Radar Trends to Watch: July 2025

While there are many copyright cases working their way through the court system, we now have an important decision from one of them. Judge William Alsup ruled that the use of copyrighted material for training is “transformative” and, hence, fair use; that converting books from print to digital form was fair use; but that the use of pirated books in building a library for training AI was not.

Now that everyone is trying to build intelligent agents, we have to think seriously about agent security—which is doubly problematic because we already haven’t thought enough about AI security and issues like prompt injection. Simon Willison has coined the term “lethal trifecta” to describe the combination of problems that make agent security particularly difficult: access to private data, exposure to untrusted content, and the ability to communicate with external services.

Artificial Intelligence

Researchers have fine-tuned a model for locating deeds that include language to prevent sales to Black people and other minorities. Their research shows that, as of 1950, roughly a quarter of the deeds in Santa Clara county included such language. The research required analyzing millions of deeds, many more than could have been analyzed by humans.
Google has released its live music model, Magenta RT. The model is intended to synthesize music in real time. While there are some restrictions, the weights and the code are available on Hugging Face and GitHub.
OpenAI has found that models that develop a misaligned persona can be retrained to bring their behavior back inline.
The Flash and Pro versions of Gemini 2.5 have reached general availability. Google has also launched a preview of Gemini 2.5 Flash-Lite, which has been designed for low latency and cost.
The site lowbackgroundsteel.ai is intended as a repository for pre-AI content—i.e., content that could not have been generated by AI.
Are the drawbridges going up? Drew Breunig compares the current state of AI to Web 2.0, when companies like Twitter started to restrict developers connecting to their platforms. Drew points to Anthropic cutting off Windsurf, Slack blocking others from searching or storing messages, and Google cutting ties with Scale after Meta’s investment.
Simon Willison has coined the phrase “lethal trifecta” to describe dangerous vulnerabilities in AI agents. The lethal trifecta arises from the combination of private data, untrusted content, and external communication.
Two new papers, “Design Patterns for Securing LLM Agents Against Prompt Injections” and “Google’s Approach for Secure AI Agents,” address the problem of prompt injection and other vulnerabilities in agents. Simon Willison’s summaries are excellent. Prompt injection remains an unsolved (and perhaps unsolvable) problem, but these papers show some progress.
Google’s NotebookLM can turn your search results into a podcast based on the AI overview. The feature isn’t enabled by default; it’s an experiment in search labs. Be careful—listening to the results may be fun, but it takes you further from the actual results.
AI-enabled Barbie? This I have to see. Or maybe not.
Institutional Books is a 242B token dataset for training LLMs. It was created from public domain/out-of-copyright books in Harvard’s library. It includes over 1M books in over 250 languages.
Mistral has launched their first reasoning model, Magistral, in two versions: a Small version (open source, 24B) and a closed Medium version for enterprises. The announcement stresses traceable reasoning (for applications like law, finance, and healthcare) and creativity.
OpenAI has launched o3-pro, its newest high-end reasoning model. (It’s probably the same model as o3, but with different parameters controlling the time it can spend reasoning.) LatentSpace has a good post on how it’s different. Bring lots of context.
At WWDC, Apple announced a public API for its on-device foundation models. Otherwise, Apple’s AI-related announcements at WWDC are unimpressive.
Simon Willison’s “The Last Six Months in LLMs” is worth reading; his personal benchmark (asking an LLM to generate a drawing of a pelican riding a bicycle) is surprisingly useful!
Here’s a description of tool poisoning attacks (TPA) against systems using MCP. TPAs were first described in a post from Invariant Labs. Malicious commands can be included in the tool metadata that’s sent to the model—usually (but not exclusively) in the description field.
As part of the New York Times copyright trial, OpenAI has been ordered to retain ChatGPT logs indefinitely. The order has been appealed.
Sandia’s new “brain-inspired” supercomputer, designed by SpiNNcloud, is worth watching. There’s no centralized memory; memory is distributed among processors (175K cores in Sandia’s 24-board system), which are designed to mimic neurons.
Google has updated Gemini 2.5 Pro. While we wouldn’t normally get that excited about an update, this update is arguably the best model available for code generation. And an even more impressive model, Gemini Kingfall, was (briefly) seen in the wild.
Here’s an MCP connector for humans! The idea is simple: When you’re using LLMs to program, the model will often go off on a tangent if it’s confused about what it needs to do. This connector tells the model how to ask the programmer whenever it’s confused, keeping the human in the loop.
Agents appear to be even more vulnerable to security vulnerabilities than the models themselves. Several of the attacks discussed in this paper involve getting an agent to read malicious pages that corrupt the agent’s output.
OpenAI has announced the availability of ChatGPT’s Record mode, which records a meeting and then generates a summary and notes. Record mode is currently available for Enterprise, Edu, Team, and Pro users.
OpenAI has made its Codex agentic coding tool available to ChatGPT Plus users. The company’s also enabled internet access for Codex. Internet access is off by default for security reasons.
Vision language models (VLMs) see what they want to see; they can be very accurate when answering questions about images containing familiar objects but are very likely to make mistakes when shown counterfactual images (for example, a dog with five legs).
Yoshua Bengio has announced the formation of LawZero, a nonprofit AI research group that will create “safe-by-design” AI. LawZero is particularly concerned that the latest models are showing signs of “self-preservation and deceptive behavior,” no doubt referring to Anthropic’s alignment research.
Chat interfaces have been central to AI since ELIZA. But chat embeds the results you want, in lots of verbiage, and it’s not clear that chat is at all appropriate for agents, when the AI is kicking off lots of new processes. What’s beyond chat?
Slop forensics uses LLM “slop” to figure out model ancestry, using techniques from bioinformatics. One result is that DeepSeek’s latest model appears to be using Gemini to generate synthetic data rather than OpenAI. Tools for slop forensics are available on GitHub.
Osmosis-Structure-0.6b is a small model that’s specialized for one task: extracting structure from unstructured text documents. It’s available from Ollama and Hugging Face.
Mistral has announced an Agents API for its models. The Agents API includes built-in connectors for code execution, web search, image generation, and a number of MCP tools.
There is now a database of court cases in which AI-generated hallucinations (citations of nonexistent case law) were used.

Programming

Martin Fowler and others describe the “expert generalist” in an attempt to counter increasing specialization in software engineering. Expert generalists combine one (or more) areas of deep knowledge with the ability to add new areas of depth quickly.
Duncan Davidson points out that, with AI able to crank out dozens of demos in little time, the “art of saying no” is suddenly critical to software developers. It’s too easy to get lost in a flood of decent options while trying to pick the best one.
You’ll probably never need to compute a billion factorials. But even if you don’t, this article nicely demonstrates optimizing a tricky numeric problem.
Rust is seeing increased adoption for data engineering projects because of its combination of memory safety and high performance.
The best way to make programmers more productive is to make their job more fun by encouraging experimentation and rest breaks and paying attention to issues like appropriate tooling and code quality.
What’s the next step after platform engineering? Is it platform democracy? Or Google Cloud’s new idea, internal development platforms?
A study by the Enterprise Strategy Group and commissioned by Google claims that software developers waste 65% of their time on problems that are solved by platform engineering.
Stack Overflow is taking steps to preserve its relevance in the age of AI. It’s considering incorporating chat, paying people to be helpers, and adding personalized home pages where you can aggregate important technical information.

Web

Is it time to implement HTTP/3? This standard, which has been around since 2022, solves some of the problems with HTTP/2. It claims to reduce wait and load times, especially when the network itself is lossy. The Nginx server, along with the major browsers, all support HTTP/3.
Monkeon’s WikiRadio is a website that feeds you random clips of Wikipedia audio. Check it out for more projects that remind you of the days when the web was fun.

Security

Cloudflare has blocked a DDOS attack that peaked at 7.3 terabits/second; the peak lasted for about 45 seconds. This is the largest attack on record. It’s not the kind of record we like to see.
How many people do you guess would fall victim to scammers offering to ghostwrite their novels and get them published? More than you would think.
ChainLink Phishing is a new variation on the age-old phish. In ChainLink Phishing, the victim is led through documents on trusted sites, well-known verification techniques like CAPTCHA, and other trustworthy sources before they’re asked to give up private and confidential information.
Cloudflare’s Project Galileo offers free protection against cyberattacks for vulnerable organizations, such as human rights and relief organizations that are vulnerable to denial-of-service (DOS) attacks.
Apple is adding the ability to transfer passkeys to its operating systems. The ability to import and export passkeys is an important step toward making passkeys more usable.
Matthew Green has an excellent post on cryptographic security in Twitter’s (oops, X’s) new messaging system. It’s worth reading for anyone interested in secure messaging. The TL;DR is that it’s better than expected but probably not as good as hoped.
Toxic agent flows are a new kind of vulnerability in which an attacker takes advantage of an MCP server to hijack a user’s agent. One of the first instances forced GitHub’s MCP server to reveal data from private repositories.

Operations

Databricks announced Lakeflow Designer, a visually oriented drag-and-drop no code tool for building data pipelines. Other announcements include Lakebase, a managed Postgres database. We have always been fans of Postgres; this may be its time to shine.
Simple instructions for creating a bootable USB drive for Linux—how soon we forget!
An LLM with a simple agent can greatly simplify the analysis and diagnosis of telemetry data. This will be revolutionary for observability—not a threat but an opportunity to do more. “The only thing that really matters is fast, tight feedback loops.”
DuckLake combines a traditional data lake with a data catalog stored in an SQL database. Postgres, SQLite, MySQL, DuckDB, and others can be used as the database.

Quantum Computing

IBM has committed to building a quantum computer with error correction by 2028. The computer will have 200 logical qubits. This probably isn’t enough to run any useful quantum algorithm, but it still represents a huge step forward.
Researchers have claimed that 2,048-bit RSA encryption keys could be broken by a quantum computer with as few as a million qubits—a factor of 20 less than previous estimates. Time to implement postquantum cryptography!