Buyers want disciplined AI workflows

A studio can now lose a deal for using artificial intelligence sloppily even if the output looks good. Buyers, insurers, and regulators are asking who touched the work, what model was used, and where a human signed off. (wired.com) That shift showed up this week in two very different OpenAI stories. One was about legal liability in Illinois, and the other was about a software supply chain security issue in OpenAI’s Mac app workflow. (wired.com) (openai.com) In Illinois, OpenAI backed Senate Bill 3444, called the Artificial Intelligence Safety Act. Wired reported that the bill would limit when frontier artificial intelligence developers can be sued for “critical harms” if they did not intentionally or recklessly cause them and if they publish safety and transparency reports. (wired.com) Wired said the bill defines “critical harms” at an extreme scale: death or serious injury of 100 or more people, at least $1 billion in property damage, or chemical, biological, radiological, or nuclear weapon harms. That is a very different threshold from the everyday errors most buyers worry about in media, marketing, or software work. (wired.com) The important detail is not just the shield from lawsuits. The bill ties that shield to paperwork: safety protocols, security protocols, and transparency reports posted publicly. (wired.com) That is the same direction deal diligence is moving in private markets. If a studio says “we use generative tools,” the next question is no longer whether the tools are fast; it is whether the workflow leaves an audit trail like a kitchen that labels every ingredient and every handoff. (wired.com) Then came the security story. On April 10, 2026, OpenAI said a GitHub Actions workflow in its macOS app-signing process downloaded and executed a malicious version of the Axios developer library after Axios was compromised on March 31, 2026 Coordinated Universal Time. (openai.com) OpenAI said the workflow had access to the certificate and notarization material used to sign ChatGPT Desktop, Codex, Codex command line interface, and Atlas for macOS. A signing certificate is the software equivalent of a passport stamp that tells your computer the app really came from the named developer. (openai.com) OpenAI also said it found no evidence that user data was accessed, that its systems or intellectual property were compromised, or that its software was altered. Even so, it revoked and rotated the certificate, and said older Mac app versions will stop receiving updates or support on May 8, 2026. (openai.com) That response is what buyers want to see from companies using generative tools inside production: a named incident, a dated timeline, a specific affected workflow, a documented fix, and a clear cutoff for old versions. “We checked and it seems fine” is no longer enough when a partner has to underwrite legal, security, and brand risk. (openai.com) (wired.com) So the new asset is not just the prompt library or the model stack. It is the binder behind them: source labels, approval gates, version history, vendor lists, and records showing when a human overrode or approved machine output. (wired.com) (openai.com) Studios that can show that binder during diligence will look less like experimental shops and more like controlled businesses. In a market that now prices risk as aggressively as speed, disciplined artificial intelligence workflows are starting to read like acquisition signals. (wired.com)