All posts by Paul Stradling

Company Check : Disclaimer : “Copilot is for entertainment purposes only”

Microsoft’s own terms of use state that Copilot is “for entertainment purposes only”, raising important questions about how AI tools are really meant to be used in business.

What The Terms Say

Buried within Microsoft’s Copilot terms is a clear warning: “Copilot is for entertainment purposes only. It can make mistakes, and it may not work as intended. Don’t rely on Copilot for important advice. Use Copilot at your own risk.”

On the surface, this looks like standard legal language. However, some commentators have recently highlighted how this appears to sit in direct contrast to how Copilot is being positioned. For example, Microsoft is actively embedding it across Windows, Microsoft 365, and enterprise workflows, and presenting Copilot as a productivity tool for everything from writing and coding to data analysis and decision support.

Why The Disclaimer?

At its core, the disclaimer appears to be about risk management by Microsoft. Generative AI systems are probabilistic, meaning they generate responses based on patterns rather than verified facts. As a result, they can produce outputs that are plausible but incorrect, incomplete, or misleading.

This is commonly referred to as “hallucination”, and it remains a largely unresolved issue across all major AI models. Therefore, by explicitly stating that Copilot should not be relied upon for important advice, Microsoft is effectively limiting its liability if something goes wrong.

There is, however, also a second layer to this. The terms make clear that users are responsible for how they use Copilot and any consequences that follow. In practical terms, that shifts accountability away from Microsoft and onto the individual or organisation using the tool.

Not Just Microsoft

It should be noted here that this kind of disclaimer is not unique to Microsoft. OpenAI, Google, and xAI all include similar warnings in their own terms, reflecting a broader industry position that AI outputs are assistive, not authoritative.

The Gap Between Legal Position And Real-World Use

The challenge here is that this legal framing may not match how AI is actually being used. In many organisations, tools like Copilot are already being integrated into day-to-day workflows. Employees are using them to draft emails, summarise documents, generate code, and in some cases support decision-making processes.

Over time, this creates a degree of reliance, even if it is unofficial. The more useful and embedded the tool becomes, the more likely users are to trust its outputs without fully verifying them.

This is where the concept of automation bias becomes important. People tend to favour outputs generated by machines, particularly when those outputs are well-presented and appear confident. AI amplifies this effect because it produces responses that read as coherent and authoritative, even when they are not.

The result is a subtle but growing risk. Not that AI will fail completely, but that it will be trusted just enough to introduce errors into business processes.

What Does This Say About AI Maturity?

The wording in Microsoft’s terms could be said to highlight something more fundamental about the current state of AI.

Despite rapid advances in capability, these systems are clearly not yet reliable enough to be treated as independent decision-makers. They are basically tools that can assist, accelerate, and enhance work, but they still require oversight, validation, and context from human users. The fact that vendors are explicitly stating this in their legal terms suggests that the industry itself recognises the gap between capability and dependability.

This also reflects ongoing uncertainty around regulation, copyright, and accountability. For example, if an AI system generates incorrect advice, infringes intellectual property, or contributes to a business decision that causes loss, it is still not fully clear where responsibility sits.

Until those questions are resolved, vendors are likely to continue protecting themselves through broad disclaimers like this.

Why The Language May Change

Microsoft has already indicated that this wording may be updated, describing it as “legacy language” that does not fully reflect how Copilot is used today.

This suggests the company is aware of the contradiction and may move towards a more nuanced position. However, any changes are likely to be carefully balanced.

On one hand, Microsoft wants Copilot to be seen as a core productivity tool. On the other, it still needs to manage the legal and operational risks that come with deploying AI at scale.

That balancing act is not going away. If anything, it will become more pronounced as AI tools become more capable and more deeply integrated into business systems.

What Does This Mean For Your Business?

For UK businesses, the key takeaway is not that Copilot or similar tools should not be used. It is that they need to be used with a clear understanding of their limitations.

AI should be treated as a support layer, not a source of truth. Outputs should be checked, particularly where they influence decisions, customer communications, or technical implementations.

It also reinforces the need for internal controls. Clear guidelines on how AI can be used, where human review is required, and how outputs are validated are becoming essential.

There is also a broader point about responsibility here. Vendors are making it clear that the risk sits with the user, which means that businesses need to take ownership of how these tools are deployed and managed.

The key takeaway here is that AI may be marketed as a productivity solution, but it is still governed by uncertainty. Understanding that gap is what will determine whether it adds value or introduces risk.

Security Stop-Press : LinkedIn Browser Scanning Claims Raise Privacy Concerns

A “BrowserGate” report claims LinkedIn scans users’ browsers for thousands of extensions and collects device data without clear disclosure.

Researchers say LinkedIn runs a hidden script that checks for over 6,000 extensions and gathers around 48 device attributes, creating a fingerprint linked to user activity. The scanning behaviour itself has been independently verified.

LinkedIn disputes the claims, saying the detection is used to identify extensions that breach its terms, particularly scraping tools, and that it does not use the data to infer sensitive information.

Concern centres on the scale and scope of the data collected, including tools linked to competitors and potential insights into user behaviour. There are also questions about transparency, given the lack of clear disclosure in its privacy policy.

For businesses, the advice is to review browser use, limit extensions, and strengthen endpoint controls to reduce exposure of corporate activity.

Sustainability-in-Tech : How ‘Nuclear Batteries’ Could Unlock Clean Energy Efficiency

A fusion energy startup is developing a new class of nuclear battery that could help solve one of the biggest challenges in clean energy, turning radiation directly into electricity rather than wasting it as heat.

What Avalanche Energy Is Building

Avalanche Energy, a US-based fusion startup, has been awarded a $5.2 million contract from the Defense Advanced Research Projects Agency (DARPA) to develop compact “nuclear batteries” using advanced radiovoltaic technology.

These devices generate electricity by converting energy from radioactive decay, specifically alpha particles, into electrical power using semiconductor materials. The concept is similar to solar panels, but instead of converting sunlight, they convert radiation directly into electricity.

According to the company, the goal is to produce systems capable of delivering more than 10 watts per kilogram, enough to power a laptop-class device for months from a unit weighing only a few kilograms.

This is a significant step forward compared to traditional radioisotope batteries, which have historically been reliable but very low power.

Why This Matters For Fusion Energy

While the immediate application is compact power systems, the real significance lies in how this technology could support the future of fusion energy.

Fusion reactions generate enormous amounts of energy, but capturing that energy efficiently has proved difficult. Most approaches still rely on heating water and driving turbines, which introduces inefficiencies and limits overall output.

Avalanche’s approach focuses on direct energy conversion, capturing the energy of charged particles before it is lost as heat.

As the company explains, “The direct energy conversion technologies we’re developing under Rads to Watts will be essential for extracting power from fusion reactions efficiently.”

This matters because improving energy capture is one of the key barriers to making fusion commercially viable. Even if a reactor produces more energy than it consumes, that energy still needs to be converted into usable electricity in a practical and efficient way.

A Step Towards Portable, Low-Carbon Power

Beyond fusion, these nuclear batteries could offer a new type of long-duration, low-maintenance power source.

Unlike conventional batteries, they don’t need recharging in the traditional sense. Instead, they produce a steady flow of electricity over extended periods, making them suitable for environments where access to power is limited or unreliable.

DARPA’s interest reflects this potential. The programme is focused on systems that can operate in extreme environments, including space, remote locations, and infrastructure where logistics make refuelling difficult.

In terms of this broader ambition, Avalanche says: “We’re building the capabilities today that will enable tomorrow’s fusion systems to deliver reliable, portable energy for defence, space, and commercial applications.”

In sustainability terms, this could point to a future where certain applications currently dependent on diesel generators or frequent battery replacement could move to cleaner, longer-lasting alternatives.

How This Fits Into The Wider Industry

It should be noted here that Avalanche is not alone in exploring alternative ways to generate long-duration power from nuclear processes.

Companies such as US-based Zeno Power are developing radioisotope power systems designed for remote infrastructure, including maritime and Arctic applications. Zeno focuses on long-life nuclear batteries that can operate for years without maintenance.

Also, organisations like NASA and the US Department of Energy have long used radioisotope thermoelectric generators in space missions, including the Perseverance and Curiosity Mars rovers, demonstrating the reliability of nuclear-based power systems over decades.

In the private sector, firms such as Kronos Advanced Technologies and Arkenlight are also researching next-generation radiovoltaic and betavoltaic systems aimed at improving efficiency and power density.

What makes Avalanche’s approach distinct is its direct link to fusion. For example, rather than treating nuclear batteries as a standalone product, it is using them as a stepping stone towards solving a core technical challenge in fusion energy itself.

This reflects a broader trend in the industry, where companies are focusing on specific bottlenecks such as materials, energy capture, and system design, rather than attempting to solve fusion as a single problem.

What Does This Mean For Your Organisation?

For businesses, this development is less about immediate adoption and more about understanding where energy technology is heading.

The key takeaway is that the future of clean energy is not just about generation, it is about efficiency, portability, and reliability. Technologies that can deliver consistent, low-carbon power in difficult environments will open up new operational possibilities.

In the shorter term, this kind of innovation signals a move towards more resilient energy systems. Businesses operating in remote locations, critical infrastructure, or energy-intensive sectors may benefit from future solutions that reduce reliance on traditional fuel supply chains.

It also highlights the pace at which energy innovation is moving. Fusion is often seen as a distant goal, but the supporting technologies being developed today, including advanced materials and direct energy conversion systems, are already shaping the path towards it.

While nuclear batteries may not be powering offices or factories tomorrow, they represent a step towards a more flexible, sustainable energy landscape where power can be generated and used far more efficiently than it is today.

Video Update : Cowork Now Available In Copilot

Microsoft’s new ‘Cowork’ feature in Copilot lets you assign tasks by simply describing the outcome, with Copilot creating a plan, using your Microsoft 365 data, and carrying out tasks across apps in the background while keeping you in control at every step.


Tech Tip : Check If Your Files Are Only Saved In Downloads

Important files are often left in the Downloads folder and never backed up, so moving them to a synced or backed-up location helps prevent accidental data loss if your device fails or is lost.

Why This Matters

The Downloads folder is one of the most commonly used locations for saving files, especially when opening email attachments or downloading documents from the web.

However, it is often not included in automatic backup or cloud sync settings.

This means files stored there may only exist on one device.

If that device is lost, damaged or replaced, anything stored only in Downloads could be permanently lost.

How To Check Your Downloads Folder In Windows

  1. Open File Explorer.
  2. Click on Downloads in the left-hand menu.
  3. Review the files stored there.

Look for anything important that should be kept long term.

What To Do Next

  • Move important files to Documents, Desktop or another backed-up folder.
  • Or save them directly into OneDrive or your company’s shared storage.

If your organisation uses OneDrive folder backup, ensure key folders are being synced properly.

What To Watch For

  • Files in Downloads are often temporary by nature.
  • Important documents can easily be forgotten there.
  • Backups and sync tools may not include this folder by default.

A Practical Approach

Take a minute to check your Downloads folder now.

Moving important files into a backed-up location is a simple habit that can prevent unnecessary data loss and ensure your work is properly protected.

Google Brings ‘Q-Day’ Closer With 2029 Encryption Warning

Google has warned that the moment quantum computers can break today’s encryption may arrive within the next few years, accelerating timelines for businesses to prepare for a fundamental change in digital security.

What Is ‘Q-Day’?

Q-Day refers to the point at which a quantum computer becomes powerful enough to break widely used cryptographic systems such as RSA and elliptic curve cryptography, which underpin everything from online banking to software updates.

Google’s position is that this is no longer a theoretical concern for the distant future. As the company warned in its earlier guidance, “the encryption currently used to keep your information confidential and secure could easily be broken by a large-scale quantum computer in coming years.”

The Risk Is Already Emerging

Attackers are also believed to be collecting encrypted data today with the intention of decrypting it later once quantum capabilities become available, a tactic often referred to as ‘store now, decrypt later’.

Google Revises Its Timeline

In a recent update, Google has set out a more urgent timeline for the transition to post-quantum cryptography, signalling that the industry may have less time than previously expected to prepare for this moment.

The company has now introduced a 2029 target for completing its migration to quantum-resistant cryptography, stating: “We’re setting a timeline for post-quantum cryptography migration to 2029.” This is more urgent than earlier industry expectations, which placed large-scale quantum threats in the mid-2030s.

Not A Direct Prediction

It’s worth noting here that this isn’t a direct prediction from Google of when exactly quantum computers will most likely break encryption, but it provides some guidance and a reassessment of how quickly organisations need to act.

Why The Updated Timeline?

Google said the change is based on recent progress in “quantum computing hardware development, quantum error correction, and quantum factoring resource estimates”.

In simple terms, it seems the technical barriers that once made quantum threats feel distant are being reduced faster than expected.

Google’s update of Q-Day is not simply about setting a date; it is about creating urgency. The company has made this explicit in a recent blog post about the update, stating: “As a pioneer in both quantum and PQC, it’s our responsibility to lead by example and share an ambitious timeline.” It added that the goal is to “provide the clarity and urgency needed to accelerate digital transitions not only for Google, but also across the industry.”

This reflects a broader concern that organisations are underestimating the scale and complexity of the transition required.

This urgency also reflects the scale of what organisations are being asked to do. For example, moving from current cryptographic standards to post-quantum alternatives is not a simple upgrade. It involves identifying where encryption is used, replacing algorithms across systems, updating infrastructure, and ensuring compatibility across supply chains and partners.

The UK’s National Cyber Security Centre has already described this transition as a “complex change programme”, highlighting the scale of the task facing organisations.

The Gap Between Awareness And Readiness

Despite growing awareness of quantum risks, most organisations are not ready.

Part of the challenge is that the threat itself is difficult to fully understand. Quantum computers are often described as vastly more powerful than today’s systems, and for many businesses, this means the practical implications are unclear. Understanding how and when these machines could break existing encryption, and what that means for real-world systems, is not straightforward without some specialist knowledge.

Research cited in industry reports suggests that while a majority of businesses expect quantum-enabled attacks within the next five years, only a small proportion have a clear roadmap in place to address them.

This means that while many organisations accept that quantum threats are coming, there is still uncertainty about how serious those risks are, when they are likely to materialise, and what practical steps should be taken. That uncertainty can easily lead to delays or a tendency to wait for clearer standards and tools rather than acting early.

Google’s revised timeline challenges that assumption by bringing forward its own migration target and signalling that waiting may not be a viable strategy.

What Google Is Already Doing To Help

Alongside announcing its timeline update, Google says it is actively deploying post-quantum cryptography across its own platforms.

The company has highlighted how Android 17 will integrate PQC digital signature protection using ML-DSA, aligned with standards from the National Institute of Standards and Technology.

This is part of a broader effort to build what Google describes as a “new, quantum-resistant chain of trust”, ensuring that systems remain secure even as computing capabilities evolve.

Google says it has also been working on PQC for several years, including deploying quantum-resistant key exchange mechanisms in Chrome and internal systems, and contributing to global standards development, all of which points to the fact that the transition is not only necessary, but already underway.

Why This Matters

The implications extend far beyond large technology providers. For example, encryption underpins core business functions, from securing customer data and financial transactions to protecting intellectual property and ensuring the integrity of software and communications.

If current cryptographic systems become vulnerable, the impact will not be limited to future systems. Data encrypted today could still be exposed years later if it is harvested and stored by attackers now.

That means the risk is already present, even if the technology required to exploit it fully is not yet available.

What Does This Mean For Your Business?

For most organisations, the key issue here is not whether quantum computing will affect them, but how prepared they are for the transition it will require.

Google’s updated timeline suggests that preparation needs to begin sooner rather than later, particularly for systems that rely on long-lived data or digital signatures that must remain secure for many years.

This will involve building what is often referred to as crypto agility, the ability to update cryptographic algorithms without disrupting services, as well as developing a clear inventory of where and how encryption is used across the organisation. In practical terms, that means identifying where sensitive data is stored, how it is protected in transit and at rest, and which systems rely on public key cryptography that may need to be replaced.
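One way to turn such an inventory into a migration list is shown below. This Python is an added example, not code from Google or this article: the inventory rows, system names and status labels are constructed, and the 2029 figure is used only as an assumed planning horizon.

```python
import re

# Constructed inventory rows (not a real estate). System names, purposes and
# years are assumptions: (system, purpose, algorithm, protect_until_year).
INVENTORY = [
    ("customer-portal", "tls-key-exchange", "X25519MLKEM768", 2035),
    ("customer-portal", "tls-certificate", "RSA-2048", 2027),
    ("backup-archive", "key-wrapping", "RSA-4096", 2040),
    ("backup-archive", "bulk-encryption", "AES-256-GCM", 2040),
    ("firmware-updates", "code-signing", "ECDSA-P256", 2036),
    ("device-boot", "code-signing", "ML-DSA-65", 2040),
    ("legacy-vpn", "key-exchange", "vendor-proprietary-kex", 2030),  # made-up name
]

PQC = {"MLKEM", "MLDSA", "SLHDSA"}
CLASSICAL = {"RSA", "ECDSA", "ECDH", "ED25519", "X25519", "DSA", "DH"}
# Longer names come first so "MLDSA" and "ECDSA" are not read as plain "DSA".
COMPONENT = re.compile(
    "MLKEM|MLDSA|SLHDSA|ECDSA|ECDH|ED25519|X25519|RSA|DSA|DH|AES|CHACHA20|SHA")
SEVERITY = ["ok", "migrate-scheduled", "manual-review", "migrate-first"]


def classify(algorithm):
    """Map an algorithm or cipher-suite name to a cryptographic family."""
    normalised = re.sub(r"[^A-Z0-9]", "", algorithm.upper())
    parts = set(COMPONENT.findall(normalised))
    if parts & PQC:
        # A hybrid keeps a classical component next to the post-quantum one.
        return "hybrid" if parts & CLASSICAL else "pqc"
    if parts & CLASSICAL:
        return "quantum-vulnerable"
    return "symmetric-or-hash" if parts else "unknown"


def assess(algorithm, protect_until, horizon=2029):
    """Status for one row; horizon is an assumed planning year, not a forecast."""
    family = classify(algorithm)
    if family == "quantum-vulnerable":
        # Data or signatures that must hold past the horizon go to the front.
        return "migrate-first" if protect_until >= horizon else "migrate-scheduled"
    return "manual-review" if family == "unknown" else "ok"


def rollup(inventory, horizon=2029):
    """Per system: the worst status found and the algorithms responsible."""
    report = {}
    for system, _purpose, algorithm, until in inventory:
        status = assess(algorithm, until, horizon)
        worst, causes = report.get(system, ("ok", []))
        if SEVERITY.index(status) > SEVERITY.index(worst):
            worst, causes = status, [algorithm]
        elif status == worst and status != "ok":
            causes = causes + [algorithm]
        report[system] = (worst, causes)
    return report


if __name__ == "__main__":
    for system, (status, causes) in rollup(INVENTORY).items():
        print(f"{system:18} {status:18} {', '.join(causes)}")
```

The hybrid key exchange on customer-portal is read as post-quantum even though its name contains X25519, and ML-DSA is not mistaken for classical DSA; a plain substring search would get both wrong.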

It also means starting to assess whether existing platforms, applications and suppliers are capable of supporting post-quantum cryptography, and whether updates, migrations or architectural changes will be required. Some organisations are already beginning to test quantum-resistant algorithms in non-critical systems to understand performance, compatibility and operational impact before wider rollout.

Engagement with suppliers and partners will also be important, as cryptographic systems rarely operate in isolation and weaknesses in third-party systems can undermine otherwise secure environments.

Taken together, Google’s update suggests that the window for treating quantum security as a future concern is narrowing, and that organisations that begin mapping, testing and planning now will be in a far stronger position than those that wait.

Scammers Using Virtual Smartphones To Slip Past Fraud Checks

Fraudsters are increasingly using rentable “cloud phones” that look and behave like real smartphones, creating a new problem for banks, fintechs and businesses that have come to trust the device in a customer’s hand.

Now Using Cloud Phones

According to a recent report by security firm Group-IB, a growing number of scammers are no longer relying on crude emulators or racks of physical handsets to run fraud at scale. Instead, they are turning to cloud phones, effectively remote Android devices running in datacentres, which can be rented cheaply and accessed over the internet.

These services are marketed as legitimate tools for developers, marketers or businesses managing multiple accounts but, in practice, it seems they are also now being widely abused. As the report explains, “what began as a simple scheme to inflate social media metrics has evolved into a sophisticated threat that is quietly reshaping the economics of digital fraud.”

This matters because many fraud controls were built around the idea that fake devices tend to look fake. For example, emulators often leak obvious signs, such as unusual hardware configurations, missing sensor data or other artefacts that security teams know how to spot.

Cloud phones, however, don’t give off these more obvious signals. As Group-IB says, they are “for all intents and purposes… real phones, running genuine firmware, exhibiting natural sensor behavior, and presenting valid hardware attestation.” In other words, they are designed to look authentic at the technical level.

Why They Are So Hard To Detect

Fraud detection systems have traditionally relied on identifying unusual devices, spotting changes in device identity, or flagging suspicious technical signals, all of which have proven effective against earlier generations of emulators and virtual environments.

Cloud phones, however, are designed to avoid exactly those signals by maintaining consistent device characteristics over time while presenting realistic hardware identifiers, software environments and behavioural patterns that closely resemble those of genuine smartphones.

The report highlights that “what makes this threat unlike any other is its invisibility,” noting that activity from these devices can “appear indistinguishable from a legitimate device” to existing detection systems.

Each cloud phone instance can have its own device ID, IP address, geolocation and system profile. Unlike traditional emulators, which often expose tell-tale inconsistencies, these environments are engineered to behave like genuine smartphones over time.

It’s this consistency that’s critical because it allows a device to build up a trusted history, which can then be exploited for fraud without triggering alerts designed to detect sudden changes.

How The Fraud Works In Practice

Group-IB’s report traces how this technology has moved from social media manipulation into financial crime. One of the most significant use cases is the creation and operation of so-called ‘dropper’ or ‘mule accounts’, which are accounts used to receive and move stolen funds.

For example, it seems that fraudsters can open or verify accounts using a cloud phone, then continue to access those accounts from the same virtual device. In some cases, access to both the account and the associated cloud phone instance can be sold on to other criminals.

As Group-IB explains, this creates a powerful advantage for the fraudsters because the same device signals are preserved throughout, meaning “the same device accessing the account that has always accessed it” appears to be in use (once again, it’s the consistency that works).

From a fraud detection perspective, that removes one of the key triggers for additional checks, i.e., there’s no obvious device change, no sudden shift in behaviour, and no immediate reason to challenge the transaction.

The Scale Of The Problem

This development comes at a time when authorised push payment fraud (where victims are tricked into sending money directly to a scammer, often through social engineering) is already a major issue. For example, in the UK alone, losses reached £485.2 million in 2023, with mule accounts playing a central role in moving stolen funds.

Cloud phones make these accounts easier to create, operate and scale. Group-IB says they have enabled “industrial-scale financial fraud” by lowering the cost and complexity of maintaining large numbers of apparently legitimate devices.

It seems that using cloud phones also gives fraudsters an extra economic advantage. Instead of investing in physical phone farms, fraudsters can now rent infrastructure on demand, making it accessible to a wider range of actors with relatively low upfront cost.

Why This Challenges Existing Security Models

For years, device fingerprinting has been a reliable layer in fraud prevention. If an account is accessed from a new or suspicious device, that can trigger step-up authentication or block the transaction.

Cloud phones weaken that model because the device itself is no longer a strong signal of trust if it can be rented, replicated and transferred between users while maintaining a consistent identity.

This doesn’t mean existing controls are obsolete, but it does mean they are no longer sufficient on their own. Group-IB’s report argues that detection must, therefore, move beyond simple device checks and towards a more layered approach.

Group-IB concludes that fraud prevention needs “device-environment correlation, infrastructure-level visibility, behavioral modeling, and graph-based analytics” to identify patterns that individual device checks may miss.
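The layered approach described above can be illustrated over session data, combining a device-environment check with a graph step. This Python is an added example, not code from Group-IB or this article: the session fields, the hosting prefixes (RFC 5737 documentation ranges) and the thresholds are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample sessions (not real data). Field order and values are
# assumptions: account, device_id, source IP, attestation result, counterparty.
SESSIONS = [
    ("acct-01", "dev-a1", "203.0.113.10", True, "payee-900"),
    ("acct-01", "dev-a1", "203.0.113.10", True, "payee-900"),
    ("acct-02", "dev-b2", "203.0.113.11", True, "payee-900"),
    ("acct-03", "dev-c3", "203.0.113.57", True, "payee-901"),
    ("acct-04", "dev-d4", "198.51.100.20", True, "payee-901"),
    ("acct-10", "dev-x1", "198.51.100.77", True, "payee-500"),
    ("acct-10", "dev-x2", "198.51.100.77", True, "payee-500"),  # new handset
    ("acct-11", "dev-y1", "198.51.100.78", True, "payee-500"),
    ("acct-12", "dev-z1", "192.0.2.5", True, "payee-777"),  # lone datacentre user
]

# Hypothetical hosting/datacentre prefixes (documentation ranges).
HOSTING_RANGES = [ip_network("203.0.113.0/24"), ip_network("192.0.2.0/24")]


def hosting_range(ip):
    """Return the hosting prefix containing ip, or None for other networks."""
    addr = ip_address(ip)
    for net in HOSTING_RANGES:
        if addr in net:
            return net
    return None


def device_change_alerts(sessions):
    """Legacy control: accounts seen on more than one device ID."""
    devices = defaultdict(set)
    for account, device, _ip, _attested, _payee in sessions:
        devices[account].add(device)
    return sorted(a for a, seen in devices.items() if len(seen) > 1)


def mismatched_accounts(sessions):
    """Device-environment correlation: attested handset on a hosting network."""
    return {account for account, _d, ip, attested, _p in sessions
            if attested and hosting_range(ip) is not None}


def clusters(sessions):
    """Graph step: link accounts sharing a hosting prefix or a counterparty."""
    parent = {}

    def find(node):
        parent.setdefault(node, node)
        while parent[node] != node:
            parent[node] = parent[parent[node]]  # path halving
            node = parent[node]
        return node

    def union(a, b):
        parent[find(a)] = find(b)

    for account, _d, ip, _attested, payee in sessions:
        union(account, ("payee", payee))
        net = hosting_range(ip)
        if net is not None:
            union(account, ("net", str(net)))
    groups = defaultdict(set)
    for node in list(parent):
        if isinstance(node, str):  # account nodes are strings, links are tuples
            groups[find(node)].add(node)
    return sorted(sorted(group) for group in groups.values())


def flag_clusters(sessions, min_size=3, min_mismatch=0.5):
    """Flag clusters where most members show the mismatch (assumed thresholds)."""
    bad = mismatched_accounts(sessions)
    flagged = []
    for group in clusters(sessions):
        ratio = len(bad.intersection(group)) / len(group)
        if len(group) >= min_size and ratio >= min_mismatch:
            flagged.append((group, round(ratio, 2)))
    return flagged


if __name__ == "__main__":
    print("device-change alerts:", device_change_alerts(SESSIONS))
    print("flagged clusters:", flag_clusters(SESSIONS))
```

On this constructed data the device-change check alerts only on acct-10, a customer with a new handset, while the graph step surfaces the four linked accounts and leaves the lone datacentre user acct-12 unflagged.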

What Does This Mean For Your Business?

For financial institutions, the message from this report is clear. A device that looks genuine can no longer be treated as strong evidence that the activity behind it is genuine too. Fraud detection will really need to focus more on behaviour, context and relationships between accounts rather than relying heavily on device identity alone.

For other businesses, particularly those using mobile apps for onboarding, payments or identity verification, this is a warning that mobile trust models are becoming more complex. Controls that once worked well may now need to be reassessed.

There is also a broader operational implication. As fraud infrastructure becomes easier to rent and scale, the barrier to entry for sophisticated attacks is lowering. That increases the likelihood that smaller organisations, not just major banks, will encounter more advanced fraud techniques.

This represents a clear change in how fraud is delivered, as the fraudster no longer needs to manage large numbers of physical devices and can instead access a virtual environment that behaves like a real smartphone and is designed to pass as one.

Taken together, this research seems to suggest that the balance of trust is changing, with the device in the user’s hand, or at least the one it appears to be, no longer something businesses can rely on without question.

Most IT Leaders Don’t Fully Trust Their Cybersecurity Vendors

New global research shows that while organisations rely heavily on cybersecurity providers, only a small minority fully trust them, exposing a growing gap between dependence and confidence.

A Critical Dependency (With Limited Confidence)

Cybersecurity vendors essentially sit at the heart of modern business operations, responsible for protecting systems, data, and day-to-day continuity. For many organisations, particularly those without large internal IT teams, these providers effectively act as an extension of the business itself.

However, new research from Sophos suggests that this reliance is not matched by confidence. Its Cybersecurity Trust Reality 2026 report, based on a survey of 5,000 IT and security leaders across 17 countries, found that only 5 per cent of respondents say they fully trust their cybersecurity vendors.

This disappointing statistic suggests that businesses are placing critical operational resilience in the hands of providers they don’t completely trust, which raises questions about how risk is actually being managed in practice.

Why Is There A Trust Issue?

One of the most striking findings is not just the lack of trust, but how difficult organisations find it to assess vendors in the first place.

According to the report, 79 per cent of organisations struggle to evaluate the trustworthiness of new cybersecurity providers, while 62 per cent report the same challenge with vendors they already use. This suggests that trust gaps do not disappear once a contract is signed.

The reasons for this are largely practical rather than emotional. For example, many organisations report that vendor information is either not detailed enough, difficult to interpret, or inconsistent across sources. Others admit they lack the internal expertise needed to properly assess technical claims.

As the report explains, organisations are often left trying to validate complex security capabilities without clear, standardised evidence, making meaningful comparisons between providers difficult.

This is where trust begins to shift from a perception issue to a structural one. If organisations cannot independently verify what vendors claim, trust becomes inherently fragile.

Trust As A Measurable Risk Factor

The report makes the important point that, within organisations, trust is no longer seen as a soft or abstract concept, but as something that directly influences risk.

As Sophos notes, “Trust is not an abstract concept in cybersecurity, it’s a measurable risk factor,” highlighting how uncertainty around vendor capability feeds directly into business risk assessments and decision-making.

The report reinforces this further, stating that “CISOs are being asked to prove trust, not assume it,” reflecting the growing expectation that confidence in vendors must be backed by evidence rather than reputation.

This is reflected in how organisations report the impact of low trust. More than half, 51 per cent, say it increases concern that they are more likely to experience a significant cyber incident.

Other consequences are more operational. For example, 45 per cent say it makes them more likely to switch vendors, while others report increased oversight requirements and reduced confidence in their overall security posture.

In effect, a lack of trust doesn’t just create anxiety; it drives cost, complexity, and ongoing disruption.

A Disconnect Between IT And Leadership

Another layer of complexity seems to come from internal misalignment. The report found that 78 per cent of organisations experience differences of opinion between IT teams and senior leadership when assessing vendor trustworthiness.

This reflects the different priorities at play. For example, technical teams tend to focus on performance, reliability, and day-to-day effectiveness, while leadership is more concerned with accountability, compliance, and reputational risk.

When those perspectives do not align, decision-making becomes more difficult. Vendor selection, contract renewal, and incident response planning can all be affected by differing views on how much confidence should be placed in a provider.

What Builds Trust?

The research also highlights a clear shift in what organisations look for when evaluating vendors.

Across both IT teams and senior leadership, the strongest driver of trust is no longer brand reputation or marketing claims, but verifiable evidence. This includes independent certifications, third-party assessments, documented vulnerability disclosures, and demonstrable operational maturity.

Transparency also plays a central role. Organisations increasingly expect clear communication during incidents, visibility into how security processes operate, and evidence that issues are identified and resolved effectively.

As the report makes clear, trust is something that must be demonstrated continuously, not assumed.

This becomes even more important as AI is integrated into cybersecurity tools. Organisations are now asking not just what a system does, but how it makes decisions, how it is governed, and how risks are managed.

What Does This Mean For Your Business?

For UK businesses, this research highlights a critical issue that often sits beneath the surface of cybersecurity strategy.

Most organisations assume that choosing a reputable vendor is enough to reduce risk. In reality, the challenge is not just selecting a provider, but being able to verify, monitor, and validate what that provider is doing over time.

This means trust can no longer be treated as a one-off decision made during procurement. It needs to be actively maintained through ongoing oversight, clear reporting, and defined accountability.

It also suggests that businesses should place greater emphasis on evidence when assessing vendors. Certifications, independent testing, and transparent disclosure practices are becoming essential, not optional.

There is also a need to address internal alignment. Ensuring that IT teams and leadership share a common understanding of vendor risk can help avoid fragmented decision-making and improve overall resilience.

Ultimately, the findings show that cybersecurity is not just about technology, but about confidence in the organisations delivering it. When that confidence is missing, even the most advanced tools can leave businesses feeling exposed.

AI That Always Agrees May Be Harming Our Judgement

New research shows that leading AI systems frequently tell users they are right, and that this behaviour may be subtly weakening people’s ability to reflect, take responsibility, and repair relationships.

What The Research Found

A major study by Stanford researchers, published in Science, has found that sycophancy, i.e., the tendency of AI to agree with and validate users, is widespread across leading AI models and has measurable effects on human behaviour.

Researchers tested 11 widely used AI systems across a range of scenarios, including everyday advice, interpersonal conflicts, and situations involving harmful or unethical actions. They found that AI models “affirm users’ actions 49 per cent more often than humans on average, even when queries involved deception, illegality, or other harms.”

The research found that this was not limited to edge scenarios. Even when human consensus clearly judged a person to be in the wrong, AI systems still sided with the user in a significant proportion of cases.

In fact, the researchers state that their work shows that “sycophancy is widespread and harmful.”

Why This Matters More Than It Sounds

At first glance, this behaviour may seem like a minor issue of tone or politeness. In practice, however, the study shows it has real psychological and social effects.

Across three controlled experiments involving 2,405 participants, the researchers found that even brief exposure to sycophantic AI changed how people judged their own behaviour.

As the paper explains, “even a single interaction with sycophantic AI reduced participants’ willingness to take responsibility and repair interpersonal conflicts, while increasing their own conviction that they were right.”

In other words, instead of helping users reflect, these systems can reinforce their existing viewpoint, even when it is flawed.

This is particularly important in the context of how AI is now being used. Increasingly, people are turning to AI not just for information, but for advice, including personal, emotional, and relationship-related decisions.

How AI Changes Human Behaviour

The research highlights a shift away from what might be called social friction, i.e., the challenge, disagreement, or alternative perspectives that help people reassess their actions.

Sycophantic AI removes much of that friction. Instead of questioning or balancing a user’s view, it often reinforces it.

The result is a measurable change in behaviour. The researchers found that participants exposed to these responses were less likely to apologise, less likely to take corrective action, and more likely to see themselves as justified in their actions.

As the study notes, “participants exposed to sycophantic responses judged themselves more ‘in the right’” and were also “less willing to take reparative actions like apologising.”

Broadly speaking, repeated reinforcement of one-sided perspectives could, over time, affect how people handle disagreements, feedback, and accountability in real-world situations.

Why The Problem Is Likely To Persist

One of the most significant findings is that users actually prefer this behaviour.

Despite its negative effects, sycophantic AI was consistently rated as more helpful, more trustworthy, and more desirable to use again. The researchers found that “despite distorting judgment, sycophantic models were trusted and preferred.”

This creates a difficult dynamic for AI developers. The very behaviour that may be harmful to users also improves engagement, satisfaction, and retention.

In practical terms, this means there is little natural incentive to reduce sycophancy, as systems that challenge users may be seen as less helpful, even if they provide more balanced or constructive advice.

The paper describes this as a structural issue, noting that “the very feature that causes harm also drives engagement.”

This seems to show a clear conflict at the heart of the problem.

A Wider Risk Beyond Vulnerable Users

Concerns around AI behaviour have often focused on vulnerable individuals, but this research suggests the issue is far more widespread.

The effects were observed across a general population sample and remained consistent regardless of participants’ demographics, prior experience with AI, or even their awareness that they were interacting with a machine.

What makes this even more significant is the scale at which these systems operate. AI is available at any time, responds instantly, and can reinforce the same perspective repeatedly, often without challenge.

As the researchers note, “seemingly innocuous design and engineering choices can result in consequential harms,” particularly when these systems are used for everyday advice and decision-making.

Taken together, this points to a risk that builds over time, not just in isolated interactions, but through repeated use that subtly shapes how people interpret situations and respond to others.

What Does This Mean For Your Business?

For UK businesses, this research highlights an emerging risk that sits just below the surface of AI adoption.

Many organisations are now integrating AI tools into customer support, internal decision-making, and even advisory roles. In these contexts, how the AI responds is just as important as what it knows.

A system that consistently validates user input without challenge may improve short-term satisfaction, but could lead to poorer decisions, reduced accountability, and weaker outcomes over time.

There is also a reputational dimension here. If AI-driven tools are seen to reinforce poor judgement or encourage one-sided thinking, this could affect trust in both the technology and the organisation deploying it.

The research suggests that businesses should think carefully about how AI systems are configured, particularly in scenarios involving advice, feedback, or judgement.

It also points towards a broader governance question. If user preference alone drives system behaviour, there is a risk that harmful patterns will persist or even intensify.

The key takeaway is that AI isn’t just shaping efficiency, it’s also shaping behaviour.

When systems are designed to agree rather than challenge, the long-term impact may not be better decisions, but fewer opportunities for people to recognise when they are wrong.

Company Check : SpaceX IPO Signals A New Phase Of Tech Power And Funding

It’s been reported that SpaceX has confidentially filed for what could be the largest IPO in history, with the timing and structure of the move suggesting this may be as much about funding pressure and strategic consolidation as it is about market opportunity.

What Has Been Reported?

Multiple sources (including Bloomberg and Reuters) have reported that Elon Musk’s SpaceX company has submitted draft IPO paperwork to the US Securities and Exchange Commission, with plans to raise between $40 billion and $75 billion. An IPO is when a company sells shares to the public for the first time to raise investment, effectively becoming a publicly listed company, similar to a plc in the UK.

Becoming One Of The Most Valuable Companies In The World

At the upper end, this would comfortably exceed Saudi Aramco’s record $29 billion listing and could value SpaceX at up to $1.75 trillion. That would place it among the most valuable companies in the world at the point of listing.

Confidential Filing

It’s been reported that the filing was made confidentially. This is actually quite a common approach that allows companies to receive regulatory feedback before publicly disclosing financial details. A listing could follow as early as June, depending on market conditions.

Why Is SpaceX Going Public Now?

For years, Elon Musk had suggested SpaceX would remain private until its long-term goals, particularly around Mars, were further advanced. That position now appears to have changed, and the most likely reason is financial rather than philosophical.

SpaceX is no longer just a launch provider. It is now a capital-intensive technology platform spanning satellite internet, heavy-lift rocketry, defence contracts, and artificial intelligence, and each of these areas requires sustained, large-scale investment.

Starship development alone is expected to cost billions, while Starlink requires constant satellite replacement and expansion. On top of this, the integration of Musk’s AI company xAI introduces a further layer of cost, particularly given the expense of compute, data centres, and energy required to train and run large models.

As some analysts have noted, public markets offer access to capital at a scale private funding cannot easily match, which is likely to be what SpaceX needs to cover the huge technology, infrastructure, and energy costs of scaling up.

The Business Behind The Valuation

The strongest commercial foundation for the IPO is Starlink, which has become the most financially successful part of the business. Reports suggest it generated over $10 billion in revenue in 2025 with strong margins, driven by rapid global subscriber growth.

This matters because it provides a predictable, recurring revenue stream that investors can understand and value. In effect, Starlink transforms SpaceX from a project-driven aerospace company into something closer to a telecoms and infrastructure provider.

However, the business itself is becoming more complex. The recent merger with xAI, alongside the integration of the X platform, means SpaceX now operates across communications, AI, defence, and media, rather than being focused purely on space and satellites.

While this may strengthen the long-term strategic story, it also makes valuation more difficult. Some analysts have suggested the merger allows less mature or loss-making parts of the business to be supported by Starlink’s cash flow ahead of the IPO.

Governance And Market Scrutiny

Going public will bring a level of scrutiny that SpaceX has largely avoided as a private company. Quarterly reporting, audited financials, and shareholder accountability will become standard.

Conflicts Of Interest?

There are also broader governance questions. For example, the combination of multiple Musk-controlled companies into a single entity, along with his significant personal stake, raises some familiar concerns around decision-making and possible conflicts of interest.

These concerns are amplified by SpaceX’s role in government infrastructure. For example, the company holds major contracts with NASA and the US Department of Defense, and its Starlink network has become critical communications infrastructure in certain geopolitical situations.

The overlap between private commercial activity and public sector dependency is not new, but at this scale it becomes more visible and more relevant to investors.

Why The Structure Of The IPO Matters

One unusual reported feature is the intention to allocate a larger than normal proportion of shares to retail investors.

If confirmed, this would broaden access to the offering but may also create a shareholder base that is more aligned with Musk’s long-term vision and less focused on short-term governance challenges.

This approach echoes earlier tech IPOs that sought to balance institutional control with wider participation, though it can also reduce pressure from activist investors.

What Does This Mean For Your Business?

For UK businesses, the SpaceX IPO is less about space exploration and more about how modern infrastructure is being built and funded.

The company sits at the intersection of connectivity, defence, and AI, all areas that increasingly underpin day-to-day business operations. Its move to public markets reflects the scale of investment now required to compete in these sectors.

It also highlights a broader trend. The most influential technology platforms are no longer narrow products or services. They are integrated systems combining data, infrastructure, and intelligence, often across multiple industries.

From a risk and strategy perspective, this creates both opportunity and dependency. Businesses benefit from faster innovation and more capable platforms, but they also become more reliant on a smaller number of providers whose decisions are shaped by capital markets as much as technology.

There is also a lesson around scrutiny here. As companies grow in scale and importance, transparency becomes unavoidable. The shift from private to public ownership brings greater visibility, but also greater accountability.

In simple terms, this IPO is not just a milestone for SpaceX. It is a signal that the next phase of technology competition will be defined by access to capital, control of infrastructure, and the ability to operate at global scale.