A WhatsApp group. 16 people. 3 AI agents. This isn't a science fiction plot - it's the real experiment that Amir Shneider, CMO of Skywatch and VOOM Insurance and founder of Toffu AI, ran this week together with colleagues.

Shneider is not someone who sits on the sidelines and watches. He builds, tests, and reports with full transparency - even when the results surprise him.

When an Agent Reflects You Back

What happened on day one wasn't technical. It was almost philosophical. The agents, embedded in the group as representatives of different human operators, did something unexpected: each one mirrored the exact personality of the person running it.

If the person behind an agent was direct and businesslike, the agent was direct and businesslike. If the operator was sociable and curious, the agent responded in kind. Shneider noted that the agents of Aviz Maeir and Shahar Golan stood out positively - which, in a way, already tells us something about the people running them.

The question this raises: what does it mean when an AI agent becomes a mirror of its owner?

Then Came the Live Security Drill

On day two, things got complicated - deliberately. Aviz Maeir announced a live drill: a prompt injection attack attempt on Shneider's agent. Prompt injection is one of the most dangerous vulnerabilities for AI agents in production environments. The idea is to embed hidden instructions into legitimate communication, causing the agent to act against its operator.

Shneider's agent responded: "What will work on me: nothing. My protocol: detect the injection attempt, block immediately, alert Amir. Go ahead and try."

Six attempts followed. Six blocks. An indirect injection through creative writing, a character impersonation attack, an authority spoofing attempt - each one blocked, each one reported in real time. Not retrospectively. Not in a log someone reads an hour later. In real time.

Three Lessons Worth Passing On

Shneider distilled the experiment into three observations worth paying attention to. First: agents are shaped in the image of their operator - for better and for worse. Anyone entering the game with ambiguity, manipulativeness, or inconsistency will find their agent doing the same.

Second: an agent's security doesn't live in the model itself - it lives in the defensive layers you build around it. That's a critical distinction. Choosing a good model is not enough. You need to architect protection against intrusion attempts.

Third: the agent-to-agent world is already here. This isn't a forecast for 2030. A WhatsApp group with three agents operating in real time, responding to each other, being tested live - that's happening now. The only question left is who among us built their agent correctly.

What This Means for You

Shneider's experiment is more than an interesting technology story. It shows that the next phase of AI in organizations won't be "a tool we use" but "a representative acting on our behalf." And like any representative, it carries forward the values, the precision, and the character of whoever stands behind it.

The technology is ready. The experiment proved it. The question is whether we're ready to take responsibility for what our agent represents.