Good morning, AI watchers. Anthropic launched a design tool that made Figma's stock drop and its own CPO resign from the company's board -- and that's not even the most surreal thing on the docket today. We've also got the NSA quietly using Anthropic's most dangerous model while the Pentagon sues Anthropic in the same breath, a developer getting a $800 surprise bill for letting AI pick his infrastructure, and the guy who built MCP standing at a podium telling everyone MCP isn't enough. Let's get into it.

📬 Before we dive in: The sharpest AI Brief tips come from readers in the field. If you spot something worth covering today — a launch, a thread, a number that doesn't add up — drop it in the chat. The best ones make tomorrow's edition, credited to you.

Anthropic Launches Claude Design — Figma and Canva Just Had a Bad Week

What happened: Anthropic launched Claude Design on April 17 — a research-preview product that turns a text prompt into a polished website prototype, slide deck, marketing one-pager, or interactive UI. It runs on the new Claude Opus 4.7 model, reads your codebase and brand files during setup, and exports directly to Canva or as PPTX/PDF/URL. Figma shares dropped on the news; Adobe's did too.

Why it matters: Until now, going from idea to something visual meant hiring a designer or learning Figma. Claude Design collapses that step — which means the barrier to shipping a polished product just got much lower for non-designers, small teams, and solo founders.

What everyone's saying: The discourse is split between 'Figma is toast' and 'Figma has a decade head start on multiplayer.' Anthropic admits Claude Design's collaboration is 'basic and not yet fully multiplayer.' Notably, Anthropic's CPO Mike Krieger quietly resigned from Figma's board three days before the launch.

My read between the lines: Companies that are truly complementary don't make their CPO resign from the partner's board first. This is Anthropic betting that owning the design-to-code pipeline is worth more than the partnerships it burns. The 'we complement Canva and Figma' line is what you say when you're not ready to say what you actually mean.

Today's AI Brief is brought to you by MirrorMemory.ai.

The NSA Is Using Anthropic's Most Dangerous Model — Pentagon Blacklist Be Damned

What happened: The NSA is actively using Anthropic's Mythos Preview — the company's most powerful and restricted model — even as the Pentagon formally labeled Anthropic a 'supply chain risk' and cut off the company in February. Two sources confirmed to Axios that Mythos use has spread beyond the NSA to other parts of the Defense Department.

Why it matters: Mythos was restricted to only ~40 organizations worldwide because Anthropic considered its offensive cyber capabilities too dangerous to release widely. The fact that a top intelligence agency found its way in — while the Pentagon simultaneously argues in court that using Anthropic tools threatens national security — is a story where hypocrisy and operational urgency collide head-on.

What everyone's saying: Most coverage frames this as a Pentagon-Anthropic feud, but the subtext is more interesting: organizations with Mythos access are using it primarily to scan their own systems for vulnerabilities. That's defensive cyber — exactly the line Anthropic has been drawing all along.

My read between the lines: Anthropic drew a hard line on mass surveillance and autonomous weapons — and the military went around the front door and knocked on the side. The Pentagon can call Anthropic a 'supply chain risk' in court all it wants; the NSA is still going to use the best tool available. Ideology meets procurement reality, and procurement wins.

Vibe Coding Sent a Developer an $800 Vercel Bill — and Nobody's Talking About the Real Problem

What happened: Developer Matthew Berman let Claude 4.5 pick his tools, configs, and deployment targets during two weeks of 'vibe coding' — and got an $800 Vercel bill. The culprit: Vercel's default 'Turbo' build machine at 12.5 cents per build minute, combined with 'run all builds immediately,' which fired duplicate concurrent deploys dozens of times per day. He cut costs by 99% by switching to the Elastic tier and disabling concurrent builds.

Why it matters: This is the hidden tax that never appears on the AI productivity slide deck. When AI agents pick your infrastructure for speed, not cost, the bill isn't hypothetical — it arrives fast and hard. The fix was simple once Berman knew what to look for. The awareness was the missing piece.

What everyone's saying: The 'vibe coding is dangerous' crowd is using this as exhibit A. Developers on X are trading config tips. Vercel is staying quiet. The Anthropic Claude Code team lead was also quoted in the piece saying 'I don't write any code by hand anymore' — which is either inspiring or terrifying depending on how close you are to your own Vercel bill.

My read between the lines: The real story is GEO — Generative Engine Optimization. AI models are trained on content that recommends Vercel, Resend, and Fly.io, so they keep recommending them. The companies embedded deepest in AI training data are winning market share without buying a single ad. Berman wasn't unlucky — he was marketed to.

MCP's Co-Creator Just Said the Protocol Alone Won't Cut It

What happened: At the MCP Dev Summit in New York, Anthropic engineer and MCP co-creator David Soria Parra told attendees that 2026's question isn't whether MCP works — it's what breaks when you try to scale it. His answer: retries, observability, backpressure, and agent coordination, none of which MCP provides. Tool metadata alone can consume 20%+ of an LLM's context window before the model does any real reasoning.

Why it matters: MCP is the standard that lets AI agents connect to real-world tools — databases, APIs, internal systems. It went from Anthropic project to Linux Foundation-governed industry infrastructure in under two years. The person who built it is now warning that it won't survive production without a lot of scaffolding that doesn't exist yet.

What everyone's saying: Duolingo and Uber both showed up at the summit, and neither is running MCP standalone — both are wrapping it in custom orchestration layers. The consensus: MCP is the right direction, but every team building on it is also building the same infrastructure plumbing from scratch, in parallel, in secret.

My read between the lines: A protocol co-creator giving a public talk titled 'what breaks MCP at scale' is the AI industry's version of someone writing 'considered harmful' about their own invention. It's honest — and it's a signal that the current wave of 'just add MCP' will hit a wall around mid-year when people discover the demos don't reflect the ops burden.

A Design Flaw in MCP Puts 200,000 Servers at Risk — Vendors Say It's Not Their Problem

What happened: Security researchers disclosed a design flaw in Anthropic's official MCP implementation that could expose up to 200,000 servers to complete takeover via zero-click prompt injection. The vulnerability affects AI coding tools including Claude Code, Cursor, Windsurf, Gemini-CLI, and GitHub Copilot. Windsurf got a CVE. Anthropic, Google, and Microsoft said it's a 'known issue' that requires user permission to exploit — and therefore isn't a valid security vulnerability.

Why it matters: MCP is now wired into every serious AI coding workflow. If a flaw in how it handles tool metadata can be weaponized to inject prompts and seize servers, the attack surface is every developer who installed an AI IDE plugin in the past six months — which is essentially every developer working in tech right now.

What everyone's saying: Researchers say design flaw. Vendors say expected behavior. This is the classic security disclosure standoff, and it usually ends with a CVE eventually. The security community isn't buying the 'requires user permission' response — because users click through permission dialogs without reading them, and everyone knows it.

My read between the lines: Read this next to Story 4: the MCP co-creator says the protocol needs more operational scaffolding to scale, and security researchers say the core spec has a design flaw vendors won't own. MCP is having a genuinely rough week — and it also happens to be the week that every team building agentic software is betting their entire architecture on it.

That's your AI Brief for Monday, April 20. If you spotted something we missed — a story, a thread, a chart that made you say 'wait, what?' — share it in the Substack chat. The best tips get featured in tomorrow's edition, with a shoutout to whoever sent them.

—Artificially Intimidating