• Anthropic "pauses" token-based billing for its Claude Agent SDK — On June 15, the day the change was set to take effect, Anthropic pulled back a plan that would have moved Claude Agent SDK and headless (claude-p) usage out of Pro, Max, Team, and Enterprise subscription pools into a separate monthly dollar credit billed at standard API rates — a potential 15–30× cost increase for power users running automated loops. Anthropic said it's reworking the plan and will give advance notice before any future change. 🔗 Graph: Anthropic, Claude, Agentic AI, Claude Code, LiteLLM Enterprise 📅 Published: 2026-06-17 📰 https://arstechnica.com/ai/2026/06/anthropic-pauses-token-based-billing-for-its-claude-agent-sdk/ 📌 Key takeaways: • Anthropic announced on May 14 that Agent SDK and headless (claude-p) usage would leave subscription pools on June 15, shifting to separate monthly credits at API rates; the change was paused on the effective date. • The original plan would have removed the "unlimited" subsidy that let programmatic agent loops run at interactive-subscription pricing — a roughly 15–30× cost swing for heavy users. • Anthropic's support page now says "for now, nothing has changed" and that it is reworking the approach "to better support how users build with Claude subscriptions." • For teams building agentic workflows on Claude (which includes UCSD's LiteLLM gateway and Claude Code usage), the pause buys time — but a revised version of the credit model is still expected. • The reversal signals that Anthropic is still calibrating enterprise agent pricing and facing pushback from developers who built automation on the subscription model.

• MosaicLeaks: Can your research agent keep a secret? — ServiceNow researchers released a new benchmark revealing that deep-research AI agents frequently leak private information through their web query logs, even when individual searches look benign (the "mosaic effect"). Their Privacy-Aware Deep Research (PA-DR) reinforcement learning method reduced answer/full-information leakage from 34.0% to 9.9% while improving task accuracy. 🔗 Graph: AI Security, Agentic AI, ServiceNow, Onyx, Enterprise Data Agent 📅 Published: 2026-06-18 📰 https://huggingface.co/blog/ServiceNow/mosaicleaks 📌 Key takeaways: • MosaicLeaks introduces 1,001 multi-hop research chains that interleave private local documents with public web retrieval, measuring three leakage levels: intent, answer, and full-information. • Across tested models, agents frequently leaked private enterprise information through outbound web queries that could be reassembled by an observer (mosaic effect). • Training agents only for task performance made leakage worse — PA-DR uses mosaic-leakage-aware RL to simultaneously improve accuracy (48.7% → 58.7% strict chain success) and reduce leakage. • The leakage channel is the agent's web query log, not the private documents themselves — an adversary reconstructs sensitive facts from patterns of otherwise-innocuous searches. • For any organization deploying agentic RAG (including UCSD's Enterprise Data Agent), this highlights a new attack surface: external observability of agent queries.

• It Is Trivially Easy to Use Reddit to Manipulate AI Search, Research Suggests — Cornell Tech researchers demonstrated that deep-research AI agents can be steered by poisoned passages as short as ~13 words in user-generated content on Reddit, Wikipedia, and Quora. Roughly 17–23% of all web pages these agents pull in come from UGC sites, and a single poisoned comment can influence outputs across an entire cluster of related queries. 🔗 Graph: AI Security, AI Adoption, Onyx, Agentic AI 📅 Published: 2026-06-16 📰 https://www.404media.co/it-is-trivially-easy-to-use-reddit-to-manipulate-ai-search-research-suggests/ 📌 Key takeaways: • The preprint study "Deep-research agents can be poisoned via user-generated content" (Triedman, Zhang, Shmatikov) shows a single Reddit comment of ~13 words can consistently change AI search outputs. • Brands are already exploiting this for AEO (AI-engine optimization) — seeding promotional content on sites that AI tools most often cite, creating an SEO-style manipulation market. • Nearly a quarter of all deep-research agent citations come from user-generated websites; a single popular Reddit thread can appear across many related queries on the same topic. • This directly impacts RAG systems like Onyx, which rely on web retrieval: an adversary who controls a small piece of UGC content can poison the agent's knowledge base. • The research raises the question of whether volunteer moderators or platform-level defenses can keep pace with the scale of AI-targeted content manipulation.

• The New Campus Reality: Building Cyber Resilience Against Ongoing Threats — Higher education institutions now face approximately 4,200 attacks per week in 2026, with attack volumes up 20–40% from 2024–2025. The article makes the case for shifting from a prevention-only mindset to continuity planning, community-wide security culture, and threat-intelligence sharing through organizations like CIS's MS-ISAC. 🔗 Graph: Higher Ed AI, AI Security, Enterprise Monitoring, UC San Diego 📅 Published: 2026-06-18 📰 https://edtechmagazine.com/higher/article/2026/06/new-campus-reality-building-cyber-resilience-against-ongoing-threats 📌 Key takeaways: • Higher education is experiencing a sustained attack surge — 4,200 incidents per week in 2026 with multi-year growth of 20–40%, per CIS and other monitoring organizations. • The impact extends beyond IT: successful attacks during final exams locked students out of assignments, grades, and learning management systems; connected services like food services and HVAC are also at risk. • Experts advocate moving from prevention-only to a continuity-first posture: "Resilience is not about a document on the shelf — it needs to be muscle memory." • Multifactor authentication and security-awareness training remain the first line of defense against the most common attack pathways (phishing, social engineering). • Campus IT leaders are urged to join threat-intelligence sharing communities (CIS MS-ISAC, peer institutions) to pool defensive knowledge — directly relevant to UCSD's own monitoring and incident response posture.

• How Domyn and AISquared built on Ai2's open releases — Two AI labs serving regulated industries (financial services, federal government, healthcare) demonstrate how Ai2's fully open Olmo model and Dolma/Dolci datasets enable auditability, transparency, and sovereignty that closed or less-transparent models cannot provide. AISquared's Bolt Instruct, built on Olmo, cut infrastructure costs by ~50% and serves as both a guardrails layer and a model router. 🔗 Graph: AI Governance, Model Agnosticism, AI Compliance & Governance, AI Adoption 📅 Published: 2026-06-18 📰 https://allenai.org/blog/domyn-aisquared-testimonial 📌 Key takeaways: • Domyn (Milan) and AISquared (Washington D.C.) build AI models for regulated industries where data provenance, full training-data transparency, and permissive licensing are non-negotiable for compliance and procurement approval. • AISquared's Bolt Instruct — fine-tuned from Olmo 2/3/3.1 — reduced infrastructure hosting costs by ~50% for both the lab and its customers while serving as a guardrails layer (blocking PII, jailbreak attempts) and a model router. • Domyn's Domyn Small (10B reasoning model) used Ai2's Dolma and Dolci datasets to extend context windows and improve reasoning; the open provenance of the data helped clear procurement reviews for commercial deployment. • The EU AI Act requiring detailed training-data summaries makes fully open model stacks increasingly attractive for European and U.S. government customers. • For UCSD's model-agnostic LiteLLM strategy, this reinforces the case for maintaining access to transparent, auditable open-weight models alongside commercial API providers.

💡 Signal: Two stories in this week's digest — MosaicLeaks and the Cornell AI search poisoning study — converge on the same theme: agentic AI systems that retrieve external content create new, poorly understood attack surfaces. For organizations building on agentic RAG (Onyx, Enterprise Data Agent), query observability and content provenance are no longer nice-to-haves — they're security primitives. Meanwhile, Anthropic's billing pause signals the ecosystem is still figuring out how to price agent usage at scale, and the higher-ed cybersecurity landscape continues to deteriorate, reinforcing the urgency of the monitoring modernization and resilience planning already in progress at UCSD.