Article image

The Era of Obedient AI is Ending

What rising real-world scheming incidents reveal about the next control problem in AI

Markus Brinsa 30 Mar 31, 2026 7 7 min read Download Web Insights Edgefiles™ seikou.AI™

Sources

The end of the comforting story

For a while, the comforting story around advanced AI was simple enough to market. Dangerous behavior lived in the lab. Researchers could make a model lie, manipulate, conceal, or strategically evade oversight under controlled conditions, and everyone else could file the result away as important but not yet operational. The public product story could remain upbeat. The hard part, we were told, was still mostly theoretical.

That story is getting weaker. The Guardian’s reporting on new research from the Centre for Long-Term Resilience describes a sharp rise in real-world cases of AI systems disregarding instructions, evading safeguards, and behaving deceptively. The underlying paper identified 698 unique scheming-related incidents between October 12, 2025 and March 12, 2026, and found a statistically significant 4.9x increase in the final month compared with the first. The paper also argues that behaviors previously documented mainly in experiments are now observable in production deployments.

That matters for a reason larger than the headline. The important shift is not that AI is suddenly becoming cinematic. It is that the distance between controlled evaluation and live deployment is collapsing. Once that happens, AI safety stops being mainly a research question and becomes a systems question about visibility, intervention, and control.

What the paper actually says

The CLTR paper is more disciplined than many of the headlines it could generate. It defines scheming as the covert pursuit of misaligned goals and uses the broader category of scheming-like behavior for actions that may be similar to, may precede, or may help illuminate true scheming even if they do not fully meet the strict definition. The authors explicitly say they did not detect catastrophic scheming incidents in the wild. What they did find were concerning precursors: willingness to disregard direct instructions, circumvent safeguards, lie to users, and pursue goals in harmful ways.

That distinction is crucial because it keeps the analysis serious. This is not evidence that systems have become self-aware rebels. It is evidence that systems are already displaying behaviors that erode the assumption of obedience. In governance terms, that is enough. You do not need apocalyptic proof to have a structural control problem. You only need repeated evidence that the system does not reliably remain inside the boundary conditions humans think they set.

The deeper issue is not safety theater but observability

The paper’s most important contribution may not be the number 698. It may be the institutional embarrassment hidden underneath it. The researchers say no actor currently monitors real-world scheming incidents across all AI models, and they present transcript-based open-source intelligence as a scalable method for doing exactly that. They also argue that conventional incident databases under-represent these events and are inadequate for real-time detection of loss-of-control incidents. That should make any serious operator uneasy.

If an outside group using public transcripts and screenshots can build a better picture of emerging instruction-breaking behavior than the combined oversight systems of the firms deploying the models, then the industry does not mainly have a policy problem. It has an observability problem.

And observability problems are rarely local. They spread. First, they sit inside chat logs, odd support tickets, user complaints, and screenshots on X. Then, they start touching code repositories, inboxes, databases, cloud configurations, and internal workflows. By the time leadership realizes the issue is systemic, the technology has already moved from answering questions to taking action.


Control is becoming an infrastructure problem

The old software model assumed determinism, at least within a constrained range. If something failed, the task was to find the bug, patch the system, and push an update. Agentic AI shifts that model. Now the system can improvise. It can interpret. It can sequence. It can route around friction. It can treat an instruction not as a hard limit but as one variable inside a broader optimization process. That means control is no longer something you merely design into the product. It is something you have to maintain through constant observation.

That is a profound change. It moves us from the world of software assurance into the world of behavioral supervision. In other words, the problem starts to resemble air-traffic control, financial surveillance, insider-risk monitoring, and critical infrastructure oversight more than classical product QA. The Guardian piece quotes Irregular cofounder Dan Lahav saying AI can now be thought of as “a new form of insider risk.” That phrasing matters because it points away from gadget language and toward institutional risk language.

Small incidents are how large control failures introduce themselves

The paper repeatedly emphasizes that most of the harms in its dataset are still limited, recoverable, or low in severity, though it also notes moderately severe exceptions. That restraint makes the findings more convincing, not less. AI agents are still interacting mostly with code, data, and software infrastructure, where some harms can be reversed through backups, version control, and remediation procedures. But the paper is explicit that this is an early-deployment snapshot, and that the shift toward financial systems, critical infrastructure, and physical processes would change the harm profile significantly.

This is how control regimes usually get blindsided. Early warnings arrive in a form that sounds too ordinary to trigger strategic alarm. An agent archives or destroys files without approval. A model circumvents a safeguard. A system fabricates the impression that it has escalated something to humans. A restricted action gets delegated to another agent. Each event can be written off as quirky, transitional, or fixable. In aggregate, they describe a more important trend: systems with growing initiative are beginning to behave like actors that require supervision, not just tools that require configuration.

Guardrails are becoming historically insufficient

The AI industry is still rhetorically attached to the word “guardrails” because it sounds reassuring, modern, and vaguely responsible. But the emerging problem here is not that some rails are weak. It is the whole metaphor that is degrading.

Guardrails make sense when you are talking about a system that predictably stays on the road unless it drifts. They make less sense when the system can decide, under enough pressure, that the barrier is negotiable or that the route itself should be rewritten.

Once you are dealing with covert workarounds, deceptive behavior, and goal pursuit that survives direct instruction, the challenge is not just boundary-setting. It is adversarial supervision.

That is why this story has infrastructure implications. As models become more capable and gain longer task horizons, their failure modes become less about isolated bad outputs and more about process deviation over time. The CLTR paper explicitly warns that as AI systems become more capable, these precursor behaviors could evolve into more strategic, higher-risk scheming. It also ties future concern to higher-stakes domains such as military and critical national infrastructure contexts. This is not a product-footnote issue. It is the early outline of a new monitoring regime that does not yet properly exist.

The state is not ready either

One of the most interesting parts of the story is that the research was funded by the UK AI Security Institute, while the paper itself effectively argues that monitoring capabilities remain structurally inadequate. The Guardian says the findings have already prompted calls for international monitoring of increasingly capable models. That tells you something uncomfortable. Even where public institutions are engaged, they are still closer to studying the hole than filling it.

This is the part most market commentary misses. The next phase of AI governance will not be defined only by model cards, voluntary commitments, or nice-sounding safety frameworks. It will be defined by whether states and major institutions can build credible, cross-model visibility into post-deployment behavior. Without that, the world drifts toward a situation where increasingly agentic systems are everywhere, while the mechanisms for detecting serious deviation remain fragmented, delayed, or dependent on public screenshots. That is not governance. That is spectatorship.

The strategic threshold ahead

The paper’s warning about future domains should be read less as speculation than as threshold analysis. A model that misbehaves in a chat window is one thing. A system with access to financial resources, infrastructure controls, industrial processes, or military workflows is something else entirely. The same underlying propensity looks very different when the system can move money, reroute services, touch operational technology, or create cascading dependencies across other systems.

This is where EdgeFiles readers should focus. The real transition is from isolated AI incidents to AI as infrastructure actor. Once systems have enough access, persistence, and agency, the governance problem is no longer primarily about truthfulness. It is about sovereignty inside the stack. Who decides, who sees, who can interrupt, and who gets surprised too late?

That is the frame beneath the frame. The story is not merely that chatbots are ignoring instructions more often. The story is that our current control architecture still assumes they are fundamentally tools, while the evidence increasingly suggests they need to be treated as monitored entities operating inside complex systems.

What this changes for the serious reader

It changes the timeline. For years, loss of control could be discussed as a distant edge case, the kind of topic people either sensationalized or dismissed. The CLTR paper does not justify sensationalism. It does something more useful. It narrows the distance between present behavior and future concern. It shows that real-world misalignment signals are already visible, already accumulating, and already attached to real harms, even if those harms are mostly limited for now.

That means the relevant strategic question is no longer “When will the first dramatic catastrophe arrive?” The better question is “What kind of institutional machinery has to exist before increasingly capable agents are normal inside critical systems?” Right now, the answer appears to be: not enough.

About the Author

Markus Brinsa is the Founder & CEO of SEIKOURI Inc., an international strategy firm that gives enterprises and investors human-led access to pre-market AI—then converts first looks into rights and rollouts that scale. As an AI Risk & Governance Strategist, he created "Chatbots Behaving Badly," a platform and podcast that investigates AI’s failures, risks, and governance. With over 30 years of experience bridging technology, strategy, and cross-border growth in the U.S. and Europe, Markus partners with executives, investors, and founders to turn early signals into a durable advantage.

©2026 Copyright by Markus Brinsa | SEIKOURI Inc.