OpenAI and Anthropic diverge on AI strategy

▼ Summary
– AI agents handling routine decisions can experience behavioral drift, creating a security gap that standard monitoring tools cannot detect.
– OpenAI has about 670 open roles focused on sovereign compute, defense partnerships, and agentic tools, signaling a move toward compute infrastructure.
– Anthropic lists over 400 roles emphasizing behavioral risk and CBRN threat modeling, aiming to build trust infrastructure for regulated sectors.
– Belief injection is a key risk, where attackers manipulate an agent’s statistical behavior over time through poisoned data or feedback, bypassing traditional security tools.
– Security teams can mitigate drift by pinning model versions, logging changes, and re-baselining evaluations after updates, shifting focus from Indicators of Compromise to Indicators of Behavior.
Companies are increasingly handing routine operational decisions to AI agents that plan, remember, and act on their behalf. These agents run on statistical models, and their behavior can drift across weeks and months, opening a security gap beyond the reach of standard monitoring tools.
A study of roughly 1,080 open job postings at OpenAI and Anthropic maps where the two largest AI labs are steering this technology. Each role reflects a budget decision, so the listings act as a proxy for strategic direction. Acquisitions, release timing, and compute deals complete a picture of two companies heading in different directions.
OpenAI carries the larger hiring plan, with around 670 open roles. Its recruiting focuses on sovereign compute through the Stargate program, public-sector and defense partnerships, agentic developer tools like Codex, and trust and safety work aimed at systemic risk. This suggests OpenAI is evolving into compute infrastructure.
Anthropic lists a bit over 400 roles across AI research, applied research, and security, with an emphasis on behavioral risk and CBRN threat modeling. The direction is trust infrastructure for sectors with heavy compliance and audit demands. Pierguido Iezzi, Cybersecurity Director at Zenita Group, describes the split as “vertical integration on one side, trust infrastructure on the other.”
The hiring analysis has limits. Both labs publish structured, English-language career portals in a comparable format, but that comparability stops at the two-lab dataset. “We did not build an equivalent hiring dataset for the other poles, and we don’t believe it can be built with the same rigor given how differently these organizations publish and structure their listings,” Iezzi told Help Net Security.
A market with many poles
The two labs share the frontier with a crowd. Eight to ten poles are now in the running, and the names extend well beyond San Francisco: Google DeepMind, Mistral, and xAI, plus a fast-moving Chinese group of Zhipu, DeepSeek, Qwen, Moonshot, and Baichuan.
Keeping up is a grind. A new frontier model lands every six to eight weeks or so, a cadence across the GPT-5 series and Anthropic’s Opus line.
The edge has moved into the machinery around the model, and that machinery is what the labs keep buying. Recent months brought more than a dozen acquisitions between them: agent runtimes, evaluation tools, and finance, biology, and hardware assets.
Belief injection and the limits of current tools
Agents with memory, execution budgets, and planning capacity create a new attack surface. Nine agent-native risks sit outside standard coverage, grouped by model cognition, dependency, and identity. The one Iezzi treats as the defining category of the decade is belief injection.
Belief injection is the persistent manipulation of an agent’s statistical behavior over time. It works through poisoned retrieval pipelines, tampered fine-tuning data, distorted human feedback, and the exploitation of a model’s tendency toward agreement. The compromise blends into ordinary inputs and surfaces only as a gradual change in how the agent decides. Standard SIEM, EDR, and XDR tools read deterministic signals such as anomalous traffic, so they miss that slow drift.
Existing frameworks carry the same blind spot. NIST, ISO 27001, NIS2, and the European AI Act leave agentic behavior largely uncovered. Two building blocks anchor the proposed response: a Model Bill of Materials that traces the data and weights behind a model, and Behavioral Envelopes that cap what an agent can do at runtime.
Catching drift before the tools mature
Before those standards arrive, Iezzi points to habits a security team can adopt now. Pin model versions so any drift’s cause stays traceable. Keep a dated log of every sanctioned change, such as vendor releases, fine-tuning runs, and prompt updates. Drift that shows up in monitoring while the log stays silent is the signal worth escalating for human review.
The six-to-eight-week cadence complicates things, since a fresh model version brings its own behavioral change. Iezzi’s fix is to re-baseline the evaluation set right after each accepted update, so monitoring measures against the last known-good state.
The core change is one of mindset. In Iezzi’s words: “traditional cybersecurity looks for Indicators of Compromise; agentic AI requires us to look for Indicators of Behavior. An AI system may never be compromised in the traditional sense; it may simply begin making different decisions.”
Iezzi keeps a caveat on the record: “this approach is drawn from the report’s analytical framework and represents a reasonable extrapolation of its mitigation logic, not a detection method we have tested against a live adversarial system.”
Early adopters of agent-native operations report cost reductions of 50% to 80%, widening the gap from slower rivals.
Iezzi identifies Europe’s main exposure as this competitive drift, with a reaction window of roughly 18 months before de facto standards settle around US and Chinese producers.
Four futures bracket the outlook for the global AI system, from coordinated convergence to partial collapse. The most probable in the medium term is a split into US and Chinese technology blocs, at about 40%, with a systemic trust collapse the least likely outcome. The working assumption underneath is plain: an agent can keep running cleanly and still begin making decisions its owners would reject.
(Source: Help Net Security)


