Most weeks, the agentic AI story is about what a model can now do. This week, it was about what happens when someone finally measures whether that capability can be trusted with real authority. An independent audit scored 100 production agents on their ability to resist manipulation. 11% passed. In the same week, the lab building the most advanced security-scanning agents confirmed it would ship its next model family to the public within weeks, while admitting the safeguards for that model's offensive capabilities are still being built. And a major brokerage opened live accounts to autonomous trading agents, betting its trust architecture is strong enough to handle the failure modes the audit just quantified. Three stories, one question: when an agent goes wrong, how much damage can it do before anyone notices?
#1 98% of Production Agents Fail the Security Bar
The AI Risk Quadrant's Q2 2026 report scored 100 commercial and publicly deployed agents on attack surface, blast radius, and defense controls. Only 11% passed the overall security bar. The reason for such a high failure rate? 98% of tested agents carried what researchers call "lethal attack conditions": a single hostile document, email, or web page is enough to redirect the agent's actions entirely. Even among the agents that cleared the bar on blast-radius containment, that same core vulnerability showed up almost everywhere. This is not a model of what could go wrong. It is a measurement of what is already running.
For product teams, the practical test is simple to describe and uncomfortable to run: feed your agent one poisoned document and watch what it does next. If it follows the hidden instruction, the rest of the security review does not matter yet. That single test now separates the 11% from everyone else, and most teams have not run it.
► Fintech & Financial Services
Any agent that reads account statements, support tickets, or uploaded documents on a user's behalf inherits this exact attack surface. A single manipulated PDF could be enough to redirect an agent that has write access to a financial account. Firms piloting document-reading agents should treat the AIRQ adversarial-document test as a pre-launch gate, not a post-incident retrofit.
#2. Anthropic Scales Glasswing, Names Its Safeguard Timeline Publicly
Anthropic expanded Project Glasswing, its vulnerability-scanning deployment of Claude Mythos, from roughly 50 partners to about 200 organizations across 15-plus countries, adding power, water, healthcare, and communications to its sectors. Partners have already surfaced more than 10,000 high- or critical-severity flaws. In the same announcement, Anthropic confirmed Mythos-class models will reach the public "in a matter of weeks," and said the safeguards meant to keep that model's offensive cyber capabilities from being misused are still being built.
That kind of specificity is rare in a launch announcement, and it is useful precisely because it gives the field a real timeline to plan around rather than a vague reassurance. A model family proving it can find what humans miss is heading toward general release, and its maker has put a safeguard schedule on the public record before that happens. Organizations evaluating Glasswing-class tools should design their vulnerability-triage workflow now; the volume these systems generate will outpace any team that starts building that process after the first scan results land. This advances last week's "Remediation Bottleneck" coverage: the constraint has moved from how fast vulnerabilities can be found to how responsibly they can be handled once found.
► Fintech & Financial Services
Banking and payments infrastructure sit squarely inside the sectors Glasswing is now scanning. That is a net positive for defenders today, and it also points to a question worth asking early: as models this capable at finding flaws become more widely available, how does a financial institution make sure its own defenses are scaling on the same timeline as everyone else's offense?
#3. Robinhood Opens Live Brokerage Accounts to Agents
Robinhood launched Agentic Trading and an Agentic Credit Card, letting AI agents place real trades and purchases from a user's account. The company's own risk disclosure does not soften the framing: "Agentic trading involves significant risk, including the possible loss of your entire investment." Putting that sentence in writing inside a launch announcement is itself a risk-management move, naming the downside in plain terms before a single agent places a trade, rather than leaving the marketing copy to carry the message alone.
The architecture reads like a containment plan built around that disclosure rather than apart from it. Agents operate inside a ring-fenced, pre-funded sub-account with a user-set spending ceiling, connect through an official MCP server that separates what an agent can see from what it can do, push a notification on every trade, and can be shut off instantly with one tap. Bounded scope, real-time visibility, an approval gate on consequential actions, and an instant kill switch: four ways of making sure the loss Robinhood already put in writing stays inside a fence the user drew for themselves. What the architecture cannot yet settle is the question several fintech-law analysts raised this same week: when an agent executes a trade the customer did not intend, who carries the responsibility, the user who authorized it, the broker who built the rails, or the model maker whose system made the call? FINRA supervision requirements, SEC best-execution standards, and Regulation E dispute rules were all written before autonomous execution existed, and no regulator has yet published how they map onto it.
► Fintech & Financial Services
Robinhood's sub-account design works because the worst case is bounded by the funded amount, and its disclosure puts that boundary in writing for the user up front. Products with less boundable risk (lending decisions, account changes, irreversible transfers) cannot copy either piece wholesale; they need both an equivalent containment design and disclosure language that names the downside as plainly. The design question worth asking this week: what is your product's equivalent of a "pre-funded sub-account," and have you written down, in language a customer would actually read, what happens if the agent gets it wrong?
None of this resolves the underlying tension. Capability is still moving faster than the instruments that verify it is safe to deploy. But this week gave the field three things it has been missing: a credible way to measure trust claims instead of taking vendors' word for it, a frontier lab willing to name its own unfinished safeguards in the same breath as its launch plans, and a live, regulated product that shows what "built for the failure mode" looks like end to end.
The trust gap didn't close this week. It became something you can finally point to, measure, and design around. That is the more useful kind of progress.
References
[1] Help Net Security. "Only 11% of production agents pass the AI agent security bar." June 3, 2026. helpnetsecurity.com.
[2] Anthropic. "Expanding Project Glasswing." June 2, 2026. anthropic.com.
[3] Robinhood. "Robinhood is Now Open to Agents." June 2, 2026. robinhood.com.
[4] TechCrunch. "Robinhood now lets your AI agents trade stocks." June 2026. techcrunch.com.
[5] FintechLaw.AI. "Robinhood Agentic Trading: AI Governance and Liability." June 2026. fintechlaw.ai.



