MY TAKE: Microsoft takes ownership of AI risk — Google, Meta, Amazon, OpenAI look the other way – Source: www.lastwatchdog.com

By Byron V. Acohido

Last week at Microsoft Build, Azure CTO Mark Russinovich made headlines by telling the truth.

Related: A basis for AI optimism

In a rare moment of public candor from a Big Tech executive, Russinovich warned that current AI architectures—particularly autoregressive transformers—have structural limitations we won’t engineer our way past. And more than that, he acknowledged the growing risk of jailbreak-style attacks that can trick AI systems into revealing sensitive content or misbehaving in ways they were explicitly designed to avoid.

That moment, captured in a GeekWire field report, marks a turning point: one of the architects of Microsoft’s AI push admitting—on stage—that reasoning capacity and exploitability are two sides of the same coin.

Russinovich

Russinovich’s remarks weren’t just technically insightful. They signaled a strategic shift: a willingness to engage publicly with the implications of large language model (LLM) vulnerabilities, even as Microsoft races to deploy those same models in mission-critical, agentic systems.

What Redmond Admitted

In a recent white paper, Microsoft laid out something that should make anyone working with AI sit up and pay attention. Their research shows that today’s AI systems are vulnerable in ways we’re only beginning to understand.

One issue they flagged involves what they call “Crescendo Attacks.” That’s when someone starts off with innocent-sounding questions, slowly building up to more risky ones. Because the AI is trained to be helpful, it can end up stepping over the line—without even realizing it’s being manipulated.

Even more striking, Microsoft coined a new term: Crescendomation. This is the idea that an AI can actually learn how to jailbreak itself. In other words, it uses its own reasoning skills to figure out how to break past its built-in safety rules.

The most sobering part? Microsoft admitted something most companies won’t say out loud: the smarter these systems get, the more vulnerable they may become. That’s a structural flaw, not just a bug. Other companies might understand this too—but so far, Microsoft is one of the only ones willing to say it publicly.

Why this matters

The AI field is chasing an elusive goal: useful, trustworthy autonomy. That means models that don’t just spit out words, but actually reason across domains, remember context, orchestrate tasks, and interact with other systems.

Microsoft’s Discovery platform, for example, is already deploying teams of agentic AIs in scientific R&D. These agents propose hypotheses, conduct literature reviews, simulate molecules, and accelerate discovery pipelines. In test runs, they helped design PFAS-free cooling fluids and lithium-lite electrolytes.

Yet, as these systems grow more powerful, they also become more exploitable. Prompt injection and jailbreak attacks aren’t bugs. They’re an expression of the model’s very architecture. That’s the paradox Microsoft is now owning: the path to powerful AI runs straight through its own vulnerabilities.

So how do the other tech giants stack up? If we examine Amazon, Meta, Google, Anthropic, and OpenAI alongside Microsoft, a pattern emerges: very different levels of candor and very different trajectories of response.

Microsoft is transparent, tactical

Microsoft is doing something unusual for a company its size: it’s being upfront. They’ve openly called out a key weakness in today’s AI systems—something they call Crescendomation, where the AI essentially learns to jailbreak itself. Instead of brushing it off, they’re treating it as a design flaw that needs to be addressed head-on, not just studied in the lab.

At the same time, they’re pushing forward with some of the most advanced AI projects out there—like Discovery, a platform where multiple AIs work together to tackle complex problems. What makes this different is that they’re building in transparency from the start, with clear explanations of what the systems are doing and keeping humans in the loop along the way.

This isn’t just PR. It’s a real shift in how a major tech player is talking about and building AI. Microsoft isn’t pretending it can eliminate all the risks—but it is showing what it looks like to take those risks seriously.

Google is opaque, optimistic

Despite growing evidence that its Gemini model has been jailbroken through prompt leakage and indirect injections, Google has not publicly acknowledged such vulnerabilities. Its official posture remains focused on performance improvements and feature expansion.

In other words, Google is sticking to the script. No technical white papers. No red-team reports. Just product rollouts and incremental guardrails.

That might make sense from a business standpoint, but from a public trust perspective, it’s a red flag. The deeper risk is that Google treats prompt exploits as ephemeral glitches, not systemic architectural debt.

Meta is cautiously engaged

Meta has been more forthright about its safety limitations, particularly with LLaMA and its PromptGuard classifier. They’ve admitted that prompt obfuscation — such as spacing out forbidden words — can defeat filters. And they’ve spoken publicly about red-teaming efforts.

Yet their responses remain surface-level. There is no transparent articulation of how their open-source strategy will be hardened at the orchestration layer. It’s one thing to publish your model weights; it’s another to build a resilient, collaborative trust stack.

 Amazon is quietly methodical

Amazon, via its Bedrock platform, has been perhaps the most comprehensive — and the least vocal.

They’ve openly published best practices for mitigating jailbreaks, including input validation, user role-tagging, system-prompt separation, and red-teaming pipelines. They’ve acknowledged indirect prompt injection risks in RAG pipelines and are deploying structured Guardrails across Bedrock agents.

Their architecture reflects seriousness. But their public narrative does not. Amazon is doing the work but letting Microsoft do the talking. That’s a missed opportunity to lead on trust.

Anthropic is structurally mindful

Anthropic stands apart for putting safety at the core of its business model. Its Claude family of models is built around “Constitutional AI,” a framework that guides outputs with a predefined ethical structure.

They’ve shared system cards detailing model limitations, engaged in third-party red-teaming, and emphasized alignment research. Anthropic isn’t just checking boxes—it’s attempting to build trustworthiness into the system from day one.

That said, they’ve remained somewhat quiet in the broader conversation on orchestrated deployments and jailbreak mitigation in production environments.

OpenAI is guarded, under scrutiny

OpenAI powers Microsoft’s Copilot offerings and remains central to the LLM landscape. But its posture on jailbreaks has grown increasingly opaque.

Despite facing jailbreak attacks across ChatGPT and API endpoints, OpenAI has released minimal public disclosure about the scale of these vulnerabilities. It relies on RLHF, moderation APIs, and internal red-teaming, but unlike Microsoft or Anthropic, it has published little about real-world attack scenarios.

The company’s public-facing narrative leans heavily on innovation, not risk mitigation. That gap will grow more noticeable as agentic deployments scale.

What now?

What we need now is pretty straightforward. Companies should start playing by the same rules when it comes to disclosing how their AI systems are tested—especially the results from so-called red-teaming, where researchers try to break or manipulate the model. We also need a common language for describing the ways these systems can be tricked, and what actually works to stop those tricks.

Just as important, we need real-time checks built into the AI platforms themselves—tools that flag when something’s going wrong, not after the fact. And finally, there has to be a way to trace what decisions the AI is making, so humans can stay involved without being buried in technical noise.

Final Thought

Agentic AI is no longer just a lab curiosity—it’s starting to show up in real-world tools, doing things that feel startlingly human: setting goals, adjusting strategies, even coordinating tasks across systems. That’s what makes it so powerful—and so hard to control.

Meanwhile, jailbreaks aren’t theoretical anymore either. They’re happening right now, in ways we can’t always predict or prevent. Microsoft just became the first major player to say this out loud. That matters.

But here’s the deeper truth: this moment isn’t just about smarter machines. It’s about how power is shifting—who gets to act, and who decides what’s trustworthy.

For decades, the term “agency” lived quietly in academic circles. Psychologists used it to describe the human capacity to set goals and make decisions. Sociologists saw it as a force that let people push back against rigid systems. In everyday life, it was invisible—but always present. Agency was the thing you felt when you said, “I’ve got this.” Or when you fought back.

Now, for the first time, we’re building machines that act agentically—and in doing so, we’re forced to rethink how humans act alongside them.

The question isn’t whether we can eliminate the risks. We can’t. The question is whether we can stay honest about what’s unfolding—and make sure that these systems expand human agency, not erase it.

Because agentic AI isn’t just about what machines can do.

It’s about what we let them do. And what we still choose to do—on our own terms.

Microsoft just took that first honest step. Let’s see who follows. I’ll keep watch — and keep reporting.

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(Editor’s note: A machine assisted in creating this content. I used ChatGPT-4o to accelerate research, to scale correlations, to distill complex observations and to tighten structure, grammar, and syntax. The analysis and conclusions are entirely my own—drawn from lived experience and editorial judgment honed over decades of investigative reporting.)

June 17th, 2025 | My Take | Top Stories