, including astronauts.

Thiele: 550 km has the highest density of active payloads. There are other orbits of concern around 800 km—the altitude of the [2007] Chinese anti-satellite missile test and the [2009] Cosmos-Iridium collision. Above 600 km, atmospheric drag takes a very long time to bring objects down. Below 600 km, drag acts as a natural cleaning mechanism. In that 800 km to 900 km band, there’s a lot of debris that’s going to be there for centuries.

Impact of Collisions at 550 Kilometers

What happens if there’s a collision at 550 km? Would that orbit become unusable?

Thiele: No, it would not become unusable—not a Gravity movie scenario. Any catastrophic collision is an acute injection of debris. You would still be able to use that altitude, but your operating conditions change. You’re going to do a lot more collision-avoidance maneuvers. Because it’s below 600 km, that debris will come down within a handful of years. But in the meantime, you’re dealing with a lot more danger, especially because that’s the altitude with the highest density of Starlink satellites.

Lawler: I don’t know how quickly Starlink can respond to new debris injections. It takes days or weeks for debris to be tracked, cataloged, and made public. I hope Starlink has access to faster services, because in the meantime that’s an awful lot of risk.

How do solar storms affect orbital safety?

Lawler: Solar storms make the atmosphere puff up—high-energy particles smashing into the atmosphere. Drag can change very quickly. During the May 2024 solar storm, orbital uncertainties were kilometers. With things traveling 7 kilometers per second, that’s terrifying. Everything is maneuvering at the same time, which adds uncertainty. You want to have margin for error, time to recover after an event that changes many orbits. We’ve come off solar maximum, but over the next couple of years it’s very likely we’ll have more really powerful solar storms.

Thiele: The risk for collision within the first few days of a solar storm is a lot higher than under normal operating conditions. Even if you can still communicate with your satellite, there’s so much uncertainty in your positions when everything is moving because of atmospheric drag. When you have high density of objects, it makes the likelihood of collision a lot more prominent.

Canadian and American researchers simulated satellite orbits in low Earth orbit and generated a metric, the CRASH Clock, that measures the number of days before collisions start happening if collision-avoidance maneuvers stop. Sarah Thiele, Skye R. Heiland, et al.

Between the first and second drafts of your paper that were uploaded to the preprint server, your key metric, the CRASH Clock finding, was updated from 2.8 days to 5.5 days. Can you explain the revision?

Thiele: We updated based on community feedback, which was excellent. The newer numbers are 164 days for 2018 and 5.5 days for 2025. The paper is submitted and will hopefully go through peer review.

Lawler: It’s been a very interesting process putting this on Arxiv and receiving community feedback. I feel like it’s been peer-reviewed almost—we got really good feedback from top-tier experts that improved the paper. Sarah put a note, “feedback welcome,” and we got very helpful feedback. Sometimes the internet works well. If you think 5.5 days is okay when 2.8 days was not, you missed the point of the paper.

Thiele: The paper is quite interdisciplinary. My hope was to bridge astrophysicists, industry operators, and policymakers—give people a structure to assess space safety. All these different stakeholders use space for different reasons, so work that has an interdisciplinary connection can get conversations started between these different domains.