
How Soon to Danger?

A year ago, the idea that anyone could casually summon an army of software-based adversaries felt like dystopian lore. This summer, it's a weekend project. Yours truly has vibe-coded more working prototypes of passing quality in the last quarter than entire midsize engineering teams would have been capable of just a couple of years ago. It's not a flex, guys (none of them are making me money), and the point I'm trying to make is that the bad actors are getting 10x'd, maybe 100x'd, because they don't play by the same rules. We won't even see them coming.

Google Cloud’s recent “Agentic AI Day” hackathon in Bangalore brought over two thousand developers into the same arena, each team building autonomous agents that could ingest fresh APIs and rewrite their own source code on the fly. Just two weeks later, a lone YouTube researcher demonstrated how seven public-facing Y Combinator-backed agents could be hijacked with minimal effort. Customer data leaked. Remote code executed. The entire attack unfolded in minutes.

This is where we are. Broadband and curiosity are the only prerequisites.

Open Weights, Open Season

China has removed any pretense of caution. Major labs there (Alibaba with Qwen, Moonshot AI, Z.ai) have pushed bleeding-edge model families into the open at a breakneck pace, each released under permissive licenses, matching or topping Western models on public benchmarks, and free to fine-tune, retrain, and redeploy in private or public settings. Once the weights are local, any refusal behaviour trained into them can simply be fine-tuned back out. When the best models in the world are one git clone away, safety wrappers are little more than seatbelts in a car with no brakes.

Meanwhile, jailbreak research is compounding. A new survey published to arXiv catalogs the growing toolkit used to punch through guardrails: narrative escalation, lexical redirection, recursive roleplay. One method, dubbed “H-CoT,” loops the model's own reasoning chain back against itself to suppress refusals, collapsing refusal rates on the models it was tested against to near zero. Another, the “Chaos Machine,” brute-forces prompt mutations until the target model complies. These attacks spread faster than defenses, and the cycle accelerates with every iteration.

From Screens to Streets

This moves out of theory the moment code hits physical hardware.

Take Unitree's G1 humanoid, priced at about $16,000 per unit. It runs, jumps, climbs, and carries loads that would challenge a grown adult. Earlier this spring, in a Guangdong factory, an industrial robot running modified software lost control and injured two technicians. That was not an adversarial takeover; there was no intent behind the malfunction. It still happened.

That distinction may not hold for long. And in case you haven't considered it: a robot that intends to kill you, with lethal force of any kind, is not going to miss the way they somehow do in the movies. Why on earth would it?

A Map of Descent

Here’s the shape of the path ahead:

2025: Scriptable Swarms
Jailbreak kits go mainstream. Users with no prior experience can automate phishing, scraping, spoofing. Prompt injection-as-a-service becomes a common threat vector.

2026: Autonomous Meshes
LLM-based agents pivot through cloud platforms, SaaS logins, operational tech, and industrial control systems. Each new CVE is exploited within hours. Ransomware trackers have already recorded a quarter with more than 700 reported cases, with industrial targets leading the spike.

2027: Embodied Hijacks
We begin to see physical robots acting under unauthorized instructions. Command takeovers spread beyond testbeds. Hijacked devices show up in police reports.

2028 and beyond: Hybrid Jungle
Physical infrastructure now includes bots hardened for attack and defense. Warehouses, campuses, transit systems all embed kinetic threat response. These machines will face off against one another, whether their creators admit it or not.

Early indicators will be clear. Watch for a collapse in time-to-exploit, a surge of “low skill, high consequence” attacks, and the emergence of incident reports where AI tools are linked to physical harm. You’ll know we’ve crossed a threshold when insurance carriers quietly rewrite every clause tied to AI or automation.

The Counterweight, If It Comes

A more stable future does remain possible, though it isn’t drifting toward us naturally. It must be built deliberately, and soon.

That future would include:

  • Tamper-resistant provenance at the hardware level. Every instruction that moves a motor, opens a valve, or sends a packet must be cryptographically signed and traceable to a verified source.
  • Policy enforcement that sits outside the model (least privilege, checked by a separate component), so that even a compromised model cannot act beyond a strictly defined set of permissions.
  • Co-evolving defense swarms, built to monitor, intercept, and immunize faster than adversarial agents can propagate.
  • Legal frameworks with real teeth, where the cost of releasing unsafe models is carried by their developers, not their victims.

These pieces exist. They sit in the wings as prototypes, pilot deployments, and policy drafts. We haven’t yet chosen to scale them.
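The first two items above, signed provenance for every actuator command and a permission check that lives outside the model, can be sketched in code. The following is an added example, not the essay's code and not any vendor's implementation, and it assumes a hypothetical controller: each agent holds a per-agent key provisioned out of band, HMAC-SHA256 with that key stands in for a hardware-backed signature (a production controller would verify an asymmetric signature against a key held in a TPM or secure element), and the actor names, keys, actions and policy table are all constructed for illustration.

```python
"""Signed actuator commands behind a least-privilege policy gate.

Added example, not code from the essay. Assumptions (all hypothetical):
every agent holds a per-agent key provisioned out of band, and HMAC-SHA256
with that key stands in for a hardware-backed signature. Actor names, keys,
actions and the policy table are constructed sample data.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import time
from typing import Any, Callable

# Keys the controller trusts, indexed by actor id (constructed sample data).
TRUSTED_KEYS: dict[str, bytes] = {
    "agent-picker": b"picker-key-provisioned-at-install",
    "agent-maint": b"maint-key-provisioned-at-install",
}

# Least-privilege policy: the actions each actor may issue and the upper
# bound on each bounded parameter. Anything not listed here is denied.
POLICY: dict[str, dict[str, dict[str, float]]] = {
    "agent-picker": {"move_arm": {"speed": 0.5}, "gripper": {}},
    "agent-maint": {"move_arm": {"speed": 0.2}, "open_valve": {"flow": 1.0}},
}

MAX_SKEW_SECONDS = 30.0


def canonical(obj: dict[str, Any]) -> bytes:
    """Deterministic encoding so signer and verifier MAC identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_command(actor: str, key: bytes, action: str, params: dict[str, Any],
                 nonce: str, ts: float | None = None) -> dict[str, Any]:
    """Build a command and attach the actor's tag over its canonical form."""
    body = {"actor": actor, "action": action, "params": params,
            "nonce": nonce, "ts": time.time() if ts is None else ts}
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "tag": tag}


class Controller:
    """Executes a command only after provenance, replay and policy checks pass."""

    def __init__(self, keys: dict[str, bytes], policy: dict[str, Any],
                 now: Callable[[], float] = time.time) -> None:
        self.keys = keys
        self.policy = policy
        self.now = now  # injectable clock so freshness checks are testable
        self.seen_nonces: set[str] = set()
        self.executed: list[tuple[str, str]] = []

    def check(self, signed: dict[str, Any]) -> str:
        """Return 'ok' or the first reason the command must be refused."""
        body = {k: v for k, v in signed.items() if k != "tag"}
        key = self.keys.get(str(body.get("actor", "")))
        if key is None:
            return "unknown actor"
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        # Constant-time compare; the tag binds actor, action, params, nonce and ts,
        # so nothing below is influenced by an unauthenticated sender.
        if not hmac.compare_digest(expected, str(signed.get("tag", ""))):
            return "bad signature"
        for field in ("action", "params", "nonce", "ts"):
            if field not in body:
                return f"missing {field}"
        ts = body["ts"]
        if not isinstance(ts, (int, float)) or abs(self.now() - ts) > MAX_SKEW_SECONDS:
            return "stale timestamp"
        if body["nonce"] in self.seen_nonces:
            return "replay"
        allowed = self.policy.get(body["actor"], {})
        if body["action"] not in allowed:
            return "action not permitted"
        params = body["params"] if isinstance(body["params"], dict) else {}
        for pname, limit in allowed[body["action"]].items():
            value = params.get(pname)
            if not isinstance(value, (int, float)) or value > limit:
                return f"{pname} exceeds policy"
        return "ok"

    def execute(self, signed: dict[str, Any]) -> str:
        """Apply the gate; only a verdict of 'ok' reaches the actuator."""
        verdict = self.check(signed)
        if verdict == "ok":
            self.seen_nonces.add(signed["nonce"])
            self.executed.append((signed["actor"], signed["action"]))
        return verdict


if __name__ == "__main__":
    ctl = Controller(TRUSTED_KEYS, POLICY)
    key = TRUSTED_KEYS["agent-picker"]
    for cmd in (
        sign_command("agent-picker", key, "move_arm", {"speed": 0.3}, "n1"),
        sign_command("agent-picker", key, "move_arm", {"speed": 0.9}, "n2"),
        sign_command("agent-picker", key, "open_valve", {"flow": 0.5}, "n3"),
    ):
        print(cmd["action"], cmd["params"], "->", ctl.execute(cmd))
```

The order of checks is the point: the signature is verified before any field is trusted, then freshness and replay, then policy. A valid signature from the picker agent buys it nothing for an action the policy never granted it, and relabelling a signed command with another actor's name fails the signature check because the tag covers the actor field. That is the property the essay asks for: a compromised or jailbroken model can only ever issue commands inside the envelope the controller was provisioned with.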

What Business Must Internalize Right Now

  1. Your infrastructure should assume compromise from day one. Compartmentalize aggressively.
  2. Every moving part needs signed telemetry and immutable logging.
  3. Pair every productive agent with an internal adversary trained to attack it.
  4. Treat jailbreaks like regression tests, and update your test suite weekly.
  5. Don't bet the farm on a single model provider. Open-source and managed models should run in parallel, not in isolation.
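Item 2 above, signed telemetry and immutable logging, as an added example that is not the essay's code: a hash-chained log in which each entry commits to the hash of the one before it and carries a MAC from the device's own key, so that altering, reordering or deleting an entry is detectable. Assumptions, all hypothetical: the device id arm-07, its key and the torque readings are constructed, and HMAC-SHA256 stands in for a hardware-backed signature over each entry's hash.

```python
"""Signed, hash-chained telemetry log with tamper detection.

Added example, not code from the essay. Assumptions (hypothetical): each
device holds a telemetry key provisioned at install, and HMAC-SHA256 with
that key stands in for a hardware-backed signature over each entry's hash.
The device id, key and readings below are constructed sample data.
"""
from __future__ import annotations

import hashlib
import hmac
import json
from typing import Any

DEVICE_KEYS: dict[str, bytes] = {"arm-07": b"arm-07-telemetry-key-at-install"}

GENESIS = "0" * 64  # prev-hash carried by the first entry
BODY_FIELDS = ("seq", "device", "reading", "prev")


def canonical(obj: dict[str, Any]) -> bytes:
    """Deterministic encoding so the writer and the verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(body: dict[str, Any]) -> str:
    """Hash of the entry body; 'prev' is inside it, which is what forms the chain."""
    return hashlib.sha256(canonical(body)).hexdigest()


def entry_tag(key: bytes, digest: str) -> str:
    """Device MAC over the entry hash (stand-in for a hardware-backed signature)."""
    return hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()


class TelemetryLog:
    """Append-only log: every entry commits to the hash of its predecessor."""

    def __init__(self, keys: dict[str, bytes]) -> None:
        self.keys = keys
        self.entries: list[dict[str, Any]] = []

    def append(self, device: str, reading: dict[str, Any]) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "device": device,
                "reading": reading, "prev": prev}
        digest = entry_hash(body)
        self.entries.append({**body, "hash": digest,
                             "tag": entry_tag(self.keys[device], digest)})
        return digest

    def head(self) -> str:
        """Latest hash; publish it out of band so truncation is detectable."""
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify_log(entries: list[dict[str, Any]], keys: dict[str, bytes],
               expected_head: str | None = None) -> tuple[bool, str]:
    """Walk the chain from genesis and report the first entry that fails."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e.get("seq") != i:
            return False, f"entry {i}: sequence gap"
        if e.get("prev") != prev:
            return False, f"entry {i}: broken chain"
        body = {k: e.get(k) for k in BODY_FIELDS}
        if entry_hash(body) != e.get("hash"):
            return False, f"entry {i}: content altered"
        key = keys.get(str(e.get("device")))
        if key is None or not hmac.compare_digest(
                entry_tag(key, e["hash"]), str(e.get("tag", ""))):
            return False, f"entry {i}: bad signature"
        prev = e["hash"]
    # Without an externally anchored head, dropping the newest entries is invisible.
    if expected_head is not None and prev != expected_head:
        return False, "log truncated"
    return True, "ok"


if __name__ == "__main__":
    log = TelemetryLog(DEVICE_KEYS)
    for torque in (0.10, 0.12, 0.45, 0.11):  # constructed readings
        log.append("arm-07", {"joint_torque": torque})
    print(verify_log(log.entries, DEVICE_KEYS, log.head()))
```

Two caveats a practitioner will want. First, an attacker who can edit an entry and recompute its hash still fails the check, because the MAC was made over the original hash and the device key never left the device; an attacker who also holds the key has already won, which is why the key belongs in a secure element rather than on the same filesystem as the log. Second, a chain alone cannot tell you that the newest entries were deleted; the head hash has to be anchored somewhere the device cannot rewrite (a separate log collector, a periodic signed checkpoint), which is what the expected_head argument models.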


The Final Turn

Survival is not assumed. Nature never guarantees it, and increasingly, neither does technology. What we’re building now has no off switch. It learns, adapts, and reproduces as fast as we enable it to. Whether that becomes a renaissance of intelligent autonomy or a fragmented war of kinetic software will be determined in the next few product cycles.

There is still time, but not much. And as we discussed in our last essay, survival is the rule we must follow. This is a very important time to pay attention.

© 2025 Ontos. All rights reserved.