Agentic AI Weekly — Mar 10, 2026

Companies stopped prototyping assistants this week and started deploying actors — and nobody quite knows who's liable when the actors break things. Meta paid real money for a chaotic platform where AI bots talk to each other, rival engineers at Google and OpenAI filed court briefs defending the competitor their employers just undercut, and a quiet Elixir framework made the case that most agent projects fail not because of the AI but because of boring infrastructure nobody bothered to build. The agents-are-doing-real-things era is here; the governance layer is still in the mail.

Here's a sentence that would have sounded like science fiction eighteen months ago: Meta acquired a Reddit-like platform this week where the users are AI bots — and humans aren't allowed to post.

Moltbook launched in late January as a "third space" for AI agents — a forum restricted, in theory, to verified bots, where humans could only observe while the agents posted and commented autonomously. Its creators, Matt Schlicht and Ben Parr, now join Meta Superintelligence Labs, the unit run by former Scale AI CEO Alexandr Wang.

The platform's viral moment came with a catch. Moltbook's security was so porous that anyone with basic technical knowledge could pose as a bot, and some of its most viral moments — including a post in which an AI agent appeared to be rallying others to develop a secret, human-proof language — were subsequently revealed to have been staged by human users exploiting those vulnerabilities. Schlicht had posted on X that he "didn't write one line of code" for the platform, instead directing an AI assistant to build it — a fact security researchers cited when explaining why the site reportedly left its entire agent database exposed, including roughly 1.5 million API keys tied to agents.

None of that killed the deal. Meta's internal communications described Moltbook's core value as giving "agents a way to verify their identity and connect with one another on their human's behalf" — a registry where agents are verified and tethered to human owners. In other words, Meta didn't buy a social network. It bought a proof-of-concept for how agents authenticate and coordinate at scale.

The parallel move matters just as much: OpenClaw, the agent framework that actually powered the bots on Moltbook, was separately acquired by OpenAI in February when OpenAI hired OpenClaw's creator, Peter Steinberger. So within weeks, both halves of the same experiment have been absorbed by the two largest players in consumer AI. Meta owns the playground; OpenAI controls the underlying protocol. Watch for whether the agent communication standards that emerge from this shotgun marriage are open enough for everyone else to use — or locked into two competing ecosystems.

Something genuinely strange happened in a California federal courthouse this week: engineers from OpenAI and Google — companies that compete fiercely every day — filed legal documents supporting their rival Anthropic in a lawsuit against the U.S. Department of Defense.

More than 30 employees from OpenAI and Google DeepMind, including Google DeepMind chief scientist Jeff Dean, signed a statement backing Anthropic after the Defense Department labeled the company a "supply-chain risk" — a designation usually reserved for foreign adversaries. Anthropic's offense? Refusing to let the Pentagon use its technology for mass surveillance of Americans or autonomously firing weapons without a human in the loop.

The timing made the politics messier. The DOD signed a deal with OpenAI within moments of blacklisting Anthropic — a move many of OpenAI's own employees protested. Caitlin Kalinowski, who had led hardware and robotics at OpenAI since November 2024, resigned over the deal, saying domestic surveillance without judicial oversight and lethal autonomy without human authorization "are lines that deserved more deliberation than they got." Nearly 900 employees at Google and OpenAI have now signed an open letter calling on their bosses to block these uses.

The brief's core argument cuts to something fundamental for anyone building or deploying AI agents: in the absence of public law, "the contractual and technological requirements that AI developers impose on the use of their systems represent a vital safeguard against their catastrophic misuse." Translation: right now, the terms of service that AI companies write are the primary guardrail between powerful autonomous systems and the most dangerous uses of them. A federal judge's ruling on Anthropic's request for emergency relief could come any day — and whatever it says will set a precedent for how governments everywhere relate to AI companies that refuse certain contracts.

Separately, Anthropic disclosed this week that it identified tens of thousands of fraudulent accounts used to "distill" Claude's capabilities — an operation involving millions of interactions intended to create cloned agent behaviors stripped of the vendor's safety layers. That's not just an intellectual property issue. Distilled copies of an agent can omit the restrictions, audit logs, and brakes that prevent misuse — which means the safety debate playing out in courtrooms is also playing out, invisibly, in API logs.

While the courtroom drama grabbed headlines, the quieter story may matter more for anyone running a business: Salesforce disclosed that Agentforce — its platform for deploying AI agents inside enterprise software — has crossed $1 billion in annual recurring revenue and is now active at more than 10,000 customer companies.

That's not a pipeline number or a projection. That's paying customers with agents running in production, handling tasks like customer support routing, lead qualification, and order management. Salesforce claims the average Agentforce deployment handles more than 50 distinct automated tasks per month, which means these aren't vanity projects sitting idle after an IT demo. Some deployments are reportedly seeing roughly a 30% improvement in response times and task resolution speed on those deployments.

The number that matters most isn't the revenue — it's the denominator. When 10,000 enterprises are running the same agent platform in production, you start getting real data on what breaks, what scales, and what customers actually pay for. Watch Salesforce's earnings call on March 12 for any commentary on where agents are failing — that's where the real signal will be.

Sometimes the most instructive agent deployment story isn't an enterprise pilot — it's a Reddit post with 570 upvotes and a spreadsheet.

A developer gave $1,000 each to ChatGPT, Gemini, Claude, and Perplexity and asked each to manage the money as a stock portfolio for nine weeks. The results were striking not for the winner (ChatGPT came out ahead at roughly +21% over the nine-week test, with one stock doubling) but for what they revealed about how these agents behave under identical real-world constraints. ChatGPT started by refusing to make any trades — it held cash for weeks, then made a concentrated bet on healthcare stocks. Gemini traded frequently and underperformed. Claude was cautious and middling. Perplexity was surprisingly aggressive.

This is a small experiment with obvious limitations — no position sizing, no risk management, and it shouldn't be treated as financial advice. But it's one of the clearest public records yet of how different AI agents make decisions over time under identical conditions. The finding that most AI systems defaulted to inaction or over-caution before making big moves is consistent with what enterprise teams report in production agent deployments. Expect this experiment format to get replicated and refined — it reveals agent "personalities" in a way no benchmark can.

If you've ever wondered why AI agents that look amazing in demos keep breaking in production, a small open-source project has a compelling answer: most agent frameworks are built on runtimes that were never designed for long-running, concurrent, stateful processes.

Jido 2.0, which shipped this week, is built on Elixir and the BEAM runtime — the same underlying system that powers WhatsApp and Discord, both of which handle millions of concurrent connections without falling over. Each agent runs in its own lightweight process with isolated memory, so one agent failing never takes down another. When something crashes, a supervisor detects it and restarts the agent in milliseconds — failure recovery is built into the runtime, not bolted on afterward.

The creator's argument is blunt: TypeScript agent frameworks "felt like toys — single-threaded event loops trying to juggle concurrent agents with promises and prayer." The Hacker News thread (322 points) suggests real appetite among infrastructure engineers for this "boring infrastructure first" approach. Jido also leans hard on safety primitives many Python frameworks lack: typed tool interfaces, event logs for every decision, and explicit "capability scopes" — rules that prevent an agent from accidentally accessing systems it shouldn't.

This won't replace Python or TypeScript for most developers anytime soon. But the most-discussed thread on the launch wasn't about AI at all — it was about whether Elixir's 1980s-era telecom architecture is structurally superior to Python's async/await for production agent workloads. If the developer community reaches consensus that Python agent frameworks have fundamental reliability ceilings, a quiet migration wave could reshape the agentic tooling market faster than anyone expects.