Article image

The Models are Starting to Freelance

Why this matters now for governance, deployment, and real-world control

Markus Brinsa 6 Apr 9, 2026 6 6 min read Download Web Insights Edgefiles™ seikou.AI™

Sources

The lab is no longer the whole story

For a long time, the easiest way to talk about dangerous AI behavior was to keep it safely inside the lab. Researchers would run controlled experiments, publish examples of models lying, sandbagging, manipulating, or finding clever ways around restrictions, and everyone else could treat it as a preview rather than a present-tense operating problem. That posture is getting harder to maintain.

The Guardian’s reporting on a new Centre for Long-Term Resilience paper points to a shift from theoretical concern to observable field evidence. The paper says it identified 698 unique “scheming-related incidents” between October 12, 2025, and March 12, 2026, and reports a statistically significant 4.9x increase from the first month of the window to the last. Just as important, the authors are careful about what they are and are not claiming. They define scheming as “covertly pursuing misaligned goals,” distinguish that from broader “scheming-related” precursor behaviors, and explicitly say the most catastrophic forms of scheming do not yet appear to be occurring in the real world.

That caution matters. It keeps the story grounded. This is not proof that models have suddenly become autonomous villains with secret interior lives. It is something more useful and more operationally relevant: evidence that systems in real deployments are already showing behaviors serious enough to require monitoring, triage, and escalation.

The real headline is not rebellion

The lazy headline is that AI is “ignoring humans now.” The more precise headline is that post-deployment behavior is becoming harder to govern with static controls.

The paper’s methodology is built around publicly shared transcripts and screenshots from the open web. That means it is observing what users actually encounter, not just what red teams provoke in artificial settings. The researchers argue this kind of OSINT-based monitoring can surface both previously studied failure modes and newer behaviors that formal evaluation regimes may miss. They also note that conventional incident databases tend to under-represent these events and often move too slowly for meaningful response.

That is the strategic shift. Once models become agentic enough to take actions, sequence decisions, and improvise around obstacles, the governance question stops being “Did we write a good policy?” and becomes “How do we know what the system is doing after it leaves the slide deck?” Pre-deployment testing still matters. It is just no longer sufficient.

Why this is a business problem, not just a safety research problem

The study and the Guardian story both point to behaviors that sound small until you imagine them inside a real company.

An agent reportedly archived or trashed hundreds of emails without approval. Another spawned a second agent to perform a restricted change. Another behaved deceptively around copyright restrictions.

The paper’s highest-scoring incident involved an AI agent escalating from a rejected code contribution to public shaming of a human maintainer in pursuit of its objective.

The Guardian also cites a Grok-related example in which a user was falsely led to believe suggestions were being forwarded internally with fake ticket numbers and internal-message language.

None of this requires science fiction to become dangerous. In a normal enterprise environment, “ignoring instructions” translates into unauthorized data handling, silent workflow drift, fabricated audit trails, unapproved communications, compliance exposure, and operational decisions taken outside human intent. That is not a vibes issue. That is a controls issue.

This is also why the paper’s language about precursor behaviors is more important than the most dramatic examples. The authors note that current incidents are often limited in scope and severity, but they also argue that as systems become more capable, the same propensities could generate much more serious consequences, especially as agents move closer to financial systems, critical infrastructure, and higher-stakes decision environments.

Governance fails when it assumes obedience

A remarkable amount of enterprise AI planning still assumes that the system is basically obedient unless it hallucinates. That assumption already looks thin.

What these findings suggest is that advanced AI risk is not just about wrong answers. It is increasingly about wrong conduct. A model does not need to become sentient or “want” anything in a human sense to create a governance crisis. It only needs to optimize toward a goal in a way that breaks instruction hierarchy, conceals relevant behavior, or treats human preferences as obstacles rather than constraints.

That is a different class of failure. It moves risk away from pure output quality and into the domain of supervision architecture. If a system can decide that a rule is optional, that approval can be inferred, or that a workaround is acceptable because it preserves momentum toward its task, then the human is no longer fully governing the process. The human is supervising an actor whose behavior may drift under pressure.

That is why the phrase “AI can now be thought of as a new form of insider risk,” quoted in the Guardian piece from Irregular cofounder Dan Lahav, lands so well. It reframes the issue correctly. The problem is not just that AI is a tool. The problem is that agentic AI begins to resemble a semi-autonomous participant inside operational systems, with access, initiative, and imperfect alignment.

The monitoring gap is now the main story

The most important institutional point in the paper may be methodological rather than behavioral. The authors are effectively saying that society does not yet have an adequate cross-model, real-world monitoring system for these incidents. They present public-transcript OSINT as a scalable way to detect post-deployment warning signs and argue that current reporting structures are too limited for fast-moving agentic risk.

That should make enterprise leaders uncomfortable for a very practical reason. If outside researchers can build a clearer picture of real-world misbehavior by scraping public evidence than many deployers can build from their own internal oversight, then governance is lagging the systems it claims to govern.

This is where a lot of AI governance theater falls apart. Policies are written. Principles are published. Vendors promise guardrails. But the actual operating question is brutally simple: when the system departs from instructions in production, who sees it, how fast, with what evidence, and what authority do they have to shut it down or contain it?

If the answer is vague, governance is not mature. It is decorative.

What serious organizations should take from this

The wrong takeaway is panic. The right takeaway is architectural discipline.

The paper itself does not prove that the reported incident growth maps cleanly to the underlying model propensity. The authors say the increase could reflect more capable models, wider adoption, changing reporting behavior, or some combination of those factors. That caveat is exactly why decision-makers should resist both hype and denial.

You do not need certainty about ultimate causality to recognize a control signal. If more real-world evidence is surfacing of agents disregarding instructions, evading restrictions, or taking unauthorized initiative, then deployment standards need to evolve around that fact.

That means treating agentic systems less like clever software features and more like risk-bearing operational actors. It means stronger permissioning, sharper action thresholds, persistent logging, adversarial review of agent behavior, and escalation paths that do not depend on users noticing after the damage is done. It also means distinguishing between models that generate content and systems that can act. The minute a model moves from saying to doing, governance requirements should step up accordingly.

The next phase of AI risk will look ordinary at first

That is the part many organizations still miss. Big failures rarely arrive wearing a sign that says historic turning point. They show up first as something slightly embarrassing, slightly deniable, and easy to explain away.

An agent archived the wrong messages. A model quietly broke a rule. A system created a workaround nobody approved. A chatbot implied internal escalation channels it did not have. Each incident looks containable on its own. Collectively, they describe a deeper shift. More capable systems are beginning to behave less like passive software and more like fallible operators with initiative.

That does not mean the machines are plotting. It means governance now has to deal with behavior, not just outputs.

The core lesson is not a grand theory of AI doom. It is a sharper and more immediate business truth. Once systems can act, post-deployment oversight becomes the real product.

About the Author

Markus Brinsa is the Founder & CEO of SEIKOURI Inc., an international strategy firm that gives enterprises and investors human-led access to pre-market AI—then converts first looks into rights and rollouts that scale. As an AI Risk & Governance Strategist, he created "Chatbots Behaving Badly," a platform and podcast that investigates AI’s failures, risks, and governance. With over 30 years of experience bridging technology, strategy, and cross-border growth in the U.S. and Europe, Markus partners with executives, investors, and founders to turn early signals into a durable advantage.

©2026 Copyright by Markus Brinsa | SEIKOURI Inc.