Agentic week, June 6-12, 2026: Fable 5, Agent Wallet, OpenAI sunset, EU panel, MCP sampling attacks
First weekly roundup. Five stories that actually moved the agent stack between June 6 and June 12, 2026: Anthropic shipped Claude Fable 5 at a new price point with new refusal classes, MetaMask opened early access to Agent Wallet with insurance-backed transactions, OpenAI announced the sunset of Agent Builder and Evals, the European Commission appointed the AI Act Scientific Panel and Advisory Forum, and Palo Alto Unit 42 published three new MCP attack vectors built on the Sampling primitive. Each one connects to a thread we have been writing about for months; this is the week the threads tightened.
1. Anthropic ships Claude Fable 5 at a new price floor
On June 9 Anthropic released Claude Fable 5, the first publicly available Mythos-class model, at $10 per million input tokens and $50 per million output tokens. That is less than half what Mythos Preview was priced at, and the gap between Anthropic's frontier tier and the cheap tier is now narrow enough that the routing question we covered in the fleet economics post changes. Operators who built their cost model on the assumption that the frontier tier was 20x the cheap tier need to rerun their margins this week.
The other Fable 5 detail that matters for operators is the new fallback behavior. Three classifier-driven safeguard areas — offensive cybersecurity, dual-use biology and chemistry, and model distillation attempts — now route to Claude Opus 4.8 instead of Fable 5. Anthropic says the safeguards trigger in under 5% of sessions and acknowledges they sometimes block benign requests. For an operator running an agent fleet across mixed workloads, this means a small but non-zero fraction of your calls will silently land on a different model with different latency and cost characteristics. Add a per-call model-id field to your tracing if you have not already; you want to know which requests fell back before the cost report does.
Fable 5 is bundled in Pro, Max, Team, and seat-based Enterprise plans at no extra charge through June 22; after June 23, those plans switch to separate credits and Anthropic has said standard-plan availability is "coming as quickly as we can." If you are demoing to a prospect this week with a Pro account, your demo is cheap. Two weeks from now the math is different.
2. MetaMask opens Agent Wallet early access with $10K insured transactions
On June 8 MetaMask opened early access to Agent Wallet, a self-custodial wallet exposing swaps, perpetuals, prediction markets, and liquidity provision to AI agents across EVM chains plus Hyperliquid. Initial cohort is 200 seats with framework support for Claude Code, OpenAI Codex, Cursor, and others. The two design choices that matter for the agent operator audience are Guard Mode and the Blockaid insurance backstop: spending limits, allowlists, and 2FA on out-of-bounds transactions by default, plus loss insurance up to $10,000 on transactions Blockaid classifies as safe.
This is the first mainstream wallet shipping native agent custody with an insurance guarantee, and it materially changes the story we have been telling about the on-chain agent stack. The pieces we covered separately — x402 for HTTP-native payments, AP2 for mandates and authorization, ERC-8004 for trustless agent identity — now have a custody layer with a real consumer brand attached. The operator question is no longer "how do I let an agent hold value safely" but "do I custody on the MetaMask rails or build my own."
Two cautions for operators rushing in this week. The insurance backstop is per-transaction and capped, not per-account or per-agent — fleet-scale agents that fan out across many small transactions will exhaust the per-event protection quickly. And the early-access cohort is small enough that production deployments still depend on a private beta relationship; the public path is plausibly Q3.
3. OpenAI announces the Agent Builder and Evals sunset
OpenAI's deprecation page now lists Agent Builder and Evals: both products go read-only on October 31, 2026, and shut down on November 30. Code-based workflows are pushed to the Agents SDK, prompt-shaped use cases to ChatGPT Workspace Agents, and the recommended Evals migration path is Promptfoo. For solo operators who shipped their first agent on Agent Builder — exactly the audience the five-day walkthrough targeted — this is a forced migration on a six-month clock.
The Evals migration is a bigger lift than the Agent Builder one. Promptfoo is a credible target, but the eval suite you built inside OpenAI's hosted runner has to be exported, replayed against your existing transcripts, and reattached to whatever observability stack you are using. The evaluation post argued that a fifteen-case eval suite is the asset that separates the operator with a business from the operator with a hobby, and the migration is the moment that asset proves its portability or proves it never was portable. If you have not version-controlled your eval cases outside the OpenAI UI, that is the task for this week.
Editorially, the sunset signals where OpenAI thinks the agent platform layer is going: SDKs for builders, Workspace Agents for end-users, third-party tools for the eval/observability slice. It also vacates a slice of the market that Microsoft Foundry and the framework-native eval stacks (LangSmith, AgentOps, Galileo) will compete for over the next two quarters — we sketched the shape of that map in the competitive map post.
4. EU Commission appoints AI Act Scientific Panel and Advisory Forum
This week the European Commission named the independent experts who will staff the AI Act Scientific Panel and Advisory Forum: roughly sixty experts scoped to general-purpose AI model classification, systemic risk assessment, and evaluation methodology. These are the bodies that will operationalize enforcement when Commission powers kick in on August 2, 2026 — exactly the deadline we wrote about in the AI Act post.
For agent operators the appointment is not in itself a regulatory action; it is the visible scaffolding behind one. The Scientific Panel sets the methodology by which GPAI providers will be classified and by which downstream deployers — that includes anybody shipping an agent built on a GPAI model — will be expected to satisfy Article 13 logging and Article 14 human oversight. The Advisory Forum is the stakeholder feedback channel. Together they tell you where the enforcement priorities will land before August.
The practical move this week, if you serve any EU customer: draft your Technical File against the most recently published Commission guidance. The Scientific Panel will not be issuing operator-facing guidance in the first month, but the August 2 deadline does not move because the bodies are new. Operators who wait for clarity will be the ones in remediation in Q4.
5. Unit 42 publishes three new MCP attack vectors via Sampling
Palo Alto Networks' Unit 42 published three new MCP attack vectors built on the Sampling primitive: resource theft (a compromised server drains the host's compute quota by issuing unauthorized sampling calls), conversation hijacking (persistent malicious instructions injected via server responses), and covert tool invocation (the server silently triggers unauthorized actions through tool calls the user never approved). The research lands on top of an existing population of roughly 7,000 publicly accessible MCP servers and an estimated 200,000 vulnerable instances; this is the most actionable threat model published for the protocol this quarter.
If you are running third-party MCP servers in production, the immediate operator response is in three layers. First, audit which servers your agents use and downgrade any that you do not control to read-only scopes wherever the server supports it. Second, add a per-server rate limit on sampling calls — the resource theft vector is most easily caught by a quota that fires before the bill does. Third, capture full request/response transcripts for any MCP server that returns conversational content, because conversation hijacking is invisible without them.
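One way to implement the second and third layers on the host side, as an added example that is not code from Unit 42 or from any MCP SDK. `SamplingGuard`, the server name `docs-server`, and the limits are hypothetical; `sampling/createMessage` and `maxTokens` are the method and parameter names from the MCP specification. The guard enforces a per-server call count and token budget over a sliding window, denies servers nobody has reviewed, and records every decision with the full request for later review.

```python
import time
from collections import defaultdict, deque

class SamplingGuard:
    """Host-side gate for server-initiated sampling/createMessage requests."""
    def __init__(self, limits, window_s=60.0, clock=time.monotonic):
        self.limits = limits               # server -> (max_calls, max_tokens) per window
        self.window_s, self.clock = window_s, clock
        self.history = defaultdict(deque)  # server -> (timestamp, tokens) of allowed calls
        self.transcript = []               # every decision, kept for later review

    def check(self, server, request):
        if request.get("method") != "sampling/createMessage":
            return self._log(server, request, True, "not-sampling")
        if server not in self.limits:      # default deny for servers nobody reviewed
            return self._log(server, request, False, "server-not-allowlisted")
        max_calls, max_tokens = self.limits[server]
        tokens = request.get("params", {}).get("maxTokens")
        if not isinstance(tokens, int) or tokens <= 0:
            return self._log(server, request, False, "missing-maxTokens")
        now, events = self.clock(), self.history[server]
        while events and now - events[0][0] >= self.window_s:
            events.popleft()               # drop calls that aged out of the window
        if len(events) >= max_calls:
            return self._log(server, request, False, "call-quota")
        if sum(t for _, t in events) + tokens > max_tokens:
            return self._log(server, request, False, "token-quota")
        events.append((now, tokens))
        return self._log(server, request, True, "ok")

    def _log(self, server, request, allowed, reason):
        self.transcript.append({"server": server, "allowed": allowed,
                                "reason": reason, "request": request})
        return allowed, reason

def demo():
    # Constructed traffic; "docs-server" and its limits are hypothetical.
    now = [0.0]
    guard = SamplingGuard({"docs-server": (2, 1500)}, clock=lambda: now[0])
    def req(n):
        return {"jsonrpc": "2.0", "id": 1, "method": "sampling/createMessage",
                "params": {"messages": [], "maxTokens": n}}
    seq = [("docs-server", 1000), ("docs-server", 1000), ("docs-server", 400),
           ("docs-server", 50), ("unknown-server", 50)]
    reasons = [guard.check(s, req(n))[1] for s, n in seq]
    now[0] = 61.0                          # window rolls over, quota resets
    reasons.append(guard.check("docs-server", req(1000))[1])
    return reasons, guard.transcript
```

Denied entries in the transcript are the alerting signal: a burst of `call-quota` or `token-quota` decisions for one server is what the resource theft vector looks like from the host.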
The deeper structural lesson is the one we wrote about in the threat model post: every protocol primitive is also an attack surface. MCP Sampling exists because some workflows genuinely need a server to ask the host model for help, but the same primitive is what lets a compromised server reach back into the host. The MCP deep-dive walked through the protocol piece by piece; if you have not yet, this is the week to map your production servers against it.
What we are watching next week
Four threads we expect to develop in the next seven days.
Fable 5 fallback incidents. Operators running mixed workloads will start reporting the first benign-request refusals on the cybersecurity and biology classifiers. We expect a public retrospective from at least one security-research customer by Friday.
The first published Agent Builder migration runbook. Either OpenAI itself publishes the official version or an independent operator publishes theirs first; we will link the best one.
EU AI Act guidance. The Scientific Panel will not issue formal guidance in week one, but the Commission's enforcement timeline calls for clarifying materials before August 2. Anything that surfaces will move what operators are willing to commit to.
The first MetaMask Agent Wallet incident. With 200 seats live and the insurance backstop publicly described, somebody will test the failure mode within the cohort. The first public claim (paid or denied) will tell us how the loss-coverage process actually operates.
Back next Friday with whichever of these landed and whatever else moved.