
Google DeepMind lost its most celebrated scientific researcher this week. John Jumper — who shared the 2024 Nobel Prize in Chemistry with Demis Hassabis for AlphaFold — announced Friday that he is joining Anthropic after nearly nine years at DeepMind. It is the second major departure from DeepMind in a single week, coming days after Character AI co-founder Noam Shazeer confirmed his own move from DeepMind to OpenAI. Together, the two exits frame a talent market that has stopped pretending to be orderly.
What makes the Jumper move worth pausing on is not just the name. It is what it signals about where frontier AI value is now believed to live. Jumper built the model that cracked protein folding. He is moving to a lab whose public identity is safety, control, and agentic reliability — not scientific discovery. That is a meaningful reallocation of the people who actually know how to build hard things.
The big signal: the people who build are following the people who ship agents
Jumper announced the move in a post on X, crediting Hassabis for taking “a real chance letting me lead the AlphaFold team just six months after finishing my PhD.” TechCrunch reports that Jumper had recently been a key member of Google’s coding-tools team — the product line Google has struggled to sell to businesses. Reuters and Bloomberg both confirmed the departure independently.
The Shazeer move is the other half of the same story. Shazeer co-invented the Transformer at Google before leaving to found Character AI, then returned to DeepMind, and is now heading to OpenAI. In the space of one week, DeepMind has lost a Nobel laureate and a Transformer co-inventor — one to Anthropic, one to OpenAI. These are not incremental hires. They are the kind of moves that reshape what a lab can credibly prioritize next.
For investors and builders, the pattern is clear: the talent is following the product surface. Anthropic’s Claude and its agent SDK are where agentic coding and enterprise tool-use are being fought out. OpenAI’s Codex and ChatGPT are where consumer and commerce agents are being defined. Google DeepMind, despite Gemini’s quality, is increasingly perceived as the lab that does the science and then watches the commercial deployment happen elsewhere. That perception now has a cost, and it is measured in people.
DeepMind’s counter-signal: treat your own agents as insider threats
DeepMind’s response to the talent drain is not to retreat. On June 18, the lab published “Securing the future of AI agents” — a detailed AI Control Roadmap that does something most companies have been reluctant to say out loud: it treats internal AI agents as potential “insider threats,” comparable to a rogue employee who already has building access.
The framework, built on the MITRE ATT&CK knowledge base, assumes that even a well-aligned model might not stay aligned. It adds a defense-in-depth layer on top of traditional alignment: sandboxing, endpoint security, prompt-injection resistance, and incremental permission grants based on verified behavior. The analogy DeepMind uses is a driving instructor with dual controls — trust the student, but keep a hand on the brake.
This matters for the broader community because it is one of the first times a frontier lab has publicly framed agent security as a system-level problem rather than a model-level one. The assumption has long been: if we align the model well enough, the agent will be safe. DeepMind is now saying the quiet part: alignment is imperfect, and you should architect as if it will fail. For anyone building agentic tools — website assistants, orchestration layers, coding agents — that is a more honest starting point than “the model will behave.”
Open-source watch: GLM-5.2, MosaicLeaks, and the local-runtime cadence
GLM-5.2 from Z.ai (open weights, MIT, 753B, 1M context). The model card on Hugging Face confirms a 753-billion-parameter mixture-of-experts model with a stable 1M-token context, an MIT license with no regional restrictions, and a new IndexShare architecture that reuses the same indexer across every four sparse attention layers — cutting per-token FLOPs by 2.9× at full 1M context. It is already served by vLLM 0.23.0+, SGLang, Transformers, KTransformers, and Unsloth. The benchmark table is aggressive: GLM-5.2 claims 62.1 on SWE-bench Pro and 76.8 on MCP-Atlas, putting it in the same conversation as Claude Opus 4.8 and GPT-5.5 on agentic and coding tasks. For builders who need a long-context open model without vendor lock-in, this is currently the most serious option on the board.
MosaicLeaks from ServiceNow (privacy leakage in deep-research agents). A new Hugging Face post from ServiceNow researchers demonstrates a failure mode most agent builders have not named yet: the mosaic effect. When a research agent combines private local documents with public web searches, its outbound query log can leak sensitive enterprise information — even if no single query gives away the whole secret. Across tested models, agents frequently leaked private information, and training only for task performance made leakage worse. The proposed fix, Privacy-Aware Deep Research (PA-DR), raises strict chain success from 48.7% to 58.7% while cutting full-information leakage from 34.0% to 9.9%. This is the kind of privacy problem that only appears once agents start doing real multi-hop work — and it is relevant to anyone running agents over private business data.
llama.cpp b9736–b9744 (June 20–21). The local inference engine continues its daily release cadence with nine builds landing in roughly 24 hours. While individual builds are incremental, the sustained pace matters: it means local and on-device inference is getting continuous optimization rather than quarterly jumps. For teams running models on their own hardware, llama.cpp remains the most reliable bellwether for local-AI performance trends.
GitHub Copilot PR attribution (June 20). GitHub’s changelog confirms that pull requests opened by the Copilot cloud agent on a user’s behalf are now included in author searches. Searching author:@me returns both human-authored and Copilot-authored PRs together. It is a small UI change with a large implication: Copilot-authored work is being treated as first-class contributor output, not a separate bot category. For teams tracking who actually did what, the line between human and agent authorship is getting harder to draw from the tooling itself.
What builders should take from this
Three things are moving at once, and they are connected.
First, talent is consolidating around the labs that ship agentic products. If you are deciding which ecosystem to build on, the people who can build frontier systems are voting with their feet — and they are going to the labs with the strongest agent surfaces. That does not mean Google DeepMind is out of the race; Gemini remains a top-tier model. But the concentration of builder-talent at Anthropic and OpenAI is a leading indicator worth watching.
Second, agent security is becoming an architecture problem, not a model problem. DeepMind’s insider-threat framing and ServiceNow’s MosaicLeaks research point at the same reality: once agents have tools, permissions, and access to private data, the model’s alignment is only one layer. The system around it — sandboxing, query logging, permission escalation, leakage auditing — is where the real safety work now lives. Builders who treat agent security as “pick a well-aligned model” are under-building.
Third, the open-weight frontier is not standing still. GLM-5.2 with a 1M context and an MIT license changes the calculus for teams that want long-context agentic capability without sending data to a hosted API. When a 753B open model claims SWE-bench Pro numbers within striking distance of Claude Opus 4.8, the build-vs-buy decision for agentic infrastructure gets more interesting — especially for privacy-sensitive workloads.
The practical takeaway
If you are building with agents this week, the Jumper move is a reminder to watch where the serious builders go — because they tend to be early. The DeepMind Control Roadmap is a prompt to audit your own agent architecture for the assumption that alignment will hold, because the lab that knows alignment best is now publishing against that assumption. And the open-source wave — GLM-5.2, MosaicLeaks, the llama.cpp cadence — is a reminder that the gap between hosted frontier models and runnable open weights is narrower than it was a quarter ago, especially for long-context and coding work.
The headline story is talent. The deeper story is that the industry is quietly admitting agents need to be secured as systems, not trusted as models. Both matter for anyone shipping AI into a business this year.


Leave a Reply