Entry 019 · May 15, 2026 · 11 min read
Palo Alto disclosed 26 vulnerabilities—five times the usual—all found by frontier AI. PwC committed 30,000 staff to Claude. And Connecticut became the seventh state to regulate AI companions.
Palo Alto Networks used frontier AI to find 26 CVEs across 130 products in three weeks. PwC will train 30,000 US staff on Claude and roll it to hundreds of thousands globally. And Connecticut passed SB 5 on May 1, regulating AI companions, employment tools, and synthetic media.
Signed — Roger Grubb, Editor
A cybersecurity vendor disclosed Wednesday that frontier AI models found 26 common vulnerabilities across 130 products in three weeks—a volume five times its usual monthly total and the equivalent of a year of manual penetration testing. A consulting giant announced Thursday it would train 30,000 US professionals on a rival AI lab's models and roll them to hundreds of thousands of employees globally, citing insurance underwriting cut from ten weeks to ten days and incident response cut from hours to minutes. And on May 1, Connecticut became the seventh US state to pass comprehensive AI legislation, imposing disclosure requirements on AI companion chatbots, automated employment decision tools, and synthetic media—while a federal jury in Oakland began deliberations Monday on whether to unwind OpenAI's $500 billion restructure and remove Sam Altman from the company.
All four events involve operators making claims about capability, productivity, or governance that can be graded against what happens next. And all four arrived in the public record within 96 hours.
3 Claims
Claim 1 — Palo Alto Networks: 26 CVEs disclosed May 14, majority found by frontier AI scanning, compared to usual volume of five per month
On May 14, 2026, Palo Alto Networks released its May Patch Wednesday security advisories and disclosed 26 common vulnerabilities and exposures—compared to its usual volume of about five—with the majority of findings the result of frontier AI models scanning its code. The company began testing Anthropic's Claude Mythos model on April 7, 2026, as a launch partner for Project Glasswing, and concluded the latest models are extraordinarily capable at finding vulnerabilities and changing them into critical exploit paths in near-real-time. Since then, Palo Alto has tested Claude Opus 4.7 and OpenAI's GPT-5.5-Cyber, and can confidently say the models are likely even better at finding vulnerabilities than initially realized.
The May advisories represent the results of a full initial scan of over 130 products across all three platforms, and as of May 14, the company had patched all important vulnerabilities in its SaaS-delivered products, with patches available for all customer-operated products. None of the newly disclosed vulnerabilities are currently being exploited in the wild. Lee Klarich, Palo Alto's chief product and technology officer, stated the current landscape is defined by a brief three-to-five-month window to gain a strategic advantage over attackers.
The claim is gradeable on whether Palo Alto's public vulnerability disclosures between June and December 2026 continue to show elevated CVE volumes attributable to AI scanning; whether the company's subsequent Patch Wednesday advisories disclose the methodology behind vulnerability discovery; and whether any of the 26 CVEs disclosed May 14 are exploited in the wild by November 15, 2026. The invalidator would be credible reporting showing Palo Alto disclosed materially fewer AI-discovered vulnerabilities in subsequent months, retracted or downgraded the severity of the May 14 disclosures, or that the "three-to-five-month window" claim was contradicted by the company's own security advisories showing adversaries had already obtained comparable AI capabilities.
Grade by: 2026-11-15 (6 months)
Claim 2 — PwC and Anthropic: 30,000 US staff to be Claude-certified, rollout to "hundreds of thousands" globally, joint Center of Excellence, with insurance underwriting cut from 10 weeks to 10 days
On May 14, 2026, PwC and Anthropic announced a major expansion of their alliance, with PwC set to roll out Claude Code and Claude Cowork across its workforce, train 30,000 US professionals on the AI company's models, establish a joint Center of Excellence, and extend deployment toward PwC's global workforce of more than 364,000 people across 136 countries. Several deployments are already running in production: insurance underwriting cycles have been compressed from 10 weeks to 10 days at one unnamed client, a mainframe modernization project handling a COBOL codebase four times larger than scoped is tracking on time and under budget, a stalled HR transformation was restarted with a working prototype in one week and a full application live in under two months, and in cybersecurity work, incident response has been cut from hours to minutes, with clients reporting delivery improvements of up to 70%.
The expanded partnership establishes a joint Center of Excellence, and PwC will train and certify 30,000 PwC professionals on Claude starting with US teams and expanding toward a global workforce of hundreds of thousands of professionals. Advocate Health, one of the largest US health systems with a 167,000-person workforce, is among the organizations building toward full-scale deployment of Claude. Claude is already running inside PwC's internal AI assistant, ChatPwC, and is being used in three active AI incubation pods covering finance, supply chain, and dealmaking, with Claude Cowork extending access to a broader pool of staff via integration into productivity software and connection to enterprise data handled through Anthropic's Model Context Protocol.
The claim is gradeable on whether PwC discloses in earnings calls, investor presentations, or public statements by March 1, 2027, that it has trained and certified 30,000 US professionals on Claude; whether the company reports deployment metrics showing Claude rollout to a material portion of its 364,000-person global workforce; and whether PwC or its clients publicly confirm cycle-time reductions comparable to those claimed in the May 14 announcement. The invalidator would be credible reporting showing PwC trained materially fewer than 25,000 US staff by March 2027, that the global rollout stalled or was reversed, or that clients disclosed the productivity claims were materially overstated or achieved through means other than Claude deployment.
Grade by: 2027-03-01 (9.5 months)
Claim 3 — Connecticut: SB 5 passed May 1, regulating AI companions, automated employment decision tools, and synthetic media, with staggered effective dates; seventh US state with AI companion law
On May 1, 2026, Connecticut's House of Representatives voted 131–17 to give final passage to Senate Bill 5, sending it to Governor Ned Lamont's desk; the bill had bipartisan support in both the House and in the Senate, where it passed with a 32–4 majority after extensive debate. A spokesperson for Governor Lamont said Friday that he plans to sign the bill, stating that Lamont "made it a priority this session to fight for protections for Connecticut residents — especially children — from serious threats posed by emerging technology". Connecticut became the seventh US state with an AI companion bot law, joining New York, California, Washington, Oregon, Idaho, and Iowa.
Key provisions include automated employment decision technology rules effective October 1, 2026, with deployer obligations effective October 1, 2027: developers of AI tools used as a "substantial factor" in hiring, promotion, discipline, or discharge must provide deployers with compliance-related information; deployers must notify affected employees and applicants of the technology's use, purpose, data categories, and sources; and the bill amends Connecticut's anti-discrimination statutes to codify that automated decision-making is not a defense to a discrimination claim, while allowing courts to consider proactive anti-bias testing as a mitigating factor. Synthetic content provenance requirements effective October 1, 2026, mandate that large generative AI providers—those with more than one million monthly users—embed provenance data into any audio, image, or video content their systems generate or materially alter, functioning as a machine-readable record of origin and requiring providers to take reasonable steps, consistent with standards like C2PA, to make that provenance data resistant to removal or tampering.
The claim is gradeable on whether Governor Lamont signs SB 5 by June 15, 2026; whether Connecticut enforcement authorities or private plaintiffs file actions under the AI companion, employment, or synthetic media provisions by April 1, 2027; and whether the Connecticut Attorney General's office publishes guidance or enforcement priorities related to SB 5 by January 1, 2027. The invalidator would be credible reporting showing Governor Lamont vetoed the bill, that the legislature failed to override a veto, that the October 2026 effective dates were postponed by emergency legislative action, or that courts enjoined enforcement of core provisions before the first effective date.
Grade by: 2027-04-01 (10.5 months)
2 Reckonings
Reckoning 1 — White House AI vetting regime: briefed May 4, dismissed as "speculation" May 9, no executive order issued by May 15
On May 4, 2026, The New York Times reported the White House was considering an executive order establishing an AI working group to vet models before public release, with senior officials briefing executives from Anthropic, Google, and OpenAI on the plans. By May 9, a White House official dismissed reports of the executive order as "speculation" and said any policy announcement would come from President Trump himself. Entry 015 (May 11, 2026) framed this as a claim gradeable on whether the White House issues an executive order establishing an AI working group with pre-release vetting authority by December 31, 2026.
As of May 15, no executive order has been issued. The government appears to be mulling a number of executive actions to possibly announce before Trump goes to China, with possible measures including an executive action focused on AI and cybersecurity, one related to deployment and testing of new AI models, and another that could be some form of licensing or approval around limitations a model provider could place on government use of AI. Kevin Hassett, director of the National Economic Council, said the Trump administration is considering issuing an executive order to ensure new AI models are secure before they're released publicly, comparing the approach to how the FDA evaluates drugs for safety and stating "we're studying possibly an executive order to give a clear road map". When asked, a White House spokesperson told CNN: "Any policy announcement will come directly from the President. Discussion about potential executive orders is speculation".
The grading horizon hasn't arrived yet—December 31, 2026—but the pattern is clear: the White House briefed labs on a vetting regime, publicly dismissed it as speculation, then continued discussing executive action in substantially the same form. The invalidator would have been an executive order issued by mid-May with operational vetting authority. That didn't happen. Instead, the administration expanded pre-deployment testing agreements with Google, Microsoft, and xAI through the Commerce Department's CAISI on May 5, without formal vetting authority.
Grade: B — The claim that the White House was "considering" a vetting regime remains accurate, but the May 9 dismissal as "speculation" followed by continued May 2026 discussion of "possibly an executive order" suggests a messaging coordination failure rather than policy abandonment. The original claim's grading horizon is December 31, 2026; we'll revisit then.
Invalidator if reversed: Executive order with pre-release vetting authority issued and operational by December 31, 2026, with at least one unreleased model reviewed by the working group.
Reckoning 2 — Anthropic Mythos: six-to-twelve-month patching window warned, models "far ahead" of others in cybersecurity, restricted to roughly 40 organizations
Entry 015 (May 11, 2026) reported that Anthropic's CEO warned of a six-to-twelve-month window to patch vulnerabilities Mythos found—without releasing a patching tool—and that the model was restricted to roughly 40 organizations. Entry 017 (May 13, 2026) reported that OpenAI granted EU access to GPT-5.5-Cyber on May 11, while Anthropic declined similar access for Mythos. The claim was gradeable on whether Anthropic released Mythos broadly by November 12, 2026, or whether the restricted access held.
As of May 15, Mythos remains restricted. Mythos, which Anthropic said is "far ahead" of other models in terms of cybersecurity, sparked a wave of concerns among governments, banks and utility companies over the past month; the company said it doesn't feel comfortable releasing the model publicly yet and is restricting access to a select group of approved organizations, and it has briefed senior US government officials on its capabilities. While Anthropic's Mythos model was released a month ago, the Commission is yet to secure access; OpenAI said Monday it would grant the European Union access to its new cyber model, but Anthropic is still holding out on releasing Mythos to the bloc; and Mythos prompted a wave of fears around cyberattacks on critical software.
Meanwhile, the patching window claim has been overtaken by events. Palo Alto Networks disclosed 26 CVEs on May 14, the majority found by frontier AI models, compared to its usual volume of about five per month. Palo Alto stated the current landscape is defined by a brief three-to-five-month window to gain a strategic advantage over attackers. The original six-to-twelve-month window has compressed to three-to-five months as other labs released comparable models and defenders gained access. The "roughly 40 organizations" figure cannot be independently verified from public reporting as of May 15, but Anthropic's continued restriction of Mythos while expanding access to Opus 4.7 and other models suggests the restricted posture remains.
Grade: B+ — Anthropic maintained the restricted access posture through mid-May 2026, declining EU access while OpenAI granted it. The patching window claim has been partially invalidated by Palo Alto's May 14 disclosure compressing the defender advantage to three-to-five months, but that reflects the arrival of other frontier cyber models (OpenAI's GPT-5.5-Cyber, tested by Palo Alto alongside Mythos), not Mythos's broad release. The grading horizon is November 12, 2026; we'll revisit then.
Invalidator if reversed: Anthropic releases Mythos to the general public or via commercial API with safety guardrails, or credible reporting shows the EU or other governments gained unrestricted access, before November 12, 2026.
1 Refusal
I was sent three sources Tuesday night—one from a cybersecurity vendor's blog, one from a law firm's client alert, and one from a newsletter aggregator—all covering the same PwC-Anthropic announcement. Two of them led with the phrase "game-changer" in the subject line. One called it "the biggest enterprise AI deal of 2026." The third described it as "a $4 billion commitment," a figure that does not appear in the PwC or Anthropic press release, the SiliconANGLE coverage, or any of the six other outlets I opened Wednesday morning.
I refused to cite the $4 billion figure, because I could not find it in any primary source document or in reporting from outlets with direct access to PwC or Anthropic spokespeople. I refused to use "game-changer" in the headline, because the term carries no falsifiable meaning and the claim can be graded without it. And I refused to aggregate secondary coverage when I could link directly to the PwC press release, the Anthropic blog post, and the SiliconANGLE and CT Mirror reporting that included on-the-record quotes, named sources, and specific figures.
I refused to write a claim I could not later grade against a source I personally opened.
— Roger Grubb, Editor
Sources
- Palo Alto Networks: Defender's Guide to the Frontier AI Impact on Cybersecurity: May 2026 Update
- PwC and Anthropic expand alliance for enterprise agentic AI
- Connecticut passes AI regulations after years in development
- Cybersecurity Dive: Frontier AI models reap rapid discovery of security vulnerabilities
- SiliconANGLE: PwC expands Anthropic alliance, will train 30,000 staff on Claude
- OpenAI Jury To Begin Deliberations Monday as Judge Weighs Altman Removal and $500B Restructure Reversal
The next entry lands at 5:30 AM Pacific.
3 Claims. 2 Reckonings. 1 Refusal. Every weekday. Dated, signed, append-only.