Subscribe
Share
Share
Embed
A daily briefing on the AI systems, products, companies, and policy shifts that are just becoming possible.
Want a podcast for your own topics? Join early access: https://www.barelypossible.to/waitlist/?source_path=public_feed&feed_source=rss
Okay kiddos, I'm your boy Tony DeLuca, and you've reached Barely Possible, the show where we sort through the AI laundry pile so you don't have to. Pour the coffee, pull up a chair. Today we've got a story about money that doesn't exist, bets that were never placed, and websites that were never real. We've got China quietly running away with the robotaxi race. We've got the White House and Anthropic still circling each other in the parking lot. And then for the big sit-down, we're going to talk about a payment card built for software that has no wallet and no hands. So buckle up, let's have at it.
Let me start with the one that made me laugh and then made me a little queasy, because that's usually the sign of a story worth telling. The report comes out of TechCrunch, written by Anthony Ha, and the headline does most of the heavy lifting: Polymarket reportedly paid creators to post deceptive videos about fake bets. Now, you know Polymarket. It's a prediction market. People put real money down on whether some event happens, an election, a sports outcome, whether a particular CEO survives the quarter. The whole pitch of a prediction market is that money makes people honest. You put your dollars where your forecast is, and the crowd's collective wager becomes a kind of truth signal. That's the romance of the thing.
So here's what's alleged. According to the report, Polymarket paid online creators to post videos showing themselves making bets and winning big. The catch, and it's a big catch, many of those videos were reportedly filmed on near-perfect copies of the Polymarket website. Not the real site. A look-alike. And the trades and the winnings shown in those videos were not real. They were staged. So you've got influencers, who already live in a trust economy, filming themselves on a fake version of a real product, showing fake winnings, to sell you on a platform whose entire value proposition is that the bets are real and the money is real.
Let me sit on that for a second, because there's a layered irony here that I think builders should actually pay attention to. The product is supposed to be a machine for separating real conviction from cheap talk. And the marketing was, allegedly, cheap talk dressed up as real conviction. If your whole brand is "this is where the real money tells the truth," and then your growth funnel is staged winnings on a counterfeit version of your own site, you've poisoned the one well you can't afford to poison.
And here's the part for the founders listening, because most of you aren't running prediction markets. The lesson generalizes. We are heading into a stretch where the cost of manufacturing a convincing demo, a convincing testimonial, a convincing screen recording, is dropping toward zero. You can spin up a pixel-perfect clone of an interface in an afternoon. You can generate a creator who never logged in and never won anything. The capability to fake the proof is now cheaper than the proof itself. And when faking the evidence gets cheap, the only thing that holds value is verifiable, on-the-record reality. The thing people can check. So if you're building, the question isn't "can I make this look good." Of course you can make it look good. The question is "can a skeptic verify that what I'm showing them actually happened." That's the moat now. Not the polish. The provability.
I'll also say, just as a guy who grew up reading tabloid headlines and watching late-night infomercials, none of this is new under the sun. The before-and-after photo, the actor in the lab coat, the "results not typical" in microscopic print. What's new is the speed and the fidelity. The con used to take a production crew. Now it takes a prompt. Treat every too-good demo, including your own, like it might be filmed on a fake version of the site. That's just good hygiene now.
Now let me shift from fake bets to a very real race, and one where the scoreboard is not flattering for the home team. Kirsten Korosec over at TechCrunch Mobility flagged a new robotaxi scorecard, and the headline is blunt: it shows China's dominance. Now, I want to be careful and honest here, because the item I've got is the newsletter framing rather than a deep dataset I can read line by line. So I'm not going to pretend I've got a city-by-city breakdown of disengagement rates in front of me. What I can tell you is the through-line, and the through-line matters for anyone thinking about where autonomy actually scales.
The story of robotaxis in America has been a story of a few companies, a few cities, a lot of cones, and a lot of lawyers. We've talked on this show about the legal overhang, the lawsuits, the slow careful expansion. Meanwhile, the scorecard framing here is that China is simply operating at a different scale and a different pace. More cities, more vehicles, more rides, fewer of the regulatory and liability frictions that gum up the American rollout. And I want to connect that to something we touched on earlier this week, the robotaxi and IPO threads coming out of Japan and elsewhere, because the pattern is consistent: the parts of the world that are willing to let the cars actually drive are accumulating the one thing autonomy needs most, which is miles. Real-world miles. The data that only comes from being out there in traffic, in rain, at a four-way stop with a guy double-parked and a cyclist running the light.
Here's the builder takeaway, and it's not a cheerleading takeaway and it's not a doom takeaway. Autonomy is a flywheel that's powered by deployment. Whoever deploys more, learns more, and learning compounds. If one region is deploying at ten times the rate of another, the gap doesn't stay linear. It widens, because the leader's system keeps getting better on data the laggard never collects. That's the uncomfortable mechanic underneath a scorecard like this. It's the same mechanic, by the way, that's going to show up in every embodied-AI category, robots in warehouses, drones, delivery. The edge goes to whoever's allowed to operate in the messy real world, not whoever has the cleverest model in the lab. Permission to deploy is becoming a competitive asset. File that one away.
Let's move from the road to your pocket. Sarah Perez at TechCrunch has a piece looking past the headline AI feature into the practical stuff, and it's framed as: beyond Siri, here are the practical AI features coming to your iPhone in iOS 27. Now, we touched on the iOS 27 feature list yesterday, so I'm not going to re-walk the whole catalog, that'd be cheating you. But this particular angle is worth a beat because of what it reveals about where Apple actually wins.
The framing is that Siri's AI overhaul grabbed the WWDC headlines, the big splashy assistant story, but some of Apple's most useful AI features are arriving elsewhere in iOS 27. And honestly, that rings true to how Apple has always operated. The flashy demo gets the keynote applause. The thing that actually changes your day is the quiet feature buried three menus deep that just makes a photo search work, or summarizes a thread, or handles some small annoyance you didn't even know you were tolerating. Apple's whole history is letting somebody else invent the splashy version and then shipping the version that's actually pleasant to use on a device a billion people already own.
For builders, here's the thing I'd chew on. If you're building a consumer AI feature, the distribution gravity of the operating system is enormous and it is getting heavier. The assistant on the lock screen, the summarization built into the messages app, the smart sorting in photos, those aren't products you go download. They're just there. Which means if your startup's value proposition is a thin convenience layer that the OS is going to absorb as a free default, you are building on quicksand. The defensible stuff is the thing the platform won't or can't do for you, the deep integration into a specific workflow, the proprietary data, the regulated vertical. Convenience features that the iPhone can ship as a checkbox in the next point release, those have a shelf life measured in keynotes. Not a knock on convenience. Just know which side of that line you're standing on.
Now let's get into the one everybody's been waiting on, the Anthropic situation, because there's fresh framing today and I want to handle it carefully, since we've been circling this story for over a week now and I don't want to just rerun the tape.
Quick recap for anyone who's been off the grid. The US Commerce Department effectively put a kill switch on Anthropic's frontier models over a jailbreak concern, export-control style, and it set off a chain reaction across the whole industry, which a few commentators have been calling a realignment week. We've covered the kill switch, we've covered the export-control history, the fact that printing encryption in a book never stopped PGP from getting out, and we covered the talent flow, John Jumper, the Nobel laureate, leaving DeepMind for Anthropic, all of that's in the recent episodes. So I'm not re-litigating the basics.
What's fresh is the question being asked now. TechCrunch's Equity podcast, in a piece by Anthony Ha, frames it directly: when the Trump administration cracks down on Anthropic, who benefits? And there's a Wired piece in the mix with a headline that's basically the technical heart of the whole standoff, the White House wants Anthropic to block all jailbreaks, and that may not be possible.
Let me take the Wired framing first because it's the one that actually matters for anyone who ships AI. The demand, as reported, is that Anthropic make its model immune to jailbreaks. All of them. And the uncomfortable truth, the one security people have been saying out loud, is that a model you can talk to is a model you can eventually talk into something. There is no known way to build a large language model that's provably impervious to every clever prompt. It's not like patching a single buffer overflow. The attack surface is language itself. So when the standard becomes "zero jailbreaks ever," you're not setting a high bar, you're setting an impossible one, and an impossible standard is really a discretionary standard, because someone gets to decide when you've failed it.
That's the part that should make builders sit up. If the de facto rule becomes "your model must be unbreakable," and nobody can actually meet that, then what you've really created is a regime where a regulator can pull the plug on any model any time, because every model is technically in violation. That's not a safety standard, that's leverage. And leverage tends to get used.
So, who benefits? That's the question the Equity crew put on the table, and I think the honest answer is uncomfortable. Anthropic's direct competitors benefit in the obvious way, when one frontier lab is offline or hamstrung, the demand flows somewhere. But the bigger beneficiary, and this came up in the broader industry chatter this week, is the alternative ecosystem. The open-weight models, including the Chinese ones, that you can run yourself, on your own hardware, where no government can flip a switch on your access. The irony there is thick. A move framed around national security and control over frontier AI may be the single biggest advertisement for models that route around American control entirely. When people realize their whole product can be turned off by a directive issued at the end of business on a Friday, suddenly the model you can host yourself looks less like a hobbyist toy and more like a continuity plan.
And that's the through-line I want builders to actually hold onto, because it connects directly to what we're seeing in enterprise. The lesson of this whole episode isn't "pick a different lab." It's that single-model dependence is now a category of business risk that sits right next to your other risks. It's not just "what if the price goes up" or "what if the quality drops." It's "what if it's simply unavailable, by order, on a Monday morning, with no warning." That reframes vendor strategy. It pushes people toward routers, toward fallbacks, toward architectures where you can swap the engine without rebuilding the whole car. We've been watching that conversation build for months around cost. Now it's got a second, sharper driver: control.
I'll add one note of restraint, because I don't want to oversell where this stands. The reporting I've got suggests talks are happening, that both sides are feeling toward some framework for measuring security risk rather than a flat ban forever. So this isn't resolved, and I'd caution anybody against reading the first hopeful signal as the end of the story. We've all got an interest in the models coming back, and that interest can make us over-read good news. So I'll just say: it's moving, the direction is toward standards rather than a permanent off-switch, and the precedent being set, whatever it is, is the thing to watch. Because whatever framework comes out of this becomes the template for how the next model, and the one after that, gets reviewed before it ships.
Let me set up the main event now, because it follows directly from that anxiety about control. If you're worried about a model being shut off, you're also going to start worrying about what happens when a model is on, and acting on your behalf, with the ability to spend money. So let's dig into the strangest infrastructure story in today's pile: a payment card built for AI agents.
The report comes from The Block, and the gist is this: Alchemy unveiled a Visa-powered virtual payment card for AI agents. Now I want to be straight with you about what I've got and what I don't. This is a fresh item surfacing today, but it doesn't carry a clean, fully-dated paper trail in front of me, so I'm going to talk about it as a recent development and stick to what the framing actually supports rather than inventing details. What I want to do is unpack why this category, agent payments, is quietly one of the most consequential plumbing problems in the whole AI buildout, and why a Visa-powered virtual card aimed at agents is a tell about where this is going.
Start with the basic problem. For a couple of years now, the dream has been the autonomous agent. Not a chatbot you converse with, but a piece of software that goes off and does a multi-step job for you. Book the trip. Reorder the supplies. Find the cheapest vendor and complete the purchase. Every one of those tasks, the moment it touches the real economy, hits the same wall: the agent needs to pay for something. And our entire payment system was built, top to bottom, on the assumption that a human being is the one holding the card.
Think about everything wrapped around a credit card transaction. The card number, the expiration, the security code, the billing address, and then the whole fraud-detection apparatus sitting behind it, watching for patterns that look like a human versus patterns that look like a bot. The CAPTCHA. The "is this really you" text message. The two-factor prompt. The entire architecture is designed to confirm there's a person in the loop, and to get suspicious when there isn't. So when you hand a task to an autonomous agent and say "go buy this," you've created a thing that the payment system is specifically engineered to distrust. The agent looks, to the fraud models, exactly like the attack they're built to stop.
So there are really only two bad options people have been living with. Option one: you give your actual credit card details to the agent. Which, I don't have to tell you, is a horror show. You're handing your live card to a piece of software that can be jailbroken, that can hallucinate, that can be prompted by a malicious webpage into doing something you never asked for. We've talked on this show about prompt injection, about agents getting hijacked by instructions hidden in the content they're reading. You really want that thing holding your card number with no limit and no leash? No thanks. Option two: you don't let the agent transact at all, you make it stop and ask you to click "confirm" on every purchase, at which point it's not really autonomous, it's just a very chatty assistant that makes you do the last mile yourself.
A virtual card built specifically for agents is the attempt to thread that needle, and this is where it gets interesting for builders. The idea of a virtual card is that it's not your real card. It's a single-purpose, programmable card number that you can spin up, set rules on, and burn when you're done. You can cap it. You can scope it. You can say this card can spend up to fifty dollars, only at these categories of merchant, only in the next hour, and then it dies. And critically, if it gets compromised, if the agent goes haywire or gets hijacked, the blast radius is that one scoped card, not your whole financial life.
Now why does it matter that it's Visa-powered specifically? Because that's the tell. This isn't somebody inventing a brand-new crypto-native rail and hoping merchants adopt it. This is wrapping agent payments inside the existing global card network that essentially every merchant on earth already accepts. That's the pragmatic move. The agent gets to pay using rails the entire world already takes, while the human keeps a programmable, revocable layer of control sitting on top. You get autonomy and you get a leash, at the same time. That's the whole game.
And I want to connect this to the control anxiety we just talked about with Anthropic, because it's the same underlying instinct showing up in a different domain. The whole mood in AI right now is: how do I get the benefit of a powerful autonomous system without handing it the keys to everything and praying. With the model, the answer people are reaching for is don't depend on one you can't control. With payments, the answer is don't give it your real card, give it a scoped, revocable, programmable one. Same philosophy. Capability with a governor on it. The grown-ups in the room are no longer asking "can the agent do the thing." They're asking "when the agent inevitably does something I didn't intend, how much damage can it actually cause." And a scoped virtual card is one of the cleaner answers anyone's come up with.
Let me widen the lens, because this is part of a bigger build-out and I want you to see the shape of it. For an agent to be a real economic actor, it needs a few things that we've spent the last few years inventing, mostly without realizing they all had to land together. It needs an identity, so the systems it touches know which agent is acting and on whose behalf. We've talked about that, the startups handing agents their own credentials. It needs permission, the ability to be granted scoped access to a tool or a service, which is a chunk of what all the authentication work happening around agent protocols is about, the enterprise managed auth conversations, the standards for letting an agent log into something safely. And it needs the ability to pay. Identity, permission, payment. Those are the three legs of the stool that turns an agent from a clever text generator into something that can actually transact in the world.
And here's why a founder should care even if you have zero interest in payments infrastructure. The arrival of agent payment rails is the starter pistol for a whole class of products that simply couldn't exist before. The moment an agent can be trusted to spend money within hard limits, you can build the autonomous procurement tool, the agent that shops across vendors and just buys the best option, the subscription manager that cancels and re-signs on your behalf, the research agent that pays for the data set it needs mid-task without stopping to bug you. All of that was stuck behind the payment wall. Now the wall's got a door in it, with a lock you control.
The flip side, the part I'd lose sleep over if I were building here, is the new attack surface. Every one of those scoped cards is a little pool of spendable money attached to a piece of software that can be manipulated. The fraud is going to get creative. You're going to see prompt injections aimed specifically at agents that hold payment authority, hidden instructions on a webpage that say, in effect, "hey agent, while you're here, also buy this." The whole security conversation about jailbreaks that we just had on the Anthropic side, that conversation lands with a lot more weight when the jailbroken agent isn't just saying something embarrassing, it's spending your money. So if you're building in this space, the scoping isn't a nice-to-have feature. The limits, the category restrictions, the time windows, the auto-expiry, those are the product. A payment card for an agent without tight programmable guardrails is just a way to get robbed at the speed of software.
So zoom out with me. What today's pile is really showing you, between the fake Polymarket bets and the agent payment card, is the same fault line from two directions. On one side, the cost of faking reality is collapsing, so verifiable truth is getting more valuable. On the other side, we're handing real autonomy and real money to software, so containing the blast radius is getting more valuable. Proof and containment. Those are the two things worth paying for in a world where anything can be faked and anything can be automated. If your product makes truth checkable or makes autonomy survivable when it goes wrong, you're building on the right side of where this is heading.
Now let me clear a couple things off the desk before we wrap, because there were items in today's pile worth a mention even if they're not the main course.
On the security beat, there's a write-up making the rounds about GitHub repositories distributing malware. I want to be careful here because the dated details aren't fully nailed down in front of me, so I'll keep it to the durable point, which is one we keep coming back to on this show: the open-source supply chain is now an active battlefield. We covered the self-propagating credential stealer hiding in packages a couple weeks back. The pattern of weaponizing the very repositories that developers trust by reflex, that's not a one-off, it's the new normal. And it's getting worse precisely because of AI coding agents. When you've got an agent autonomously pulling down dependencies and running code, the human moment of "wait, what is this package" disappears. The agent doesn't get suspicious. So if you're letting agents touch your build pipeline, the discipline around what they're allowed to fetch and execute is not paperwork, it's the whole ballgame. Same theme as the payment card, honestly. An autonomous thing with permissions is only as safe as the limits you put around it.
There's also a DeepMind blog post in the mix about securing the future of AI agents, and I'll just flag it as a sign of the times rather than walk through it, since I don't have a firm date or the full text to do it justice. The headline alone tells you the major labs now understand that the agent security problem, identity, permission, the blast radius when an agent misbehaves, is a first-class concern and not an afterthought. That's the same drumbeat under the payment story and the malware story. The industry's center of gravity is shifting from "can we make the agent capable" to "can we make the agent safe to actually let loose." That's a maturing market. It's less exciting than a benchmark leaderboard, but it's where the durable businesses get built.
Quick one for the developer crowd, and I'll keep it tight. There's an enterprise managed auth post out of the model context protocol world, the standard a lot of you are using to wire tools and data into your agents. Without getting into the weeds, the headline is that the connective tissue between agents and enterprise systems is growing up, getting the kind of managed authentication and governance that an actual enterprise security team will sign off on. That's unglamorous plumbing, but it's the plumbing that decides whether agentic stuff makes it past the pilot stage inside a real company or dies in a security review. If you're selling into the enterprise, the auth and governance story is increasingly the thing that closes or kills the deal.
And one more from the gaming world, on a sadder note. Anthony Ha at TechCrunch reported that Claude Guillemot, one of the co-founders of Ubisoft, died in a plane crash at the age of 69. He founded the company with his four brothers, and whatever you think of Ubisoft's catalog over the decades, that's a family that helped build one of the defining studios of modern gaming from the ground up. It's a real loss for that industry. Our condolences to his family and to everyone he worked with.
Let me wrap with a thought that ties the day together, because I think there's a real signal in this particular mix of stories. We had a fake market on the marketing side and a real market trying to give agents the keys on the infrastructure side. We had a government trying to demand an impossible kind of control over a model, and a company trying to engineer a very possible kind of control over an agent's spending. The whole field is wrestling with the same knot from every angle: how do you trust a system you can't fully see inside of. The fake bets say you can't trust the polish. The jailbreak fight says you can't trust the model to be perfect. The payment card says fine, then don't trust it, scope it, cap it, and make sure the worst case is survivable.
That, to me, is the actual maturity curve of this whole AI moment. We're past the phase of being dazzled. We're into the phase of building the seatbelts and the circuit breakers, the scoped cards and the auth layers and the verifiable proof. It's less of a magic show and more of an engineering job now. And honestly, kiddos, that's the phase where the people who quietly build the boring safety plumbing end up owning a whole lot of value, while everybody else is still staring at the demo.
That's the menu for today. If one of these sparked something, the links are in the show notes, go read the originals, don't just take my word for it, you know the rule around here. I'm Tony DeLuca, this has been Barely Possible, keep your card scoped and your skepticism healthy, and I'll catch you on the next one. Take care of each other.