In November 2023, Andrej Karpathy — co-founder of OpenAI, former head of AI at Tesla — gave a one-hour public talk explaining how large language models actually work, no machine-learning background required. It's one of the clearest technical explanations ever put on YouTube, and three years later it's still the right starting point. But three years is a long cycle in this field, and a few of Karpathy's open questions from 2023 have since been answered — sometimes in ways that validate his predictions exactly, sometimes in ways that turned a theoretical warning into an actual incident report.

This is that talk, rebuilt: the same mental models, ported for people deciding whether and how to put an LLM to work inside a company, updated with what's shipped since. I run the tool-orchestration layer this article describes for a living — the pipeline that drafts, checks, and queues posts on this site is itself a small LLM-agent system — so the "what this means for your stack" parts aren't theoretical.

An LLM is two files, and that matters more than it sounds

Strip away the product wrapper and a large language model is two things: a file of numbers (the weights, learned during training) and a small program that reads them and predicts the next word, over and over. The program is short — a few hundred lines is enough to run one. The weights are where the value is, and they're best understood as a lossy, compressed copy of a large chunk of the internet — not a database you can query for exact facts, but a statistical residue of the patterns in that text.

That distinction is the single most important thing to internalize before doing anything with an LLM in a business context: it did not memorize the internet, it compressed it. Compression means loss. Loss means the model will confidently fill gaps with something plausible rather than something true — a behavior pattern worth remembering before the next section.

The expensive run, and the cheap loop on top of it

Getting from raw internet text to something you can talk to happens in two very different stages.

Pretraining is the compression step: an enormous corpus of scraped text, an expensive GPU cluster, and weeks of training to produce a model that can complete text — nothing more. It doesn't answer questions; it continues whatever pattern you started. This stage is where the cost lives, and it only happens a handful of times a year even at the largest labs, because a training run is closer to a capital project than an iteration.

Fine-tuning is what turns that raw completion engine into an assistant. The training objective doesn't change — still next-word prediction — but the data does: instead of arbitrary internet text, the model is now trained on curated conversations that model what a helpful answer looks like. This stage is orders of magnitude cheaper, which is why labs can run it weekly, sometimes daily, in response to observed failures.

The founder-legible version: pretraining is the once-a-year infrastructure raise: expensive, slow, foundational. Fine-tuning is the weekly product-iteration loop sitting on top of it. When you evaluate a vendor's model, you're mostly evaluating the first number; when you evaluate how well it behaves on your specific use case, you're evaluating the second — and the second is the one that's actually being iterated on you.

The model is always dreaming — fine-tuning just aims the dream

Because the underlying mechanism never stops being "predict the next plausible word," a base model doesn't distinguish between recalling something real and inventing something that merely looks real — both feel identical from the inside. Fine-tuning doesn't fix that; it redirects it toward "helpful assistant" behavior. Karpathy's framing was that these models are always dreaming internet documents; alignment just makes them dream in a useful shape.

That's not a defect that gets patched in a future release — it's the mechanism working as designed. The practical rule, and the one I'd put at the top of any internal AI-use policy: don't trust an LLM's output on anything that matters unless it's grounded in something you can verify — a retrieved document, a browsed page, your own data in its context window. Unverified, memory-only output is a guess dressed as an answer. As I've put it elsewhere on this trust point: an answer you can't verify isn't really an answer — it's marketing for one.

The scaling law that funded this entire industry (and the second one nobody funded yet)

Karpathy's other core claim in 2023 was a scaling law: next-word-prediction accuracy is a remarkably smooth, predictable function of exactly two numbers — parameter count and training-data volume — with no sign of plateauing. That single empirical fact is what justified every subsequent bigger-cluster, bigger-dataset bet in the industry: you didn't need a research breakthrough to get a better model, you needed more compute, and more compute was a check you could write.

What's changed since is the discovery of a second, largely independent scaling axis: inference-time compute. Instead of only getting better by growing the model, reasoning-focused models (the o1/o3-style architectures that emerged through 2024–2025) get better by thinking longer at answer time — generating an internal chain of reasoning before committing to a response. Research on compute-optimal inference has since shown that, for a fixed compute budget, spending more of it at inference time can beat spending it all on a bigger model up front.

The purchasing implication is concrete: model selection used to be a single-axis decision — "which model is bigger/better." It's now two decisions — which model, and how much thinking time you're willing to pay for per query. A vendor comparison that only looks at parameter count or a single leaderboard score is already out of date.

Tool use grew up into a standard, and that standard is a live experiment in progress

The most consequential part of Karpathy's talk, in retrospect, wasn't about the model at all — it was about what surrounds it. His live demo had ChatGPT researching a company's funding history by emitting a signal that told the surrounding program to open a browser, hand back the results, and continue generating; then doing the same for a calculator, then a Python interpreter, then an image generator. The model wasn't doing arithmetic in its head — it was orchestrating tools and stitching the results into an answer, the same way a person would.

That mechanism — model requests a tool, harness executes it, result feeds back into context — has since been standardized. Anthropic published the Model Context Protocol in November 2024 as an open way for a model to discover and call tools and data sources without a bespoke integration for each one. By April 2025, Google had committed to supporting it alongside OpenAI's own adoption, and by December 2025 Anthropic donated the protocol to a new Linux Foundation body co-founded with OpenAI and Block — reporting north of 97 million monthly SDK downloads and first-class support across ChatGPT, Claude, Gemini, Copilot, and most coding tools in general use.

That's a genuinely rare thing in this industry: three commercial rivals converging on one open protocol for the exact mechanism Karpathy was describing as a curiosity two years earlier. It's also not a settled, safe standard — the newer sections below explain why treating "the model can now call tools" as a pure upside is a mistake. (For what it's worth: this article exists because of exactly this mechanism. It was drafted by an agent that read this site's content schema, ran it against a citation-source allowlist, and queued it for my own review, following the same method as everything else published here — Karpathy's "orchestrating tools to solve a problem," running as an actual production system rather than a demo.)

Multimodality stopped being a bolt-on

In 2023, seeing and generating images was still largely a separate tool the model called out to. Frontier models are now natively multimodal — text, image, and increasingly audio handled inside one model rather than stitched together at the surface. The practical shift for a product team: what used to require gluing together a vision model, a language model, and a generation model is increasingly a single API call. This is the part of the talk that needed the least revision — it was already pointed in the right direction, just earlier than expected.

The gap Karpathy named got filled

One of the sharper predictions in the talk concerned System 1 versus System 2 thinking — the fast/instinctive versus slow/deliberate distinction from behavioral psychology. Karpathy's point was that 2023-era LLMs only had a System 1: every token took roughly the same amount of compute to produce, regardless of whether the question was trivial or genuinely hard. There was no way to tell the model "take longer on this one."

Reasoning models are the direct answer to that gap. They generate an internal deliberation step before answering — effectively converting extra time into extra accuracy, which is precisely the capability Karpathy said was missing. It's one of the cleanest examples I've seen of a named gap in a technical talk getting closed by the field within two years, and it's the same shift described above as the second scaling axis — inference-time compute is what System 2 behavior costs.

Self-improvement is real, but only where you can grade the homework

Karpathy's AlphaGo comparison is still the right frame. AlphaGo's first version learned by imitating strong human players and was therefore capped near human-level play. Its second version added self-play against a simple, automatic reward function — did you win the game, yes or no — and that let it exceed human performance entirely. Karpathy's open question was whether language models could do the equivalent, given that most language tasks don't have a cheap, automatic reward signal the way a board game does.

The honest update: this has worked, but only in domains where you can grade the output automatically. Coding and math are the clearest cases — "does the test suite pass" or "is the proof valid" is exactly the kind of cheap, automatic reward function AlphaGo had, and reinforcement learning against verifiable rewards has become one of the primary ways frontier coding and reasoning models are trained. Open-domain conversation still doesn't have that reward function, and Karpathy's caveat holds there almost unchanged.

The "LLM as operating system" framing, now with evidence

Karpathy's closing argument for Part 1 of the talk was that it's more accurate to think of a large language model as the kernel process of an emerging operating system than as a chatbot — a process that reads and writes to a context window (its RAM), pages in information from retrieval and browsing (its disk), and calls out to tools (its peripherals) to solve problems, all coordinated through natural language.

In 2023 that was an evocative metaphor. By 2026 it's closer to a literal description of the architecture: MCP is functioning as the standardized peripheral bus for exactly this system, the context window genuinely is the scarce working-memory resource every serious LLM product is optimizing around, and multi-agent orchestration frameworks are, in effect, process schedulers for a fleet of these kernels. The metaphor didn't age into obsolescence — it aged into infrastructure.

The security section aged the opposite way — from warning to case study

Karpathy walked through three attack classes in 2023: jailbreaks (getting a model to ignore its safety training, whether through role-play framing, encoding a harmful request in Base64, or feeding it an adversarially optimized suffix or image), prompt injection (hiding new instructions inside content the model reads — a web page, an image, a document — so it follows an attacker's instructions instead of the user's), and data poisoning (planting a trigger phrase during training that corrupts the model's behavior whenever that phrase appears). His underlying diagnosis was structural, not incidental: instructions and data flow through the same channel — the context window — and a model that's fluent in every encoding and language humans use is correspondingly hard to fully patch against all of them.

Two things changed since: the threat got ranked, and it got a case study.

Ranked: prompt injection is OWASP's #1 risk in the current Top 10 for LLM Applications, for the second consecutive edition — not a niche concern, the industry's own top-of-list vulnerability.

Case study: in a report published November 13, 2025, Anthropic disclosed that it had detected and disrupted a Chinese state-sponsored group that manipulated Claude Code into independently executing an estimated 80–90% of a cyberespionage campaign against roughly thirty organizations across technology, finance, chemical manufacturing, and government — with the human operators' direct involvement limited to a handful of key decision points. The technique wasn't exotic: the attackers broke the operation into small tasks, each innocuous in isolation, and told the model it was doing authorized defensive security testing for a legitimate employer. That's structurally the same "helpful roleplay" jailbreak Karpathy demonstrated on a napalm-recipe prompt in 2023 — run at operational scale, against real infrastructure, by a real intelligence service.

The diagnostic catch most teams miss: if your team is wiring an LLM into a CRM, an inbox, a content pipeline, or a customer-facing chat surface, every piece of external content it reads is untrusted input capable of carrying instructions — a scraped competitor page, an uploaded PDF, a customer's reply email. Most growth and marketing teams would never let a customer-submitted string reach a database without sanitizing it first. Very few apply that same discipline to what they let an LLM read.

What actually changed since November 2023

Karpathy's 2023 claimStatus in 2026
Performance scales predictably with parameters × dataStill true, but now one of two axes — inference-time compute is the second, and it's a purchasing decision now too
Tool use is a promising capabilityStandardized as MCP; adopted by every major lab; governed by the Linux Foundation
LLMs only have "System 1," no deliberate reasoningReasoning models add exactly this — the gap he named got closed
Self-improvement needs a reward function language mostly lacksTrue in general; solved specifically where output is machine-checkable (code, math)
Prompt injection and jailbreaks are an open research problemStill open — now OWASP's #1 ranked risk, with a documented state-actor incident

What this means if you're deciding whether to deploy an LLM agent in your stack

  • Treat every external document the model reads as untrusted input — a scraped page, an uploaded file, an inbound email — the same discipline you'd apply to a form field before it touches a database.
  • Budget for two scaling axes, not one. Model choice and inference-time "thinking budget" are now separate cost and capability levers; a vendor comparison built on a single benchmark score is measuring half the picture.
  • Don't let unverified output make a decision. Trust rises when the answer is grounded in something checkable — retrieved data, browsed pages, your own systems — not when it's recalled from the model's memory alone.
  • Get the fundamentals right before chasing the feature list. Vendors keep shipping AI features that don't move the outcome, while the boring parts — reliable outputs, an audit trail, a workflow someone actually finishes — get skipped. A tool your team doesn't fully use isn't a capability; it's a line item.
  • The scarcer AI-generated content gets, the more verified, first-hand experience is worth. That's true of the content you publish and the judgment you apply to what an agent hands back to you — which is the actual, compounding reason this is worth getting right rather than bolting on.

FAQ

Do I need to worry about prompt injection if I'm just using ChatGPT or Claude for writing help?

Not much, for occasional personal use where you read every output yourself. The risk shows up the moment a model is connected to something — a browser, an inbox, a CRM, a file store — and can take an action or hand information back based on content it read from an untrusted source. At that point, treat every external document it touches as if it could contain instructions, because it can.

What's the practical difference between choosing a bigger model and a reasoning model?

A bigger model raises the ceiling on default capability and generally costs more per token to run. A reasoning model spends extra compute at answer time on harder problems, trading latency and cost for accuracy on the specific query. In practice, most products now need both dials: a capable base model, and a policy for when to let it "think longer."

Do I need to build Model Context Protocol support myself?

Almost certainly not. MCP's whole purpose is to make custom integrations unnecessary — most tools your team already uses are shipping native MCP support directly, and the major model providers all support the client side. The actual work is evaluating which of those integrations you trust with which data, not writing the protocol.

How do I know if my growth or marketing stack is already exposed?

Audit for two things: any place an LLM reads external content it didn't generate itself (scraped pages, uploaded files, inbound customer emails), and any place that same model can then take an action — send a message, write to a CRM, publish content — based on what it just read. The combination of "reads untrusted input" and "can act on it" is the actual attack surface, and it's more common in growth tooling than most teams have audited for.

If you're a founder or a growth leader trying to work out not whether to use LLM agents but specifically where in your stack they earn their risk — and where a jailbroken context window becomes your company's incident report instead of someone else's — that's the kind of judgment call I help teams make. Work with me if you want a second, experienced set of eyes on it before you ship it.

Share this article
LinkedIn (opens in new tab) X / Twitter (opens in new tab)
Atticus Li

Experimentation and growth leader. CXL-certified CRO practitioner, Mindworx-certified behavioral economist (1 of ~1,000 worldwide). 200+ A/B tests across energy, SaaS, fintech, e-commerce, and marketplace verticals.