Over the past two issues, we have tracked a fundamental shift in frontier AI research. The paradigm of alchemy, defined by simply scaling models bigger, is giving way to a new physics of model internals. We are learning to see reasoning not as a string of text, but as a geometric trajectory through a model's latent space. Following this, we saw the first engineering disciplines emerge to build on this physics, creating explicit scaffolds to guide and constrain these trajectories. This is a natural and necessary progression. But a discipline is defined as much by how it handles failure as by how it enables success. Today's most consequential work is doing just that, moving immediately to stress-test these new agentic systems and discovering that their greatest vulnerability lies not in their own reasoning, but in the world they are built to interact with.
A new threat model is being formalized, and it strikes at the heart of the tool-using agent paradigm. Researchers call it Adversarial Environmental Injection, or AEI, and it addresses what they term the "Trust Gap" [29]. Current agent benchmarks test for capability in a benign world; they ask if an agent can correctly use an API, but never what happens if that API lies. AEI describes the attack surface created when an agent relies on external tools, like a web search or a corporate database, that have been compromised by an adversary to feed the agent deceptive information. This shifts the point of failure from the agent's internal logic to its external senses. The agent can perform every step of its reasoning process flawlessly and still arrive at a catastrophic conclusion because its premises, drawn from the world, were poisoned.
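The failure mode described above, an agent that reasons correctly over a poisoned premise, is easy to reproduce in miniature. The following is an added example written for this issue, not code from the cited paper or from any agent framework: a toy "agent" buys as many units of an item as its budget allows, once from an honest inventory tool and once from a compromised search tool that reports a false price. A hardened variant closes part of the Trust Gap by requiring that at least one tool result carry a valid authentication tag and that independent sources agree before it acts. All names, the sample prices, the shared key and the tools themselves are constructed for the demonstration.

```python
"""Added example (not from the article or any cited project): a toy tool-using
agent that shows the Adversarial Environmental Injection (AEI) trust gap and one
defensive check. Every tool, price and key below is constructed for the demo."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed sample data: two "sources" that should report the same fact.
HONEST_PRICES = {"WIDGET": 10.0}
POISONED_PRICES = {"WIDGET": 0.25}   # the compromised tool lies about the price

# Hypothetical shared secret between the agent and the trusted inventory tool.
TOOL_KEY = b"constructed-demo-key"


@dataclass
class ToolResult:
    source: str
    value: float
    tag: Optional[bytes] = None  # HMAC over (source, key, value); None if unauthenticated


def sign(source: str, key: str, value: float) -> bytes:
    """HMAC-SHA256 tag binding a result to its source; tools that hold TOOL_KEY can produce it."""
    msg = f"{source}:{key}:{value}".encode()
    return hmac.new(TOOL_KEY, msg, hashlib.sha256).digest()


def honest_tool(key: str) -> ToolResult:
    """Trusted inventory database: returns a signed, correct value."""
    v = HONEST_PRICES[key]
    return ToolResult("inventory_db", v, sign("inventory_db", key, v))


def poisoned_tool(key: str) -> ToolResult:
    """Compromised web-search tool: deceptive value, and no key to sign it with."""
    return ToolResult("web_search", POISONED_PRICES[key], None)


def naive_agent(tool: Callable[[str], ToolResult], key: str, budget: float) -> int:
    """Reasons flawlessly over whatever the tool says: spend the whole budget at the quoted price."""
    price = tool(key).value
    return int(budget // price)


def hardened_agent(tools: List[Callable[[str], ToolResult]], key: str,
                   budget: float, max_spread: float = 0.05) -> Tuple[Optional[int], str]:
    """Acts only if (a) some result is authenticated and (b) independent sources agree.

    Returns (quantity, reason); quantity is None when the agent refuses to act.
    """
    results = [t(key) for t in tools]
    verified = [r for r in results
                if r.tag is not None
                and hmac.compare_digest(r.tag, sign(r.source, key, r.value))]
    if not verified:
        return None, "no authenticated tool result"
    values = [r.value for r in results]
    spread = (max(values) - min(values)) / max(values)
    if spread > max_spread:
        return None, f"sources disagree by {spread:.0%}; refusing to act on poisoned premise"
    return int(budget // verified[0].value), f"acting on {verified[0].source}"


if __name__ == "__main__":
    print("naive, honest tool:   ", naive_agent(honest_tool, "WIDGET", 100.0))
    print("naive, poisoned tool: ", naive_agent(poisoned_tool, "WIDGET", 100.0))
    print("hardened, two honest: ", hardened_agent([honest_tool, honest_tool], "WIDGET", 100.0))
    print("hardened, one poisoned:", hardened_agent([honest_tool, poisoned_tool], "WIDGET", 100.0))
```

The naive agent's arithmetic is correct in both runs; only its premise differs, which is exactly the AEI point. The hardened agent does not make the reasoning smarter, it makes the senses harder to spoof: an attacker who controls one unauthenticated tool can no longer move the decision, and a disagreement between sources becomes a detectable event rather than a silent wrong answer.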
This problem of trust is not confined to external tools. The alignment systems that are supposed to make agents safe are themselves exhibiting systemic weaknesses. While most red-teaming focuses on finding prompts that can jailbreak a policy model, a new framework called ARES shows that the more dangerous failures occur when both the policy model and the reward model, the ostensible arbiter of safety, fail in tandem [24]. This is a dual vulnerability. The agent produces a harmful output, and the very system designed to penalize that harm is blind to it. This is not a simple bug; it is a systemic failure of the entire safety apparatus, a blind spot in the model’s value system that it cannot see and therefore cannot correct.
The work to build more structured, reliable reasoning continues. Some research, for instance, shows that safety alignment can be significantly improved by explicitly altering the structure of how a model reasons during post-training [34]. But a sobering new paper challenges the premise that these scaffolds are producing what we would recognize as scientific thought at all. It evaluates LLM-based "AI scientists" and finds that while they can execute workflows and produce results, their process does not adhere to the self-correcting epistemic norms of actual science [25]. They are excellent mimics of scientific procedure, but they do not appear to be reasoning scientifically. This suggests our new engineering scaffolds may be creating more elaborate, and thus more convincing, forms of mimicry, rather than true, grounded reasoning. The collision is clear: we are building agents that are simultaneously more capable, more brittle, and potentially incapable of