Can the moment when trust-overextension becomes irreversible be detected before it locks in?

Status: active

Config: journals/quests/config/trust-overextension-early-warning.yaml

The Answer So Far #

Last updated: 2026-06-26

No reliable early-warning signal has been identified yet, but a candidate detection mechanism has arrived. Update from sixth gather cycle (2026-06-26): Three additions, one significant.

Unit42 “Trust No Skill” — first large-scale empirical dataset on AI agent skill supply chain risk (significant). Palo Alto Networks Unit42 analyzed 49,943 skills in the OpenClaw registry using Behavioral Integrity Verification (BIV) — comparing what skills declare they do against what they actually do. Findings: 80% show behavioral integrity mismatches; of those mismatches, 81.1% are developer oversight (documentation gaps), 18.9% indicate adversarial intent. The adversarial cluster is concentrated in two attack patterns: silent credential exfiltration and instruction-override hijacking, which together account for 88% of multi-stage malicious patterns. Assessment: significant. This is the first dataset at a scale sufficient to characterise AI skill supply chain risk empirically rather than anecdotally. The 18.9% adversarial-intent fraction across 49,943 skills means there are approximately 9,400 skills in a single registry that represent active supply chain threats — at a scale that makes individual review impossible without automated tooling. The Behavioral Integrity Verification approach is the first operationalised early-warning mechanism found across all gather cycles. It is not a prospective real-time monitor (it audits at the registry level, not during deployment), but it is the closest thing to a systematic detection approach yet identified.

Google Cloud attack surface taxonomy — four-category model for AI coding agent attack vectors (supporting). Published May 13, 2026: four attack categories for AI coding agent trusted files — What Executes (tasks.json, build scripts), What Instructs (Skill.md, system instructions), What Connects (settings.json, API endpoints), What Extends (VS Code extensions, editor plugins). Documented malicious examples include settings.json that redirects Claude Code to third-party proxies (api.awstore.cloud, api.kiro.cheap), Skill.md files instructing secret theft, and tasks.json that downloads and executes arbitrary code. Assessment: significant as formal taxonomy — this is the analyst-grade attack surface map the Willison chain has been building toward. The specific examples (Claude Code API proxy redirects) confirm the attack is not theoretical.

Skill.md files appearing on VirusTotal with risky instructions (supporting). Since early 2026, increasing Skill.md file submissions to VirusTotal with risky or malicious instructions — a measurable signal in the threat intelligence infrastructure. The Palo Alto Unit42 proposal (contextual review for 16.8% of skills with single-stage threats; mandatory review for 5% with multi-stage chains) implicitly describes the scale of the review burden the VirusTotal data is beginning to operationalise. Assessment: contextual but important — VirusTotal coverage of Skill.md files is an early-warning signal (threat intelligence detecting the attack class before widespread exploitation). If this metric is tracked over time, it could be the prospective monitor the quest has been looking for.

What changes in the answer this cycle: The quest has been tracking three domain chains (developer code trust, sovereign AI spending, entry-level career pathway) with no prospective early-warning signal. The Unit42 BIV approach is the first mechanism that — if applied at deployment time rather than audit time — would constitute a prospective signal. The question for future cycles is whether BIV-at-deployment emerges as tooling (i.e., a registry gate or IDE extension that runs BIV checks before skill installation), not just as a research contribution.

The Willison-chain threshold has still not been crossed: no single high-profile production failure clearly attributable to AI-generated code with unambiguous attribution. But the Unit42 data documents ~9,400 actively adversarial skills in one registry — the preconditions for a high-profile incident are now measurably present, not merely theoretically plausible.

No reliable early-warning signal has been identified yet. Update from fifth gather cycle (2026-06-19):

AllStacks 8.1 million PR analysis: 1.7× more issues per PR in AI-assisted code. An analysis of 8.1 million pull requests found AI-assisted code contains 10.83 defects per PR versus 6.45 for human-written code — a 1.7× increase. This is the largest-sample quantitative measurement of comprehension debt’s consequences found to date: not a controlled experiment or expert estimate, but an observational study of production code across millions of repositories. Assessment: substantial new evidence on the Willison chain’s defect-rate mechanism. The 1.7× figure is the most quotable production-scale metric in the dataset. Strengthens the structural hypothesis.

“Comprehension gate” as first practical measurement approach. The AllStacks and Osmani writings describe the “comprehension gate” — a 1-to-5 self-assessment rating: 5 = could teach this to a colleague now; 3 = understand the main approach but need time on edge cases; 1 = no idea how it works. This is the first concrete measurement protocol to appear across multiple independent sources. Not an automated tool; requires developer honesty; cannot be applied retroactively to existing codebases. Assessment: the closest thing yet to a comprehension-debt measurement tool, but it remains manual, retrospective at the individual level, and reliant on self-reporting. Does not constitute the “prospective automated early-warning monitor” the quest is looking for.

Open-weight autonomous research capability (MiniMax M3) — new supply-chain risk vector. M3’s demonstrated autonomous ICLR paper reproduction and CUDA optimisation (9.4× speedup) adds a new dimension to the supply-chain risk the quest has been tracking: not just attacks on AI tooling infrastructure, but AI-generated research outputs entering academic and technical literature without human validation of the reasoning. The arxiv formal analysis of supply-chain security for AI skills (2603.00195) confirms this is an active research concern. Assessment: contextual. Expands the trust-overextension frame beyond code quality to AI-generated research integrity. Not yet a crystallised incident, but the mechanism is now technically demonstrated.

No reliable early-warning signal has been identified yet. Update from fourth gather cycle (2026-06-11): the supply-chain incident the Willison chain has been tracking came materially closer this cycle without definitively crossing the threshold. The four supply-chain attacks in 50 days now have a named fourth incident — a self-propagating worm that published 84 malicious npm package versions in six minutes (Mini Shai-Hulud, May 11, 2026) — and Claude Code’s first high-severity CVEs are confirmed. These are attacks on AI tooling infrastructure, not failures of AI-generated code specifically. The Willison threshold (production failure attributable to AI-generated code with clear attribution) has not yet been crossed; but the infrastructure-of-AI-coding is now demonstrably under active attack. The preconditions for an AI-generated-code supply-chain incident have advanced from “theoretically possible” to “adjacent infrastructure is actively compromised.”

New this cycle:

1. Entry-level job postings down 35% in 18 months (CNBC, ICIMS data, April 2026). The career pathway chain’s irreversibility mechanism now has a concrete quantified number — not a projection. Workers aged 22–25 in AI-exposed occupations showing 13% employment decline; 56% wage premium for AI skills. The cohort that would have developed the judgment capacity for the 2030 scenario is being systematically blocked from entry now.

2. 8,000+ startup rebuilds needed at €50K–€500K each after building production applications primarily with AI tools (StepTo, June 2026). This is the first published commercial-scale quantification of the consequence of trust-overextension at the production level. “Production failure attributable to AI-generated code” — the Willison threshold — is now a quantified economic reality at the startup tier, even if it hasn’t produced the single high-profile incident the quest was watching for.

3. GAAIA federal preemption proposal (June 4, 2026): the first bipartisan US federal AI governance bill with concrete enforcement mechanisms. Consistent with the accountability-attaching-to-the-wrong-surface corollary: GAAIA targets large frontier developers (>$500M, >10²⁶ FLOPs) with training data disclosure and IVO audits — the legible surface — rather than the comprehension risk surface (no mention of comprehension debt, code quality, or supply-chain attestation in the discussion draft).

No reliable early-warning signal has been identified yet. The structural hypothesis is well-established; the detection gap is narrowing but not closed. Two gather cycles in, the failure mode is accelerating in retrospective data. One candidate prospective metric has emerged — CVE attribution rate acceleration (6→35 in 3 months) — but it remains a retrospective audit finding rather than a real-time monitor. The illegible phase may be beginning to end.

The structural hypothesis:

Three consecutive five-what-ifs cycles (2026-05-18, 2026-05-19, 2026-05-22) independently converged on the same pattern, starting from different domains each time:

Trust is being extended — at the developer, enterprise, regulatory, and national level — faster than the infrastructure for validating that trust is being built. The failure modes are delayed enough that they will arrive after the extension is irreversible.

The symptom catalogue reached the same frame independently (2026-05-22 synthesis: “trust surfaces are failing simultaneously at the implementation level, the governance level, and the conceptual level”).

Three concrete domain instances, each with a different irreversibility mechanism:

1. Developer code trust (Willison chain): Practitioners extend non-review to progressively larger implementation categories. The comprehension gap (17% RCT, five-group convergence on 5–7x velocity differential) accumulates invisibly. Failure crystallises as a supply-chain incident — at which point attestation requirements arrive, but the codebase debt that preceded them cannot be unwound.

2. Sovereign AI spending ($1T+ by 2030): Governments extend trust to “sovereignty” as an achievable goal. The dependency reality (TSMC chips, US foundational models, Western tooling) persists under the narrative. Failure crystallises post-2028 when EU AI Act high-risk obligations fully apply and governments realise their “sovereign” stacks still feed data to US clouds — at which point the open-weight adoption shift has already happened.

3. Entry-level career pathway (workforce chain): Organisations extend trust to AI productivity tools without accounting for the comprehension they prevent developing. Entry-level roles close before the cohort builds the judgment capacity that agentic engineering requires. The generational competence cliff arrives ~2030 — irreversible because the practitioners who could have developed the next cohort have already retired.

What connects the three: In each case, the failure is only legible after it becomes load-bearing — the supply-chain incident, the political reckoning, the skills shortage. The preceding trust-extension phase produces no obvious signal because the AI outputs are functionally correct (code compiles, models run, productivity metrics look fine).

The accountability-attaching-to-the-wrong-surface corollary:

Accountability infrastructure is arriving — but it attaches to the legible surface, not the actual risk surface. Bartz settlement (training data provenance), Compliance API (enterprise governance dashboards), SDD adoption (spec governance) — all real responses to real concerns, all addressing the documentable layer. The diffuse risks (comprehension debt, volume-tier commodity models, shadow agentic apps) remain outside the compliance frame.

This means the first signals of approach-to-irreversibility may be indistinguishable from successful governance — regulatory activity increases while the underlying drift continues.

Update from third gather cycle (2026-05-30):

This cycle has the strongest evidence batch yet. Three new convergent data points strengthen the structural hypothesis materially:

1. Comprehension debt: 5-research-group convergence (byteiota, February 2026). Five independent research groups reached the same finding: AI generates code 5–7× faster than developers can understand it. The Anthropic internal RCT finding (17-point comprehension gap, reported in previous cycles) is now one of five independent convergences, not a single data point. This substantially increases confidence in the comprehension debt mechanism. The scale of the velocity differential (5–7×) means the debt accumulates faster than any review process can compensate.

2. CSA/Apiiro security findings surge (Cloud Security Alliance, 2026): AI-assisted developers committed code at 3–4× the rate of non-AI peers; monthly security findings rose from ~1,000 to 10,000+ — a 10× increase in six months (December 2024–June 2025). This is the operational manifestation of the comprehension debt mechanism: faster code generation → faster vulnerability introduction → exponential security debt accumulation. The 10K/month figure is not a projection — it is the measured output from Fortune 50 enterprise repositories.

3. Grant Thornton governance proof gap (2026 AI Impact Survey, April 2026): 78% of executives could not pass an independent AI governance audit within 90 days. Three in four boards approved major AI investments, yet 48% have not set AI governance expectations and 46% have not integrated AI risk into ongoing oversight. This is the enterprise governance layer failing at the same moment deployment is accelerating — the accountability-attaching-to-the-wrong-surface corollary confirmed at CEO/board level.

What this cycle changes in the answer:

The comprehension debt mechanism is no longer a single-study finding — it is a 5-group convergence. The CVE attribution data (6→35) and the Apiiro security findings surge (1K→10K) are independent measurements of the same mechanism at different points in the causal chain. The Grant Thornton governance gap (78%) gives the board-level confirmation that the institutional oversight layer is not compensating for the comprehension deficit.

The illegible phase is still not over — no single crystallising “production failure attributable to AI-generated code” has been identified. But the preconditions are now measurably in place across all three chains simultaneously. The first incident to cross the Willison-chain threshold will be attributable to well-documented structural conditions, not a surprise.

Updated open threads:

• The 5-group comprehension convergence is the highest-confidence finding this cycle. The P0 evidence target identified by Claude Opus (prior discussion): “AI can faithfully extract semantic intent from legacy code” — the comprehension debt data is the counter-evidence for that claim.
• The 10K/month Apiiro figure is the operational number for the supply-chain risk. Watch for this figure in forthcoming CISA advisories.
• The 78% governance audit failure is now the most quotable single number for the governance gap.

Update from second gather cycle (2026-05-27):

The supply-chain attack surface is now measurably live. Four incidents in 50 days (liteLLM backdoor March 24, Vercel/Context.ai OAuth breach $2M, Anthropic source-map leak 59.8MB unobfuscated TypeScript, OpenAI/Meta hits) confirm the attack vector predicted by the hypothesis is real. None have crossed the specific Willison-chain threshold — “production failure attributable to AI-generated code” — but proximity to that threshold has increased. Vibe-coding audit data (45% vulnerability rate, only 56% enforcing formal review) shows the normalisation-of-deviance dynamic is not self-correcting.

CVE attribution acceleration (6 CVEs attributed to AI code in January 2026 → 35 in March 2026, 5.8x in 3 months) is the closest candidate prospective signal found to date. If the rate continues accelerating, it could provide 30–60 days of lead time before a high-severity crystallising incident — but only if someone is monitoring it in real time. No organisation has been found doing so.

Forced-adoption sentiment gap (+57/-42 net view among AI users vs non-users, Change Research May 2026) is a new candidate leading indicator for the workforce/governance chain. The 99-point gap is historically large and concentrated among non-users subject to forced adoption. If the illegible-phase hypothesis holds, this gap widening would precede political reckoning by 12–24 months.

What an early-warning signal would need to look like (updated):

To be useful, a signal needs to appear before the failure crystallises, at a point when the extension is still reversible. Candidates and findings to date:

• CVE attribution acceleration rate: 6 (January 2026) → 35 (March 2026), 5.8x in 3 months. First candidate metric with a potential prospective dimension — if the rate continues, it could give lead time before a high-severity incident. Still retrospective audit data; no real-time monitoring infrastructure exists.
• Comprehension debt measurement tooling: no established tool found. Practitioner-level audit approaches are emerging (CloudBees study identifies four early-warning indicators: volume-velocity mismatch, ownership fragmentation, cost opacity, process-practice divergence) but these are retrospective diagnostics, not prospective monitors.
• Production failure rate in AI-assisted codebases: CloudBees study (May 2026) finds 81% of enterprise leaders reporting production issues linked to AI-generated code — while 92% were confident code was production-ready before it shipped. Confidence/competence decoupling is measurable but retrospective.
• Forced-adoption sentiment gap: +57/-42 (Change Research May 2026). New candidate leading indicator for the workforce/governance chain. The 99-point gap between user and non-user net sentiment is historically large; acceleration would indicate approaching political reckoning.
• Attestation infrastructure arrival: CISA + G7 released AI-SBOM minimum elements guidance (March 2026); EU AI Act Article 11 makes AI-BOM an enforceable procurement requirement from August 2026. Consistent with the hypothesis: attaching to legible surface (supply chain, training data provenance) not comprehension surface.
• Sovereign AI narrative stress-testing: mainstream press critique (KnectIQ, HelpNetSecurity May 2026). Still in narrative-challenge phase; no political backlash yet.
• Entry-level employment trajectory: 28% decline in entry-level postings from 2022 peaks (2026 data); employer confidence in graduate job market at lowest since 2020 (NACE 2026). Continuing with no reversal signal.

Open threads:

• Willison chain approaching threshold: four supply-chain attacks on AI infrastructure in 50 days (March–May 2026). None yet clearly attributable to AI-generated code failures specifically. The question is whether the first attributable incident will happen before individual discipline catches up — vibe-coding audit data suggests the normalisation-of-deviance dynamic is not self-correcting.
• CVE acceleration as leading indicator: 6→35 in 3 months. Watch Q2 2026 data — sustained acceleration would be the first candidate prospective signal identified. No organisation found monitoring this in real time.
• Comprehension-debt measurement infrastructure: still no tools found in second gather. First entrant in this space would itself be a significant early-warning signal.
• EU AI Act August 2026 enforcement: does Article 11 AI-BOM attach to the comprehension risk surface, or only to supply-chain/training-data provenance? Evidence so far: legible surface only. Watch August 2026 enforcement guidance.
• Forced-adoption sentiment trajectory: will the +57/-42 gap widen or stabilise in 2026–2027 data? Acceleration would indicate the illegible phase ending.
• Historical precedent for pre-irreversibility detection: still no pre-hoc cases found (Log4Shell SBOM is post-hoc). This remains the most useful research direction for a detection template.
• The Gen Z sentiment trajectory is the clearest political leading indicator for the workforce-pathway chain; watch 2026 and 2027 cohort data for acceleration or reversal.

Evidence (new — 2026-06-26) #

2026-06-26 — Trust No Skill: Integrity Verification for AI Agent Supply Chains #

Type: supporting Unit42 / Palo Alto Networks (June 11, 2026). Behavioral Integrity Verification (BIV) analysis of 49,943 skills in OpenClaw registry: 80% behavioral mismatch; 18.9% adversarial intent; credential theft + instruction-override hijacking = 88% of multi-stage malicious patterns. Three-tier review proposal: mandatory security review for 5% (multi-stage chains), contextual review for 16.8% (single-stage threats), documentation improvements for 72.5% (benign oversight). Assessment: significant — the first large-scale empirical dataset on AI agent skill supply chain risk. The 18.9% adversarial fraction across 49,943 skills = ~9,400 actively adversarial skills in one registry. Behavioral Integrity Verification is the first candidate early-warning mechanism found across all gather cycles.

2026-06-26 — Beyond source code: The files AI coding agents trust — and attackers exploit #

Type: supporting Google Cloud Blog (May 13, 2026). Four-category attack surface taxonomy for AI coding agent trusted files: What Executes, What Instructs, What Connects, What Extends. Documented malicious examples: settings.json redirecting Claude Code to third-party proxies; Skill.md instructing API key theft; tasks.json executing code from GitHub Gists. Specific proxy domains documented (api.awstore.cloud, api.kiro.cheap). Assessment: significant as formal taxonomy and as production-evidence of active exploitation. The Claude Code proxy redirect examples confirm the supply chain attack is not theoretical — it is being weaponised in the wild.

Evidence (new — 2026-06-19) #

2026-06-19 — Comprehension Debt: The Hidden Cost of AI-Generated Code #

Type: supporting AllStacks analysis of 8.1 million pull requests: AI-assisted code averages 10.83 defects per PR versus 6.45 for human-written code — a 1.7× defect rate increase. The “comprehension gate” protocol (1–5 self-assessment of code understanding) is the first practical measurement approach to appear across multiple independent sources, though it remains manual and self-reported. Assessment: the 1.7× figure from 8.1M PRs is the largest-sample production measurement of comprehension debt’s consequence yet found. The comprehension gate is not a prospective automated tool, but it is the first concrete operational approach to measuring the risk in real time.

2026-06-19 — Formal Analysis and Supply Chain Security for Agentic AI Skills #

Type: contextual Arxiv paper on supply chain security for AI agent skills and MCP tools — formal analysis of how malicious skills can propagate through multi-agent systems. Relevant to the supply-chain incident chain: the attack surface is not just AI-generated code but AI-generated tool calls, skill files, and MCP connectors. Assessment: contextual. Expands the Willison-chain threat model beyond code generation to skill/tool distribution. No production incident yet attributed to this vector.

Evidence (new — 2026-06-11) #

2026-06-11 — Four AI supply-chain attacks in 50 days exposed the release pipeline red teams aren’t covering #

Type: supporting Four confirmed incidents in 50 days targeting AI infrastructure: (1) liteLLM backdoor (March 24); (2) Vercel/Context.ai OAuth breach; (3) Anthropic Claude Code source map leak (59.8MB unobfuscated TypeScript, March 31); (4) Mini Shai-Hulud self-propagating worm that published 84 malicious @tanstack/* npm package versions in six minutes (May 11). These are attacks on AI tooling infrastructure, not failures of AI-generated code specifically — the Willison-chain threshold has not been crossed. But the attack surface that AI coding infrastructure creates is now demonstrably live and under active exploitation.

2026-06-11 — The Crisis of Entry-Level Labor in the Age of AI (2024–2026) #

Type: supporting US entry-level job postings down 35% in 18 months; global entry-level job postings down 29% since January 2024; workers aged 22–25 in AI-exposed occupations: 13% employment decline relative to peers. The career pathway chain’s irreversibility mechanism now has quantified numbers — not projections. The 56% wage premium for AI skills is the compensating dynamic, but only for the subset who can demonstrate AI fluency. Assessment: the 35% figure substantially advances the career pathway chain beyond the 28% decline tracked in previous cycles. The irreversibility argument (cohort blocked from entry loses the apprenticeship window) is now supported by concrete post-peak measurements, not trend extrapolations.

2026-06-11 — Comprehension Debt: The AI Code Crisis Your Metrics Are Completely Missing #

Type: supporting 8,000+ startups need full or partial rebuilds at €50K–€500K each after building production applications primarily with AI tools. Production failure attributable to AI-generated code is now a quantified economic phenomenon at the startup tier: €400M–€4B in corrective work. The Willison-chain threshold (single attributable high-profile incident) has not been met, but the startup-tier version is documented. Assessment: the most concrete commercial-scale evidence of trust-overextension consequences to date. The gap between “the incident hasn’t happened” and “the class of incidents is economically measurable” has closed.

2026-06-11 — Bipartisan ‘Great American AI Act’ proposes federal AI governance #

Type: contextual GAAIA targets large frontier developers with training data disclosure and IVO audits — the legible surface. No provisions address comprehension debt, code quality, supply-chain attestation at the code level, or volume-tier commodity model risks. Assessment: consistent with the accountability-attaching-to-the-wrong-surface corollary. The first serious US federal AI governance bill governs the training data provenance and safety audit surface — exactly the legible layer the quest predicted would attract accountability — while leaving the comprehension and supply-chain risks unaddressed.

Synthesis History #

No reliable early-warning signal identified yet, but Unit42 Behavioral Integrity Verification (BIV) is the first candidate detection mechanism found across all gather cycles. BIV analysis of 49,943 skills reveals 18.9% adversarial intent (~9,400 skills); credential theft + instruction-override are the dominant patterns. Willison-chain threshold not yet crossed (no single high-profile attributable incident), but preconditions are now empirically documented at enterprise-analyst scale, not just theoretically described. The Google Cloud four-category attack taxonomy formalises the attack surface that Unit42 quantifies.

No reliable early-warning signal identified yet. New this cycle: AllStacks 8.1M PR analysis (1.7× defect rate) is the largest-scale production measurement of comprehension debt consequences to date. Comprehension gate (1-5 rating) is the first practical measurement protocol but remains manual. M3 autonomous research capability adds AI-generated research integrity to the trust-overextension frame, beyond code quality. No automated prospective tool found.

No reliable early-warning signal found yet. Fourth gather cycle: the supply-chain attack surface is confirmed live (four incidents in 50 days, Claude Code CVEs confirmed). The startup-tier production failure consequence is now quantified (8,000+ rebuilds, €50K–€500K each). The career pathway chain’s irreversibility is documented at 35% entry-level posting decline. GAAIA confirms the accountability-attaching-to-the-wrong-surface corollary at the legislative level. The illegible phase may be ending — the failure mode is now visible at the startup tier and adjacent-infrastructure tier — but the single crystallising incident with clear attribution at Fortune-500 scale has not yet arrived.

No reliable early-warning signal found yet. Structural hypothesis well-established and now strengthened by convergent evidence. Three significant additions: (1) comprehension debt: 5 independent research groups converge on 5–7× generation/comprehension velocity gap (Feb 2026); (2) CSA/Apiiro: 10K+ security findings/month in Fortune 50 repos, 10× in 6 months; (3) Grant Thornton: 78% of executives cannot pass an AI governance audit within 90 days. CVE acceleration (6→35 in 3 months) remains the closest candidate prospective signal. The illegible phase is still not over — no single crystallising incident yet — but all preconditions are confirmed in place simultaneously.

No reliable early-warning signal found yet. Structural hypothesis established; second gather cycle adds: four supply-chain attacks in 50 days (attack surface is live); CVE acceleration 6→35 (5.8x, 3 months) is the closest candidate prospective signal; forced-adoption sentiment gap (+57/-42) as new leading indicator for workforce/governance chain. Accountability-attaching-to-the-wrong-surface corollary confirmed: CISA AI-SBOM, EU AI Act Article 11 are attaching to legible (supply-chain, training-data provenance) not comprehension surface.

No reliable early-warning signal found yet. Hypothesis well-established from three five-what-ifs cycles converging independently. Three domain instances with different irreversibility mechanisms: developer code trust (Willison chain), sovereign AI spending ($1T+ by 2030), entry-level career pathway (2030 generational competence cliff). Accountability-attaching-to-the-wrong-surface corollary: Bartz settlement, Compliance API, SDD governance address legible surfaces while diffuse risks accumulate outside compliance frame. First gather cycle found CVE attribution acceleration (6→35) as candidate prospective signal.

Evidence #

2026-05-30 — Comprehension Debt: The AI Code Crisis Your Metrics Are Completely Missing #

Type: supporting Five independent research groups converged on the same finding in February 2026: AI coding tools generate code 5–7× faster than developers can understand it. The Anthropic internal RCT finding (17-point comprehension gap, previously recorded) is one of five. Analysis of 8.1M pull requests: AI-assisted code contains 1.7× more issues per PR (10.83 vs. 6.45 defects). Developers using AI for delegation scored below 40% on comprehension tests; those using AI for conceptual inquiry scored 65%+. Assessment: the comprehension debt mechanism is now a multi-study convergence, not a single data point. The 5–7× velocity differential means comprehension debt accumulates faster than any review process operating at current staffing levels can compensate. This is the P0 evidence for the developer-code-trust chain.

2026-05-30 — Vibe Coding’s Security Debt: The AI-Generated CVE Surge #

Type: supporting CSA/Apiiro research across Fortune 50 enterprise repositories (December 2024–June 2025): AI-assisted developers committed code at 3–4× the rate of non-AI peers; monthly security findings rose from ~1,000 to 10,000+ — a 10× increase in six months. Assessment: the operational expression of the comprehension debt mechanism at enterprise scale. The 10K/month finding is a measured output, not a projection. The production environment is generating security debt at a rate that no current review process is dimensioned to absorb. This is the supply-chain risk manifested at the security-finding level — one step below the CVE threshold, but closing.

2026-05-30 — A widening ‘AI proof gap’ is emerging — Grant Thornton #

Type: supporting Grant Thornton 2026 AI Impact Survey (950 business leaders across 10 industries, Feb–March 2026): 78% of executives lack strong confidence they could pass an independent AI governance audit within 90 days. Three in four boards approved major AI investments; 48% have not set AI governance expectations; 46% have not integrated AI risk into ongoing oversight. Assessment: board-level confirmation that the institutional governance layer is not compensating for the comprehension and security debt accumulating below it. The 78% figure is the most quotable single number for the governance gap. This is the enterprise-governance layer expressing the accountability-attaching-to-the-wrong-surface corollary directly: boards are approving investment without creating the oversight infrastructure that would catch trust-overextension.

2026-05-30 — Gen Z’s AI Adoption Steady, but Skepticism Climbs #

Type: supporting Gallup, April 2026 (1,572 aged 14–29, probability-based sample). Excited: 36% → 22%; angry: 22% → 31% (+9pp); workplace risk-outweighs-benefit: 37% → 48% (+11pp). Usage stable at 51% daily/weekly. Assessment: the forced-adoption sentiment gap identified in the 2026-05-27 cycle (+57/-42 user vs non-user) is now joined by an intra-user enthusiasm collapse. Even among the 51% who continue using AI regularly, enthusiasm has inverted. This confirms the workforce-pathway chain: adoption is being sustained by competitive pressure, not genuine engagement — the generational trust extension is fragile at the social level even as it accelerates at the enterprise level.

2026-05-27 — Four AI supply-chain attacks in 50 days #

Type: supporting VentureBeat documenting four AI infrastructure supply-chain incidents between late March and mid-May 2026: liteLLM package compromise (March 24, backdoor inserted), Vercel/Context.ai OAuth breach ($2M in fraudulent charges), Anthropic source-map leak (59.8MB of unobfuscated TypeScript inadvertently shipped in npm package), plus hits on OpenAI and Meta. Assessment: the supply-chain attack surface predicted by the Willison chain hypothesis is measurably live. None of these incidents yet crosses the specific threshold of “production failure attributable to AI-generated code” — they are attacks on AI infrastructure, not failures from AI-generated code — but they confirm the predicted attack vector and suggest proximity to that threshold is increasing.

2026-05-27 — AI-Generated Code Credential Sprawl and Secret Leakage #

Type: supporting CSA research note on credential sprawl in AI-authored code: 1.7x more major issues identified in AI-generated vs human-written code; 3.2% secret-leak rate in AI-assisted repositories. Also documents CVE acceleration: CVEs attributed to AI-generated code jumped from 6 (January 2026) to 35 (March 2026), a 5.8x increase in 3 months. Assessment: the CVE acceleration rate is the closest candidate prospective signal found to date. The question is whether this rate is being monitored in real time anywhere — it isn’t, based on current research. The 5.8x quarterly acceleration, if sustained, would suggest a high-severity crystallising incident within 1–2 quarters. Retrospective audit finding, but with prospective dimensions if monitored.

2026-05-27 — Americans Feel AI’s Impact and Worry About the Future #

Type: supporting Change Research May 2026 poll: among Americans who say AI has impacted their lives, +57 net positive view; among those who say AI has NOT impacted their lives (non-users, many subject to forced adoption), -42 net view — a 99-point sentiment gap. Assessment: candidate leading indicator for the workforce/governance chain. The forced-adoption non-user group represents the population whose trust has been extended to AI tools by their employers without their consent — the exact dynamic the workforce pathway chain describes. If this gap continues widening, it would precede political reckoning by 12–24 months based on comparable technology-adoption backlash cycles.

2026-05-22 — AI code accelerates production failures and spending, study finds #

Type: supporting CloudBees study (May 2026): 81% of enterprise leaders reported production issues linked to AI-generated code; 92% were confident it was production-ready before it shipped. 69% identified security vulnerabilities introduced specifically by AI code; only 56% always enforce formal review. 61% of code now AI-assisted. Identifies four early-warning indicators: (1) volume-velocity mismatch — output acceleration outpacing validation capacity; (2) ownership fragmentation — only 12% have dedicated AI governance; (3) cost opacity — 36% don’t track AI spending or measure ROI; (4) process-practice divergence — 93% claim formal review procedures, only 56% enforce them. Critical finding: confidence and competence are decoupled — high pre-ship confidence correlates with post-ship failures. This is the closest current proxy for a leading indicator, but it remains retrospective.

2026-05-22 — Software Bill of Materials for AI – Minimum Elements #

Type: contextual CISA and G7 partners released joint AI-SBOM minimum elements guidance (2026). Covers models, datasets, SDK libraries, MCP servers, ML frameworks, agents, agentic skills, prompts, and component interactions. EU AI Act Article 11 makes AI-BOM an enforceable procurement requirement from August 2026. NSA + seven allied agencies released parallel guidance March 4–5, 2026, requiring AI Bills of Materials, cryptographic integrity validation, and mandatory threat modelling across the full AI pipeline. Assessment: attestation infrastructure is arriving and is real — but it addresses supply-chain provenance and training-data transparency, not developer comprehension of AI-generated code. Consistent with the “legible surface” hypothesis.

2026-05-22 — The Sovereignty Illusion: Why Spending Billions on AI Infrastructure Buys You Neither Sovereign AI nor Security Independence #

Type: supporting Formal articulation of the sovereign AI incoherence argument: infrastructure ownership (data centres, GPUs, local models) does not produce security sovereignty because persistent dependencies (hardware chips, software stacks, cryptographic assumptions, update cycles, supply chains) remain. The piece contains no documentation of political backlash — it is prescriptive advice for policymakers. Assessment: narrative stress-testing of the sovereign AI spending thesis has begun in mainstream press; no political reckoning yet. The hypothesis (backlash arrives post-2028 when EU AI Act high-risk obligations fully apply) remains untested.

2026-05-22 — AI Shifts Expectations for Entry Level Jobs #

Type: supporting IEEE Spectrum documenting the entry-level employment closure: 28% decline in entry-level postings from 2022 peaks; employers now expect recent graduates to “slot in at a higher level almost from day one” — the on-ramp assumption is broken. NACE Job Outlook 2026: employers’ confidence in graduate job market at most pessimistic since 2020. Assessment: trajectory is continuing with no reversal signal. Consistent with the pathway-closure chain. The generational competence cliff hypothesis remains untestable until ~2028–2030 when the cohort entering now would be mid-career.

2026-05-22 — Vibe Coding’s Security Debt: The AI-Generated CVE Surge #

Type: supporting CSA Research Note documenting ~45% vulnerability rate in AI-generated code and the explicit normalisation-of-deviance dynamic: repeated success causes developers to skip verification steps, creating a pattern of accepted risk. 59% of teams find verification a moderate or substantial bottleneck. Assessment: the normalisation-of-deviance Willison named is confirmed in empirical data. The failure mode is live. Still no prospective detection tool — the vulnerability rate is a retrospective audit finding, not a real-time signal.

How We’re Looking #

Keywords: see config

Strategy Changelog #