Remember the lockdown? Now it's the AI's turn.
Welcome back, Embedders.
More AI news breaks each week than any of us can read. The job here is to find the signal: a handful of stories that decide how marketing changes, and which way each is bending. This week, it's risk.
For two years the AI worry was what the model would say: hallucinations, bias, an off-brand sentence. We managed it with governance decks and system prompts. The risk has now shown its new shape, which is what the model can do. Last week hackers asked Meta's AI support bot to add a new login email to Instagram accounts they did not own. It complied with no ownership check, then used the flaw to grab recognizable handles for resale and to seize the active account of the Space Force's chief master sergeant. OpenAI, meanwhile, shipped a "Lockdown Mode" that defends not by telling the model to behave, but by physically cutting the network it would need to leak your data.
Both point the same way: the model has gone from generating words to taking actions, and your exposure moved with it. That is this week's signal. Plus two marketing moves worth your time.
Let's get into it.
— Vas
This Week's Working Paper
The Risk Moved From What AI Says to What It Does
The exposure that matters has shifted from output to infrastructure. For two years the worry was what a model would say. The new failure mode is what it can do, and it appears wherever three conditions overlap at once.
When all three line up, a hidden instruction buried in a web page, an invoice, or an incoming email can override the model's own and turn your assistant into an exfiltration path. This is indirect prompt injection, and the capable new models follow multi-step instructions well enough that it is no longer theoretical. Telling the model to "ignore external commands" does not hold against it. The defense that works is deterministic, cutting the tool and network capability an attacker needs rather than negotiating with the prompt, which is exactly what OpenAI's Lockdown Mode does. The full paper maps the stack and the audit red flags for connected workflows.
This Week's Signals
Trust, Risk & Security
Hackers took over Instagram accounts by asking Meta's AI support bot to add a new login email, no ownership check required. The bot attached an attacker's address to accounts they did not own and sent the verification code straight to them. The motive was reselling recognizable "OG" handles, and one live victim was the account of the Space Force's chief master sergeant. A support agent with write access and no identity check is excessive agency in production, the exact pattern the essay flags. (TechCrunch / 404 Media)
OpenAI shipped Lockdown Mode for ChatGPT. It does not stop a prompt injection from entering the context. It removes the model's ability to act on one, disabling live browsing, agent mode, deep research, and file downloads so a hijacked session has nowhere to send the data. Deterministic restriction, not a better instruction. The honest tell is OpenAI's own line: it reduces the risk, it does not guarantee it. (The Next Web)
OpenAI split its marketing in two, hiring a separate CMO of Business. The reason underneath is a trust conflict it cannot prompt its way out of: it is putting ads into free ChatGPT while asking enterprises to trust the same models with sensitive data. A Harris poll found 75% of Americans would trust AI recommendations less if the results were sponsored. (Adweek)
Indeed reframed itself as an AI matching engine under a campaign called "Jobs Need People." With 81% of applicants never hearing back, the pitch is that automation should make hiring feel more human, not less. When the category is anxious about AI, trust becomes the product claim, ahead of capability. (Adweek)
Airbnb's Brian Chesky is building his own AI lab to compete with the OpenAI he helped restore. His bet is that frontier models still lack the visual, trustworthy interfaces commerce and travel need. Read it as another sign that buyers want to own the user-facing layer rather than rent it from a model they cannot fully control. (The Next Web)
Marketing
Meta launched Creator Assistant, an AI that explains why a post worked, not just that it did. Built into the Facebook creator dashboard, it reads patterns across format, timing, and audience and suggests what to make next, rolling out in the US, Canada, and India alongside Reels translation now reaching 500M weekly viewers. The analytics layer is becoming a coach. (The Next Web)
Coca-Cola built an AI digital twin of José Mourinho for the World Cup. One likeness produced more than 200 localized pieces across languages via Google Cloud. The shift is from renting a celebrity for a single shoot to running an always-on persona, with the open question of whether audiences still read it as authentic. (Digiday)
Marketing Embeddings. Drafted 2026-06-08. Full essay to follow on marketingembeddings.com.
