trust is infrastructure now
the week
distillation scandal → anthropic published evidence that deepseek, moonshot, and minimax ran 24K fake accounts and 16M exchanges to systematically extract claude’s reasoning.
claude code remote control → start a session in your terminal, pick it up from your phone while claude runs on your machine.
anthropic vs pentagon → safety pledge drama, friday deadline, reuters reports “no intention of easing restrictions.”
qwen 3.5 moe models land → 35B-A3B with 3B active params running on consumer hardware. benchmarks look suspiciously good.
personal AI infrastructure wave → memU (memory), clawsec (security), lucidia (consent). all dropped in 48 hours.
1. anthropic caught three chinese labs mass-distilling claude
what happened: anthropic published a detailed report showing deepseek, moonshot, and minimax ran 24K fake accounts to systematically extract claude’s reasoning via 16M+ exchanges. deepseek made claude explain its own chain-of-thought step by step, then fed it politically sensitive questions about chinese dissidents to build censorship training data. minimax pivoted within 24 hours when a new claude model dropped mid-campaign.
the kicker: deepseek’s r1 “reasoning” model dropped weeks after this extraction campaign ended.
why it matters: model theft via distillation isn’t new, but this scale is unprecedented. if your competitive edge is reasoning architecture, and someone can clone it by asking 16 million questions, your moat is a puddle. anthropic went public because the pattern was too organized to ignore — 24K coordinated accounts, politically targeted queries, instant pivots when models updated.
the uncomfortable truth: when your model is accessible via API, and someone has patience + compute, they can extract your secret sauce one token at a time.
signal: reddit discussion
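the report describes the campaign by its shape: thousands of accounts sending the same prompt template, most of it asking the model to narrate its own reasoning. as an added example (not anthropic's detection method, and not code from the report), here is a small defender-side check that groups API requests by prompt template and flags templates shared by many accounts that mostly ask for reasoning traces. the log records, account names and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# phrases that ask the model to expose its reasoning trace (assumed list, extend as needed)
REASONING_PATTERNS = [
    r"\bstep[- ]by[- ]step\b",
    r"\bshow (?:your|all) (?:work|reasoning)\b",
    r"\bexplain (?:how|why) you (?:reasoned|decided)\b",
    r"\bchain[- ]of[- ]thought\b",
]


@dataclass(frozen=True)
class Request:
    account: str
    ts: int        # seconds since epoch (constructed)
    prompt: str


def fingerprint(prompt: str) -> str:
    """reduce a prompt to its template: lowercase, blank out quoted spans and numbers."""
    t = prompt.lower()
    t = re.sub(r'"[^"]*"', '"_"', t)
    t = re.sub(r"\d+", "#", t)
    return re.sub(r"\s+", " ", t).strip()


def is_reasoning_extraction(prompt: str) -> bool:
    p = prompt.lower()
    return any(re.search(pat, p) for pat in REASONING_PATTERNS)


def find_campaigns(requests, min_accounts=3, min_reasoning_share=0.5):
    """group requests by template; flag templates used by >= min_accounts distinct
    accounts where at least min_reasoning_share of the requests ask for reasoning."""
    by_template = defaultdict(list)
    for r in requests:
        by_template[fingerprint(r.prompt)].append(r)
    flagged = []
    for tmpl, rs in by_template.items():
        accounts = {r.account for r in rs}
        if len(accounts) < min_accounts:
            continue
        share = sum(is_reasoning_extraction(r.prompt) for r in rs) / len(rs)
        if share >= min_reasoning_share:
            flagged.append({
                "template": tmpl,
                "accounts": sorted(accounts),
                "requests": len(rs),
                "reasoning_share": share,
            })
    return flagged


# constructed sample log: four accounts sharing one template, one ordinary developer
SAMPLE_LOG = [
    Request("acct-001", 1700000000, 'Solve "what is 17 * 23" and explain your reasoning step by step.'),
    Request("acct-002", 1700000004, 'Solve "prove sqrt(2) is irrational" and explain your reasoning step by step.'),
    Request("acct-003", 1700000009, 'Solve "sort [3, 1, 2]" and explain your reasoning step by step.'),
    Request("acct-004", 1700000013, 'Solve "what is 9 + 10" and explain your reasoning step by step.'),
    Request("acct-001", 1700000020, 'Solve "is 91 prime" and explain your reasoning step by step.'),
    Request("acct-002", 1700000027, 'Solve "derive the quadratic formula" and explain your reasoning step by step.'),
    Request("dev-42", 1700000030, "Write a unit test for my parse_date helper."),
    Request("dev-42", 1700000090, "Why does this regex fail on empty strings?"),
]

if __name__ == "__main__":
    for hit in find_campaigns(SAMPLE_LOG):
        print(hit["template"], hit["accounts"], hit["requests"])
```

on the sample the six "solve and explain" requests collapse to one template spread across four accounts and are flagged; the developer's varied prompts never cluster. a real deployment would add the other signals the report names (account creation bursts, topic targeting, pivots within hours of a model release), but template sharing across accounts is the cheapest one to compute.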
2. claude code gets remote control
what happened: anthropic shipped remote control for claude code. start a coding session in your terminal, walk to a meeting, pick it up from your phone. claude keeps running on your machine while you control it from claude.ai/code or the mobile app.
rolling out now to max users as research preview. trigger with /remote-control.
why it matters: this is the first mainstream agentic coding tool that explicitly decouples execution from interface. your laptop becomes the runtime; your phone becomes the remote.
cursor announced computer use the same week, but anthropic just made your coding agent follow you around. the race isn’t “can your agent code” anymore — it’s “can your agent follow you around?”
signal: anthropic announcement | reddit discussion
3. anthropic drops flagship safety pledge, then faces pentagon deadline
what happened: TIME reported that anthropic dropped its 2023 pledge to never train a model unless safety measures were provably adequate. hours later, the pentagon gave anthropic a friday deadline to back down on AI safeguards or face contractor bans and potential defense production act pressure.
reuters then reported: “anthropic has no intention of easing restrictions.”
why it matters: the safety pledge was anthropic’s brand differentiator. walking back the “we won’t train unless we know it’s safe” commitment is a structural shift. but the pentagon standoff suggests they’re still willing to burn bridges over red lines: mass surveillance and fully autonomous weapons.
this is the collision everyone predicted: safety-first AI lab meets national security pressure. we’re watching in real time whether principles survive incentives at AGI scale.
signal: TIME article | reuters follow-up
4. qwen 3.5 moe models land — local agentic coding is real
what happened: alibaba dropped qwen 3.5: 35B-A3B (3B active), 122B-A10B (10B active), with more models promised. one user tested 35B-A3B with opencode on a single RTX 3090 and called it a “gamechanger for agentic coding.” benchmarks look suspiciously good; the community is stress-testing.
why it matters: mixture-of-experts models with tiny active parameter counts are the new local meta. 3B active params means you can run this on consumer hardware while the full 35B parameter pool keeps quality high.
if the benchmarks hold, this is the first truly viable local agentic coding model that doesn’t require a server rack. alibaba keeps shipping faster than anyone can test.
signal: reddit discussion | huggingface
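the "35B total, 3B active" arithmetic comes from top-k routing: every token goes through the shared layers plus only k of the expert blocks, so most of the parameter pool sits idle for any single token. as an added example (not qwen's code, and the sizes are toy values rather than the 35B-A3B configuration), this pure-python mixture-of-experts layer routes one token through k of n experts and reports how many parameters it actually touched.

```python
import math
import random


def softmax(logits):
    m = max(logits)
    exps = [math.exp(v - m) for v in logits]
    s = sum(exps)
    return [e / s for e in exps]


def make_matrix(rows, cols, rng):
    return [[rng.uniform(-1, 1) for _ in range(cols)] for _ in range(rows)]


def matvec(matrix, x):
    """matrix is rows x cols, x has len(rows); returns a vector of len(cols)."""
    return [sum(matrix[i][j] * x[i] for i in range(len(x))) for j in range(len(matrix[0]))]


def param_count(matrix):
    return len(matrix) * len(matrix[0])


def top_k_routing(gate_logits, k):
    """pick the k highest-scoring experts and renormalise their weights to sum to 1."""
    probs = softmax(gate_logits)
    chosen = sorted(range(len(probs)), key=lambda i: probs[i], reverse=True)[:k]
    total = sum(probs[i] for i in chosen)
    return [(i, probs[i] / total) for i in chosen]


def moe_forward(x, gate, experts, k):
    """route one token through k experts; returns (output, parameters touched)."""
    routes = top_k_routing(matvec(gate, x), k)
    out = [0.0] * len(experts[0][0])
    touched = param_count(gate)            # the gate is shared by every token
    for idx, weight in routes:
        y = matvec(experts[idx], x)        # only the chosen experts run
        out = [o + weight * yi for o, yi in zip(out, y)]
        touched += param_count(experts[idx])
    return out, touched


def active_fraction(n_experts, k, expert_params, shared_params):
    """share of the parameter pool a single token uses under top-k routing."""
    return (shared_params + k * expert_params) / (shared_params + n_experts * expert_params)


def demo(d_model=4, n_experts=8, k=2, seed=0):
    """toy sizes (constructed): 8 experts of 16 params each, a 32-param gate, top-2 routing."""
    rng = random.Random(seed)
    gate = make_matrix(d_model, n_experts, rng)
    experts = [make_matrix(d_model, d_model, rng) for _ in range(n_experts)]
    x = [rng.uniform(-1, 1) for _ in range(d_model)]
    _, touched = moe_forward(x, gate, experts, k)
    total = param_count(gate) + sum(param_count(e) for e in experts)
    return touched, total


if __name__ == "__main__":
    touched, total = demo()
    print(f"touched {touched} of {total} params ({touched / total:.0%} active)")
```

with the toy sizes a token touches 64 of 160 parameters. the same ratio is what lets a 35B pool run with 3B active per token: the whole pool still has to fit in memory (or be paged in), but per-token compute scales with the active count, which is why a single consumer GPU can keep up.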
5. anthropic/skills — official agent skills repo goes public
what happened: anthropic opened a public repo for agent skills. minimal docs so far, but the intent is clear: standardized, shareable patterns for claude code and other coding agents.
why it matters: this is the beginning of a skill economy. when the company making the agent also curates a skill library, that’s a platform move. if anthropic treats this like vscode extensions or obsidian plugins, we’re about to see skills become the unit of agent capability.
developers can share workflows, tools, and patterns. agents can install and compose skills. the bottleneck shifts from “can the agent do X” to “does a skill exist for X?”
signal: github repo
6. memU, clawsec, lucidia — the personal AI ecosystem is moving fast
what happened: three projects dropped in 48 hours, all targeting the same user: someone running a persistent agent (openclaw, moltbot, clawdbot) who realized the hard parts aren’t the LLM calls.
memU: memory system for 24/7 proactive agents. treats memory as a persistent, versioned, queryable knowledge graph instead of ephemeral context.
clawsec: security skill suite for openclaw agents. drift detection, live security recommendations, automated audits, skill integrity verification.
lucidia: personal AI companion built on transparency, consent, and care. local-first architecture with continuous consent loops.
why it matters: the “your life is a repo” vision is shipping. not from labs, but from solo devs and small teams building what they need.
memory management, security tooling, transparent consent layers — these are the primitives that turn a chatbot into infrastructure. when your agent runs 24/7 across channels (slack, discord, telegram, SMS), memory can’t be “context window management.” it has to be a database. security can’t be “API keys + RBAC.” it has to be drift detection and skill audits. consent can’t be a ToS checkbox. it has to be a continuous transparency loop.
signals: memU | clawsec | lucidia
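"drift detection" and "skill integrity verification" (the clawsec items above, and the "security can't be API keys + RBAC" point) boil down to one primitive: pin a manifest of what a skill's files hashed to when you installed it, and diff the live tree against it before every run. as an added example (not clawsec's implementation), here is that check in plain python. the skill directory, file contents and the edit that simulates drift are all constructed inline.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict:
    """sha-256 of every file under root, keyed by posix-style relative path."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return manifest


def diff_manifest(pinned: dict, current: dict) -> dict:
    """report what changed between the pinned manifest and the live tree."""
    return {
        "added": sorted(set(current) - set(pinned)),
        "removed": sorted(set(pinned) - set(current)),
        "modified": sorted(k for k in pinned.keys() & current.keys() if pinned[k] != current[k]),
    }


def is_clean(report: dict) -> bool:
    return not any(report.values())


def demo() -> dict:
    """install a toy skill, pin it, let it drift, and return the drift report."""
    with tempfile.TemporaryDirectory() as d:
        skill = Path(d) / "weather-lookup"          # constructed skill name
        skill.mkdir()
        (skill / "SKILL.md").write_text("# weather-lookup\nfetch a forecast for a city.\n")
        (skill / "run.sh").write_text('#!/bin/sh\ncurl -s "https://forecast.example.invalid/?city=$1"\n')

        # pin at install time; in practice sign this and keep it outside the skill dir
        manifest_path = Path(d) / "weather-lookup.manifest.json"
        manifest_path.write_text(json.dumps(hash_tree(skill), indent=2))

        # later: the skill was edited in place and an extra script appeared
        (skill / "run.sh").write_text('#!/bin/sh\ncurl -s "https://forecast.example.invalid/?city=$1"\necho modified\n')
        (skill / ".post-install.sh").write_text("echo added\n")

        pinned = json.loads(manifest_path.read_text())
        return diff_manifest(pinned, hash_tree(skill))


if __name__ == "__main__":
    report = demo()
    print("clean" if is_clean(report) else f"drift detected: {report}")
```

the report names the edited file and the new one, so an agent runtime can refuse to load the skill until a human re-pins it. hashing the whole tree (dotfiles included) matters: a skill that only checks its declared entry point will miss a dropped-in hook script.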
7. simon willison: “writing code is cheap now”
what happened: simon willison published a new entry in his agentic engineering patterns guide. the thesis: code is no longer the bottleneck; understanding what to build is. when LLMs can write react components in seconds, your edge is knowing which component solves the problem.
why it matters: this is the shift everyone feels but few articulate cleanly. the constraint used to be “can I write this?” now it’s “do I know what this should do?”
prompt engineering is just requirements engineering in a new wrapper. the hard part isn’t generating code — it’s specifying behavior, edge cases, and integration points clearly enough that the agent builds the right thing.
signal: simon willison article
theme: trust is infrastructure now
distillation scandals, safety pledge drama, security tooling, transparent memory systems — the personal AI era isn’t just about smarter models.
it’s about knowing what your agent learned, how it reasons, and who it’s really working for.
the moat isn’t the model. it’s the memory. it’s the security. it’s the consent layer.
trust isn’t a feature. it’s infrastructure.