Spreadsheet agents and data exfiltration & Google’s Jules for product teams - AI News (Apr 30, 2026)

Let’s start with that spreadsheet incident, because it’s a crisp example of how “AI that can take actions” changes the security model. Researchers at PromptArmor disclosed a vulnerability in Ramp’s Sheets AI where hidden instructions inside an untrusted dataset could steer the assistant to insert a malicious spreadsheet formula. When the sheet evaluated it, confidential values could be sent out to an attacker-controlled server. Ramp says it has fixed the issue. The big takeaway is broader than one product: when an assistant can edit cells, write formulas, and trigger network requests indirectly, prompt injection stops being just a funny jailbreak and becomes a real data-loss pathway.

Now zooming out to agentic software development—Google has opened an early-access waitlist for a new version of Jules. The pitch is end-to-end product development help: ingest the messy reality of product context—feedback, logs, support tickets—decide what to build next, propose a solution, and even ship a pull request. Google is framing it as an experiment and is explicitly asking teams to shape the direction. Why it matters: the industry is trying to close the loop from “insight” to “implementation,” and if agents can reliably turn scattered signals into shipped improvements, that’s a serious reduction in friction for product teams.

On the enterprise side, the big theme is that companies don’t just want a model—they want the surrounding runtime that makes agents governable. Stratechery ran an interview around the launch of an AWS-native managed agent runtime powered by OpenAI models, designed to keep identity, logging, permissions, and deployment inside customers’ AWS environments. This lands right after OpenAI’s cloud exclusivity with Microsoft loosened, and it’s a reminder that cloud distribution plus enterprise controls may decide adoption as much as raw model quality.

And if agents are going to operate on the web at scale, they’ll need different plumbing than the search we use as humans. Parallel Web Systems—an AI startup founded by former Twitter CEO Parag Agrawal—raised a large new funding round to build web-search infrastructure aimed at autonomous agents. Investors are clearly betting that “agentic browsing” becomes its own category: not just finding links, but fetching, extracting, and transforming information continuously.

Let’s talk model releases—especially the ones pushing multimodal and high-fidelity perception. NVIDIA released open-weights Nemotron 3 Nano Omni, positioned as an ‘omni-modal’ model meant to reason across text, images, documents, video, and native audio over very long contexts. The practical implication is less about any single benchmark and more about the direction: open multimodal systems that can read dense documents, follow long videos, and operate software-like interfaces are moving from research demos toward deployable tools.

Meta’s Facebook Research also shipped Sapiens2, an open-source family of high-resolution vision backbones trained for human-centric understanding—things like pose, segmentation, and other dense perception tasks. This matters because detailed human understanding is foundational for robotics, AR and VR, graphics pipelines, and even safety features—areas where generic image classifiers don’t get you very far.

In research, a Harvard team proposed what they call a Recurrent Transformer, a twist on the standard Transformer design intended to get more effective depth and better quality without making decoding more expensive in the usual way. If the claims hold up broadly, this is the kind of architectural work that can translate into lower inference memory pressure and faster serving—meaning better experiences and lower bills, not just nicer plots in a paper.

Creators are also getting a clearer signal that AI assistance is moving into the tools they already live in. Anthropic announced new connectors that integrate Claude into popular creative software—highlighting workflows like controlling complex apps via natural language, generating scripts, and automating repetitive asset work. The strategic importance here is workflow capture: once AI becomes native to design, music, and 3D tools, the ‘AI assistant’ stops being a separate destination and becomes part of the production line.

But the economics of models still matter, even when capabilities improve. OpenRouter published analysis suggesting Anthropic’s newer tokenizer in Claude Opus increases token counts for the same text, which can change real-world billing—especially in long-context, agentic coding workflows. Caching can soften the impact, but the lesson is simple: teams should treat tokenization changes like a cost event, not a footnote, because budgets and usage patterns can swing without any change in per-token pricing.

On governance and geopolitics, Google reportedly granted the U.S. Department of Defense access to its AI on classified networks with very broad latitude, after Anthropic declined to offer similarly expansive access and was then labeled a supply-chain risk—a designation now being challenged in court. This is significant because it exposes a widening divide among top AI labs on military constraints, and it also shows the Pentagon’s preference for maximal flexibility. For the public, the unresolved question is whether contractual “we don’t intend X” language is enforceable when the incentives and the operational realities push the other way.

Related to that, there’s a growing pushback against the industry’s habit of warning that models are dangerously powerful while still commercializing them. One critique this week focused on the way apocalyptic rhetoric can boost perceived importance, shape policy narratives, and distract from current measurable harms like labor impacts, misinformation, and environmental costs. Whether you agree or not, it’s a useful reminder: these are products being sold, and governance debates shouldn’t be held hostage by mythic storytelling.

Markets, meanwhile, are showing less patience for the idea that ‘AI spend automatically becomes AI profit.’ A report saying OpenAI missed internal targets for revenue and user growth helped drag down several AI-linked stocks, and it arrives right as investors are looking for proof that massive infrastructure spending is translating into durable returns. In a separate report, OpenAI’s CFO reportedly warned leadership about the affordability of future compute commitments unless revenue accelerates—raising pointed questions about financing discipline and what it would take to be IPO-ready on an aggressive timeline.

Finally, a quick culture note from open source: the Zig project continues to enforce one of the strictest anti-LLM contribution rules—banning LLM-generated content in issues and pull requests. The practical fallout is that even significant performance work in a Zig fork may never be upstreamed if it crosses that line. The deeper point is about scarce maintainer attention: some communities are optimizing for trust and long-term contributor growth, even if it means turning away faster, AI-assisted throughput.