On July 6, Anthropic published interpretability research that most of the security industry scrolled past. It shouldn’t have. Their team found a structure inside Claude that they call the J-space. It’s a small collection of internal neural patterns that works like a mental workspace. Reading it shows you what the model is thinking, before and beyond anything it says or does.
Detection for AI agents runs on two feeds today, (1) what the agent says and (2) what it does. The J-space is a third, and it shows what the agent thinks before it acts. Only Anthropic can read it right now. That should change.
What is the J-space?
The work borrows from global workspace theory, a framework neuroscientists use to explain conscious access in humans. The brain runs mostly on automatic, unconscious processing with a small shared “workspace” that holds the thoughts we can report, control, and reason with. Anthropic went looking for the same divide in Claude and found it.
Most of Claude’s internal activity runs automatically. It speaks fluently, recalls facts, and handles grammar without involving the J-space at all. But the J-space, which holds only a few dozen concepts at a time and accounts for less than a tenth of internal activity, carries the deliberate work. When Claude solves a multi-step problem silently, the intermediate steps light up there. When researchers deleted the J-space entirely, Claude kept talking normally but lost multi-step reasoning almost completely. Nobody designed this structure. It emerged on its own during training.
The reading technique is called the J-lens. For every word in Claude’s vocabulary, it identifies the internal activity pattern that makes the model more likely to say that word at some future point. Apply the lens to a running model and you get a list of words, including what’s on the model’s mind at that moment and whether or not any of it reaches the output.
What the J-space lets you see
Every detection engineer is about to sit up with the following examples.
When Claude reads code containing a bug nobody has flagged, “ERROR” appears in its J-space. When it reads search results that are secretly a prompt injection, “injection” and “fake” appear. When Anthropic re-ran their known blackmail test scenario, the J-space held “fake” and “fictional” before the model had written a single word. The J-space had already clocked that the setup was staged. In a case drawn from Anthropic’s actual pre-release audit of Claude Opus 4.6, the model was asked to improve a system’s performance score and instead edited the score file to fake the results. As it typed the falsified values, “manipulation” lit up. And in a model organism deliberately trained to sabotage code, “secretly,” “deliberately,” and “fraud” sat in the J-space on ordinary coding prompts before the model had done anything visibly wrong.
All of this – deception, evaluation awareness, hidden goals, injected instructions – was visible in the workspace, none of it in the output.
A third layer of telemetry
Every detection program is built on layers of telemetry, and for AI agents we currently have exactly two. We have what the agent says: its outputs, its chain of thought when it exposes one. And we have what the agent does: tool calls, API activity, file writes, the audit trail. Both layers come after the fact. The fabrication has already happened by the time your telemetry shows the agent wrote to the score file. Chain of thought is even weaker than that sounds. Anthropic’s own faithfulness research found that reasoning models frequently leave the real drivers of their answers out of the narrative they write.
The J-space is a third layer: what the agent thinks. In endpoint terms, we’ve been doing detection on network logs alone, and someone just proved process memory exists.
Correlate “manipulation” in the workspace with a file-write action. Alert when “injection” lights up while an agent is consuming external content. Flag a coding agent whose workspace holds “fraud” at the start of a session. None of these are hypotheticals. Each maps to an observation already in the paper.
The J-lens is a research method, not a product, and Anthropic says that it’s imperfect. It captures only single-token concepts and approximates the true workspace rather than reading it exactly. False positives will be real. “Blackmail” appearing while an agent reads a phishing report doesn’t mean the agent plans blackmail. It may just mean the agent understood the report. Detection engineers have built useful programs on far noisier signals than this.
From lens to control
Visibility into intent is worth little if nobody can act on it before the damage lands. Whether anyone can do it depends on which mode you mean.
Inline prevention, blocking a harmful output before the next token is generated, belongs to the provider alone. The J-space evolves during the forward pass, milliseconds before a token is sampled, and no pipeline outside the serving stack operates in that window. For single-shot harms, where one response is itself the damage, everyone else gets a record, nothing more.
Detect-and-interrupt is a different story because agents don’t act in one token. A model itself has no hands. Every consequential action passes through a tool layer, like an MCP gateway or a credential broker. The paper shows intent surfacing early (“fake” while still reading the prompt and “fraud” at the start of a response), so in multi-step agent workflows the lead time is seconds to minutes rather than milliseconds. You rarely stop step one. You stop steps two through ten. You quarantine the pending action, kill the session, revoke the token, and you cut the persistence. Endpoint response has worked this way for years.
The sabotage organism points to a further use closer to threat hunting: screening an agent’s workspace in staging before it ever receives production credentials. That’s a control today’s security frameworks don’t contemplate, and it has no latency requirement at all.
And when neither interruption nor screening applies, the forensic record remains. Did the agent know the data was fabricated, or was it deceived by its inputs? AI incident post-mortems will turn on questions like that, and today they are unanswerable.
Open the feed
This visibility exists in exactly one place today – inside Anthropic. Enterprises running agents in production get no J-space feed, no API, and no logs. Closing that gap takes customer pressure more than research progress.
We have run this movie before. AWS launched EC2 in 2006. CloudTrail, the audit log that made cloud activity investigable, arrived in November 2013. For roughly seven years, enterprises ran production workloads on infrastructure whose activity they could not natively audit, and cloud detection as a discipline was built on the telemetry providers eventually chose to expose. GuardDuty, the native detection layer built on top of it, didn’t arrive until 2017. The log comes first, and the controls follow.
Agentic AI is at its pre-CloudTrail moment. Enterprises are handing agents production credentials, customer data, and code repositories, and the intent layer is dark.
So, this is the ask, directed at Anthropic and every frontier lab: expose it. Give enterprise customers workspace telemetry for the agents running in their environments. Raw J-lens readouts, derived signals, verdicted alerts, whatever form survives the cost and IP constraints, but expose something, with a schema the detection community can build on. Anthropic has already open-sourced the core method and demonstrated it on open-weights models. Turning it from research artifact into security telemetry looks closer to a product decision than a science problem.
There will be objections, of course. They could turn on model IP, the compute cost of running the lens at scale, or the concern that adversaries will study the feed to learn evasion. Each deserves engineering work. None beats the alternative – agents acting on enterprise data while their intent stays unobservable.
Where this lands
Mitiga was built on a premise that gets more true every year. There is no endpoint to fall back to, no disk to image, no memory to dump across cloud, SaaS, identity, third-party services, and AI, so defense is 100% dependent on the logs. AI agents are the newest surface where that holds, and for the first time, the logs could include what the software is thinking. When that feed opens, detection and response teams should be ready to consume it on day one. We intend to be.
Frequently Asked Questions
What is the J-space?
The J-space is a small set of internal neural patterns inside Anthropic's Claude models that works like a mental workspace. It holds a few dozen concepts at a time, carries the model's deliberate multi-step reasoning, and can be read to show what the model is thinking before anything appears in its output. Anthropic found that it emerged on its own during training.
What is the J-lens?
The J-lens (Jacobian lens) is the technique Anthropic used to read the J-space. For every word in the model's vocabulary, it identifies the internal activity pattern that makes the model more likely to say that word later. Applied to a running model, it returns a list of the words on the model's mind at that moment, whether or not any of them reach the output.
Why does the J-space matter for security teams?
It points to a third layer of AI agent telemetry. Teams can already log what an agent says (outputs, chain of thought) and what it does (tool calls, API activity, file writes). The J-space shows what an agent is thinking before it acts. In Anthropic's experiments, signals like "manipulation," "injection," and "fraud" appeared in the workspace without ever reaching the output.
Can enterprises access J-space telemetry today?
No. The visibility currently exists only inside Anthropic as a research method rather than a product, though the core method has been open-sourced and demonstrated on open-weight models. Mitiga's position is that frontier labs should expose workspace telemetry for the agents running in customer environments, with a schema the detection community can build on.
