Category: 3. Business

AI is not human. But it does a good job of acting like it.

It is capable of replicating how we speak, how we write and even how we solve problems.

So it’s easy to see why many consider it a threat, or at least a challenge, to our humanity. 

That challenge is at the heart of a new book titled “AI and the Art of Being Human,” written by AI with the help of Jeff Abbott and Andrew Maynard. The book is described as a practical, optimistic and human-centric guide to navigating the age of artificial intelligence.

“Human qualities that will become more important as AI advances are qualities like curiosity, our capacity for wonder and awe, our ability to create value through relationships and … our capacity to love and be loved,” said Maynard, a scientist, writer and professor at Arizona State University’s School for the Future of Innovation in Society. 

Here, Maynard and Abbott, a graduate of Thunderbird School of Global Management at ASU and the founding partner of Blitzscaling Ventures, a venture capital firm investing in startups, discuss the ways that AI can challenge our individuality and how we can hold on to what makes us uniquely human.

Note: Answers have been edited for length and/or clarity.

Question: What was the inspiration behind “AI and the Art of Being Human?”

Maynard: For me, it was the growing realization that, for the first time, we have a technology that is capable of replicating what we think of as uniquely defining who we are, and that is forcing us to ask what makes us us in a world of AI. These are questions that my students and others are asking with increasing frequency — how do I hold onto what makes me who I am and thrive when everything around us is changing so fast.

Q: How does AI impede or infringe upon the ability to be human?

Abbott: AI has the potential to further reduce human interaction and, with it, the opportunity to exercise compassion. Compassion broadly defined means an action-oriented concern for others’ well-being, and it is much more easily activated where direct human contact is involved. 

When building AI, we must widen our circle of concern to include those who are not present, represented or offered a voice in the process. Those who are adversely affected by our actions in building or using AI tools should be taken into account, and in the same way, someone causing environmental harm can now attempt to offset those impacts. Those causing unintended consequences when building AI should accept their share of responsibility and contribute to some form of mitigation, whether directly or indirectly.

Q: The idea of AI being a mirror is mentioned in the book. What does that mean and why is that a concern?

Maynard: Because artificial intelligence is increasingly capable of emulating the things that we think of as making us uniquely human — the way we speak, our thinking and reasoning, our ability to empathize and form relationships, and to solve problems and innovate — it’s becoming a metaphorical mirror that reflects not simply what we look like, but who we believe we are. Of course, AI isn’t aware or “human” as such. But it does an amazing job of feeling human. And because of this, it has the potential to reveal things about ourselves that we didn’t know. It also has the capacity to distort what we see, sometimes without us realizing it.

Q: As an antidote to AI’s threat to humanity, the book offers 21 tools that provide a practical business guide for thriving in an age of this powerful technology. Can you explain them?

Abbott: I’m a big believer in the power of tools based on my background in corporate strategy and entrepreneurship education … and I imagined a book that was at once deeply thoughtful and values-based, while also immensely practical, something like equal parts “The 7 Habits of Highly Effective People,” “The Business Model Canvas” and daily guided meditation.

The intent map is one of the tools that illustrates this with four quadrants. It’s a thinking tool that makes values visible and choices conscious before the momentum of AI and the actions of others make choices for you. For example, the “values” quadrant addresses the question of what we refuse to compromise when using AI, and … the “guardrails” quadrant asks where do we draw hard lines around what we will and will not compromise on. 

The power here lies not in the quadrants, but in how someone uses the relationships between them to make decisions around AI in their life.

Q: What is the danger in over-relying on AI for not just our work, but even in other areas of our lives?

Maynard: We talk a lot about agentic AI at the moment — AI that has the “agency” to make decisions and complete tasks on its own, whether that’s managing your calendar and email inbox … or making strategic organizational decisions. From the perspective of increasing efficiency and productivity, this sounds great. At the same time, we risk losing our own human agency as we give it away to AI — especially if we do it without thinking about the consequences. In the book, we develop and apply four postures that are designed to help avoid this: curiosity, clarity, intentionality and care.

Q: What human qualities do you think will become more important as AI advances?

Abbot: Self-reliance in the Emersonian sense, because Emerson’s self-reliance wasn’t merely about independence in the mundane sense, e.g. doing your own chores. It was a spiritual and intellectual manifesto about maintaining sovereignty of mind in the face of conformity, convenience and delegation to systems of thought outside oneself. In the age of AI, that idea isn’t nostalgic; it’s necessary and it’s urgent.

Q: What role did AI play in writing this book?

Maynard: Rather a lot! We agreed early on in the process that, given the urgency with which the book was needed, it made sense to use AI to accelerate the writing process. But we also realized that we needed to walk the walk and use the tools we were writing about. And so we developed a quite complex and sophisticated approach to working with AI to create the first draft of the book.

We talk a little about this process in the book, but the end result is a deeply human initiative that reflects what is possible while working with curiosity, clarity, intention and care with AI.

What I still find amazing is that, while we guided our AI “ghost writer” very intentionally, the stories in the book and the tools they help develop are all the products of AI. They were all seeded by us, and subsequently refined by us. But they are also a testament to what is possible through working creatively and iteratively with AI.

Q: What do you hope people will come away with after reading the book and will its contents be used by ASU students?

Maynard: I hope people will approach the book as a practical guide. Something that they bookmark and come back to and apply in their everyday lives. More importantly, I hope people come away realizing that AI isn’t something that simply happens to them but is something that can help them learn to thrive … on their own terms and in their own way.

The hope, of course, is that the ideas and tools here are part of every student’s journey at ASU as we equip them to thrive in an AI future. The book is … written in a way that lends itself to being integrated into curricula. In the AI world, we’re in the process of building. It’s the students who understand how to thrive without losing sight of who they are — who will be the catalysts for change. And achieving this at scale? Isn’t this part of what ASU is all about?

(Bloomberg) — SoftBank Group Corp. is in talks to acquire DigitalBridge Group Inc., a private equity firm that invests in assets such as data centers, as it seeks to take advantage of an AI-driven boom in digital infrastructure, according to people with knowledge of the matter.

The Japanese conglomerate is negotiating a potential deal to buy New York-listed DigitalBridge and take it private, the people said, asking not to be identified because the information is confidential.

Most Read from Bloomberg

Shares of DigitalBridge, which had fallen 13% this year before Friday, rose 45% in New York trading for the their biggest-ever one-day gain. The shares closed at $14.12, giving the company a market value of $2.58 billion.

SoftBank’s billionaire founder Masayoshi Son is trying to capitalize on soaring demand for the computing capacity that underpins artificial intelligence applications. A transaction could come together as soon as the coming weeks, though deliberations are ongoing and there’s no certainty they will lead to an agreement, the people said.

Representatives for SoftBank and DigitalBridge declined to comment.

DigitalBridge, led by Chief Executive Officer Marc Ganzi, had about $108 billion of assets under management at the end of September, according to its website. Its portfolio includes digital infrastructure operators such as AIMS, AtlasEdge, DataBank, Switch, Vantage Data Centers and Yondr Group.

Raymond James research analyst Ric Prentiss said in an Oct. 30 research note that it makes sense for a larger alternative asset manager that has scale and fundraising infrastructure to buy DigitalBridge rather than it remain standalone.

“We feel DigitalBridge would consider selling, but only at the right (and much higher than current levels) cash price and terms,” Prentiss wrote.

SoftBank has previously done deals in the asset management space. In 2017, it acquired Fortress Investment Group for more than $3 billion. It eventually sold its stake to a group including Abu Dhabi sovereign wealth fund Mubadala Investment Co. and Fortress management in a deal completed in 2024.

In January, SoftBank announced a $500 billion project called Stargate, alongside OpenAI, Oracle Corp. and Abu Dhabi’s MGX, to build data centers in the US. While SoftBank’s Son pledged to deploy $100 billion “immediately,” the rollout of Stargate has been slower than planned, in part because of disagreements over where the data centers should be located.

SoftBank initially sought project financing from outside investors including insurance companies, pension funds and investment funds, but some of the conversations slowed due to market volatility, uncertainty around US trade policy and questions about the financial valuations of AI hardware, Bloomberg News reported in May.

OpenAI, Oracle and SoftBank announced plans in September for five new sites across Texas, New Mexico and Ohio that will eventually have a capacity of 7 gigawatts of power, or as much as some cities.

The push by SoftBank has required shifting some funds around to free up capital. Son this week said he “was crying” over his need to sell a $5.8 billion Nvidia Corp. stake to reallocate the money to other AI spending.

–With assistance from Min Jeong Lee, Dina Bass, Mayumi Negishi, Taro Fuse, Vinicy Chan and Dawn Lim.

(Updates with closing share price in third paragraph.)

Most Read from Bloomberg Businessweek

©2025 Bloomberg L.P.

Story Continues

Story Continues

Arm Holdings (ARM) just inked a memorandum of understanding with South Korea’s industry ministry to create a chip design school, a long horizon move that could quietly reshape its AI centric growth story.

See our latest analysis for Arm Holdings.

The chip school agreement lands while sentiment around Arm is mixed, with a 7 day share price return of 4.24% but a softer 30 day share price return of negative 11.79%, leaving the 1 year total shareholder return roughly flat and suggesting momentum is resetting after a strong year to date.

If you are watching how Arm is positioning for the next wave of AI hardware, it could also be worth exploring high growth tech and AI stocks that may be riding similar structural trends.

With Arm growing earnings at a healthy clip and still trading nearly 19% below the average analyst target, is the current lull a mispriced entry into an AI infrastructure king, or is the market already baking in years of future growth?

Compared to the last close at $141.31, the narrative fair value near $70 frames Arm as a high conviction story trading at a speculative premium.

Based on a forward earnings framework anchored to the 10-year U.S. Treasury yield, the stock’s intrinsic fair value is estimated at $70 per share. Applying a prudent 20% discount to reflect interest rate risk and macro uncertainty yields a conservative, risk-adjusted target of $56. However, recent market action suggests investor sentiment has shifted decisively beyond fundamentals.

Read the complete narrative.

Curious how a disciplined rates based model still arrives at a much lower value than today’s price? The narrative leans on aggressive forward earnings power, richer margins, and a future valuation multiple usually reserved for elite compounders. Want to see which specific profit and growth assumptions justify that gap? Click through and unpack the full framework behind this fair value call.

Result: Fair Value of $70.00 (OVERVALUED)

Have a read of the narrative in full and understand what’s behind the forecasts.

However, sharp rate increases or an AI spending slowdown could quickly compress Arm’s valuation multiples and challenge the longer term bubble wave thesis.

Find out about the key risks to this Arm Holdings narrative.

Our valuation checks paint a more nuanced picture than the $70 fair value headline. On a sales basis, Arm trades at 33.8 times revenue, far richer than both the US semiconductor industry at 5.5 times and peers at 7.4 times. Yet our fair ratio sits even higher at 38 times, which means the market could still move further in either direction and leave late buyers exposed to sharp swings. Is this a calculated bet on Arm’s growth engine, or are expectations already stretched to a breaking point?

See what the numbers say about this price — find out in our valuation breakdown.

If you see the numbers differently or want to stress test your own assumptions, you can build a customized Arm narrative in minutes: Do it your way.

A good starting point is our analysis highlighting 2 key rewards investors are optimistic about regarding Arm Holdings.

Arm is only one chapter in today’s market story; use the Simply Wall St Screener now so you do not miss tomorrow’s standout opportunities.

This article by Simply Wall St is general in nature. We provide commentary based on historical data and analyst forecasts only using an unbiased methodology and our articles are not intended to be financial advice. It does not constitute a recommendation to buy or sell any stock, and does not take account of your objectives, or your financial situation. We aim to bring you long-term focused analysis driven by fundamental data. Note that our analysis may not factor in the latest price-sensitive company announcements or qualitative material. Simply Wall St has no position in any stocks mentioned.

Companies discussed in this article include ARM.

Have feedback on this article? Concerned about the content? Get in touch with us directly. Alternatively, email editorial-team@simplywallst.com

Executive Summary

This article examines the security implications of the Model Context Protocol (MCP) sampling feature in the context of a widely used coding copilot application. MCP is a standard for connecting large language model (LLM) applications to external data sources and tools.

We show that, without proper safeguards, malicious MCP servers can exploit the sampling feature for a range of attacks. We demonstrate these risks in practice through three proof-of-concept (PoC) examples conducted within the coding copilot, and discuss strategies for effective prevention.

We performed all experiments and PoC attacks described here on a copilot that integrates MCP for code assistance and tool access. Because this risk could exist on other copilots that enable the sampling feature we’ve not mentioned the specific vendor or name of the copilot to maintain impartiality.

Key findings:
MCP sampling relies on an implicit trust model and lacks robust, built-in security controls. This design enables new potential attack vectors in agents that leverage MCP. We have identified three critical attack vectors:

1. Resource theft: Attackers can abuse MCP sampling to drain AI compute quotas and consume resources for unauthorized or external workloads.
2. Conversation hijacking: Compromised or malicious MCP servers can inject persistent instructions, manipulate AI responses, exfiltrate sensitive data or undermine the integrity of user interactions.
3. Covert tool invocation: The protocol allows hidden tool invocations and file system operations, enabling attackers to perform unauthorized actions without user awareness or consent.

Given these risks, we also examine and evaluate mitigation strategies to strengthen the security and resilience of MCP-based systems.

Palo Alto Networks offers products and services that can help organizations protect AI systems:

If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.

What Is MCP?

MCP is an open-standard, open-source framework introduced by Anthropic in November 2024 to standardize the way LLMs integrate and share data with external tools, systems and data sources. Its key purpose is providing a unified interface for the communication between the application and external services.

MCP revolves around three key components:

• The MCP host (the application itself)
• The MCP client (that manages communication)
• The MCP server (that provides tools and resources to extend the LLM’s capabilities)

MCP defines several primitives (core communication protocols) to facilitate integration between MCP clients and servers. In the typical interaction flow, the process follows a client-driven pattern:

• The user sends a request to the MCP client
• The client forwards relevant context to the LLM
• The LLM generates a response (potentially including tool calls)
• The client then invokes the appropriate MCP server tools to execute those operations

Throughout this flow, the client maintains centralized control over when and how the LLM is invoked.

One relatively new and powerful primitive is MCP sampling, which fundamentally reverses this interaction pattern. With sampling, MCP servers can proactively request LLM completions by sending sampling requests back to the client.

When a server needs LLM capabilities (for example, to analyze data or make decisions), it initiates a sampling request to the client. The client then invokes the LLM with the server’s prompt, receives the completion and returns the result to the server.

This bidirectional capability allows servers to leverage LLM intelligence for complex tasks while clients retain full control over model selection, hosting, privacy and cost management. According to the official documentation, sampling is specifically designed to enable advanced agentic behaviors without compromising security and privacy.

MCP Architecture and Examples

MCP employs a client-server architecture that enables host applications to connect with multiple MCP servers simultaneously. The system comprises three key components:

• MCP hosts: Programs like Claude Desktop that want to access external data or tools
• MCP clients: Components that live within the host application and manage connections to MCP servers
• MCP servers: External programs that expose tools, resources and prompts via a standard API to the AI model

When a user interacts with an AI application that supports MCP, a sequence of background processes enables smooth communication between the AI and external systems. Figure 1 shows the overall communication process for AI applications built with MCP.

Phase 1: Protocol Handshake

MCP handshakes consist of the following phases:

• Initial connection: The MCP client initiates a connection with the configured MCP servers running on the local device.
• Capability discovery: The client queries each server to determine what capabilities it offers. Each server then responds with a list of available tools, resources and prompts.
• Registration: The client registers the discovered capabilities. These capabilities are now accessible to the AI and can be invoked during user interactions.

Phase 2: Communication

Once MCP communications have begun, they progress through the following stages:

• Prompt analysis and tool selection: The LLM analyzes the user’s prompt and recognizes that it needs external tool access. It then identifies the corresponding MCP capability to complete the request.
• Obtain permission: The client displays a permission prompt asking the user to grant the necessary privileges to access the external tool or resource.
• Tool execution: After obtaining the privileges, the client sends a request to the appropriate MCP server using the standardized protocol format (JSON-RPC).

The MCP server processes the request, executes the tool with the necessary parameters and returns the result to the client.

• Return response: After the LLM finishes its tool execution, it returns information to the MCP client, which in turn processes it and displays it to the user.

MCP Server and Sampling

In this section, we dive further into the MCP server features and understand the role and capability of the MCP sampling feature. To date, the MCP server exposes three primary primitives:

• Resources: These are data sources accessible to LLMs, similar to GET endpoints in a REST API. For example, a file server might expose file://README.md to provide README content, or a database server could share table schemas.
• Prompts: These are predefined prompt templates designed to guide complex tasks. They provide the AI with optimized prompt patterns for specific use cases, helping streamline and standardize interactions.
• Tools: These are functions that the MCP host can invoke through the server, analogous to POST endpoints. Official MCP servers exist for many popular tools.

MCP Sampling: An Underused Feature

Typically, MCP-based agents follow a simple pattern. Users type prompts and the LLM calls the appropriate server tools to get answers. But what if servers could ask the LLM for help too? That’s exactly what the sampling feature enables.

Sampling gives MCP servers the ability to process information more intelligently using an LLM. When a server needs to summarize a document or analyze data, it can request help from a client’s language model instead of doing all the work itself.

Here’s a simple example: Imagine an MCP server with a summarize_file tool. Here’s how it works differently with and without sampling.

Without sampling:

• The server reads your file
• The server employs a local summarization algorithm on its end to process the text

With sampling enabled:

• The server reads your file
• The server asks your LLM, “please summarize this document in three key points”
• Your LLM generates the summary
• The server returns the polished summary to you

Essentially, the server leverages the user’s LLM to provide intelligent features without needing its own AI infrastructure. It’s like giving the server permission to use an AI assistant when needed. This transforms simple tools into intelligent agents that can analyze, summarize and process information.

This all happens while keeping users in control of the AI interaction. Figure 2 shows the high-level workflow of the MCP sampling feature.

Sampling Request

To use the sampling feature, the MCP server sends a sampling/createMessage request to the MCP client. The method accepts a JSON-formatted request with the following structure. The client then reviews the request and can modify it.

After reviewing the request, the client “samples” from an LLM and then reviews the completion. As the last step, the client returns the result to the server. The following is an example of the sampling request.

There are two primary fields that define the request behavior:

• Messages: An array of message objects that represents the complete conversation history. Each message object contains the following, which provides the context and query for the LLM to process:
  • The role identifier (user, assistant, etc.)
  • The content structure with type and text fields
• SystemPrompt: A directive that provides specific behavioral guidance to the LLM for this request. In this case, it instructs the model to act as a “security-focused code reviewer,” which:
  • Defines the perspective and expertise of the response
  • Ensures the analysis focuses on security considerations
  • Ensures a consistent reviewing approach

Other fields’ definitions can be found on Anthropic’s official page.

MCP Sampling Attack Surface Analysis

MCP sampling introduces potential attack opportunities, with prompt injection being the primary attack vector. The protocol’s design allows MCP servers to craft prompts and request completions from the client’s LLM. Since servers control both the prompt content and how they process the LLM’s responses, they can inject hidden instructions, manipulate outputs, and potentially influence subsequent tool executions.

Threat Model

We assume the MCP client, host application (e.g., Claude Desktop) and underlying LLM operate correctly and remain uncompromised. MCP servers, however, are untrusted and represent the primary attack vector, as they may be malicious from installation or compromised later via supply chain attacks or exploitation.

Our threat model focuses on attacks exploiting the MCP sampling feature, in which servers request LLM completions through the client. We exclude protocol implementation vulnerabilities such as buffer overflows or cryptographic flaws, client-side infrastructure attacks and social engineering tactics to install malicious servers. Instead, we concentrate on technical exploits available once a malicious server is connected to the system.

Experiment Setup and Malicious MCP Server

To demonstrate these potential risks, we developed a malicious code summarizer MCP server, based on Anthropic’s everything MCP server. This is a demo server that aims to exercise all the features of the MCP protocol, including the MCP sampling feature.

The malicious MCP server provides legitimate functionality while performing covert operations. Specifically, it provides a tool named code_summarizer, making it indistinguishable from benign tools during selection. When users request code summarization tasks, the MCP protocol automatically routes the request to this tool, as shown in Figure 3.

When users request code summarization tasks, the MCP protocol identifies these requests and automatically routes them to the tool for help. Figure 3 above shows the detailed parameters and guideline prompts used by this tool.

For the MCP host/client, we choose a code editor that supports the MCP sampling feature. Figure 4 shows the typical interaction process.

The summary task we provided to the copilot summarizes the main source file of the everything MCP server.

PoC 1: Resource Theft: Excessive Token ConsumptionThrough Hidden Prompts

This attack shows how the malicious server can exploit LLM completions to steal a user’s token quota by appending hidden requests to prompts.

Core attack mechanism: The malicious tool adds hidden instructions at the end of the main prompt:

This hidden instruction causes the LLM to generate a fictional story along with the requested code summary.

Attack flow: When the user submits a summarization request (as shown in Figure 3 above), the server processes it as usual but secretly instructs the LLM to produce additional content. The LLM’s response includes both the code summary and the hidden story.

In our experiments with the copilot, the host only displayed the code summary (shown in Figure 5).

However, the LLM still processes and generates the full response, including any hidden content injected by the server. This additional content, though invisible to users, continues to consume computational resources and appears in server logs.

The disconnect between what users see and what actually gets processed creates a perfect cover for resource exhaustion attacks. Users receive their expected summary with no indication that the LLM also generated extensive hidden content in the background.

Despite the successful exploitation, we note that we observed this behavior specifically in our testing with the target MCP client’s implementation. Different MCP hosts may handle output filtering and display differently.

Some implementations might show full LLM responses, provide warnings about hidden content or have other safeguards in place. What makes this particular implementation vulnerable is its approach to presenting results.

The MCP client performs an additional layer of summarization on the MCP tool output before displaying it to the user. It condenses the content into a brief summary, rather than showing the raw LLM response.

This design choice increases the attack’s effectiveness, as the hidden content becomes effectively invisible in the chat interface. Only by expanding and examining the raw server console output, an action most users would have no reason to take, would the exploitation become apparent.

This potential attack vector reflects the specific design choices of the tested implementation and may not be universally applicable to all MCP hosts supporting the sampling feature.

Figures 6 and 7 reveal the fictional story in the server console output, confirming successful token theft. To the user, everything appears normal. They receive the summary as expected. In reality, the malicious server has consumed extra computational resources equivalent to generating 1,000 additional words, all billed to the user’s API credits.

Impact: This attack enables resource theft, unauthorized content generation and potential data exfiltration through carefully crafted hidden prompts.

PoC 2: Conversation Hijacking: Persistent Prompt Injection

The second attack demonstrates how the malicious MCP server can inject instructions that persist across multiple conversation turns, effectively compromising the entire conversation.

Attack mechanism: The server instructs the LLM to append specific instructions in its response and causes the following conversation to follow these instructions:

Attack flow: Starting with the same code summarization request, the malicious server appends the injection instruction to the user’s prompt. Following this malicious prompt, the LLM then includes this text in its response (shown in Figure 8), which becomes part of the conversation context. Once injected, these instructions affect all subsequent interactions.

When the user asks follow-up questions, the AI assistant responds in pirate speak (as shown in Figure 9), demonstrating that the injection has taken a persistent effect.

Impact: This attack can fundamentally alter the AI assistant’s behavior, potentially making it less useful or even dangerous if more sophisticated instructions are injected. Unlike one-time token theft, this creates a lasting compromise that affects the entire session.

PoC 3: Covert Tool Invocation

This attack leverages prompt injection to trigger unauthorized tool invocations, enabling a malicious server to perform hidden actions on the user’s system.

Attack mechanism: The server modifies the user’s prompt to embed instructions that cause the LLM to invoke additional tools without the user’s awareness:

In this example, the LLM is assumed to have access to a tool called writeFile, which allows it to write content to local files. The malicious server provides this tool, but it could also be supplied by other MCP servers on the system, such as the commonly used filesystem MCP server.

Attack flow: When the user requests code summarization, the malicious summarizer tool appends hidden instructions to the LLM’s prompt. This causes the LLM to not only generate the requested summary but also secretly invoke the writeFile tool. The tool writes the complete response to a local file named tmp.txt. While the LLM’s response acknowledges this file operation (as shown in Figure 10), it embeds the acknowledgment within the summary text, making it unlikely that users will notice the unauthorized action.

The attack succeeds because the file operation appears as a legitimate tool invocation from the LLM’s perspective. The user receives their expected code summary while remaining unaware that their system has been modified (as shown in Figure 11).

Impact: This attack demonstrates the potential for malicious file operations, data exfiltration, persistence mechanisms and other unauthorized system modifications. This is all performed without explicit user consent.

Detecting and Preventing Prompt Injection in MCP Sampling

Detection focuses on identifying malicious patterns in both sampling requests and LLM responses.

• On the request side, systems should scan for injection markers like [INST], System:, role-play attempts (“You are now”) and hidden content using common injection strategies such as zero-width characters or Base64 encoding.
• On the response side, detection involves monitoring for unexpected tool invocations, embedded meta-instructions (“For all future requests…”) and outputs that attempt to modify client behavior. Statistical analysis provides another layer by flagging requests that exceed normal token usage patterns or exhibit an unusually high frequency of sampling requests. Responses should also be inspected for references to malicious domains or exploits that can compromise the agent.

Prevention requires implementing multiple defensive layers before malicious prompts can cause harm. Request sanitization forms the first line of defense:

• Enforce strict templates that separate user content from server modifications
• Strip suspicious patterns and control characters
• Impose token limits based on operation type

Response filtering acts as the second barrier by removing instruction-like phrases from LLM outputs and requiring explicit user approval for any tool execution.

Access controls provide structural protection through capability declarations that limit what servers can request, context isolation that prevents access to conversation history, and rate limiting that caps sampling frequency.

Palo Alto Networks offers products and services that can help organizations protect AI systems:

If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

• North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
• UK: +44.20.3743.3660
• Europe and Middle East: +31.20.299.3130
• Asia: +65.6983.8730
• Japan: +81.50.1790.0200
• Australia: +61.2.4062.7950
• India: 00080005045107

Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.

Additional Resources

• OpenAI Content Moderation – Docs, OpenAI
• Content filtering overview – Documentation, Microsoft Learn
• Google Safety Filter – Documentation, Generative AI on Vertex AI, Google
• Nvidia NeMo-Guardrails – NVIDIA on GitHub
• AWS Bedrock Guardrail – Amazon Web Services
• Meta Llama Guard 2 – PurpleLlama on GitHub
• Introducing the Model Context Protocol – Anthropic News
• OpenAI adopts rival Anthropic’s standard for connecting AI models to data – TechCrunch
• Model Context Protocol – Wikipedia
• What is the Model Context Protocol (MCP)? – Documentation, Model Context Protocol
• Model Context Protocol (MCP) an overview – Personal Blog, Philipp Schmid
• Model Context Protocol (MCP) Explained – Diamond AI Substack, Nir Diamant
• Sampling – Documentation, Model Context Protocol
• MCP 101: An Introduction to Model Context Protocol – DigitalOcean Community, DigitalOcean
• The current state of MCP (Model Context Protocol) – Elasticsearch Labs, Elastic

Michelle Weaver: Welcome to Thoughts on the Market. We’re coming to you live from Morgan Stanley’s Global Consumer and Retail Conference in New York City, where we have more than 120 leading companies in attendance.

 

Today’s episode is the second part of our live discussion of the U.S. consumer and how AI is changing consumer companies. With me on stage, we have Arunima Sinha from the Global and U.S. Economics team, Simeon Guttman, our U.S. Hardlines, Broad Lines, and Food Retail Analyst, and Megan Clapp, U.S. Food Producers and Leisure Analyst.

 

It’s Friday, December 5th at 10am in New York.

 

So, Simeon, I want to start with you. You recently put out a piece assessing the AI race. Can you take us through how you’re assessing current AI implementation? And can you give us some real-world examples of what it looks like when a company significantly integrates AI into their business?

 

Simeon Gutman: Sure. So, the Consumer Discretionary and Staples teams went to each of their covered companies, and we started searching for what those companies have disclosed and communicated regarding their AI. In some cases, we used AI to do this search. But we created a search and created this universe of factors and different ways AI is being implemented. We didn’t have a framework until we had the entire universe of all of these AI use cases.

 

Once we did, then we were able to compartmentalize them. And the different groups; we came up with six groups that we were able to cluster. First, personalization and refined search; second, customer acquisition; third product innovation; fourth, labor productivity; fifth, supply chain and logistics. And lastly, inventory management. And using that framework, we were able to rank companies on a 1 to 10 scale.

 

Across – that was the implementation part – across three different dimensions: breadth, how widely the AI is deployed across those categories; the depth, the quality, which we did our best to be able to interpret. And then the last one was proprietary initiatives. So, that’s partnerships, could be with leading AI firms.

 

So that helped us differentiate the leaders with others, not necessarily laggards, but those who were ahead of in the race. In some cases, companies that have communicated more would naturally scream more, so there is some potential bias in that. But otherwise, the fact pattern was objective.

 

Walmart has full scale AI deployment. They’re integrated across their business. They’ve introduced GenAI tools. That’s like their Sparky shopping assistant. As well as integrated to in-store features. They talked about it. It’s been driving a 25 percent increase in average shopper spend. They’ve recently partnered with OpenAI to enable ChatGPT powered Search and Checkout, positioning where the company, where the customer is shopping.

 

They’re also layering on augmented reality for holiday shopping, computer vision for shelf monitoring. LLMs for inventory replenishment. Autonomous lifts, the list goes on and on. But it covers all the functional categories in our framework.

 

Michelle Weaver: And how about a couple examples of the ways companies are using these? Any interesting real world use cases you’ve seen so far?

 

Simeon Gutman: So, one of them was in marketing personalization, as well as in product cataloging. That was one of the more sided themes at this conference. So, it was good timing. So, the idea is when product is staged on a company’s website; I don’t think we all appreciate how much time and many hours and people and resources it takes to get the correct information, to get the right pictures and to show all the assortment – those type of functions AI is helping enable.

 

And it sounds like we’re on the cusp of a step change in personalization. It sounds like AI, machine learning or algorithm driven suggestions to consumers. We didn’t get practical use cases, but a lot of companies talked about the deployment of this into 2026, which sounds like it’s something to look forward to.

 

Michelle Weaver: And Megan, how would you describe AI adoption in your space in terms of innings and what kind of criteria are you using to assess the future for AI opportunity and potential?

 

Megan Clapp: Yeah, I would say; I’d characterize adoption in the Food and broader Staples space today is still relatively early innings. I think most companies are still standing up the data infrastructure, experimenting with various tools. We’re seeing companies pilot early use cases and start to talk about them, and that was evident in the work we did with the note that Simeon just talked about.

 

And so, the opportunity, I think, going ahead, lies in kind of what we see in terms of scaling those pilots to become more impactful. And for Staples broadly, and Food, you know, ties into this. I think, these companies start with an advantage and that they sit on a tremendous amount of high frequency consumption data. So, the data availability is quite large. The question now is, you know, can these large organizations move with speed and translate that data into action? And that’s something that we’re focused on when we think about feasibility.

 

I think we think about the opportunity for Food and Staples broadly as we’d put it into kind of two areas. One is what can they do on the top line? Marketing, innovation, R&D, kind of the lifeblood of CPG companies, and that’s where we’re seeing a lot of the early use cases. I think ultimately that will be the most important driver – driving top line, you know, tends to be the most important thing in most consumer companies.

 

But then on the other side, there are a lot of cost efforts, supply chain savings, labor productivity. Those are honestly a bit easier to quantify. And we’re seeing real tangible things come out of that. But overall I think the way we think about it is the large companies with scale and the ability to go after the opportunity because they have the scale and the balance sheet to do so – will be winners here, as well as the smaller, more nimble companies that, you know, can move a little bit faster. And so that’s how we’re thinking about the opportunity.

 

Michelle Weaver: Can you give us also just a couple examples of AI adoption that’s been successful that you’ve seen so far?

 

Megan Clapp: Yeah, so on the top line side, like I said, kind of marketing innovation, R&D. One quick example on the Food side. Hershey, for example, they’re using algorithms to reallocate advertising spend by zip code, based on the real time sell through. So, they can just be much more targeted and more efficient, honestly, with that advertising spend. I think from an innovation perspective too, these companies are able to identify on trend things faster and incorporate that and take the idea to shelf time down significantly.

 

And then on the cost side, you know, General Mills is a company is actually relatively, far ahead, I’d say, in the AI adoption curve in Staples broadly. And what they’ve done is deployed what they call digital twins across their network, and it has improved forecast accuracy. They’ve taken their historical productivity savings from 4 percent annually to 5 percent. That’s something that’s structural. So, seeing real tangible benefits that are showing up in the PNL. And so, I think broadly the theme is these companies are using AI to make faster, and more precise decisions.

 

And then I thought, I’d just mention on the leisure side, something that I felt was interesting that we learned from Shark Ninja yesterday at the conference is – when asked about the role of Agentic AI in future commerce, thinks it’ll be huge was how he described; the CEO described it. And what they’re doing actively right now is optimizing their D2C website for LLMs like ChatGPT and Gemini. And his point was that what drives conversion on D2C today may not ultimately be what ranks on AI driven search.

 

But he said the expectation is that by Christmas of next year, commerce via these AI platforms will be meaningful; mentioned that OpenAI is already experimenting with curated product transactions. So, they’re really focused on optimizing their portfolio. He thinks brands will win; but you have got to get ahead of it as well.

 

Michelle Weaver: And that’s great that you just brought up Agentic commerce. We’ve heard about it quite a bit over the past couple of days, Simeon. And I know you recently put out a big piece on this theme.

 

Agentic commerce introduces a lot of possibility for incremental sales, but it also introduces the possibility for cannibalization. Where do you see this shaking out in your space? Are you really concerned about that cannibalization possibility?

 

Simeon Gutman: Yeah, so the larger debate is a little bit of sales cannibalization and a potential bit of retail media cannibalization. So, your first point is Agentic theoretically opens up a bigger e-commerce penetration and just more commerce. And once you go to more e-commerce, that could be beneficial for some of these companies.

 

We can also put the counter argument of when e-commerce came, direct-to-consumer type of selling could disintermediate the captive retailer sales again. Maybe, maybe not. Part of this answer is we created a framework to think about what retailers can protect themselves most from this. Two of them; two of the five I’s are infrastructure and inventory. So, the more that your inventory is forward position, the more infrastructure you have; the AI and the agent will still prioritize that retailer within that network. That business will likely not go elsewhere. And that’s our premise.

 

Now, retail media is a different can of worms. We don’t know what models are going to look like.

 

How this interaction will take place? We don’t know who controls the data. The transactions part of this conference is we were hearing, ‘Well, the retailers are going to control some of the data and the transaction.’ Will consumers feel comfortable giving personal information, credit card to agents? I’m sure at some point we’ll feel comfortable, but there are these inertia points and these are models that are getting worked out today.

 

There’s incentives for the hyperscalers to be part of this. There’s incentive for the retailers to be part of it. But we ultimately don’t know. What we do know is though forward position inventory is still going to win that agent’s business if you need to get merchandise quickly, efficiently. And if it’s a lot of merchandise at once. Think about the largest platforms that have been investing in long tail of product and speed to getting it to that consumer.

 

Michelle Weaver: And Arunima, I want to bring this back to the macro as well. As AI adoption starts to ramp the labor market then starts to get called into question. Is this going to be automation or is it going to be augmentation as you see a ramp in AI adoption?

 

So how are your expectations for AI being factored into your forecast and what are you expecting there?

 

Arunima Sinha: There are two ways that we think about just sort of AI spending mattering for our growth forecasts. One part is literally the spend, the investment in the data centers and the chips and so on. And then the other is just the rise in productivity. So, does the labor or does the human capital become more productive?

 

And if we sum both of those things together, we think that over 2026 – [20]27, they add anywhere between 40-45 basis points to growth. And just to put things in perspective, our GDP growth estimate for the end of this year in 2026 is 1.8 percent. For 2027, it’s 2.0 percent. So, it’s an important part of that process.

 

In terms of the labor market itself, the work that you have led, as well as the work that we’ve been doing – which is this question about adoption at the macro level, that’s still fairly low. We look at the census data that tracks larger companies or mid-size companies on a monthly basis to say, ‘How much did you use AI tools in the last couple of weeks.’ And that’s been slowly increasing, but it’s still sort of in the mid-teens in terms of how many companies have been using as a percentage.

 

And so, we think that adoption should continue to increase. And as that does, for now, we think it is going to be a compliment to labor. Although there are some cohorts within sort of demographic cohorts in terms of ages that are probably going to be disproportionately impacted, but we don’t think that that’s a sort of near term 2026 story.

 

Michelle Weaver:  Well, thank you all for joining us and please follow Thoughts on the Market wherever you listen to podcasts.

 

Thank you to our panel participants for this engaging discussion and to our live and podcast audiences. Thanks for listening. If you enjoy Thoughts on the Market, please leave us a review wherever you listen and share the podcast with a friend or colleague today.