
The most useful AI stories are often buried in the plumbing. Anthropic expanding Project Glasswing and Microsoft using Build to position Windows as an agent-native operating system both point to the same shift: AI is moving from a clever assistant layer into the operational layer where work is planned, executed, monitored and secured.

For project delivery leaders, this deserves attention because construction, infrastructure and asset operations already run on connected software. Once AI agents act across design tools, cost systems, common data environments, scheduling platforms and maintenance platforms, leaders need clear answers on access, permissions, change control and recovery.

Anthropic and Microsoft are approaching the problem from different directions. Anthropic is showing how AI can strengthen software defence. Microsoft is showing how operating systems may need to contain agents when they run code, inspect files and call tools.

Project Glasswing expands the defensive use case

Anthropic has widened Project Glasswing, its programme for using Claude to find security weaknesses in critical infrastructure software. According to Anthropic, the expansion gives around 150 additional organisations access to its Claude Mythos Preview capability across more than 15 countries. The programme covers sectors that matter directly to built environment readers, including power, water, healthcare, communications and hardware.

The early numbers are striking. Anthropic says initial partners found more than 10,000 high or critical severity security flaws while using Claude Mythos Preview. The company has also launched Claude Security, a product using Opus 4.8 for codebase vulnerability scanning and patch suggestions. That moves the story from experimental discovery toward day-to-day remediation support.

Anthropic framed the expansion in broad terms: “This expansion is the next step toward our long-term goals: for AI to make all software more secure and for us to help the industry adjust to how AI could change many of the core assumptions of cybersecurity.”

That quote should land with anyone responsible for complex project systems. Buildings, hospitals, factories, rail networks, energy systems and campuses rely on layers of code, identity, cloud services and supplier platforms. A weakness in one layer can affect data, access, operations or public trust.

Microsoft is building for agents that act

Microsoft’s Build announcements were about more than assistant features. The direction is a Windows platform designed for building and running agents. That includes Windows Development Skills, Intelligent Terminal, Windows 365 for Agents, the MXC SDK and Aion 1.0 Plan.

Aion 1.0 Plan is especially relevant because Microsoft described it as a 14B parameter reasoning model shipping in-box on capable Windows devices for fully agentic on-device workflows. Pavan Davuluri, president of Windows and Devices at Microsoft, described the direction as running AI workloads “on-device, in the cloud or across both without trade-offs.”

For AEC organisations, more reasoning could happen on managed site devices where connectivity, confidentiality or latency makes cloud-only workflows awkward.

Microsoft also introduced the MXC SDK, short for Microsoft eXperimental Container. Its purpose is to give agents a safer execution environment. Microsoft’s Windows agent security work describes MXC as a policy-driven execution layer in the Windows kernel that constrains what AI agents can access, including files, network resources and peripherals.

Microsoft put the principle clearly: “Containment bounds what agents can access and do, so non-deterministic behavior doesn’t translate into uncontrollable risk.”

Dana Huang and Logan Iyer also wrote that “AI agents are no longer just answering questions, they are taking actions across systems with increasing autonomy.”

Those two statements capture the governance challenge. Once agents can act, the operating system needs to help define the safe space for those actions.

The idea is moving into developer workflows: GitHub Copilot CLI already uses MXC for process isolation.

OpenAI’s David Wiesen described the same direction in production terms: “Working with Microsoft on the Microsoft Execution Containers (MXC) allows us to explore new patterns for AI agents to safely and efficiently generate and execute code. By combining Codex's capabilities with MXC's execution environment, we aim to help developers move from intent to reliable execution faster, while maintaining the security and control enterprises need.”

For project organisations, that is the real headline. A coding agent, document agent or reporting agent may be useful, yet its usefulness depends on where it runs, what it can touch, how outputs are recorded and who can review its actions.

Why this belongs on the project delivery agenda

AI security is often treated as a matter for the chief information security officer. That view is too narrow once agents enter delivery workflows. A project team might ask an agent to reconcile change notices, summarise correspondence, compare programme versions, draft meeting actions, inspect models or analyse supplier risk. Those uses involve contractual data, client information and project records.

The combined lesson from Anthropic and Microsoft is that AI security now has two linked jobs. Organisations need better discovery so weaknesses are found earlier. They also need better containment so agent behaviour remains bounded when AI connects to real systems.

For built environment firms, that suggests a few practical questions:

Which AI tools can access project records, commercial data or client material?

Which agents can take actions rather than only suggest actions?

Where are AI-assisted workflows logged?

Who approves an agent that connects to a production system?

Which vulnerabilities are critical because of the asset or project context, beyond generic severity scoring?

These questions should be asked before agent platforms feel routine. Once workflows settle, permissions, habits and vendor dependencies become harder to unwind.

Discovery needs response capacity

Project Glasswing is impressive because it shows how AI can help defenders scale security work. Discovery is only the first stage. A long list of weaknesses can become another unmanaged backlog if organisations lack the process capacity to act.

That response system needs asset context. A high-severity issue in a retired internal tool may be less urgent than a medium-severity issue in a system connected to live site access, payment approvals or operational asset data. AI can help sort signals, yet final prioritisation needs business knowledge. Security teams need project context. Project teams need security literacy.
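As an added illustration of the prioritisation described above (not code from the article or from any vendor named in it), the following ranks constructed findings by combining generic severity with asset context. The severity scale, context weights and the demotion factor for retired tools are all assumptions chosen for the example.

```python
from dataclasses import dataclass, field

# Assumed base scores for generic severity labels (not a real scoring standard).
SEVERITY_SCORE = {"critical": 9.0, "high": 7.0, "medium": 5.0, "low": 2.0}

# Constructed business-context weights: which live functions an asset touches.
CONTEXT_WEIGHT = {
    "site_access": 1.8,       # controls physical entry to a live site
    "payment_approval": 1.7,  # can release or approve payments
    "operational_data": 1.5,  # live building or asset operations data
    "client_records": 1.3,    # contractual or client information
}

@dataclass
class Finding:
    asset: str
    severity: str                # critical / high / medium / low
    status: str                  # "live" or "retired"
    contexts: list = field(default_factory=list)

def priority(f: Finding) -> float:
    """Combine generic severity with asset context into one ranking score."""
    base = SEVERITY_SCORE[f.severity.lower()]
    # A retired tool is no longer reachable by business processes:
    # keep it in the backlog but demote it (assumed factor).
    if f.status == "retired":
        return round(base * 0.3, 2)
    # Use the strongest exposure rather than a sum, so stacking tags cannot inflate a score.
    weight = max((CONTEXT_WEIGHT[c] for c in f.contexts), default=1.0)
    return round(base * weight, 2)

def triage(findings: list) -> list:
    """Return (asset, score) pairs, most urgent first."""
    return sorted(((f.asset, priority(f)) for f in findings),
                  key=lambda pair: pair[1], reverse=True)

# Constructed sample findings mirroring the article's comparison.
SAMPLE = [
    Finding("legacy-timesheet-tool", "high", "retired"),
    Finding("site-turnstile-gateway", "medium", "live", ["site_access"]),
    Finding("invoice-approval-portal", "medium", "live",
            ["payment_approval", "client_records"]),
    Finding("internal-wiki", "high", "live"),
]

if __name__ == "__main__":
    for asset, score in triage(SAMPLE):
        print(f"{score:5.2f}  {asset}")
```

The medium-severity findings on the turnstile gateway and the invoice portal rank above the high-severity finding on the retired tool, which is the ordering the paragraph argues for.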

This is where AI governance becomes practical. Procurement teams should ask suppliers how agent features are contained. Delivery teams should know when AI outputs affect official records. Technology teams should maintain inventories of agent-enabled tools.

Detection helps organisations see hidden risk. Containment helps them reduce the blast radius when AI tools behave unpredictably. Patch suggestions help turn vulnerability discovery into action. Audit records help teams reconstruct what happened when something fails. None of this removes the need for professional judgement. It gives judgement better operating conditions.

The new control layer

The phrase 'agent native operating system' can sound like platform marketing. Strip away the branding and the direction is clear. AI is moving into the control layer of enterprise computing. It will request access, run tasks, inspect data, call tools and influence decisions.

That creates opportunity. It can help teams find defects faster, reduce repetitive administration, support software security and make complex information easier to navigate. Once an AI system is allowed to act, governance can no longer sit in a policy PDF that nobody reads.

Anthropic and Microsoft are signalling a more mature phase of AI adoption. Capability is still increasing, but the conversation is shifting toward security architecture, execution boundaries, remediation workflows and trust. That is the right conversation for AEC because the sector already understands controlled access, permit systems, change records, inspection regimes and accountable sign-off.

The organisations that gain most from agents will connect them deliberately. They will know which data is in scope. They will decide which actions require human approval. They will keep records. They will ask suppliers hard questions about containment, identity, logging, data use and recovery.

For weekly analysis on AI, project delivery and the systems that will shape built environment work, subscribe to Project Flux and share it with the colleagues responsible for making AI useful without making it reckless.

Takeaway

Agentic AI turns security into an operational design problem: once agents can act across systems, access, containment and audit become delivery concerns as well as IT concerns.

Vulnerability discovery is accelerating: Project Glasswing and Claude Security show how AI can surface weaknesses and suggest patches, although organisations still need prioritisation and remediation capacity.

Containment is becoming a core platform feature: Microsoft’s Aion 1.0 Plan and MXC SDK point to a future where agent autonomy is useful only when it is bounded by clear permissions and records.


All content reflects our personal views and is not intended as professional advice or to represent any organisation.
