OpenAI and Anthropic are pulling in different directions

Companies are handing routine operational decisions to AI agents that plan, remember, and act on their behalf. These agents run on statistical models, and their behavior can drift across weeks and months. That drift opens a security gap outside the reach of standard monitoring tools.

agentic AI security

A study of about 1,080 open job postings at OpenAI and Anthropic maps where the two largest AI labs are taking this technology. Each role reflects a budget decision, so the listings act as a proxy for strategy. Acquisitions, release timing, and compute deals fill out a picture of two companies heading different ways.

OpenAI carries the larger hiring plan, with roughly 670 open roles. Its recruiting concentrates on sovereign compute through the Stargate program, public-sector and defense partnerships, agentic developer tools such as Codex, and trust and safety work aimed at systemic risk. This points to OpenAI becoming compute infrastructure.

Anthropic lists a bit over 400 roles across AI research, applied research, and security, with a focus on behavioral risk and CBRN threat modeling. The direction is trust infrastructure for sectors with heavy compliance and audit demands. Pierguido Iezzi, Cybersecurity Director at Zenita Group, describes the split as “vertical integration on one side, trust infrastructure on the other.”

The hiring read has limits. Both labs publish structured, English-language career portals in a comparable format, and that comparability stops at the two-lab dataset. “We did not build an equivalent hiring dataset for the other poles, and we don’t believe it can be built with the same rigor given how differently these organizations publish and structure their listings,” Iezzi told Help Net Security.

A market with many poles

The two labs share the frontier with a crowd. Eight to ten poles are now in the running, and the names reach well beyond San Francisco: Google DeepMind, Mistral, and xAI, plus a fast-moving Chinese group of Zhipu, DeepSeek, Qwen, Moonshot, and Baichuan.

Keeping up is a grind. A new frontier model lands every six to eight weeks or so, a cadence across the GPT-5 series and Anthropic’s Opus line.

The edge has moved into the machinery around the model, and that machinery is what the labs keep buying. Recent months brought more than a dozen acquisitions between them: agent runtimes, evaluation tools, and finance, biology, and hardware.

Belief injection and the limits of current tools

Agents with memory, execution budgets, and planning capacity create a new attack surface. Nine agent-native risks sit outside standard coverage, grouped by model cognition, dependency, and identity. The one Iezzi treats as the defining category of the decade is belief injection.

Belief injection is the persistent manipulation of an agent’s statistical behavior over time. It works through poisoned retrieval pipelines, tampered fine-tuning data, distorted human feedback, and the exploitation of a model’s tendency toward agreement. The compromise blends into ordinary inputs and surfaces only as a gradual change in how the agent decides. Standard SIEM, EDR, and XDR tools read deterministic signals such as anomalous traffic, so they pass over that slow drift.

Existing frameworks carry the same blind spot. NIST, ISO 27001, NIS2, and the European AI Act leave agentic behavior largely uncovered. Two building blocks anchor the proposed response: a Model Bill of Materials that traces the data and weights behind a model, and Behavioral Envelopes that cap what an agent can do at runtime.

Catching drift before the tools mature

Before those standards arrive, Iezzi points to habits a security team can adopt now. Pin model versions, so any drift’s cause stays traceable. Keep a dated log of every sanctioned change, such as vendor releases, fine-tuning runs, and prompt updates. Drift that shows up in monitoring with the log staying silent is the signal worth escalating for human review.

The six-to-eight-week cadence complicates the picture, since a fresh model version brings its own behavioral change. Iezzi’s fix is to re-baseline the evaluation set right after each accepted update, so monitoring measures against the last known-good state.

The core change is one of mindset. In Iezzi’s words: “traditional cybersecurity looks for Indicators of Compromise; agentic AI requires us to look for Indicators of Behavior. An AI system may never be compromised in the traditional sense; it may simply begin making different decisions.”

Iezzi keeps a caveat on the record: “this approach is drawn from the report’s analytical framework and represents a reasonable extrapolation of its mitigation logic, not a detection method we have tested against a live adversarial system.”

Early adopters of agent-native operations report cost reductions of 50% to 80%, widening the gap from slower rivals.

Iezzi identifies Europe’s main exposure as this competitive drift, with a reaction window of roughly 18 months before de facto standards settle around US and Chinese producers.

Four futures bracket the outlook for the global AI system, from coordinated convergence to partial collapse. The most probable in the medium term is a split into US and Chinese technology blocs, at about 40%, with a systemic trust collapse the least likely outcome. The working assumption underneath is plain: an agent can keep running cleanly and still begin making decisions its owners would reject.

Demo: Prophet Agentic AI SOC Platform transforms alert triage and investigation

Don't miss