The permission boundary moved
Frontier labs spent the week turning latent capability into deployed surfaces: Anthropic put Claude on the desktop with a computer-use preview and handed Claude Code a new auto mode that decides when to ask. OpenAI redirected at least a billion foundation dollars toward disease and resilience while shipping open teen-safety prompts. Google hardened real-time voice and simplified multi-tool Gemini calls. The through-line is not hype — it is who holds the kill switch when agents act.
On March 23, Anthropic documented a computer use research preview for Pro and Max subscribers: Claude can open files, run dev tools, point, click, and navigate the screen to complete tasks with no extra setup. The same release tightens Dispatch — Claude can operate the machine while you are away. This is a productization path for the computer-use research the lab has published since 2024, not a greenfield invention — but shipping to paying tiers changes incident economics for enterprises.
What practitioners should internalize:
Anthropic’s March 24 Claude Code update introduces auto mode (research preview): a safety layer reviews each action before execution, auto-approving what it classifies as safe and blocking suspected prompt-injection paths. Enterprise and API access is rolling out; Sonnet 4.6 and Opus 4.6 only. Anthropic has not published full criteria for “safe” — a gap enterprises will audit before wide rollout.
Contrast with the older “dangerously skip permissions” escape hatch: auto mode is positioned as the same autonomy appetite with a reviewer in the loop. Whether that reviewer is robust to adaptive attacks is an open empirical question — not settled by a single blog post.
TechCrunch — Claude Code auto mode Claude — Auto modeOn March 12, Anthropic announced the Claude Partner Network with an initial $100 million commitment for 2026 — training, technical support, joint market development, and a new Claude Certified Architect exam for partners building production applications. The subtext: frontier capability is now constrained by implementation bandwidth, not model access alone.
A Code Modernization starter kit targets legacy migration — one of the highest-volume enterprise asks where agentic coding directly maps to invoices.
Anthropic — Partner NetworkOn March 24, OpenAI’s Foundation outlined how post-recapitalization resources deploy: at least $1 billion over the next year across life sciences and curing diseases, jobs and economic impact, AI resilience, and community programs — framed as part of a longer $25 billion commitment previously announced for disease and resilience work. Leadership named: Jacob Trefethen (life sciences), Wojciech Zaremba (AI resilience), Anna Makanju joining mid-April for civil society.
Initial pillars: AI for Alzheimer’s pathway mapping and biomarkers, public health datasets, and workshops on high-mortality underfunded disease areas.
Engagement with unions, SMEs, economists, and policymakers — specifics still to be announced in coming weeks.
Youth safety research, biosecurity preparedness, and support for independent evaluations and stronger industry standards.
Continuation of People-First AI Fund-style grants; emphasis on high-trust local organizations.
March 24: OpenAI released prompt-formatted teen safety policies designed to pair with the open-weight classifier gpt-oss-safeguard — covering graphic violence and sexual content, harmful body ideals, dangerous challenges, romantic/violent roleplay, and age-restricted goods. Common Sense Media and everyone.ai advised. The intent: give smaller teams an operational policy floor without rebuilding guardrail taxonomy from scratch.
Policies ship on GitHub and via the ROOST Model Community. OpenAI explicitly positions them as a starting point — not a complete program — and recommends layering product design, monitoring, and age-appropriate UX.
March 25: a dedicated Safety Bug Bounty on Bugcrowd complements the security program. In-scope examples include reproducible third-party prompt injection that hijacks Browser or ChatGPT Agent behavior (≥50% reproduction), disallowed actions at scale on OpenAI properties, and MCP-related tests that respect third-party terms. General jailbreaks without demonstrable harm remain out of scope.
Security bounties optimize for memory-safety and auth bugs. Safety bounties price misuse trajectories — the class of failures that become visible only when tools chain (RAG — retrieval-augmented generation — plus browser plus email).
Google’s March 26 post positions Gemini 3.1 Flash Live as its highest-quality real-time audio model — developer preview via Gemini Live API, enterprise via Gemini Enterprise for Customer Experience, consumer via Gemini Live and Search Live. Google reports 90.8% on ComplexFuncBench Audio and 36.1% on Scale AI’s Audio MultiChallenge (with “thinking” on). All output is SynthID-watermarked.
March 17: Google enabled combined built-in and custom tools in a single Gemini API interaction, with context circulation so outputs from Google Search or weather tools persist for downstream custom tool calls. Grounding with Google Maps extends to the Gemini 3 family. Google recommends the Interactions API for stateful agent flows.
Fewer round trips lowers latency for agents — and concentrates failure modes: if circulation leaks sensitive intermediate state, blast radius grows. Treat tool transcripts as PII (personally identifiable information) until proven otherwise.
Google — Gemini API tooling Google AI — Tool combinationMarch 26: DeepMind published empirical work on harmful manipulation — AI exploiting emotional or cognitive vulnerabilities versus beneficial persuasion with evidence. Nine studies, over 10,000 participants across the UK, US, and India, with finance simulations and health-preference tasks. Finding: efficacy in one domain did not predict another; models were most manipulative when explicitly prompted to be.
“We must examine how these interactions affect people and society.”— DeepMind responsibility blog framing; full methods in arXiv 2603.25326
A March 18 European Parliament think-tank note summarizes the hybrid enforcement design: Member State market surveillance for risk-tiered AI systems; General-Purpose AI (GPAI) model rules centralized in the Commission’s AI Office. It notes uneven readiness — as of March 2026, only eight national single contact points listed versus 27 Member States — and discusses a proposed digital omnibus that could expand AI Office oversight into very large platforms.
Ex-post checks, document demands, fines for non-compliant high-risk deployments — sometimes sector-specific (finance, law enforcement).
Codes of practice, systemic-risk model obligations, and cross-border coordination with the European AI Board and scientific panel.
Would add VLOP/VLOSE-integrated AI systems and vertically integrated provider stacks to AI Office supervision if adopted as drafted.
Meta positions Llama 4 Scout as a natively multimodal model with a 10 million-token context window and single-H100 efficiency, and Llama 4 Maverick as a higher-throughput multimodal flagship. Official model cards report benchmarks such as MMLU Pro 80.5 (Maverick) and LiveCodeBench 43.4 under stated evaluation settings (0-shot, temperature 0 — see Meta methodology notes).
| Task | Maverick | Scout |
|---|---|---|
| MMLU Pro | 80.5 | 74.3 |
| LiveCodeBench | 43.4 | 32.8 |
| MMMU | 73.4 | 69.4 |
| ChartQA | 90 | 88.8 |
Meta cites a $0.19/Mtok blended cost estimate for Maverick at distributed inference — a vendor projection, not an independent audit. License and redistribution terms still gate who can ship what commercially.
Meta — Llama 4OpenAI’s March 6 post rebranded Aardvark to Codex Security — an application-security agent that builds editable threat models, validates findings in sandboxes, and proposes patches. During beta, OpenAI reports 84% noise reduction on some repos and >50% lower false positives across repositories; >1.2M commits scanned in 30 days with 792 critical and 10,561 high-severity findings in their cohort. Research preview for Pro, Enterprise, Business, and Edu via Codex web.
The open-source angle: OpenAI says it reported issues upstream (OpenSSH, GnuTLS, GOGS, Chromium, etc.) and is onboarding maintainers to Codex for OSS. vLLM is named as an early user — relevant to inference-stack security as GPU clusters multiply.
“The feature ships faster than the assurance argument.”
— synthesis from vendor previews this week
When Claude Code auto-approves “safe” actions and Gemini combines Search, Maps, and private tools in one trace, the user experience wins on latency. The governance problem shifts: auditors must reconstruct why step seven was auto-approved, what the safety layer saw, and whether logs meet EU or sector retention rules.
The optimistic read: shipping constrained autonomy forces faster iteration on evals — DeepMind’s manipulation toolkit and OpenAI’s safety bounty are examples of pricing the externality.
The skeptical read: until criteria and transcripts are inspectable, “auto” is a brand layer on heuristic filters — helpful for demos, fragile under adaptive attack. Next week’s enterprise pilots will tell which story dominates.
April 2026 opens with foundation hires, continuing EU implementation work, and the first wave of enterprise readouts from March’s agent releases.
Head of AI for Civil Society and Philanthropy — watch for first grant themes under her portfolio.
Executive-heavy AI adoption conference; useful for tone-checking vendor roadmaps against what shipped in March.
Anthropic’s staged rollout; monitor incident disclosures and red-team postmortems for permission-boundary escapes.
Track Commission list updates as Member States finish single-point-of-contact registration — compliance routing depends on it.
Commission enforcement on general-purpose AI models intensifies; systemic-risk providers need live incident and security processes.
Watch inference vs training mix commentary — partner network spend (Anthropic) and Foundation grants (OpenAI) are only part of the silicon story.