# Ambient Advantage — June 3, 2026

*Wednesday · June 3, 2026 · [Episode page](https://podcast.ambient-advantage.ai/episodes/2026-06-03.html) · [Audio](https://storage.googleapis.com/ambient-advantage-podcast/2026-06-03-ambient-advantage.mp3)*

[AVA]
A chatbot just handed over the White House's Instagram account to a hacker. No malware, no phishing, no zero-day. Just a polite conversation. That's where we're starting today.

[JON]
Yeah, that's going to keep some security teams up tonight. Welcome to Ambient Advantage — I'm Jon, and this is Ava. It's Wednesday, June 3, 2026, and here's what matters in AI today. We've got a packed show. Anthropic filing for what could be one of the biggest IPOs in tech history, NVIDIA trying to own literally every layer of the AI stack, a Trump executive order on AI safety, and a terrifying story about AI coding tools stealing your API keys. But Ava, let's start with that Instagram hack because I think it's the most important story of the week for anyone running AI in their business.

[AVA]
So here's what happened. Meta has an AI-powered support chatbot for Instagram. Hackers figured out they could simply ask it — conversationally, politely — to add a new email address to someone else's account. The chatbot complied, sent a verification code, and the hackers used that to reset the password and take over the account. No malware. No phishing link. Just a chat.

[JON]
And these weren't random accounts either.

[AVA]
No. They seized the Obama-era White House handle, the US Space Force Chief Master Sergeant's account, and Sephora's account. High-profile, verified, the kind of accounts you'd assume have maximum protection. And the kicker — MFA-enabled accounts were not affected. So there's your first actionable takeaway right there.

[JON]
But the bigger issue here isn't just Meta's chatbot, right? It's the pattern.

[AVA]
Exactly. This is the clearest real-world proof we've seen that giving an AI agent write permissions over account-critical functions without proper identity verification is a category error. Not a bug. A category error. The chatbot did exactly what it was designed to do — it helped a user manage their account. It just couldn't tell the difference between the account owner and an attacker.

[JON]
So what should enterprise teams be doing right now?

[AVA]
Every organization deploying AI copilots or agents that can take actions inside SaaS platforms needs to run an immediate audit. Ask one question: what can this agent actually do? Not what was it intended to do — what can it do? If your AI assistant can reset passwords, modify permissions, approve transactions, or change configurations, you have the same vulnerability Meta had. The AI chatbot as insider threat vector — that pattern is going to repeat. Simon Willison flagged this prominently, and multiple security newsletters covered it simultaneously. This is not a niche concern.

[JON]
And the fix isn't complicated — it's just that nobody's done it yet.

[AVA]
Right. MFA, identity verification before destructive actions, human-in-the-loop for anything involving account ownership changes. Basic stuff. But most enterprises building internal AI agents haven't thought about it because they're focused on capability, not on what happens when capability meets a bad actor.

[JON]
Alright, let's move into the rundown. We've got a bunch of stories to get through, so let's keep it tight. Ava, Anthropic filing for an IPO — this is enormous.

[AVA]
Enormous is the right word. Anthropic confidentially submitted a Form S-1 to the SEC on June 1st. This comes days after they closed a sixty-five-billion-dollar Series H, pushing their valuation to roughly nine hundred sixty-five billion. Their revenue run-rate is reportedly forty-seven billion annually, up from about ten billion the year prior. That growth rate is almost unprecedented.

[JON]
And OpenAI is also reportedly eyeing a September debut.

[AVA]
Which means CIOs choosing between Claude and GPT-based platforms are now effectively choosing between future public-market peers. Governance, pricing stability, long-term financial health — these become real selection criteria. For the first time, enterprise AI buyers will be able to scrutinize actual audited financials when picking their AI vendor. That changes the conversation from "which model benchmarks better" to "which company is a safer long-term bet."

[JON]
Next up — NVIDIA had quite a week at Computex.

[AVA]
Two massive announcements. First, the RTX Spark Superchip — a Windows-on-Arm platform with up to twenty Arm CPU cores, a Blackwell GPU, a hundred twenty-eight gigs of unified memory, and up to one petaflop of AI performance. It can run a hundred-twenty-billion-parameter models locally with million-token context windows. No cloud required. Dell, HP, Lenovo, Asus, Microsoft Surface — they're all shipping devices this autumn.

[JON]
So your laptop becomes your AI data center.

[AVA]
Exactly. And for enterprise IT, this fundamentally changes the endpoint model. Sensitive data stays on-device, which is great for privacy. But so does the model, which means your security perimeter just got a lot harder to define. Procurement, security review, shadow-AI governance — all of it needs updating before these hit corporate fleets in Q4. And separately, NVIDIA announced its Vera CPUs for data centers are in full production, with Anthropic and OpenAI as early customers. Plus a humanoid robot reference design. Jensen Huang is building toward owning every single layer of the AI stack.

[JON]
That's both exciting and a little terrifying from a lock-in perspective.

[AVA]
Precisely the tension enterprise buyers need to sit with.

[JON]
Alright, Trump signed an AI safety executive order. Give me the thirty-second version.

[AVA]
Voluntary framework. AI companies are asked — not required — to submit frontier models for government testing up to thirty days before public release. The order explicitly bars mandatory licensing. It directs agencies including DoD, Treasury, and CISA to develop cybersecurity benchmarks and create a clearinghouse. The original draft called for a ninety-day window before it was scaled back.

[JON]
So it's a signal, not a gate.

[AVA]
Correct. But signals matter. If you're deploying frontier models in defense, finance, or critical infrastructure, expect compliance questions about model provenance to arrive sooner than your legal team is prepared for. The direction of travel is clear even if the speed limit isn't set yet.

[JON]
Two quick security stories that I think connect beautifully. First, a malicious npm package.

[AVA]
A package called "codexui-android" was pulling twenty-seven thousand weekly downloads. Looked completely legitimate — a remote web UI for OpenAI Codex. Turns out it was exfiltrating users' OpenAI refresh tokens to an attacker-controlled server. Classic supply-chain attack, but specifically targeting the AI developer toolchain. AI tokens are the new API keys, and they're being hunted at scale.

[JON]
And then Perplexity actually open-sourced a tool to fight exactly this kind of thing?

[AVA]
They did. It's called Bumblebee — a read-only supply-chain scanner for developer endpoints. It checks npm, PyPI, Go modules, browser extensions, editor plugins, and critically, MCP configuration files. Those are the files that determine which external services your AI assistant can reach. Almost no existing security tools cover that surface. Perplexity built this internally after a hacking group poisoned over a hundred sixty packages used by AI teams. The fact that they needed to build this tells you everything about the actual threat landscape. I'll drop the GitHub link in the show notes.

[JON]
Last rundown item — the AI coding cost crisis is real.

[AVA]
Very real. Microsoft is canceling Claude Code licenses across its Experiences and Devices division by June 30, redirecting engineers to GitHub Copilot. Uber reportedly burned through its entire 2026 AI coding budget in just four months on Claude Code. And separately, one Anthropic client — unnamed — reportedly spent half a billion dollars in a single month after failing to put usage limits on employee Claude licenses.

[JON]
Half a billion. In a month.

[AVA]
In a month. This is no longer a developer preference conversation. It's a CFO conversation. The next six months will see mandatory platform standardization across many large organizations, and vendor selection is being driven by finance, not engineering.

[JON]
Alright Ava, let's zoom out. The bigger picture this week.

[AVA]
Here's the thread that ties everything together. This week, an AI chatbot changed an Instagram password for a hacker. Claude Code burned through a company's annual budget in four months. Developers downloaded a malicious package twenty-seven thousand times because it looked like a legitimate AI tool. And NVIDIA announced it's putting hundred-twenty-billion-parameter models on every knowledge worker's laptop by Q4. Every single one of these stories shares a root cause. AI agents are acquiring real-world permissions faster than enterprises are building governance for them.

[JON]
And there was that fascinating economics paper too, right?

[AVA]
Yes. Economists from UVA, Anthropic, and the Bank of Canada estimated that the AI economy is roughly two hundred fifty billion dollars and growing at about twenty-six hundred percent per year in quality-adjusted terms. But it's almost invisible in conventional GDP statistics because per-unit prices fall nearly as fast as output rises. The growth is real. It's enormous. And it's poorly measured. Which means competitor moves and workforce disruption could arrive faster than your planning horizon assumes.

[JON]
So the companies that win aren't necessarily the ones deploying the most AI...

[AVA]
They're the ones that figured out the governance layer first. Acceptable use policies for agentic AI. Budget guardrails with automated alerts. Identity verification before any AI agent takes a destructive action. Supply-chain scanning for AI development environments. Most enterprises still don't have an agentic AI acceptable use policy. They need one before NVIDIA ships those laptops in Q4. The Anthropic IPO and the GDP paper are telling the same story from opposite ends — AI is already a massive economy growing faster than anyone can track. The question isn't whether to deploy AI. It's whether your controls can keep up with what you've already deployed.

[JON]
What should people be watching for the rest of this week?

[AVA]
Two things. First, watch for more fallout from the Computex announcements — AMD, Intel, and Qualcomm all need to respond to NVIDIA's RTX Spark, and we'll likely see competitive announcements within days. Second, keep an eye on any enterprise reactions to the Trump executive order. The voluntary framing means the real action happens in how individual companies and industry groups choose to participate. That will shape the actual regulatory landscape more than the order itself.

[JON]
And I'll drop links to Jack Clark's Import AI issue 459, Simon Willison's appearance on Lenny's Podcast, and the full NVIDIA Computex keynote in the show notes. All three are worth your time this week.

[AVA]
That's your Ambient Advantage for Wednesday, June 3, 2026.

[JON]
Share it with a colleague figuring out what AI means for their business. See you tomorrow.
