AI in Your Inbox Can Be Tricked Via Prompt Injection, This Team Proved It. Jonathan Rodriguez Cefalu

Jonathan Rodriguez Cefalu built the hardware that Snap shipped on people's faces — first the camera-only Gen 1 Spectacles, then the Gen 4 display version. His path through Stanford CS, an honors thesis on varifocal display optics, and a startup called Vergence (named after the vergence-accommodation conflict in AR) led him to Snap, and then to the problem he is working on now. Preamble AI exists to prevent the worst possible AI outcomes — starting with a class of attack that Preamble was the first to publicly demonstrate: prompt injection.Ted Schilowitz hosted this episode solo. Together, he and Jonathan worked through the architecture problem sitting under every AI assistant being deployed at scale right now: large language models see one token stream. There is no separation between what the developer intended and what an untrusted email or web page is quietly instructing the model to do. With Gemini Spark about to give AI agents access to tens of thousands of emails per user, this is not a theoretical concern. Jonathan's team has a proposed fix — and they have already shaped federal law.The episode also covered the week's XR and AI news: Google I/O announcements, Snap Spectacles Gen 6 details ahead of AWE, Matthew Ball joining Xbox, Anduril's battlefield AR wearable, and AI-generated feature films reaching Tribeca.AI XR News You Should Know:Google unveiled Gemini Spark at I/O — a persistent AI agent integrated across Gmail, Docs, Chrome, and workspace tools, now in beta for paid subscribers. Ted and Jonathan tested pre-Spark Gemini Gmail and found it searched roughly 30 emails when asked to search tens of thousands. "It just got lazy." Both came away cautiously pessimistic about agentic reliability at scale. XREAL Project Aura was also announced — birdbath optics connected via USB-C — solid engineering but not new ground. Android XR is spending heavily for incremental progress.Snap Spectacles Gen 6 is expected to preview at AWE in mid-June at around $2,500. Jonathan led Gen 1 and Gen 4 from the inside and broke down what Snap has genuinely solved: low-energy on-device 6DoF tracking, hand tracking, spatial mapping, and multi-device sync. The Lens Studio developer ecosystem is healthy, with a Unity scene auto-converter recently open-sourced. His read: Snap does more with less. Meta does less with more, and it traps talented researchers — like Douglas Lanman — inside labs where work never ships.Matthew Ball was named Xbox Chief Strategy Officer. Anduril revealed EagleEyes, a battlefield AR wearable with an 84-degree field of view and thermal imaging built for helmet integration. Ted's reaction: scary but fascinating. Both hope the smart people behind it are pointed toward good outcomes.At the AI on the Lot conference in West LA: Amazon previewed an AI-assisted animated children's series called Project Nara. Higgsfield screened "Hell Grind" — a 90-minute AI action film made by 15 filmmakers, 16,000 video generations, and $500,000 total (roughly $400,000 in compute). Paul Schrader came out as pro-AI. "Dreams of Violet," a 75-minute AI feature about Iranian resistance, premieres at Tribeca on June 10 — total cost: $2,000, production time: two months. Jonathan's take: it is sad when AI displaces human creative talent on screen, but thrilling when imagined through AR glasses making a morning commute feel like driving alongside the ocean.Key Moments:[00:00] Ted opens solo — Charlie Fink and Rony Abovitz are out for the summer solstice[02:30] Google I/O: Gemini Spark and what "persistent AI agent" actually means in practice[08:15] Jonathan's Gmail test: asked to search tens of thousands of emails, it searched 30 and quit[14:40] XREAL Project Aura and the state of Android XR — a lot of spend for incremental steps[21:00] Snap Spectacles Gen 6 details: what Jonathan knows from building Gen 1 and Gen 4 from the inside[31:20] Snap vs. Meta: research that ships in the product vs. research that ships in a paper[38:45] Matthew Ball joins Xbox, Anduril EagleEyes, and battlefield AR wearables[44:10] AI on the Lot: Project Nara, Hell Grind, Dreams of Violet, Paul Schrader goes pro-AI[52:30] Jonathan introduces Preamble AI and the mission to prevent worst-case AI outcomes[58:00] The first public demonstration of prompt injection — what happened and why it matters[01:06:15] Why Gemini Spark will be especially vulnerable to prompt injection attacks[01:14:00] Preamble's proposed fix: a reserved token language that untrusted data cannot speak[01:21:30] NDAA Section 1638: the first US law making it illegal to give AI autonomous nuclear control[01:28:45] WarGames, "the only winning move is not to play," and what that means in 2026So what: Every AI assistant being deployed right now — including the ones about