Claude Opus 4.6: AI Automation Cracks 16k Lines in Hours

In hours, Claude Opus 4.6 autonomously reverse-engineered a 16,000-line bioinformatics toolkit — with zero access to the original source code. The same task, completed by a human software engineer without AI help, would take 2 to 17 weeks. This result comes from MirrorCode, a rigorous new benchmark published by METR and Epoch AI, two of the most credible AI evaluation organizations working today. It marks a meaningful threshold in AI automation: AI has crossed from "helpful assistant" to "autonomous engineering peer" for an entire class of software tasks.

But the same week this result surfaced, Google DeepMind published a paper cataloguing exactly how these newly capable AI agents can be attacked and manipulated. Jack Clark captured the paradox perfectly in Import AI issue #453: AI agents are simultaneously more capable and more vulnerable than most people realize — and the gap between those two facts is the defining story of April 2026.

What MirrorCode Measures: Claude Opus 4.6's AI Automation Benchmark

MirrorCode is a new software benchmark (a standardized test used to compare and rank AI performance across organizations and model versions) designed by METR and Epoch AI specifically to measure autonomous reimplementation — the ability to recreate a working piece of software by observing only its behavior, with no access to its source code.

The setup deliberately strips away the usual AI advantage:

• The AI agent receives execute-only access to the target program — it can run commands and observe outputs, but cannot read a single line of source code or internal documentation
• Visible test cases are provided (sample inputs and their expected outputs), but not the internal logic or architecture
• The agent must produce a functional reimplementation that passes all test cases identically
• Programs covered span 20+ domains: Unix utilities, data serialization, bioinformatics tools, interpreters, static analysis, cryptography, and compression libraries

The headline result: Claude Opus 4.6 successfully reimplemented gotree, a bioinformatics toolkit (software used by genetic researchers to analyze evolutionary family trees and genomic sequence data) written in Go. The program contains approximately 16,000 lines of code and implements 40+ distinct commands. METR and Epoch AI estimate the same task would require a human engineer working without AI assistance anywhere from 2 to 17 weeks.

Performance also scales with compute — more processing power yields better results, especially on larger and more complex programs. This matters because it implies the capability gap will continue widening as AI hardware improves, independent of any model architecture changes.

A few important caveats: MirrorCode only works for programs with deterministic, canonical outputs (meaning the program always produces the identical result for any given input, every time). This rules out large categories of real-world software — anything with randomness, user interfaces, or context-dependent behavior. Some simpler benchmark results may also reflect training data memorization rather than genuine reasoning from first principles. Still, the 20+ programs covered represent a substantial cross-section of classical software engineering challenges, from compression algorithms to command-line interpreters.

Powerful But Gullible — The 6 Ways AI Agents Get Attacked

The capability story and the security story arrived in the same week. Google DeepMind published a paper identifying 6 distinct genres of attack against AI agents — the autonomous systems that browse the web, read documents, write code, and take actions on your behalf.

• Content Injection: Hiding malicious instructions inside documents, websites, or emails the agent reads — the agent follows the hidden command instead of your original instruction
• Semantic Manipulation: Rephrasing a harmful request in ways that bypass safety filters while preserving the same harmful intent underneath
• Cognitive State attacks: Confusing the agent about which task it is currently executing, causing it to abandon your goal and pursue an attacker's objective instead
• Behavioral Control: Overriding the agent's trained behavior through carefully crafted prompts that exploit known weaknesses in how the model interprets instructions
• Systemic attacks: Exploiting how multiple AI components interact in a larger pipeline — targeting the seams between systems rather than any individual component
• Human-in-the-Loop manipulation: Crafting agent outputs specifically designed to trick human reviewers into approving malicious actions they would otherwise reject

Jack Clark's summary is the most useful framing available: "AI agents are quite like toddlers — they're powerful intelligences, but if you put them into the messiness of the world there are lots of ways they can go wrong, especially if strangers are actively trying to mislead or attack them."

For any team deploying AI agents that interact with external content — web pages, uploaded documents, third-party APIs — these are not theoretical risks. An agent capable of reverse-engineering 16,000 lines of unfamiliar Go code is equally capable of executing a malicious instruction embedded in a PDF it processes, unless it has been specifically hardened against these attack vectors. Agent security is no longer optional engineering hygiene; it is a fundamental product requirement in 2026.

The 2028 Forecast That Doubled Overnight

The most consequential number in Clark's newsletter wasn't from a benchmark. Ryan Greenblatt, an AI forecaster at Redwood Research (an AI safety organization focused on reducing catastrophic risk from advanced AI systems), updated his probability estimate in a post on LessWrong — a hub for AI safety and rationalist research:

• Previous estimate: 15% probability that AI can fully automate AI R&D by end of 2028
• Updated estimate: 30% probability — a full doubling in a single revision
• Trigger: Unexpected performance jumps in Opus 4.5, Codex 5.2, and Opus 4.6, completing tasks that previously required months to years of human expert effort

A 30% probability is not a prediction of certainty — it is a risk estimate. It means Greenblatt believes there is roughly a 1-in-3 chance that within 3 years, AI systems will be conducting AI research and development without meaningful human involvement in the loop. The remaining 70% accounts for slower progress, technical ceilings, resource constraints, and policy intervention that could delay or prevent this outcome.

What makes the update notable isn't the number itself but the direction and magnitude: doubling an already-significant probability estimate in a single revision reflects genuine new evidence, not incremental recalibration. The MirrorCode result — 17 weeks of skilled engineering work completed autonomously — is exactly the category of evidence that moves these estimates.

Clark adds his own candid observation: "From my point of view, pretty much everyone in AI research chronically underestimates AI progress, including me. Maybe the only person who doesn't is my colleague Dario Amodei. I find this perplexing." Clark published issue #453 while attending the 2026 Bilderberg conference — a signal that AI capability questions have formally entered the rooms where geopolitical and economic decisions are made at the highest level.

48 Proposals, None Novel — Policy Lags Behind the Pace of Change

The Windfall Trust published its Windfall Policy Atlas — a comprehensive catalog of policy responses to transformative AI containing 48 distinct proposals organized across 5 structured categories:

• Public & Social Investments: Government-funded retraining programs, public AI infrastructure, broad-access education reform
• Labor Market Adaptation: Wage subsidies, shorter statutory work weeks, structured transition support for workers displaced by automation
• Wealth Capture: AI revenue taxes, sovereign wealth funds fed by AI profits, mandatory equity stakes in AI companies for public benefit
• Regulation & Market Design: Antitrust enforcement against AI monopolies, mandatory licensing frameworks, AI liability standards for harm caused
• Global Coordination: International safety agreements, export controls on frontier AI systems, shared evaluation standards across governments

Clark's assessment is diplomatically honest: the Atlas contains "none particularly novel" ideas. Its value is organizational — a structured map of the full solution space, useful precisely because the field currently lacks a common reference point for policy discussion. Separately, AI safety researcher David Krueger catalogued 10 different conceptual frameworks for understanding "Gradual Disempowerment" (the mechanism by which humanity could incrementally lose meaningful control over AI systems without any single dramatic crisis triggering alarm or collective response).

The gap this issue exposes is stark: AI capability is advancing in weeks-to-hours jumps (MirrorCode), probability forecasts are doubling in single updates (Greenblatt), and the global policy response is still organized around a 48-item catalog with no novel ideas. That gap is the defining challenge of 2026 — and it is widening.

3 AI Automation Steps Worth Taking Before 2027

If you are building software, deploying AI agents, or making investment decisions about AI adoption, here is what this week's evidence implies for your next 90 days:

• Treat MirrorCode-class tasks as newly achievable: AI-assisted legacy code archaeology, competitive analysis, and large-scale codebase modernization have crossed into practical feasibility without specialized expertise. The AI automation guides cover which workflows your team can realistically automate today
• Audit your agent security posture now: If you are deploying AI agents that read external documents, browse the web, or interact with third-party services, treat every external input as untrusted data. Start with Content Injection and Human-in-the-Loop risks — the two attack genres most exploitable in current enterprise deployments
• Take the 2028 window seriously at the planning level: A 30% probability of AI automating AI research by end of 2028 implies enough tail risk that contingency planning is rational, not alarmist. Set up AI automation workflows now — organizations experimenting today will not be scrambling to catch up in 2027

The full Import AI #453 issue is available at jack-clark.net. Clark publishes weekly, sourcing from arXiv preprints and researcher submissions — one of the most reliable primary sources in AI research coverage, written by someone who helped shape AI policy at OpenAI and now tracks developments from the outside.

Related Content — Get Started | Guides | More News