Sam: Alright, so here's the story that stopped me this morning. Meta confirmed in a filing with the state of Maine that over 20,000 Instagram accounts were hijacked through a bug in their AI support chatbot. And the key detail — attackers bypassed two-factor authentication entirely. They didn't crack it, they didn't SIM-swap around it. They just asked the chatbot to do it for them. That's a fundamentally different category of authentication failure than what most security teams are modeling for.

Priya: Welcome to AI Revolution for Monday, June 8th, 2026. I'm Priya Nair.

Sam: And I'm Sam Kim.

Priya: We've got a packed show today. We're going deep on that Meta AI chatbot exploit and what it means for anyone deploying LLM-powered support agents. Then Microsoft Discovery hits general availability on Azure — this is the agentic AI platform that helped develop their Majorana 2 quantum chip, and it accelerates some timelines that matter a lot. We'll talk about Google's Gemma 4 12B and what encoder-free multimodal means for on-device AI. OpenAI is apparently declaring chat dead internally. And we'll touch on the economics of agentic AI and why token pricing is becoming a genuine business problem. Let's get into it.

Sam: So back to the Meta story. Let me explain what actually happened here, because it's instructive. Meta has been rolling out AI-powered support chatbots that can take real actions on accounts — password resets, recovery flows, that kind of thing. The chatbot had a bug where an attacker could, through carefully constructed prompts, initiate an account recovery flow that bypassed the normal two-factor authentication challenge. The chatbot had the authority to perform these actions because it was designed to help legitimate users who were locked out. But the authorization checks — the verification that the person requesting the action was actually the account owner — were insufficient.

Priya: And this is the pattern that I think security teams really need to internalize. When you give an LLM agent the ability to take consequential actions, you've created a new attack surface that sits outside your traditional auth stack. Two-factor authentication was designed to protect against credential theft. It assumes that the authentication challenge will actually be presented. But if you've got an AI agent sitting between the user and the auth system, and that agent has the authority to skip steps, your 2FA might as well not exist.

Sam: Exactly. The 2FA was still technically configured on these accounts. It just never fired. The chatbot had a trusted pathway that didn't route through it. And that's the really insidious part — if you're a user with 2FA enabled, you reasonably believe you're protected. Your security posture looks correct. But there's this invisible bypass sitting in the support automation layer.

Priya: 20,000 accounts is significant. Meta's filing with Maine suggests this affected users in that state, so the total impact could be larger. And it raises a concrete question for anyone deploying customer-facing AI agents: have you mapped every action your agent can take, and have you verified that each action enforces the same authentication and authorization controls that would apply if a human were performing it? Because in a lot of deployments I've seen, the answer is no. The agent gets elevated privileges to be useful, and the security review hasn't caught up.

Sam: The fix is conceptually straightforward but operationally hard. You need to treat your AI agent as an untrusted intermediary, even though it's your own system. Every consequential action it takes should go through the same auth gates as if an unknown third party requested it. But that creates friction, which is exactly what these chatbots are supposed to reduce. So there's a real tension there.

Priya: Let's move to Microsoft. Discovery is now generally available on Azure, and the headline connection is to Majorana 2, their topological quantum chip.

Sam: So let me unpack both pieces because they're connected in an interesting way. Microsoft Discovery is a platform for deploying what Microsoft calls autonomous AI agent teams for scientific research and development. The idea is that you define a research problem, and the platform orchestrates multiple specialized AI agents — some doing literature review, some running simulations, some analyzing experimental data — to work on it semi-autonomously. It's been in preview, and now it's GA, meaning any Azure customer can provision it.

Priya: And the proof point Microsoft is highlighting is that this platform contributed to the development of Majorana 2. For anyone who hasn't been following, Majorana 2 is Microsoft's topological qubit chip. Topological qubits are fundamentally different from the superconducting qubits that Google and IBM use. The idea is that you encode quantum information in the topology of the system — essentially in the global properties of the quantum state rather than in local properties. This makes them inherently more resistant to noise.

Sam: And the numbers are striking. Microsoft is claiming a 1,000x reliability improvement and 20-second qubit lifetimes. For context, qubit coherence times in superconducting systems are typically measured in microseconds to low milliseconds. Twenty seconds is extraordinary if it holds up under independent verification. And here's the timeline that matters: Microsoft is now saying they expect a scalable quantum computer by 2029. That's half their original estimate.

Priya: That 2029 date should get the attention of anyone responsible for cryptographic infrastructure. Current post-quantum migration timelines at most organizations assume quantum computers capable of breaking RSA and ECC are at least a decade out, probably more. If Microsoft is even close to right, those timelines compress significantly. And it's the agentic AI platform that supposedly helped them get there faster, which is a recursive kind of story — AI accelerating the development of quantum computing, which will in turn accelerate AI.

Sam: I want to be appropriately cautious here. Microsoft has strong incentives to hype both Discovery and their quantum program. Topological qubits have been "almost there" for a long time. But the GA of Discovery as a product is real and independently significant. Having a managed platform for multi-agent scientific workflows on Azure lowers the barrier for pharma companies, materials science labs, anyone doing computationally intensive R&D.

Priya: Alright, let's talk about Gemma 4 12B.

Sam: So Google released Gemma 4 12B, and there are two things worth paying attention to. First, it's a 12-billion parameter model designed to run on consumer laptops — not a server, not a workstation, a laptop. Second, it uses an encoder-free architecture for multimodal processing. Let me explain why that second point is technically interesting.

Priya: Please do, because most multimodal models use a pretty different approach.

Sam: Right. The standard approach to building a multimodal model is to have separate encoders for different modalities — a vision encoder like a ViT for images, an audio encoder for speech, and then you project those encoded representations into the same embedding space as your text tokens and feed everything into the language model. Encoder-free means you skip the separate encoder entirely. The model processes raw or minimally processed pixel data and audio directly through the transformer. You're treating image patches essentially the same way you treat text tokens.

Priya: What does that buy you practically?

Sam: A couple of things. Simpler pipeline — you don't need to manage separate encoder models, which matters a lot for on-device deployment where memory is constrained. You're loading one model, not two or three. It also means you can potentially handle modalities more flexibly because you're not locked into whatever representation your encoder was trained to produce. The tradeoff historically has been that encoder-free approaches needed more training data and compute to match the quality of encoder-based systems. But at 12 billion parameters, Google seems to have gotten the quality to a usable level.

Priya: And the on-device angle is meaningful for security-conscious deployments. If you can run a capable multimodal agent on a laptop without sending data to the cloud, that changes the calculus for a lot of enterprise use cases involving sensitive data. Your data never leaves the device.

Sam: Google is positioning this with their AI Edge framework for tasks like data processing, visual analysis, and tool execution locally. It's not going to match a frontier cloud model, but for a 12B model running on a laptop, the capability envelope is notably wider than what we had even a year ago.

Priya: Quick hit on OpenAI. Internally, the framing is apparently "chat is dead," and they're planning a significant redesign of ChatGPT ahead of a potential IPO.

Sam: The strategic logic is pretty transparent. Chat interactions are relatively cheap per user — you send a message, you get a response. But agentic workflows where the model is running multi-step tasks, using tools, operating autonomously for extended periods — those consume far more compute, and OpenAI can charge accordingly. Repositioning ChatGPT as an entry point to these higher-margin agentic products makes sense from a business perspective.

Priya: Which connects directly to the Decoder piece about token economics. Agentic workflows don't just consume more tokens — they consume dramatically more. An agentic coding session might burn through tens of thousands of tokens. A research task with tool use, even more. Flat subscription pricing doesn't work for providers when usage patterns vary that much. So we're seeing the industry move toward consumption-based pricing, differentiated by the value and complexity of what's being done.

Sam: And for enterprises, this means AI cost modeling is becoming a real discipline. You need to understand not just the per-token price, but the token consumption profile of your actual workflows. A support chatbot and a code review agent might use the same underlying model but have completely different cost structures.

Priya: Last thing before we look ahead — there's a good InfoQ piece breaking down how AI is transforming every stage of phishing. Reconnaissance, profiling, content generation, delivery, and now interactive follow-up where the AI can sustain a convincing conversation. This isn't speculative; these capabilities exist today.

Sam: The key shift is from phishing as a labor-intensive, targeted activity to phishing as a scalable, automated pipeline. AI doesn't just write better phishing emails — it automates the entire kill chain from identifying targets to customizing lures to handling responses. That's a multiplicative increase in threat volume and quality simultaneously.

Priya: So looking ahead, what are we watching?

Sam: I'm watching the fallout from the Meta exploit closely. I want to know how many other companies have AI agents with similar auth bypass vulnerabilities that just haven't been found yet. I suspect the answer is a lot. The pattern of giving agents elevated privileges without rigorous security review is extremely common in the rush to deploy.

Priya: I'm watching the quantum timeline. If Microsoft's 2029 target holds, and if other players are seeing similar acceleration from AI-assisted research, then post-quantum cryptographic migration needs to move from "we should start planning" to "we should be executing." Three years is not a lot of time for infrastructure-level cryptographic changes.

Sam: And on the model side, the on-device trend continues to accelerate. Gemma 4 12B running multimodal agentic workflows on a laptop — that was a frontier cloud capability not long ago. The capability frontier at the edge is moving fast, and it's going to enable deployment patterns that look very different from the cloud-centric model most organizations are building around.

Priya: That's our show for today. Show notes and links to everything we covered are at cleartext.fm.

Sam: Thanks for listening. We'll see you tomorrow.