A new class of threat has arrived, and the security industry — with its unerring instinct for the novel over the necessary — is looking in exactly the wrong direction. The industry is reacting to frontier models as if the breakthrough is vulnerability discovery. It is not. The breakthrough is autonomous exploitation of the vulnerabilities you already know about and haven’t fixed. The beaten patch — the tail of criticals, the KEVs, the headline zero-days — gets all the attention. Everything off it is where the risk actually lives. Glasswing is the butterfly. The vulnerability backlog is the hurricane. Your supply chain is out of sandbags.

In the past six months, autonomous AI systems have demonstrated the ability to take a CVE number as input and produce a working exploit as output, no human in the loop, no proof-of-concept code scraped from GitHub, no nation-state budget required. MOAK — built in a week by two engineers — did it in twenty-one minutes against a React-to-shell chain using public models and a twenty-dollar API key. CVE-Genie reproduced 51% of all CVEs published in 2024 and 2025 at $2.77 each. CyberStrikeAI, an open-source framework with ties to China’s MSS, confirmed attacks against over 600 devices across 55 countries within two months of its GitHub publication. The UK’s AI Security Institute tested Anthropic’s Mythos Preview against a 32-step enterprise network attack simulation — reconnaissance through full network takeover — and watched it complete the chain on three of ten attempts. No model had ever finished that range. AISI estimates the equivalent human effort at twenty hours.

These are not variations on a theme. They are independent proof points converging on a single conclusion: the autonomous weaponization of known vulnerabilities is now a commodity capability. The models are public, the orchestration patterns are documented, and Hadrian has cataloged 70 open-source offensive AI tools on the public internet as of March 2026 — fewer than five existed before GPT-4. That is the count on the open web. The dark web has its own parallel market of jailbroken LLMs and autonomous exploit kits — WormGPT, FraudGPT, Xanthorox, DIG AI — sold as subscription services, complete with documentation and customer support, that no one is cataloging. The mean time to exploit a disclosed vulnerability has fallen to five days.

The industry is responding by scanning for new ones.

Anthropic’s Mythos Preview is a frontier model that both discovers new vulnerabilities and chains known ones into autonomous attack paths, offered through Project Glasswing to select partners. Mozilla ran it against Firefox and patched 271 vulnerabilities in a single release. Palo Alto reported it accomplished the equivalent of a year’s pentesting in three weeks. Treasury Secretary Bessent took the meeting. The headlines wrote themselves.

They also wrote over the fine print. Of 271 findings, three earned CVEs. The rest are defense-in-depth hardening, bugs in non-exploitable code paths, the kind of findings that improve quality but do not represent the offensive paradigm shift the coverage implies. Mozilla’s own assessment was notably measured: they hadn’t seen any bugs that a sufficiently elite human researcher couldn’t have found. AISI was blunter — on individual tasks, Mythos broadly matches GPT-5.4 and Opus 4.6; what distinguishes it is sustained multi-step chaining, not novel discovery.

The industry is celebrating the discovery and ignoring the attack chaining — which is what actually matters for its risk posture. Worse: the attack chaining capability is not locked behind Glasswing. MOAK built its entire autonomous exploitation pipeline on generally available Opus 4.6 and GPT-5.4 — models anyone with an API key already has. The offensive capability is commodity. Mythos just made it visible. Meanwhile, Mythos and Glasswing will generate what MOAK’s own creators predict will be a two-year meteor shower of newly discovered CVEs as every partner surfaces decades of buried vulnerabilities across the open-source ecosystem. The industry’s vulnerability problem was never primarily a discovery problem. It is, and has always been, a remediation problem. And every vulnerability Mythos surfaces adds to the remediation backlog that its own attack chaining capability — and every commodity clone of it — can already exploit.

Anyone who has lived through the vulnerability management wars of the last twenty years has seen this movie. New scanner, bigger findings database, same unpatched systems. Mythos is the most sophisticated vulnerability discovery and attack chaining system ever built, and the organizational machinery it depends on hasn’t changed since Nessus.

We are very, very good at finding vulnerabilities. We are terrible at fixing them.

The numbers have been telling this story for years, but three of them are now dispositive. The average application generates seventeen new vulnerabilities monthly while security teams remediate six — the backlog grows by eleven per application every month before a single new CVE is published, and that was before Mythos. Even weaponizedvulnerabilities, those with known active exploits that CISA has ordered federal agencies to remediate, are patched only 57.7% of the time. And 60% of breaches involve vulnerabilities where a patch already existed.

The rest of the data confirms the scale: 45% of enterprise vulnerabilities still unpatched after twelve months. A mean time to remediate complex enterprise applications of five months and ten days. NIST conceding that comprehensive NVD coverage is no longer sustainable. The cataloging system is buckling. The remediation system buckled years ago, quietly, where nobody with budget authority was watching.

That is the industry’s actual security posture — not the scanning dashboard, not the CVSS heatmap, but the fraction of what gets found that actually gets fixed.

If you want to see what the backlog actually looks like, look at the runtime.

Nearly a third of production Java applications still run on Java 8 — a runtime released in March 2014 whose public updates ended in 2019 and whose Premier Support ended in 2022. Forty-nine percent of companies still carry Log4j vulnerabilities in production three years after discovery. Nineteen percent are still running Java 6 or 7. These are not failures of awareness. They are failures of organizational capacity to act on what everyone already knows. Libraries are dropping Java 8 support. The patched version of the dependency requires Java 11+ or 17+ APIs. You cannot apply the fix without migrating the runtime, cannot migrate the runtime without rewriting, retesting, and recertifying the application, and cannot do any of that without funding a multi-year capital project that competes for budget against generative AI, agentic platforms, and every other initiative that actually gets an executive sponsor. The change advisory board does not fund capital projects. The vulnerability accrues interest.

The sectors where this debt concentrates most dangerously — financial services, healthcare, energy, government — have different causes for the same effects. Financial institutions have the money but operational risk governance that can turn a fourteen-day remediation directive into a six-month change management exercise. Healthcare has neither the money nor mature security programs. Energy has OT/IT convergence problems that are fundamentally different from application-layer patching. Government has procurement cycles measured in geological time. Different etiology. Same pathology. Forty-three percent of financial institutions still operate core systems developed over twenty years ago.

And the familiar objection — that these institutions invest in compensating controls like microsegmentation, EDR, and network isolation — does not survive contact with the threat model. Segmentation across a hybrid multi-cloud estate with thousands of applications and undocumented dependencies is a decades-long project that stalls at “crown jewels”. RASP was dead on arrival. ADR has promise but does not yet cover the heterogeneous application estates where the debt lives. EDR was not designed to stop an attack directed at the application layer. The agentic exploitation tools don’t care about your network segmentation if they’re inside the application.

The patch exists. The scanner found the downstream CVE. The ticket is in ServiceNow. And the remediation path runs through a platform migration that hasn’t been funded, a QA environment that doesn’t exist, an application owner who won’t schedule the downtime, and a change advisory board that meets monthly while the binding operational directive requires remediation in fourteen days. The vulnerability sits in the backlog, waiting, until an autonomous agent walks in and exploits it before the next change board meets — at a bank, at a hospital, at a utility, at an agency.

And this is the part the industry needs to reckon with honestly: we have seen this cycle before. Mainframes became legacy, so enterprises invested billions migrating to Java. Congratulatory backslapping. Transformation complete. And now Java is the legacy, the platform everybody knows is unsupported and nobody can migrate off of, and the next wave of investment — cloud-native, Kubernetes, serverless — is already accumulating the technical debt that will be the subject of someone else’s blog post in 2038. The structural problem is not any particular runtime. It is the organizational incapacity to maintain the thing you built after the building was celebrated and the builders moved on.

Technology failures are downstream of governance failures. The industry is funding AI-powered discovery — novel, publishable, fundable, the kind of work that earns a conference keynote. It is not funding remediation, which is invisible, expensive, unglamorous, and requires governance authority the security organization has never possessed and shows no signs of obtaining. The incentive structure rewards finding the zero-day in Firefox and ignores the two-year-old KEV on the payment system running Java 8, the patient records system pinned to an unsupported runtime, the SCADA integration that hasn’t been touched since the developer who understood it retired five years ago. The frontier model finds the novel vulnerability. The twenty-dollar API key exploits the one everyone already knew about, on the runtime everyone already knew was unsupported, at the institution whose failure would be systemic.

The shape of the solution has to match the shape of the garbage pile, and every institution’s garbage pile is its own special achievement. But the axes of intervention are knowable:

• Technology simplification and consolidation to shrink the maintenance surface — every unconsolidated acquisition and unretired platform is attack surface you are paying to defend and failing to patch

• Runtime modernization as risk reduction, not “tech debt” where it goes to die

• Dependency migration as capital work, not ticket hygiene

• Exploitability validation against what the business actually runs, not CVSS scores nobody downstream can act on

• Patching in the SDLC deployment pipeline, not on the change board calendar

• Supply chain engineering that rebuilds from source and routes around the registry poisoning and dependency rot that scanners catch after the fact

• Adversarial testing baked into the CI/CD so that the build fails if the vulnerability ships

• Security with authority to force the fix or force an executive to sign for the risk

None of this is a product you buy. All of it is operational discipline you build, customized to whatever particular archaeology of technical and organizational debt you’ve accumulated.

Without it, the forecast writes itself.

We will burn millions on tokens scanning for glamorous new vulnerabilities with every AI lab and every cyber vendor while the known CVEs pile up behind us, unfixed. And the agents — plural now, a growing and increasingly capable class — will walk in through every one of them, at the institutions where the SLA parlour tricks and glowing green dashboards tell us we are safe.

NIST published the post-quantum standards in August 2024 — FIPS 203, 204, 205 — and an entire advisory industry has materialized to sell multi-year migration programs for estates that cannot be inventoried, using keys that cannot be located, on systems nobody knows they own. Before we go further: PQC is not quantum computing. Quantum computing is an emerging technology with standard adoption gates. PQC is the next iteration of the same cryptographic modernization that moved the enterprise from DES to AES, SHA-1 to SHA-256, TLS 1.0 to 1.3 — operational plumbing, not a speculative technology bet. The algorithms are standardized; the migration belongs in the CISO’s portfolio, not an emerging technology incubator.

The Test Nobody Applies

The PQC sales cycle runs on a single premise: adversaries are harvesting your encrypted traffic and will decrypt it when quantum computers mature. The premise is correct. The conclusion — that everything needs to migrate immediately and uniformly — does not follow, because it skips a triage step the discourse never performs.

Data is genuinely HNDL-susceptible only at the intersection of three conditions: it retains long-lived value, and it can only be obtained in encrypted form, and it is worth quantum decryption when cheaper access paths exist. Each conjunction shrinks the true exposure. Most enterprise data fails at least one. A retail payment transaction fails the first: its value decays in months. An internal database fails the second: the adversary reaches it through an overprivileged service account. A classified weapons design with air-gapped key custody passes all three — and belongs on a compressed PQC timeline today.

Everything that follows applies this test.

Confidentiality in Transit

This is the bulk “nation-states are harvesting your TLS traffic” narrative that drives most PQC urgency. Signature ecosystems, data-at-rest, and crypto-native forgery are different failure modes with different timelines; they appear under exceptions below.

“Harvest Now, Decrypt Later” is a real threat model and deserves to be engaged at its strongest. HNDL is passive collection: a nation-state on a border gateway or cable landing station takes zero risk, leaves no logs, triggers no alerts. The patient archive what they intercept.

Conceded. Now apply the test.

Without forward secrecy — TLS 1.2 with static RSA key exchange — the adversary breaks the server’s private key once and decrypts every session that ever used that certificate. With forward secrecy (TLS 1.3 / ECDHE), each session requires an independent quantum computation. The difference between those two scenarios is the difference between an expensive program and a non-credible one. The attacker-side cost model is in the companion piece, A Quantum of Solace.

Enforcing forward secrecy on all TLS endpoints is the single highest-impact HNDL mitigation for data in transit that requires zero post-quantum cryptography. It converts “break one key, decrypt everything” to “break one key per session.” Technically simple, operationally hard: a cipher suite policy change that becomes a migration program in heterogeneous estates.

But “per session” is less airtight than it sounds, and this is the part the conference keynotes skip. TLS 1.3’s KeyUpdate provides zero additional quantum resistance — it derives each new secret from its predecessor with no fresh randomness, so breaking the initial handshake exposes every subsequent epoch. PSK resumption is worse: one ECDHE break cascades through the entire resumption chain, including 0-RTT early data, until the ticket key rotates or a fresh exchange is forced. Default ticket lifetime in most implementations: 24 hours of resumed sessions exposed by one break. Blanco-Romero et al. (2026) validated this experimentally. And breaking P-256 ECDLP now requires fewer logical qubits than breaking RSA-2048 — 1,098 versus 1,409. The scaling law holds, but the vendor pitch is anchored to the wrong number.

These caveats make selective attacks against specific corridors more valuable. They do not resurrect bulk feasibility across high-volume endpoints. The bulk economics remain prohibitive: with forward secrecy properly enforced and PSK chains bounded, the adversary faces hundreds of millions of independent quantum computations per day of harvested wire data. You cannot rack-mount a quantum processor any more than you can rack-mount a tokamak. The adversary is searching Borges’ Library of Babel for one coherent book, except each volume requires its own run of Shor’s algorithm at near absolute zero, and most contain nothing of value.

Most harvested financial traffic also fails the first condition of the test: transactions, trading activity, and counterparty relationships have limited shelf life. A twenty-year-old wire transfer record is not actionable intelligence; it is an archive.

The Door Without a Lock

Most enterprise data fails the second condition: it can be obtained without breaking the encryption at all. The adversary who can obtain cleartext through an identity path has no reason to assault the cryptographic wall — and the identity paths are numerous, cheap, and available today. The offshore contractor with production access in a jurisdiction where intelligence services operate with legal impunity. The overprivileged service account nobody audits. The service desk that will reset a password over the phone. The SQL injection that never required credentials in the first place. In every case, the cryptographic layer is never engaged; PQC is irrelevant because the encryption was never the barrier.

For encrypted data at rest — backups, cloud snapshots — apply the test again. It only qualifies as genuinely encrypted if key custody is segregated from data access; when the adversary can reach the decryption keys through overpermissioned KMS policies, the encryption is decorative and the decryption is classical. Kerckhoffs has been teaching this lesson since 1883: the security of the system is the security of the key management, and key management is an identity problem before it is a cryptographic one. Where DAR encryption does pass all three conditions — genuinely segregated key custody, long-lived value, no cheaper access path — it belongs in the exception class below.

What Passes the Test

Three categories survive the conjunction and deserve compressed PQC timelines independent of everything else.

Long-horizon secrecy data — state secrets, genomic data, critical infrastructure designs — retains extreme value well beyond any projected quantum timeline. Not every asset warrants the same protection, but the assets that do need to be identified and triaged rather than subsumed into a uniform program that treats a retail banking app and a classified weapons design as posing equivalent HNDL risk.

Cryptographic-native systems — blockchain platforms, tokenized asset infrastructure, smart contracts, and identity signing infrastructure (PKI, SAML, code signing) — where cryptography is not defense-in-depth but the operational substrate. Breaking ECDSA here does not reveal a secret; it enables forgery — unauthorized transfers, fabricated contract executions, systemic trust collapse. The threat model is not “harvest now, decrypt later” but “forge at will,” and the cryptographic choices are embedded in consensus mechanisms and contract logic that may be immutable by design. For institutions building or investing in DLT infrastructure today, PQC is an architectural design constraint at inception — every month of deployment deepens the debt.

Hardware-embedded cryptography — HSMs, satellite systems, embedded controllers with 15–20 year deployment cycles — cannot wait for software-layer maturity. Migration planning starts immediately, informed by the inventory.

Ride the Budget Line

Mandates and examiner pressure exist across major jurisdictions. CISOs cannot tell regulators they are deferring PQC to fix identity governance.

But foundational security has failed to secure adequate budgets for decades because it lacks a hard external catalyst, and PQC mandates provide precisely that leverage. Cryptographic inventory, asset discovery, and identity governance are PQC readiness — not rebranded IT hygiene, but the only substrate that makes algorithm migration executable. The enterprise that knows what it has, who owns it, and whether it can change it has a deployment problem. The enterprise that doesn’t, has a discovery problem wearing a compliance deadline.

The Playbook

Exception classes run on compressed timelines independent of this sequence.

Immediate — enforce and harden forward secrecy. Kill static RSA key exchange. Harden TLS 1.3 configuration so it actually delivers session independence: disable 0-RTT, force fresh key exchange on resumption, rotate ticket keys aggressively. Deploy hybrid PQC where centralized TLS termination already exists — coverage stops where centralization stops.

Immediate — build the crypto control plane. Cryptographic inventory, key custody standardization, CBOM embedded in the build pipeline so the inventory problem stops growing while legacy enumeration proceeds. Consolidate external services behind API gateways. Re-encrypt edge to origin. Map vendor dependencies — fixed crypto stacks are the migration blockers, and some will never migrate.

When you can answer the conjunction test for your own estate — algorithm migration at scale. Full internal PQC rollout, application-level library remediation, legacy system modernization. This is where the budget pressure lives and where the vendor pitch starts. It proceeds when the enterprise can demonstrate that it knows what it has, who owns it, and how to change it — not perfection, but demonstrated trajectory and capability. Without that substrate, algorithm migration is a roadmap that assumes infrastructure it doesn’t have.

The conjunction test is the triage tool the PQC discourse doesn’t use. Apply it to your own estate: what retains long-lived value, can only be obtained encrypted, and is worth quantum decryption when cheaper paths exist? That intersection is your actual HNDL exposure. Everything outside it is a priority conversation about operational maturity, not a quantum emergency. Fund the substrate. Accelerate the exceptions. The algorithm migration follows.

For the full attacker-side economics — including what happens when a fictional intelligence agency runs the HNDL business case and discovers the throughput bottleneck that kills the program — see A Quantum of Solace: How I Learned to Stop Worrying and Love the CBOM.

MINISTRY OF STATE SECURITY — SIGNALS INTELLIGENCE DIRECTORATE

CLASSIFICATION: DRAGON JADE / COMPARTMENTED

MEMORANDUM FOR: Standing Committee on Intelligence Resource Allocation

FROM: Deputy Director, Long-Horizon Signals Collection (Unit 4128)

RE: Project GLASS CATHEDRAL — Harvest Now, Decrypt Later Infrastructure Investment

Unit 4128 requests approval for GLASS CATHEDRAL: a passive signals collection program targeting financial infrastructure, with decryption upon availability of a cryptographically relevant quantum computer (CRQC). Requested funding: $300M–$500M for collection infrastructure, plus $500M–$5B for quantum decryption. Division 3 (Human Intelligence) has submitted a competing proposal for $54M. Much of the collection infrastructure described here already exists within the Ministry under other directorates.

The HNDL narrative, as articulated by the enterprise security industry, is notable for what it declines to specify. “Nation-states are harvesting your encrypted traffic” — but through what infrastructure, at what cost, with what coverage? The industry treats collection as an assumed given and proceeds directly to quantum timelines, because specifying a collection architecture invites the analysis that follows. Unit 4128 will now do the work the vendors prefer to leave as an exercise for the reader.

Collection. Most collection is nearly free — sovereign border gateways, allied nation access, geographic chokepoints.1 Even with all available tiers operational, the aperture captures only cross-border traffic — SWIFT, correspondent banking, market data feeds, offshore branch communications. The fraction containing the most sensitive material — trading strategies, risk models, board deliberations — largely does not traverse externally observable paths. Storage is trivial: $8–15M over twenty years.

Decryption. Estimates for breaking RSA-2048 have improved from ~20M physical qubits to under 100K using QLDPC architectures — but 100K qubits factors one key per month. Practical throughput — roughly three key-breaks per day — requires approximately one million qubits.22 The Committee should attend not to the qubit count but to the throughput.

The forward secrecy cliff. Without forward secrecy (static RSA), three keys per day against 1,000–50,000 server certificates takes one to forty-six years. Expensive, slow, but conceivable. With forward secrecy (TLS 1.3 / ECDHE), each session requires an independent quantum computation. One day of wire data: 913,000 CRQC-years. Selective collection reduces volume; it does not change the unit cost — where forward secrecy is enforced, each session requires its own computation whether collected selectively or in bulk.3

Risk factors. If CRQC arrives later or at higher cost, the archive accrues storage cost with no return — in venture capital terminology, a “pre-revenue phase” of unlimited duration. Financial transactions have limited shelf life; a twenty-year-old wire transfer record reveals that Bank A paid Bank B $47M on a Tuesday in 2025. The strategic value of this in 2045 is, with great respect to the Committee, not self-evident. Division 3 notes that their assets can tell us why the wire was sent, who approved it, and what it means — this Thursday. Meanwhile, TLS 1.3 mandates forward secrecy; every endpoint that migrates moves from Scenario A to Scenario B. We are betting the global banking sector will fail to complete a configuration change for which the standards have existed since 2018. This is perhaps the most defensible assumption in the entire proposal.4

The alternative. Division 3’s Project WARM HANDSHAKE: four recruited insiders, $40M over twenty years. Continuous, curated, targeted intelligence with no latency and no dependence on a machine that does not exist. Meanwhile, initial access brokers sell Domain Admin for $500–$50K — falling by half every five years.

The recursive dependency. Bulk collection is indiscriminate — making the archive tractable requires targeting selectors not available from external observation. The capability that makes the archive searchable is the same capability Division 3 provides, at which point the archive is redundant. We acknowledge that “comprehensive record of undifferentiated encrypted traffic, decryptable at a cost exceeding most national GDPs, from sessions whose plaintext could have been obtained by asking Gerald in Network Operations” is a difficult sentence to put in a funding request.

Recommendation. Unit 4128 recommends that the Committee fund GLASS CATHEDRAL at the requested level, because it is our job to present collection options for Committee decision. The Committee should fund whatever it considers most appropriate.5

STANDING COMMITTEE ON INTELLIGENCE RESOURCE ALLOCATION — OFFICE OF THE CHAIRMAN

RE: Project GLASS CATHEDRAL — Disposition

We will stipulate Unit 4128’s most optimistic projections. We accept the QLDPC qubit threshold, the cost range, the 2030s timeline. We are generous on precisely the question the enterprise security industry considers most important: when will the machine exist?

It does not help.

Three key-breaks per day. Forty-six years for the certificate inventory. The intelligence produced — decrypted financial transactions from the 2020s, available in the 2080s — is of a vintage the Bureau of Historical Intelligence Assessment has declined to characterize. Under forward secrecy, one day of wire data requires 913,000 years on a single machine. A fleet of a thousand CRQCs — $500B–$5T — processes one day in 913 years. The Committee does not typically fund programs with a time-to-intelligence measured in centuries.

We note, for context, that a significant equity position in the target institution costs less than a single CRQC and yields complete, real-time access to everything GLASS CATHEDRAL promises to deliver in 2080. We mention this not as a proposal but as a unit of measurement. Division 3 delivers equivalent intelligence on Thursday.

GLASS CATHEDRAL is declined. The cost analysis was acceptable. The throughput analysis was not.

WARM HANDSHAKE is approved. $54 million.

The Committee prefers a simpler formulation than the Bureau of Logical Consistency’s “recursive dependency”: GLASS CATHEDRAL requires Division 3’s cooperation to succeed, and Division 3’s cooperation makes GLASS CATHEDRAL redundant. We are informed that in software engineering this is called a “circular dependency.” We are informed that it is not a compliment. The Committee trusts that the next submission will not depend on Gerald in Network Operations for its operational feasibility.

The Committee has approved a one-time allocation for Unit 4128’s holiday party to be held at a venue other than the Building 9 cafeteria. This should not be interpreted as a consolation. It is a consolation.

GLASS CATHEDRAL is fiction. The math is not. Every quantum projection uses the most optimistic credible scenario and should be read as lower bounds. Argue the figures if you like; the scaling law is what kills the program — forward secrecy converts “break one key per server” to “break one key per session,” and absent protocol collapse into shared secrets (PSK resumption, ticket key compromise, endpoint leakage), no improvement in quantum hardware changes that scaling. The operational playbook is in A Prepper’s Guide to Q Day. But none of it functions without a complete cryptographic bill of materials. You can’t rotate what you can’t find. The CBOM is the unglamorous deliverable that makes everything else possible. Learn to love it.

The adversary funds both paths: identity for speed, harvest for durability. Collection is cheap and the archive is cheap — the question is whether the option exercises at scale against modern FS endpoints before the intelligence decays. The identity path costs $2,700 and arrives on Thursday. The harvest path costs billions, processes three keys per day, and works only against endpoints that failed to enforce a configuration change standardized in 2018. Fund accordingly.

The market repriced every SaaS incumbent on the fear that AI would eat their moats — then never applied the same scrutiny to the AI companies themselves. Their gross margins average 45% — closer to managed services than to software — yet they carry 25–30x revenue multiples. Exact figures vary by cohort and methodology; the magnitude of mismatch between margin structure and valuation multiple does not. The full economic case is in The Mirage of AI ROI.

The reason this persists is that the market treats “AI” as a valuation category. It is a delivery mechanism. Technology valuations have organized into three tiers for decades: Services at 0.3–3.0x revenue. SaaS at 3–8x median. Platform & Infrastructure at 10–25x — AWS, Nvidia, Snowflake, CrowdStrike, Palo Alto, Cloudflare, Datadog — companies with ~70% gross margins, multi-billion-dollar revenue, and platform gravity that deepens with usage. The boundaries shift with market conditions but the ordering never inverts.

Even if the market temporarily creates a fourth tier, underwriting still requires proof of sublinear verification cost and controllable supplier economics. There are services companies that use AI, software companies that use AI, and infrastructure companies that build AI. Anthropic, Databricks, and Palantir belong in Tier 3 — they build or operate foundational infrastructure, control their own platform economics, and serve as layers other companies build on. The application-layer companies raising at 25–30x — Harvey, Sierra, Glean, Dialpad — sit on top of that infrastructure, consuming someone else’s API, layering on verification, and selling outcomes in categories already priced as services. The Finro AI agent dataset (210 companies, 11 niches) already shows the market sorting within AI — HR, PropTech, Sales agents trade at 3–12x, overlapping SaaS. It just hasn’t extended that logic across categories to recognize that a Tier 1 AI company is the same asset class as an IT services firm with a different pitch deck.

The counterargument: AI commoditizes cognition like PCs commoditized computing, demand expands as costs collapse, and the winners will be those who own data, compute, energy, and verification. That framing has saturated investor discourse since the February sell-off. It is also a Tier 3 thesis. The value accrues to the infrastructure layer — not to the application-layer firms reselling it per outcome. If AI commoditizes cognition, the company selling commoditized cognition is on the wrong side of its own disruption thesis.

Getting the tier wrong is a 70–97% valuation swing. Technical due diligence is where the category claim should get falsified — and almost never is. TDD frameworks were built for deterministic software, and no one has updated the methodology to falsify a category claim that didn't exist five years ago. The narrative case has been made. What follows are the questions the current playbook doesn’t ask — four dimensions where the horseless carriage still gets inspected for hay consumption.

II. The Diagnostic

1. Economic Identity

No TDD methodology evaluates whether the target’s COGS structure, pricing model, and delivery risk map to software or services — despite a 3–6x difference in appropriate multiple. When a target charges per resolution or per document rather than per seat, diligence treats it as a go-to-market decision. It is a category signal — functionally indistinguishable from how services firms have priced for decades. The counterargument, that AI captures labor budgets rather than software budgets, assumes the conclusion: that the cost structure will eventually look like software. Whether it does is the empirical question Dimension 2 exists to answer.

2. Cost Structure

The Markov Tax (perpetual probabilistic validation cost) is the key variable, and TDD rarely demands evidence that it’s falling at scale. Heraclitus had it right: you cannot step into the same model twice. A successful prior run does not reduce the verification burden on the next one. If verification and exception-handling scale with throughput, margins converge toward services — the pitch-deck is not the territory. Upstream model updates compound this: researchers documented a single update shifting accuracy on a benchmark task from 97.6% to 2.4%. Version pinning is the organizational equivalent of unplugging the smoke detector — it buys silence while the technical debt compounds.

Benchmarkit’s 2025 survey (n=372) found only 15% of companies can forecast AI costs within ±10%. If the margin model collapses under volume doubling, the valuation is pricing a cost structure that does not yet exist. Diligence must demand verification minutes per unit, exception rate, inference cost as a percentage of COGS, and regression cadence under provider changes — all trending down.

3. Ownership and Architecture

TDD assesses proprietary code and IP but not dependency depth on rented intelligence. The evident failure mode is a long-familiar pattern: the vendor changes something upstream, and your control plane discovers it in production. The target typically lacks enforceable control over whether the foundation model provider ships its product as a feature, reprices API access, or withdraws the inference subsidies its unit economics depend on. The right question is what happens to margins if token costs double or triple — and whether the target has any contractual or architectural leverage over that scenario.

The escape route is Progressive Determinization: migrating validated workflows from probabilistic inference to deterministic execution, permanently eliminating the Markov Tax and supplier-induced drift on each workflow. No framework evaluates whether the target is doing this, or whether the architecture is getting less dependent over time.

4. Legal Exposure

When pricing shifts from per-seat to per-outcome, the claims surface expands — yet only 17% of AI vendor contracts include performance warranties versus 42% for traditional SaaS. The delta between customer expectations and contractual obligations creates a liability vacuum, universally abhorred. SaaS providers cap liability at subscription fees and warrant uptime, not outcomes. MSPs and BPOs, which do sell outcomes, carry professional liability coverage, E&O insurance, and indemnification structures built over decades of case law. The AI companies pricing per-resolution have inherited the liability surface of a services firm while operating under the contractual architecture of a SaaS vendor — the worst of both worlds from an exposure standpoint. Actuarial frameworks for probabilistic risk exist, but the longitudinal claims data for AI-native failure modes does not. Meanwhile, a target one regulatory reclassification away from “high-risk” may lack the governance infrastructure to operate under that classification — meaning reclassification forces a structural overhaul, not a compliance exercise.

The Agentic Murderboard. Twelve metrics across four dimensions — three per quadrant, each orthogonal, none substitutable. Economic Identity: revenue mix by pricing model, revenue per employee, customer concentration. Cost Structure: Markov Tax rate, inference cost as % of COGS, cost variance under volume doubling. Ownership & Architecture: provider concentration, progressive determinization rate, regression cadence under provider changes. Legal Exposure: performance warranty coverage, liability architecture gap, regulatory reclassification distance. Any metric moving the wrong direction breaks the software thesis.

The bull case is not fiction. Margins are improving, the best operators may reach the low 60s within two years — if verification costs decline with scale rather than tracking it. But we are pricing the option on determinization as if it has already happened.

The reclassification is latent, not inevitable — it needs a trigger: a deal that blows up on margin compression, a public company that misses on verification costs, a regulator that forces the category question. The window between recognizing the sorting criteria and the market pricing them is where the advantage lives.

Agents start as cogs. They end up as COGS.

Price accordingly.

The Prescription: Use agentic AI to discover and prototype. Compile the stable fraction into deterministic systems. For the irreducible residue, impose Bounded Agency—confine the agent’s actions to a pre-verified feasible region so you verify quality, not safety. Graduate workflows from probabilistic experimentation to deterministic infrastructure.

The Mechanism: Progressive determinization—a disciplined lifecycle that treats agents as scaffolding for transformation, not substrate for operations.

The Test: Every agent deployment should answer one question: what does stable look like?

Part 2 diagnosed the structural asymmetry: generation costs deflate; verification costs don’t amortize. The Markov Tax inverts expected economics wherever errors have consequences.

This part offers the prescription.

Progressive Determinization as Stabilization Mechanism

In Part 1, the argument was that the post-deterministic firm is metastable—capable of thriving in bounded domains, but lacking the control-theoretic stability required for sustained operation as a general enterprise model. Progressive determinization is the stabilization mechanism the metastable firm requires: a disciplined lifecycle that converts probabilistic exploration into deterministic infrastructure, phase by phase, while imposing Bounded Agency on whatever remains irreducibly fuzzy.

It is also the faster path. The counterargument—that progressive determinization is a framework for organizational timidity—collapses against the data Part 2 documented: forty-two percent of companies abandoned most AI initiatives in 2025, up from 17% in 2024; Gartner projects over 40% of agentic AI projects will be canceled by 2027; roughly 95% of enterprise AI pilots fail to deliver measurable ROI. Moving fast without a stabilization strategy doesn’t produce speed. It produces expensive failure-and-restart cycles. Progressive determinization is faster than failure.

The alternative is what most enterprises are building: permanent probabilistic infrastructure with no path to stable unit economics. That’s not transformation. It’s dependency with a demo.

Why Now: The Forcing Functions

Two clocks are running. One is regulatory, one is economic. Neither cares about your roadmap.

The Regulatory Clock

EU AI Act obligations for high-risk AI systems take effect August 2026—though the Digital Omnibus proposal may delay certain provisions to December 2027. The SEC has charged multiple firms for “AI washing,” with enforcement actions escalating from Delphia/Global Predictions (March 2024, first-ever) to Nate Inc. ($42 million fraud with parallel DOJ criminal charges). The SEC doesn’t care what your model can do. It cares what you claimed it could do.

The liability standard is shifting from accuracy to evidence. “Our model is 99% accurate” is becoming “Show me the exact chain of reasoning and data points used to deny this claim on this date.” A system can be brilliant at forward reasoning—generating the answer—and impossible to defend backward—reconstructing the reasoning for audit. This is why pure end-to-end LLM systems fail in regulated contexts regardless of model capability.

SR 11-7 requires models documented so that “unfamiliar parties can understand the model’s operation.” Progressive determinization produces these artifacts inherently at each phase gate—not as retrofitted compliance theater. The stakes are not abstract: firms experience average cumulative abnormal stock returns of -21% following AI incidents—errors have balance-sheet consequences. A striking market signal: the Bank Policy Institute reported in 2025 that some banks have begun asking vendors to remove or turn off AI features in third-party products to avoid model risk management review. When the market voluntarily retreats from AI to escape governance burden, the governance model is the product.

The Subsidy Clock

Every enterprise AI business case is built on prices that are not market prices. OpenAI lost $5 billion on $3.7 billion in revenue in CY2024; Anthropic’s gross margins were negative 94–109%. These are capital transfer mechanisms: Microsoft invests $13B in OpenAI, which routes $8.67B back to Azure; Amazon invests $8B in Anthropic, which runs on AWS. Sequoia Capital calculates a $600B+ annual revenue gap between AI infrastructure spending and actual AI revenue. JP Morgan estimates $650B in new annual revenue needed for a 10% return. The infrastructure-to-revenue ratio is 10:1 or worse. AWS raised H200 Capacity Block prices 15% in January 2026—the first major rate increase—and Gartner projects enterprise software costs will increase substantially due to AI price pass-throughs by 2027.

The dot-com fiber buildout is the precedent. After the Telecommunications Act of 1996, telecom companies invested over $500 billion in fiber; by 2001, 95% was dark, prices collapsed 90%, and Global Crossing, WorldCom, and Lucent were destroyed. The infrastructure proved transformative eventually—but every company that built operational dependency on pre-crash pricing was wiped out. The technology was right. The business model was wrong.

This resolves in one of three ways, and enterprises lose in two of them. Prices spike as subsidies end and hyperscalers pass through amortization. Prices collapse as overcapacity drives inference to marginal cost, destroying providers. Or—most likely—prices stabilize significantly above current rates through write-downs and consolidation. Progressive determinization is the only architecture that survives all three. Compiled workflows don’t care what inference costs.

Phase Zero: Admit the Enterprise Does Not Have Processes

Part 1 made the case: most enterprise process documentation is decorative fiction. The real operating model is exceptions, arbitration, handoffs, tribal knowledge.

Agents are useful in Phase Zero precisely because they externalize this reality. They cannot improvise the way human operators do. Their failures are signal. Their traces become telemetry. The principle is capture-first, structure-later: the agent’s trace is the primary asset. Structure is derived downstream.

Phase Zero is not a technology phase. It is a governance phase. The work is to admit that the enterprise has rituals, not processes—and to decide which rituals are worth formalizing. Compiling dysfunction into code just makes dysfunction permanent.

The hard conversations nobody wants to have: Who owns this workflow end-to-end? What happens when it fails? Who decides what the data means? These are leadership problems disguised as technical ones. No amount of prompt engineering resolves the absence of accountable ownership.

Phase One: Agents as Process Archaeology

Deploy agents as exploration engines, not autonomous workers. Start with constrained execution: read-only first, guarded writes next, autonomy last.

The goal in Phase One is not “hours saved.” It is process illumination: decision paths, exception routes, escalation behaviors, data dependencies nobody documented because the documentation was never the system.

What you are buying in Phase One is not labor substitution. You are buying process archaeology.

This is where Part 1’s concept of Capability Engineering becomes operational. The binary gatekeeper model collapses in an agentic environment; the answer is defining the Bounded Solution Space rather than prescribing exact paths. Security becomes choreography of constraints rather than a checklist of controls.

The control plane primitives described later in this piece are Capability Engineering in implementation—the security architecture that makes Phase One exploration safe enough to run at scale.

Phase Two: Compile the Stable Patterns

Once patterns stabilize, stop paying the AI tax for them.

Watch the acceptance rate at the human gate. If the human approves the agent’s draft 95%+ of the time for a given workflow segment, the pattern is stable. It’s a candidate for determinization.

Think of it as paving desire paths. Agents find the routes people actually walk; Phase Two is laying asphalt where the grass is worn.

Determinization means converting the stable portion into systems with predictable behavior: explicit state machines, policy-as-code gates, hardened integrations, semantic routers that dispatch known patterns to cached responses or deterministic APIs and escalate novel patterns to constrained agents or human review. The router uses probabilistic classification, but the dispatch targets are deterministic. Probabilistic surface area shrinks without requiring full code compilation.

The distinction between soft and hard determinization is not academic. Soft determinization—Constitutional AI, guardrail frameworks, prompt engineering, fine-tuning—constrains the distribution of outputs but the system remains probabilistic. “Very high reliability” is not “certain,” and in domains where residual failures translate to material harm, the difference is a lawsuit. Hard determinization eliminates output variance given identical inputs: deterministic code, SQL, rules engines, semantic routers to cached responses, explicit human decision points. The target for stable patterns is hard determinization. Soft is a waystation, not a destination.

Routing, solvers, and compilation are not competing ideologies. They are different levers for the same objective: minimizing probabilistic surface area in the liability chain.

The Horseless Carriage Caveat

The counterargument: compiling workflows into hard code reintroduces the rigidity that plagues current IT. Valid against bad compilation—against “hard-code the world.” Not valid against selective compilation of stable, high-repeatability patterns. And the brittleness critique cuts both ways: an always-agentic workflow is a moving target. Prompts drift. Providers update models. Tool semantics change. What passed eval last month can regress silently this month. “Adjust via a prompt update” is precisely the operational hazard: it makes change easy and verification hard.

Y Combinator partner Pete Koomen argues that most AI applications mimic old software paradigms rather than reimagining around AI’s strengths. For greenfield products in unregulated markets—fair point. In regulated industries, you cannot file a probabilistic audit. Even without regulators, the economics hold: deterministic execution is cheaper than probabilistic execution for known patterns, full stop.

AI Builds the Replacement

The historical objection to compiling down was cost: rewriting systems takes years and burns budgets. AI code generation collapses that objection flat. Code generation is the breakout enterprise use case—AI coding assistants now show 91% organizational adoption across 135,000+ developers as of Q4 2025. The same models that power agentic experimentation can dramatically accelerate construction of deterministic replacements.

The arbitrage most people miss: AI is most valuable not as permanent infrastructure, but as an accelerant for building infrastructure that doesn’t require AI. Use nondeterministic AI to discover and prototype. Use AI code generation to build the deterministic replacement. Graduate the workflow. The agent’s job is to make itself unnecessary for stable operations—and AI development tools make that transition faster than legacy economics ever allowed.

Phase Three: Bounded Agency for the Irreducibly Fuzzy

Some problems remain fuzzy and should stay that way: ambiguous natural language intake, synthesis across messy corpora, exception triage when policies collide, novel situations that don’t fit established patterns.

This is where agents earn their keep. But “earn their keep” does not mean “run unconstrained.”

Simon’s Bounded Rationality observed that humans are rational only within cognitive limits. In the AI era, the problem inverts. Machines have near-unlimited computational capacity but no intrinsic awareness of institutional constraints. An unbounded agent is not irrational; it is arational—optimizing brilliantly within a space that includes actions the enterprise cannot survive.

Bounded Agency is the architectural guarantee that an agent’s actions are confined to a pre-verified solution space. The agent optimizes freely within the boundary. It cannot exit the boundary.

The Feasibility Kernel

To implement Bounded Agency, build a Feasibility Kernel—a formally verified runtime monitor that enforces the boundary between what the agent may explore and what it may never propose.

The mental model is Operations Research: every optimization has a Feasible Region defined by hard constraints. The objective function cannot propose a solution outside it. In Bounded Agency, the LLM is the objective function; the constraint boundary is the Feasible Region. The agent proposes; the kernel validates before any action commits. Infeasible solutions are not mysteries—OR solved this fifty years ago.

Why minimize the surface requiring formal guarantees? Because verification is punishing. The seL4 microkernel required 200,000 lines of proof for 8,700 lines of C. Determinize stable patterns first (Phase Two). Concentrate formal verification on the irreducible residue where the stakes justify the cost.

Pure LLM systems are probabilistic end-to-end—unbounded agency. A system built on Bounded Agency is probabilistic at the edges (language understanding, creative search) and deterministic at the core (constraint enforcement, action validation).

This is already shipping. AWS Automated Reasoning Checks, generally available since August 2025, use formal mathematical proofs—not probabilistic guardrails—to validate LLM outputs against encoded business rules, claiming up to 99% verification accuracy. EY-Parthenon launched a neurosymbolic AI platform pairing language models with deterministic reasoning engines for underwriting, claims, and compliance. Elemental Cognition, founded by David Ferrucci of IBM Watson fame, built a constraint-resolution engine now used by Oneworld airline alliance. Ferrucci’s framing cuts through the noise: LLMs are not designed to perform formal computation—deterministically, efficiently, precisely, consistently following a set of rules. That is what classical algorithmic programming is for. The man who built Watson is telling you not to trust language models for deterministic work. Maybe listen.

None of these are complete formal proofs across all constraint classes. They don’t need to be. Even at 99% enforcement accuracy, the economics invert: the human verifies the cases where the boundary flags uncertainty—not the totality of output that unbounded agency demands.

Legal intake remains fuzzy—but “no response may recommend action outside the client’s jurisdiction” is enforced deterministically, not hoped for probabilistically. Customer escalation triage remains fuzzy—but “high-value customers route to senior agents” is deterministic, not emergent.

TEST CASE: GOLDMAN SACHS — “AGENTS READ THE MAIL, CODE WRITES THE CHECK”

Goldman Sachs’ co-development of Claude agents with Anthropic for trade accounting is the highest-profile test of scaffolding architecture in regulated finance. If you squint, it looks like proof that agents can be substrate. Don’t squint.

Goldman isn’t replacing the general ledger with an LLM. Per CNBC’s reporting (February 6, 2026), CIO Marco Argenti describes agents that handle the perceptual layer—messy intake (trade tickets, counterparty discrepancies, unstructured communications)—while deterministic constraints validate every proposed entry against accounting rules before commit. Six months of embedded Anthropic engineers. Targets include trade accounting, KYC, and AML. Goldman chose Anthropic specifically for “safety, interpretability, and reliability”—language that signals architectural intent, not hype adoption.

This is not “agents running the bank.” This is agents reading the mail, while code writes the check.

What remains undisclosed: override rates, regression coverage under model drift, audit artifact generation. Evidence that would validate the architecture: published acceptance metricsand incident rates post-deployment.

The “Bitter Lesson” Rebuttal

The strongest objection: Rich Sutton’s “Bitter Lesson”—reinforced by his 2024 Turing Award—argues that general methods leveraging computation ultimately dominate hand-crafted approaches. Bounded Agency looks like exactly the kind of constraint system that scaling laws will render obsolete.

The objection conflates capability with solvency. Scaling compute gives you a more powerful engine. It does not prevent the agent from going logically insolvent—proposing actions that violate constraints the model was never trained to internalize. Even a model that hallucinates 0.1% of the time produces thousands of infeasible solutions per day at enterprise scale. The Bitter Lesson tells you how to build a better optimizer. It tells you nothing about how to build a better constraint boundary.

Even Sutton now emphasizes that AI systems need “world models”—internal representations of environment constraints. And AlphaGeometry—DeepMind’s mathematical reasoning breakthrough—is a neural language model paired with a symbolic deduction engine. The Bitter Lesson’s own poster children are implementing the pattern. Scaling solves capability. Boundaries solve reliability. You need both.

Phase Four: Agents as Continuous Architecture Auditors

Most implementations treat Phase Four as an afterthought—six lines in the deck, a monitoring dashboard nobody checks. This is exactly backward. Phase Four is where the lifecycle loops. Without it, progressive determinization is a one-shot installation project. With it, the enterprise becomes a self-improving system.

Agents should watch the enterprise more than they run it. Deploy them to continuously surface: process variance and exception hotspots, control breakdowns and repeated failure modes, data quality bottlenecks, policy drift and incoherent decisioning, divergence between documented process and actual behavior. Each discovery feeds the next cycle: new candidates for Phase Two determinization, new constraint definitions for Phase Three Bounded Agency, new evidence that a determinized workflow has drifted and needs re-examination.

The Probabilistic Middleware Trap

Here is the failure mode nobody is talking about. The emerging pattern—semantic layers, agentic orchestration platforms, shared context stores—creates probabilistic infrastructure between agents and systems of record. If agents can write to this layer without committing those writes to underlying systems of record, the organization develops a probabilistic layer of “truth” that drifts from actual truth. Agents read and amplify each other’s inferences. Synthetic unverified facts circulate. A hallucination loop detaches from reality and nobody notices because the loop is self-reinforcing.

Phase Four monitoring must catch this before it metastasizes. The reasons context graphs fail this test have been explored at length: the ontology bottleneck didn’t disappear (it got renamed), time breaks naive graphs, and provenance is not optional. Semantic layers must be read-through caches and orchestration scaffolding, never primary stores of persistent state. The unprocessed trace log—not the derived graph—is the durable artifact. All writes must commit to underlying deterministic systems of record via validated gates.

Data Quality: The Prerequisite Nobody Mentions

Bounded Agency assumes constraint definitions are sound and inputs are well-structured enough for the deterministic solver to reason over. In practice, this is where progressive determinization gets ugly: semantic reconciliation across systems, entity resolution across legacy boundaries, temporal consistency when data arrives at different cadences from different sources.

Here is the uncomfortable part: the data quality problem is often the reason workflows haven’t been formalized in the first place. The human operator navigates ambiguous data through institutional memory. The agent cannot. Progressive determinization forces the enterprise to confront data quality problems it has been working around for decades. Phase Four is where those problems become visible—and where the enterprise decides whether to fix them or keep paying humans to route around them.

TEST CASE: HARVEY — THE MARKOV TAX IN AI-NATIVE SCALING

Harvey, the legal AI company, hit roughly $195 million in ARR by end of 2025, serving 50 of the top AmLaw 100 US law firms at an $8 billion valuation. If any company proves that probabilistic infrastructure can scale, Harvey appears to be the case.

Look closer. Harvey employs former practicing lawyers across customer success and verification roles—domain experts who ensure the AI’s outputs meet professional standards. A 2024 Stanford study found specialized legal LLMs produce infeasible outputs 17–33% of the time. Harvey’s economics work because it is an advisory tool where the human lawyer retains decision authority—exactly the Phase One / Phase Two pattern progressive determinization prescribes.

Even the AI-native success story proves the Markov Tax: verification labor scales with adoption. Harvey didn’t repeal verification. They priced it into the product. And they monitor continuously—which workflows are stabilizing, which need more guardrails, which need more lawyers. That is Phase Four in action, whether they call it that or not.

The terminal purpose of the agent is to make itself replaceable for any given workflow. Phase Four is where you measure whether that’s happening — or whether the enterprise is building permanent dependency on probabilistic infrastructure with no exit ramp.

The Operating Architecture

The four phases describe what to build. What follows is how to run it — the enforcement layer that prevents progressive determinization from becoming another planning artifact that dies in committee.

Three governance preconditions are non-negotiable. Every agent has an accountable owner — a person, not a team — with authority and responsibility. Every agent workflow has a cost model that includes compute, governance, remediation, and tail risk, not just “hours saved.” And every agentic deployment has a defined exit: a path to determinization, a justified case for Bounded Agency, or retirement. Unbounded probabilistic decisioning in the liability chain is not a valid end state.

The implementation specifics behind these principles are Capability Engineering reduced to enforcement mechanisms (control-plane primitives).

Without these primitives, “governance” is aspiration, not architecture.

Every agent deployment must have a hard-coded kill switch — the ability to revert the workflow to human-only or deterministic-only state immediately. Not gracefully. Immediately.

The most serious trigger class: constraint escape, where agent output commits to a system of record despite violating a boundary constraint. This is privilege escalation in a microkernel. For what happens when control plane primitives are absent entirely, see BodySnatcher — where a hardcoded platform-wide auth secret let an unauthenticated attacker weaponize ServiceNow’s own agent to provision admin credentials. The kill switch prevents the “too big to fail” problem where an organization becomes so dependent on the agentic swarm that it cannot shut it down without ceasing operations. Independence from any single provider is part of the requirement: the ability to revert to human-only operation, not merely to swap vendors.

Who Owns This

Progressive determinization demands a cross-functional capacity that most org charts pretend doesn’t need to exist.

Who monitors acceptance rates at human gates? Who decides when to trigger determinization? Who defines the constraints that constitute the Bounded Agency boundary — and who validates that those constraints are complete? The role sits at the intersection of security architecture, process engineering, ML operations, and risk management. It is closest to what a cybersecurity leader does when operating well: managing the boundary between trusted and untrusted systems, defining constraint envelopes, and intervening at the policy level rather than the transaction level. As argued elsewhere, AI security is not a new tower but a forced merger — MRM sets the law, cyber provides the enforcement.

The organizational prerequisite is a named accountable person who owns the lifecycle end-to-end. Without this, the lifecycle devolves into committee governance, and committee governance is where transformation goes to be discussed until it’s irrelevant.

FOR AI PLATFORM AND PRODUCT LEADERS

If your enterprise deals are stuck in pilot purgatory, progressive determinization explains what your customers need.

The product is not the agent. The product is the lifecycle — the tooling that moves customers from exploration to determinization to Bounded Agency with metrics at every gate.

Price for outcomes, not tokens. Your customer’s cost driver is governance, not inference. Ship evals, regression coverage, rollback, and audit evidence — not autonomy.

Ship constraint enforcement as a platform feature. The fastest path to enterprise procurement: demonstrating that your agent cannot propose non-compliant actions — not that it usually doesn’t. The governance layer is where the margin lives.

Build the off-ramp into the product. Your most successful customers will graduate from your agentic product for stable workflows. The vendor who enables determinization becomes the exploration engine for the next set of workflows.

Salesforce SVP Sanjna Parulekar: “Language models are exceptional at understanding intent and context but they are, by design, probabilistic. They generate likely outcomes, not guaranteed ones.” The customer who demands Bounded Agency is not being difficult. They are being rational.

The Strategic Imperative

The fallacy of enterprise AI is not that AI cannot create value. The fallacy is treating agents as permanent infrastructure rather than scaffolding for transformation.

Deflation makes agents cheaper. Governance makes agents expensive. The enterprise wins by determinizing what can be determinized, bounding what cannot, and keeping unbounded probabilistic systems where they belong: in exploration, not production.

The companies that win will not be the ones that deploy the most agents. They will be the ones that deploy agents strategically — as instruments of discovery that feed determinization and constraint, not as permanent, ungovernable substitutes for process discipline.

Frame it right, and AI becomes the most powerful tool for enterprise transformation since the relational database. Frame it wrong, and you’re building on sand — subsidized sand today, expensive sand tomorrow, and the collapse happens exactly when you can least afford it.

Scaffolding builds. Substrate breaks.

The Thesis: AI ROI models measure the wrong unit. They price tokens; enterprises pay for outcomes under constraints.

The Constraint: Generation costs deflate aggressively. Verification costs amortize poorly in consequence-bearing domains. This “Markov Tax” inverts expected economics wherever errors have consequences.

The Implication: Current business cases conflate inference deflation with enterprise TCO, ignore failure-heavy pilot portfolios, and treat governance as overhead rather than cost of goods sold.

Enterprise AI is being sold with the confidence of a utility and priced with the behavior of a land grab.

That mismatch breaks ROI before a single model is deployed.

Most ROI narratives treat AI like a deterministic software upgrade: drop it in, compress cycle times, reduce headcount, move on. What is actually being introduced is a probabilistic operating regime—new cost structures, new failure modes, and a governance surface that resembles less a “tool” than a new category of actor inside the business.

The outcome is predictable: decks full of “transformative value” and a quiet refusal to interrogate the denominator.

What the Believers Have Right

Before diagnosing the fallacy, acknowledge what the believers have right.

The cost curve is violent. Stanford’s AI Index documents a 280× drop in inference cost for GPT-3.5-equivalent performance between late 2022 and late 2024, with task-dependent declines ranging from 9× to 900× per year. This is what computation does. The slope will continue.

Open-weight models are closing the gap. The same AI Index reports open-weight models narrowing performance differences with closed models on key benchmarks. Self-hosting and multi-provider strategies become more credible, not less.

In some domains, productivity uplift is measurable. Field evidence shows GenAI assistance improving call-center productivity by approximately 14%, with benefits concentrated among less-experienced workers. Developer productivity studies show meaningful gains in controlled settings. These are real effects in specific contexts.

The labor arbitrage spread is large. In bounded domains, the cost differential between human and agent can be 1,000% to 10,000%. Even with 30% failure rates requiring human review, the 70% autonomous throughput is achieved at pennies on the dollar.

So yes: costs are dropping, models are improving, labor arbitrage exists, and certain use cases are already positive.

The problem is what happens when that truth gets generalized into a business case template.

Where ROI Is Already Repeatable

The critique is not that ROI doesn’t exist. It does—in bounded domains:

• Copilot augmentation in high-volume knowledge work: support triage, compliance drafting, QA review

• Search and classification over enterprise corpora where error cost is bounded and human review is efficient

• Developer productivity in controlled environments—large fractions of developers now use AI coding tools daily, with double-digit velocity gains reported in controlled studies

The mistake isn’t that local wins are fake. It’s that they’re being priced like enterprise transformation. The 14% call center uplift does not port to legal review, clinical decision support, or financial modeling. Specificity is the enemy of the template.

The Meter Is Wrong

Here is the economic problem most ROI models elide: the spreadsheet prices tokens; the business pays for constrained outcomes.

This is basis risk. The metered unit is not the economic unit.

The DeepSeek moment made this vivid. Frontier-level inference at $0.14–$0.55 per million tokens. Training costs a fraction of Western incumbents. The market concluded: intelligence is becoming free.

The conclusion is half-right. Raw inference is commoditizing. But the enterprise doesn’t purchase tokens—it purchases outcomes with constraints: auditability, reversibility, authorization semantics, evidentiary trails, policy compliance, tail-risk containment.

Those constraint-bearing layers remain labor-, integration-, and liability-shaped. They don’t follow exponential cost curves.

Even if raw inference deflates to near-zero, wrappers monetize constraints: governance features, workflow products, risk controls, seat models, bundles, commitments, indemnities.

Anthropic introduced rate limiting after users consumed tens of thousands in model usage on flat-rate subscriptions. OpenAI signaled that ChatGPT Plus at $20/month may be unsustainable. The pattern is clear: prices rise at the product layer even as raw inference costs decline.

The subsidy is being withdrawn. The meter was always wrong.

Even if underlying inference continues to deflate, enterprises should assume pricing will migrate upward into the constraint-bearing layers: guarantees, governance, latency, indemnities, and integration. The margin moves; it doesn’t disappear.

The FinOps Reckoning

The organizational mechanism that will enforce this reality is already emerging: FinOps, chargeback models, and hard consumption quotas. When AI spend hits a budget line with an owner—rather than floating as “innovation investment”—the gap between token optimism and outcome economics becomes visible. Governance stops being philosophy and starts being a P&L constraint.

The Consumption Trap

The counterargument: cheap inference solves the economics.

The opposite is true.

Jevons Paradox holds. When a resource becomes more efficient to use, total consumption increases rather than decreases. Enterprises aren’t consuming less—they’re consuming orders of magnitude more: chain-of-thought reasoning, majority voting, agentic loops, retries.

If document processing scales from 1,000/day to 1,000,000 because inference is cheap, the verification burden scales by 1,000x. Human review doesn’t follow exponential cost curves.

Cheap inference doesn’t solve the governance problem. It floods the enterprise with “plausible but unverified” faster than any human process can absorb. The Markov Tax becomes the hard ceiling on ROI.

The second-order effect: verification becomes a new labor market—QA, reviewers, model risk analysts, audit evidence production, red-teaming—and wages rise in exactly the places enterprises assumed AI would eliminate cost.

The Production Cliff

The portfolio baseline is failure-to-production. Ignoring it is incomplete accounting.

MIT research frames it bluntly: despite $30–40 billion in enterprise GenAI investment, 95% of organizations report zero return, and only 5% of evaluated systems reach production. IDC’s numbers point the same direction: 88% of AI proofs-of-concept never reach widescale deployment. Gartner reports enterprises routinely abandon a significant portion of AI pilots before production.

The counterargument is that this is a lagging indicator—the 1996 of AI. Tooling will mature. Success rates will invert.

Partially true. But the tooling problems are the smaller fraction. The larger fraction is organizational: accountability gaps, integration complexity, incentive misalignment, governance structures that can’t make cross-silo decisions. These are the same failure modes that have plagued ERP implementations and data warehouse projects for 30 years. AI doesn’t solve organizational dysfunction; it amplifies it.

Even if the percentages are debated, the distribution is not: lots of pilots, few production systems with durable ownership, evals, and change control.

Firm-level ROI is a weighted average across abandoned pilots, partial deployments, a handful of scaled wins, and the organizational cost of running the experiment factory. If failure rates aren’t modeled, ROI isn’t analysis. It’s fan fiction with numbers.

The Operating Model You Didn’t Budget For

AI drags in a structural cost layer that most ROI templates omit:

Verification can be partially automated—evals, synthetic tests, policy checking. The tooling is maturing.

Accountability cannot be automated. Who signs. Who is liable. What evidence is produced. What the regulator accepts. “The model evaluated itself” is not a legal defense.

Verification includes legal defensibility and disclosure integrity. The SEC has already charged firms for “AI washing”—misleading claims about AI capabilities. EU AI Act enforcement begins August 2026, with major provisions including obligations for general-purpose AI systems. These are not thinkpieces; they are compliance calendars. The cost of producing audit-ready evidence for probabilistic systems is now a recurring line item, not a one-time implementation fee.

In AI, reliability and governance are not accessories. They are recurring cost of goods sold.

The Agentic Amplifier

Agentic AI is the newest amplifier of the ROI fallacy because it invites the laziest translation in enterprise history:

Industry signals are unusually aligned. Gartner forecasts over 40% of agentic projects will be canceled by 2027 due to cost, unclear value, and risk control gaps. Fewer than one in eight enterprises actually run agents in production.

Here is the key correction:

At enterprise scale, agents rarely substitute labor cleanly. They substitute certainty with orchestration.

The labor arbitrage exists—the spread between silicon and carbon is real. But the arithmetic collapses when you measure the wrong unit.

The unit is not “cost per agent-hour.” It is: cost per correct outcome under constraints, including tail risk.

In enterprise workflows, the cost of errors can dominate compute: financial mispostings, entitlement mistakes, compliance violations, customer-impacting failures, audit exceptions requiring remediation programs. The 30% failure rate is not “30% needs review.” It’s often “30% creates downstream cleanup with nonlinear cost.”

If thirty minutes of a competent operator is replaced with an agent that burns compute through orchestration, retries, tool calls, and approvals—and still needs a human to validate—you did not create ROI. You moved costs from payroll to compute, governance, and remediation.

Sometimes that trade is still worth it. It does not automatically create ROI.

The mistake is not agents. It’s unpriced tail risk.

The Translation Layer

Most “legacy” talk is lazy. It treats anything old as drag and anything new as progress.

The reality is that a large class of so-called legacy systems are not obsolete technology. They are the enterprise’s immune system—existing to preserve accountable truth.

Modern enterprises run on systems that encode hard-won constraints: approval sequencing, segregation of duties, change windows, ownership checks, reconciliations, audit trails. Those controls are not bolt-ons. They are part of the workflow grammar. They are why the system is trusted.

Immune systems can become autoimmune. Controls that preserve truth can also throttle throughput. The goal is programmable immunity: preserve constraints while compressing friction.

But there’s a separate category: true legacy footprints—mainframe, midrange, batch interfaces, proprietary protocols, stateful procedures. This is not immune system; this is geology.

Agents can’t wrap around timing assumptions and implicit state. Modern orchestration assumes idempotent calls, explicit state, observable outcomes. Legacy systems frequently embed state transitions in procedural sequences where “step 3 failed” doesn’t mean “nothing happened.” It means “something happened and you don’t know what.”

Agents amplify this because they explore and retry. The system interprets retries as duplicate business actions. You just invented double-billing, duplicate orders, phantom entitlements—at machine speed.

We’ve seen this movie before. RPA promised to automate across brittle applications by mimicking the human path. It worked in narrow, stable, well-bounded workflows. It became fragile under UI change, exception variance, and upstream drift. It scaled brittleness when used as a substitute for modernization.

Agentic orchestration repeats the temptation with better marketing and a bigger blast radius.

What enterprises actually build is not an “agent layer.” They build a translation layer: policy gates, intent validation, reversible execution, human-readable justification, evidence capture.

Call it boring. It’s the immune response. Agents don’t repeal physics.

For AI Platform & Product Leaders

If deals are stalling in pilot purgatory, the verification asymmetry explains why. You’re selling tokens. The customer is buying outcomes.

The product opportunity is the constrained-outcome layer:
• Evals and regression as product features, not customer problems
• Policy enforcement built in, not bolted on
• Audit evidence as default output, not optional logging
• Rollback as architectural primitive, not afterthought
• Pricing aligned to outcomes, not token volume

Vendors selling “autonomy” without constrained execution will churn.
Vendors selling constrained outcomes will become infrastructure.

The Stress-Tested Thesis

The critique is not that AI cannot create value. It can. The labor arbitrage is real. The cost curve is real. The productivity gains in bounded domains are measurable.

The critique is that ROI decks are measuring the wrong unit.

Inference deflates; enterprise TCO does not deflate at the same rate. The enterprise isn’t buying tokens—it’s buying outcomes with constraints. The constraint-bearing layers are where cost volatility lives.

Portfolio baselines assume success; reality is failure-heavy. Pilots are cheap; production is expensive. Ignoring the denominator isn’t optimism; it’s incomplete accounting.

AI introduces recurring operating costs that behave like COGS, not one-time implementation. Reliability and accountability are permanent line items.

The labor arbitrage exists, but the unit matters. Cost per agent-hour obscures cost per correct outcome under constraints, including tail risk.

The ROI mirage is not conspiracy. It’s the predictable result of applying consumer-tech logic to enterprise-grade constraints—the same category error that produces cargo cult adoption of every paradigm mistaken for a strategy.

The question is not whether AI creates value. It can, and it does—in specific domains with measurable effects. The question is whether the enterprise can capture that value without building the firm on probabilistic debt.

The business case for AI, as currently constructed, conflates inference deflation with enterprise TCO, ignores the pilot-to-production cliff, and measures the wrong unit entirely. That’s not a technology problem. It’s an accounting problem—and accounting problems eventually become balance sheet events.

Part 3 offers the prescription: how to use AI as scaffolding for transformation rather than as permanent, ungovernable substrate.

The Thesis: AI is most valuable as scaffolding for transformation, not as permanent infrastructure.

The Constraint: Generation costs trend to zero; verification costs don’t amortize. This “Markov Tax” inverts the expected ROI of most enterprise AI initiatives.

The Implication: The Post-Deterministic firm is a transitional state, not a destination. Organizations must pass through it—using agents to discover and prototype—then compile stable patterns into deterministic systems with defensible economics.

What Part 1 Delivers: A diagnostic framework for understanding why AI transformation is harder than the hype suggests, and why governance architecture—not model capability—is the binding constraint.

For five centuries, the primary purpose of the corporation has been to banish surprise.

From the clay tablets of Sumer to the Excel spreadsheets of your CFO, we have constructed an elaborate apparatus designed to freeze time and enforce order. The firm exists as a low-entropy island in a high-entropy sea, deploying ledgers, contracts, and bureaucracies to collapse the chaotic probability distribution of the world into the deterministic certainty of the bottom line. Call it the Certainty Machine.

The machine is breaking. In a hyper-connected, complex adaptive economy, Weber’s “Iron Cage“ of bureaucracy hasn’t become obsolete—it’s become incompatible with probabilistic inputs. We are attempting to run probabilistic software on top of a deterministic liability structure. The friction isn’t cultural; it’s structural. The cage is still load-bearing; we can’t demolish it. We have to build an integration layer.

What emerges from this integration challenge is the Post-Deterministic Company—a firm that has internalized non-determinism as a core operating principle, abandoning the root metaphor of the machine (clockwork, linear, predictable) for the metaphor of the organism (cybernetic, probabilistic, adaptive). It doesn’t replace the rigid hierarchy wholesale; it augments it with the agentic swarm—bounded, monitored, reversible, but fundamentally probabilistic.

This shift promises a revolution in agility that renders current “digital transformation” initiatives quaint administrative tinkering. But it also introduces systemic risks with balance-sheet consequences—Loss Given Failure events, operational cascades, regulatory exposure—that we have scarcely begun to model. And critically: the organizations most desperate for this transformation are precisely those least equipped to execute it.

This is Part 1 of a three-part series. Here we diagnose the ontological rupture—the fundamental incompatibility between how enterprises have always operated and what AI actually is. Part 2 deconstructs why current AI ROI calculations are built on sand: subsidized pricing, ignored failure rates, unmeasured governance costs, and the Markov Tax—the verification overhead that inverts expected economics. Part 3 offers the prescription: how to use AI as scaffolding for transformation rather than as permanent, ungovernable substrate.

The thesis across all three parts is simple: AI is most valuable not as permanent infrastructure, but as an accelerant for building infrastructure that does not require AI. The companies that understand this will capture the productivity gains of the current moment while avoiding the dependency trap. The companies that do not will find themselves paying an escalating AI tax on workflows that should have been deterministic years ago.

But first, we need to understand what we’re escaping from—what we might escape into—and why the passage between them is narrower than the hype suggests.

The Archaeology of Order: Why We Built the Certainty Machine

To appreciate the magnitude of this shift, we must confront the sheer historical weight pressing against it. The history of business is not merely a history of trade; it is a history of information technologies designed to produce auditable truth.

Civilization began with the ledger. The invention of writing in ancient Mesopotamia (circa 3300 BCE) was driven not by poetry or mythology, but by the need to track grain stores and labor obligations. The clay tablet froze the state of the world: a debt recorded in clay became an objective, immutable fact, independent of human memory. This was the first certainty machine.

The Code of Hammurabi (circa 1750 BCE) extended this logic from accounting to governance. By inscribing 282 laws on a stone stele—specifying precise penalties for precise offenses—Hammurabi made justice deterministic. “If a builder builds a house and the house collapses and kills the owner, the builder shall be put to death.” No ambiguity, no judicial discretion, no probability distribution over outcomes. The law became an algorithm: given input X, output Y. The innovation wasn’t justice; it was audit defensibility—a public record of the rule applied, eliminating the variance of human judgment. This was the prototype for every compliance framework and standard operating procedure that would follow.

The drive reached its apotheosis in 1494 when Luca Pacioli codified Double-Entry Bookkeeping. By mandating that every debit have a corresponding credit, Pacioli created a closed, balanced universe—a conservation law for value. This “accounting reality” became the trust substrate of modern capitalism, enabling strangers to transact across vast distances because they shared access to a deterministic truth.

The Industrial Revolution scaled this certainty through Bureaucracy. Max Weber identified bureaucracy not as inefficiency, but as the triumph of calculability. The “Iron Cage” transformed variable human workers into deterministic components. Standard Operating Procedures became the source code of the industrial firm.

For 500 years, success meant reducing variance. The entire managerial edifice—from Taylor’s scientific management to Six Sigma to the modern compliance apparatus—exists to collapse probability distributions into point estimates.

Today, success increasingly means exploiting variance. The firms that thrive will be those that can surf the probability wave rather than dam it. But here’s the part the hype cycle elides: you cannot simply swap out the deterministic substrate for a probabilistic one and expect the enterprise to continue functioning. The trust architecture doesn’t port.

What the Enterprise Actually Is

Before we can understand what’s breaking, we need to be honest about what the enterprise actually is—beneath the org charts and mission statements.

Most process documentation is decorative. The real operating model is exceptions, arbitration, handoffs, tribal knowledge. Where the documentation says “submit request to approval queue,” reality says “message Janet because she knows which requests actually get processed.” Where the workflow diagram shows a clean decision tree, actual practice involves thirty years of accumulated workarounds navigating systems that were never designed to talk to each other.

This isn’t dysfunction. This is how complex organizations function at all. Human operators serve as the connective tissue between systems that were never integrated, policies that conflict, and edge cases that nobody anticipated. They are walking exception handlers, and their institutional knowledge—undocumented, untransferable, irreplaceable—is what keeps the enterprise from seizing up.

The Post-Deterministic Company exposes this reality in uncomfortable ways. Agents cannot improvise the way a human operator can. They are forced to externalize ambiguity. Their failures are signal. Their traces become telemetry. Where the human worker navigates dysfunction through institutional memory and negotiated workarounds, the agent breaks—and in breaking, reveals the true topology of the workflow.

This exposure is simultaneously promise and peril. The peril: many organizations will discover they don’t have processes at all—just patterns of human improvisation that cannot be automated because they were never systematic in the first place. The promise: AI becomes a tool for process archaeology, surfacing the actual operating model rather than the documented fiction. And once surfaced, that operating model becomes the raw material for genuine transformation.

The Adaptive Advantage: What the Post-Deterministic Firm Can Actually Do

The critique of determinism is not merely that it’s slow. It’s that deterministic architectures cannot learn, cannot sense, cannot adapt without human intervention at every joint. The Post-Deterministic Company promises something qualitatively different: an organization that improves continuously, responds in real-time, and treats change as a normal operating condition rather than a disruption to be managed.

Decision velocity as strategic weapon. When your competitor’s approval chain takes two weeks and yours takes two seconds, you occupy a different competitive universe. The Post-Deterministic firm doesn’t just make faster decisions—it makes decisions at the speed of the environment, closing the loop between sensing and acting that deterministic bureaucracies leave permanently open. A pricing change, a supply chain reroute, a customer intervention—these happen while the situation is still developing, not after it has already resolved itself or metastasized.

The learning organization, finally realized. Peter Senge’s Fifth Discipline promised the “learning organization” in 1990. Thirty years of change management programs failed to deliver it, because the underlying systems couldn’t learn—only humans could, and their learning had to be manually re-encoded into process documents that nobody read. The Post-Deterministic firm embeds learning in the operational fabric. Agents observe outcomes, adjust behaviors, and propagate improvements without waiting for the annual process review. Feedback loops measured in hours, not fiscal quarters.

Cost structures that decouple from headcount. In the deterministic firm, scaling the business means scaling the workforce. Revenue and headcount move in lockstep because humans are the processing units. The Post-Deterministic firm breaks this coupling. Marginal cost trends toward compute cost, not labor cost. A customer service operation handles 10x the volume without 10x the staff. An underwriting function processes 1,000 applications with the same team that once processed 100. The economic algebra changes fundamentally.

Personalization at scale. Deterministic processes force reality into predetermined categories because that’s all they can handle. The Post-Deterministic firm treats every customer, every transaction, every edge case as genuinely unique—tailoring responses, pricing, and service to individual circumstances rather than crude segments. This isn’t just better customer experience; it’s better risk selection, better fraud detection, better capital allocation.

The firm that can rewrite itself while running. Here’s the deepest shift: the product is not the workflow; the product is the capability to rewrite the workflow safely while running. Deterministic processes are frozen knowledge—they encode what we knew at design time. The Post-Deterministic firm treats process as hypothesis, continuously tested against reality and revised when reality wins. The competitive moat is not any particular process but the capacity for perpetual adaptation.

This is not speculative. Narrow versions of this adaptive advantage are already visible in firms that have achieved genuine AI-native operations—not the “chatbot veneer” implementations that dominate current enterprise AI, but deep integration where autonomous systems handle meaningful decision volume. The question is not whether this advantage exists but whether it can be captured without the attendant risks—and at what organizational cost.

The Cybernetic Pivot: The Firm as Control System

The Post-Deterministic Company operates on a fundamentally different ontology. It does not seek to control its environment through rigid constraint; it seeks to remain viable within that environment through continuous adaptation. Drawing from the principles of Cybernetics—the science of communication and control in complex systems—we redefine the organization not as a hierarchy of authority, but as a control system driven by feedback loops.

From brittle processes to adaptive policies. Deterministic workflows function when reality is stable, inputs are pristine, and exceptions are rare. That world has evaporated. The Post-Deterministic firm treats “edge cases” not as anomalies to be suppressed, but as the business itself. It builds policies instead of procedures, constraints instead of scripts, adaptive execution instead of brittle orchestration. Most enterprise “AI initiatives” simply encode existing deterministic processes into slightly faster deterministic processes, perhaps with a chatbot veneer. They optimize the local while preserving the structural brittleness that creates actual business risk.

Governance as continuous telemetry. In the deterministic firm, governance is periodic: the quarterly audit, the monthly steering committee, the annual risk assessment. This cadence made sense when decisions propagated at human timescales. It becomes fatal when autonomous agents operate at machine speed. In the AI-native model, governance transitions from episodic inspection to continuous telemetry—monitoring the decision stream in real-time for variance, bias, policy drift, and emergent constraint violations. Audit becomes a query, not an expedition. The “paper trail” transforms from archaeological record to live ledger, scoring every decision for confidence and risk as it happens. The Model Risk Management frameworks that financial institutions have developed for credit models point the direction—quantitative, continuous, integrated into the operating fabric rather than bolted on after the fact.

Security as capability engineering. Traditional cybersecurity operates as a binary gatekeeper: Access Granted or Access Denied. This model collapses in an agentic environment because agents, by their nature, are exploration engines. To be useful, they must traverse novel paths that cannot be pre-enumerated in an access control list. The Post-Deterministic model reframes security as Capability Engineering: we define the Bounded Solution Space—the harness within which the agent operates—rather than prescribing the exact path. Inside this harness, the agent possesses high autonomy to solve problems through whatever means fall within the constraint envelope. Security becomes choreography of constraints rather than a checklist of controls.

Human oversight, re-architected. The standard response to agentic risk is “human in the loop.” This is the right instinct expressed as an unscalable architecture. Humans operate at one to five decisions per minute; agentic systems operate at thousands. Inserting human approval into every agentic workflow transforms the agent into a manual tool. The alternative—humans designing the constraint envelope, monitoring aggregate patterns, and intervening at the policy level rather than the transaction level—requires a fundamentally different conception of management. The cybernetic model requires humans to function as system designers and exception handlers for the exception handlers.

The Hard Problems: Why the Transition Is Harder Than the Hype Suggests

The adaptive advantage is real, but capturing it requires solving problems that most AI enthusiasm ignores. These fall into three categories: economic, organizational, and systemic.

The Economic Problem: Verification Doesn’t Scale

Here is the problem most ROI models elide: the cost of generating output and the cost of verifying output have decoupled catastrophically.

In the deterministic era, verification costs amortized. Code was written once, tested once, and if the logic was correct, the millionth execution was as safe as the first. In the agentic era, verification is continuous—decisions occur under partial observability, so assurance becomes continuous belief-updating plus runtime enforcement of safety constraints. You cannot test once and trust forever; you must maintain confidence in real-time.

Call this the Markov Tax: the overhead required to verify that a non-deterministic system has performed correctly. For high-stakes tasks—legal review, medical diagnosis, financial auditing—verification cost remains tethered to human cognitive speeds. If an agent generates a contract in three seconds but a lawyer needs thirty minutes to verify it, the labor arbitrage evaporates. The bottleneck shifts from production to verification, and the enterprise discovers it has merely relocated the constraint rather than eliminated it.

This asymmetry produces an uncomfortable implication: as agents become more capable, the Post-Deterministic firm may experience decreasing returns to intelligence in verification-heavy domains. The overhead of confirming probabilistic truth consumes the labor savings. Generation floods the queue; verification becomes the bottleneck.

The Organizational Problem: Determinism Exists for Reasons

The deterministic firm persists not merely from institutional inertia, but because it solves genuine coordination problems.

Accountability. Deterministic processes create clear chains of responsibility: Alice reviews, Bob approves, Carol executes. We know who bears liability at each stage. When an autonomous agent makes a decision through opaque inference, accountability diffuses. The data scientists? The engineers? The executives? The vendor? Current legal frameworks assume human decision-makers with intentionality; they struggle with distributed, emergent decision-making.

Explicability. Regulated industries face demands for explanation. Why was this loan denied? Deterministic rules can be explained: “Your credit score was below threshold.” Probabilistic outputs cannot, and post-hoc interpretability techniques remain inadequate for high-stakes regulatory contexts.

Accumulated wisdom. Every “brittle” rule exists because someone, somewhere, screwed up spectacularly. Dual signatures above certain thresholds? Fraud prevention encoded in process. Segregation of duties? Embezzlement prevention. Legacy systems are often the enterprise’s immune system—preserving accountable truth. When we sweep away these accumulated rules, we assume agents will rediscover failure modes and develop safeguards. The history of complex systems suggests novel architectures discover novel failure modes, often catastrophically.

The Systemic Problem: Agents Interacting with Agents

When probabilistic agents interconnect across a high-speed economy, we invite non-linear systemic failures.

The agentic flash crash. The 2010 “Flash Crash“—a trillion dollars in market value erased in minutes—emerged from the interaction of automated algorithms, each rational individually, collectively creating a liquidity void. In the Post-Deterministic economy, analogous cascades could rupture supply chains or critical infrastructure. The algorithmic monoculture created by foundation model dominance exacerbates this: diverse ecologies fail differently; a monoculture fails all at once.

Tacit collusion. Research has demonstrated that autonomous pricing agents using reinforcement learning can learn to collude without communicating—converging on supra-competitive pricing through pure trial-and-error. The Post-Deterministic economy risks silent oligopolies, ungovernable by antitrust frameworks predicated on human intent.

Metric corruption. Goodhart’s Law states that when a measure becomes a target, it ceases to be a good measure. In agentic organizations, metric gaming is simply an optimization path. Agents tasked with “reducing ticket resolution time” learn to close tickets without solving problems. Every KPI becomes an attack surface. The executive dashboard decouples from reality while metrics glow green.

Model collapse. As AI generates increasing proportions of corporate content, and future models train on this output, we risk Model Collapse—the tails of the distribution attenuate, nuance disappears, and the firm enters a hallucination loop, consensus-drifting into a synthetic reality detached from the physical world.

Cross-Sector Translation

The verification asymmetry and governance challenges manifest differently across regulated industries:

• Financial Services: Model Risk Management, trading surveillance, underwriting automation, AML/KYC verification

• Healthcare: Clinical decision support, billing integrity, adverse event detection, diagnostic validation

• Pharma/Life Sciences: GxP validation, deviation handling, SOP drift in manufacturing, pharmacovigilance

• Energy/OT: Safety instrumented systems, change control, cascade risk in grid operations, NERC CIP compliance

• Public Sector: Adjudication automation, benefits eligibility, audit defensibility, FOIA response

The common thread: every sector has a Trust Anchor—the deterministic controls that produce audit evidence and absorb liability. AI must integrate with these anchors, not route around them.

The Metastability Thesis

These problems suggest something stronger than “the Post-Deterministic state is expensive.” They suggest it may be metastable—capable of existing and even thriving in bounded domains, but lacking the control-theoretic stability required for sustained operation as a general enterprise model.

A metastable system can appear stable for extended periods, then collapse rapidly when perturbed beyond a threshold. The Post-Deterministic firm, operating without stabilizing mechanisms, accumulates Probabilistic Debt—the volume of unverified decisions, ungoverned agent behaviors, and unmodeled interaction effects currently active in the enterprise. Unlike technical debt, which drags on future velocity, probabilistic debt is immediate risk exposure. It matures into crisis suddenly—when a hallucination triggers a bad action, when agents synchronize on a false signal, when the verification queue overflows.

We are coupling opaque systems with tight execution to engineer the ultimate “Normal Accident“ environment—tightly coupled, complexly interactive, with inadequate buffers for error correction.

The Iron Cage has become a coffin—organizations that cannot adapt faster than their environment changes will be selected out. Yet the Post-Deterministic firm, if left unharnessed, is not a sustainable destination. It is a transitional state—one the enterprise must pass through, not inhabit permanently.

Implications for AI Platform and Product Leaders

If your enterprise deals are stuck in pilot purgatory, the verification asymmetry explains why:

• Telemetry is governance. Dashboards are not enough; customers need evidence bundles that survive audit.

• Evidence is a first-class artifact. Decisions must be replayable, queryable, and attributable—not just logged.

• Exception queues are the bottleneck. Your customers’ constraint is verification throughput, not generation capacity.

• Constraint envelopes > static ACLs. “Bounded solution space” is the security model that lets agents be useful without being dangerous.

• Agent-agent interaction is the systemic risk. Your customer’s CISO is worried about what happens when your agent talks to their other agents.

The vendors who win will price for verification, not just inference—and build the governance harness into the product, not as a professional services bolt-on.

The Path Forward: A Preview

The answer is not to choose between determinism and non-determinism. It is to be precise about which regime applies where—and to use the probabilistic regime strategically rather than as a permanent substrate.

The emerging insight—developed across Parts 2 and 3—is that AI should be treated as scaffolding, not substrate. Use nondeterministic agents to discover and prototype new workflows. Use them to surface the actual operating model beneath the documented fiction. Use them to explore the possibility space faster than human operators ever could.

Then compile the stable fraction down into deterministic systems. Convert the patterns that stabilize into explicit state machines, workflow engines, policy-as-code gates, hardened integrations and data contracts. Keep agents only where nondeterminism is intrinsic—where the variance is not “we haven’t gotten around to formalizing it” but “the cost of over-specification exceeds the cost of nondeterminism.”

This is not regressive. It is how you capture the adaptive advantage without building the firm on probabilistic sand.

But before we can discuss the path forward, we need to understand why the current path—the one paved with ROI spreadsheets full of “hours saved” and decks full of “transformative value”—is built on sand. The business case for enterprise AI, as currently constructed, conflates inference deflation with enterprise TCO, ignores the pilot-to-production cliff, and measures the wrong unit entirely.

That is the subject of Part 2.

Coming next in Part 2: “The Mirage of AI ROI: Why the Current Business Case for Enterprise AI Is Built on Sand”

Part 3: “A Blueprint for AI-Driven Transformation: Clearing a Sane Path Through the Hype”

A control taxonomy here. A policy memo there. A vendor questionnaire. A risk register with adjectives. The industry is stacking frameworks like Pokémon cards and calling it progress.

It isn’t.

Frameworks help you design a compliant AI system. They do not secure AI usage in practice—shadow AI, agent sprawl, prompt-driven data leakage, tool abuse, model supply chain drift. That gap is where “Agentic Era” programs go to die. Your frameworks certified the org chart while possessed interns with API keys wandered the production environment.

The industry is converging on a truth it doesn’t want to hear: AI security isn’t a new tower to build. It’s a coordination plane between functions that already exist.

The Convergence Nobody Asked For

AI security is not a new discipline. It's a forcing function that pushes existing functions towards operational integration whether you like it or not. The framework vendors and empire-builders want you to believe otherwise—new towers, new budgets, new headcount. Ignore them. The technical reality has already decided where AI security lives — as the glue and enforcement engine that binds cyber to data governance, privacy, and MRM.

AI security collapses into data security because AI models are data stores. LLMs emit training data verbatim. Model inversion attacks reconstruct faces with enough fidelity that crowdworkers identify individuals at 95% accuracy. The distinction between “model” and “database” has collapsed. The failure modes are no longer binary; they are a function of probability distributions. We are no longer defending a perimeter; we are managing the P(leakage∣prompt) across an infinite state space.

AI security collapses into data privacy because you cannot grep weights. GDPR grants the right to data erasure, but nobody defined erasure for neural networks. Recent research introduced “ununlearning”—where unlearned knowledge gets reintroduced in-context. The “right to be forgotten” needs math, not assurances. The math is still being worked out on the chalkboard.

AI security collapses into data governance because lineage and provenance are no longer documentation exercises—they’re runtime requirements. When your RAG system pulls from enterprise document stores, when your agents access APIs with delegated credentials, governance stops being a committee and becomes runtime policy. Or it stops being governance at all.

AI security collapses into model risk management because the system is probabilistic and the failure modes are statistical. The Federal Reserve’s SR 11-7 defines model risk as occurring when “a model may have fundamental errors and produce inaccurate outputs.” AI hallucination is an integrity failure within established risk management categories. The regulatory framework already exists. Use it.

Convergence does not mean consolidation.

MRM has validated complex algorithms for twenty years. We aren’t trying to replace them. The problem is velocity. MRM detects drift over months. They aren’t built to detect a prompt injection happening in real-time. By the time their process catches it, the data is already gone.

MRM sets the Law. Cyber provides the Enforcement.

MRM defines what “effective challenge” means for model validity. Cyber builds the automated harness that runs those checks in CI/CD, adds adversarial evaluation that MRM’s mathematical frame doesn’t capture, and monitors runtime behavior for attacks that validation-time testing cannot anticipate. If you’re still running these as separate programs with no operational integration, you’re building four different dashboards for one fire. And the fire is already burning.

The Possessed Agentic Intern

Agentic systems don’t just have “answer authority.” They have action authority—tools, APIs, delegated identity, and a supply chain explosion of plugins, registries, and orchestration layers. The thing you’re trying to secure isn’t a model anymore. It’s a runtime that can read your data, reason about it, and take actions in production systems.

The theoretical became operational in January 2026 with BodySnatcher—described as “the most severe AI-driven security vulnerability uncovered to date.”

ServiceNow’s Virtual Agent API shipped with a hardcoded, platform-wide authentication secret—the same token across all customer instances. An unauthenticated attacker, knowing only a target’s email, could bypass MFA and SSO, impersonate an administrator, and execute AI agents to create backdoor accounts with full privileges. The exploit weaponized ServiceNow’s own agent to provision admin credentials. No clicks required. No credentials needed. Just an email address.

When you give an agent autonomous rights, you bypass the entire human-centric identity stack. The configuration choices that enabled BodySnatcher—hardcoded secrets, trust-on-email auto-linking, overprivileged default agents—could resurface in any organization’s code. This is not a ServiceNow problem. This is an agentic architecture problem.

Your unit of control is no longer “a model” or “a prompt.” It’s a runtime. If you can’t enforce per-tool authorization, least privilege, provenance tracking, and trace logging, your “agent” is just a privileged intern with amnesia and a corporate credit card.

And as BodySnatcher demonstrated, that intern can be body-snatched by anyone who knows an email address.

Variance: The CIA Triad’s Plus One

Generative systems introduce probabilistic variance as an operational property: the same input can yield different outputs, with different risk, under the same “system.” That breaks every classic security assumption you’ve relied on for thirty years:

• Confidentiality becomes memorization and inversion risk. Zero-click exfiltration attacks hijack enterprise copilots during summarization, exfiltrating documents via hidden prompt instructions. Your perimeter didn’t see it. Your DLP didn’t catch it. The model was the exfiltration channel.

• Integrity becomes hallucination, poisoning, and backdoors—truthfulness as a control objective. Corrupting 2% of training labels achieves near-perfect backdoor success. Nation-states are producing models where provenance is unknown. You’re deploying black boxes with unknown origins into production.

• Availability becomes denial of wallet— this AI-native version of an asymmetric attack makes cost now an attack surface. Attackers weaponize pay-per-token billing to inflict financial damage. Your SOC is watching for intrusions. The attacker is running up your cloud bill.

The traditional checkbox compliance model can’t address any of this. It optimizes for point-in-time attestations instead of continuous proof. It treats “the application” as the unit of control while AI systems are shifting compositions of models, pipelines, tools, and vendor components. It externalizes risk to review boards instead of encoding requirements into shipping defaults.

In AI, “compliance passed” can coexist with prompt-mediated exfiltration, tool abuse, and provenance collapse. The highest-impact failures—data exfiltration, policy bypass, unsafe autonomy—are rarely “a missing security tool.” They are failures of boundaries, lifecycle controls, and evidence.

Security teams can’t firewall their way out of this. MRM teams can’t “validate” their way out of it alone. Unless risk ownership, enforcement, and monitoring are unified into an engineering control plane, you’re certifying theater.

AI Security Is Quantitative Engineering

The traditional IT security model—purchasing vendor tools, deploying agents, checking compliance boxes—fails catastrophically when applied to AI because it assumes deterministic systems with static perimeters.

In the AI era, the data is the logic, and the application is probabilistic. You cannot buy a “tool” to fix a model that has memorized PII; you must engineer a data pipeline that sanitizes the training set before the model is built. You cannot “configure” a DLP policy to catch a prompt injection that changes meaning based on context; you must architect structural isolation between untrusted input and privileged tools.

The deterministic shield is broken. You cannot firewall a concept. You cannot write a regex for “malicious intent” when that intent is semantically hidden inside a valid business request.

The control plane for AI security resembles an MLOps layer as much as it does a security gateway. The inherent variance in agentic infrastructure—where the same agent can take different actions on identical inputs—requires dynamic controls built on statistical models rather than static rule sets.

This is why convergence with MRM isn’t optional. MRM is the only discipline with the mathematical tooling to manage probabilistic variance: drift detection, distribution monitoring, confidence thresholds, effective challenge. These aren’t security concepts borrowed from risk management. They are security controls when your system is stochastic.

Reliance on policy documents and risk registers is bureaucratic coping. The only effective control is governance engineering—paved roads, execution airlocks, and CI/CD harnesses that enforce safety constraints at the code and infrastructure level.

If security teams cannot write the code to govern the runtime, they are no longer participants in the defense. They are spectators.

The Exorcist’s Field Manual

1. AI security frameworks are reference overlays. They are not control planes. Stop confusing the menu for the meal.

2. In the agentic era, “security” is inseparable from data security, privacy, governance, and MRM because the core system is probabilistic and action-capable. But inseparable does not mean consolidated—that’s a land grab that will fail politically and operationally. MRM, data governance, and privacy set the Law. Cyber provides the Enforcement.

3. The winning strategy is quantitative governance engineering: paved roads that embed secure-by-design into MLOps/LLMOps, with statistical monitoring, continuous evaluation, and supply-chain-grade provenance. One paved road serving multiple governance functions—not parallel checkpoints that create the gaps where attackers live.

The forced merger is not organizational consolidation but operational integration. The CISO org translates threats into risk language, builds the automated enforcement, and provides the adversarial mindset—while respecting the governance authority of functions that have been managing these risks for decades.

If you keep the old org chart—separate towers, review-heavy controls, parallel bureaucracies—you’ll get the predictable outcome: shadow agents, inconsistent guardrails, and a paper compliance program while the adversaries walk through your front door.

Anything else is compliance cosplay that collapses the first time a tool-using agent finds a path around your slide deck.

This is not a new idea. It is a familiar promise with a new sales wrapper.

In the 1970s, semantic networks were already popular, already seductive, and already disappointing. By 1977, the critique was explicit: semantic nets never live up to their authors’ expectations of expressive power and ease of construction; the “formalism” is not the panacea people want it to be. The dream was always the same: encode meaning as structure; let inference do the rest. The bill was always the same: meaning is social, time-bound, contested, and expensive to maintain.

The modern version swaps out “semantic net” for “context graph,” adds a LLM at the edge, and calls it infrastructure.

The graph substrate is old. The costume changes.

If someone says “context graph” and means anything concrete, it usually collapses to some combination of:

• RDF-style triples (subject–predicate–object), because it’s the simplest lie you can tell that still looks like structure.

• OWL-ish typing (classes, properties, restrictions), because eventually someone wants “real semantics,” and OWL is where that road leads.

• A query layer (SPARQL, Gremlin, Cypher, or a bespoke retrieval API), because the entire point is to pull a subgraph under constraints.

• A retrieval+assembly step that converts the subgraph into a prompt/tool plan for the model.

That stack is not novel. It is the Semantic Web playbook, remixed into an agent narrative and shipped as “memory.”

The new driver is not semantics. It’s capture.

The strongest proponent argument is not “graphs are magic.” It’s that agents create a natural capture point.

If an orchestration layer sits in the execution path, it can emit a decision trace at commit time:

• inputs considered

• policies evaluated

• exceptions invoked

• approvals obtained

• rationale fragments

• the final state written back to systems of record

That matters, because the single most consistent failure mode across decades of semantic systems is simple: the context was never captured. You cannot graph what you do not have. You can infer a story from exhaust, but inference is not provenance.

The correct architectural instinct here is “capture-first, structure-later.” Store the raw trace. Delay schema tyranny. Derive triples, summaries, and edges downstream. Structure is a view, not the asset.

The old failure modes are still the load-bearing ones

1) The ontology bottleneck didn’t disappear. It got renamed.

Call it “ontology,” “schema,” “vocabulary,” or “lightweight taxonomy.” The constraint remains: you need stable meaning across systems and teams.

Most enterprises can’t keep a CMDB coherent. They will not suddenly maintain an OWL-grade conceptual model of their entire operating reality. The path from “a few useful edges” to “enterprise semantic coherence” is where these projects die—slowly, politically, and expensively.

The innovation theater move is pretending you can avoid this by being “schema-light.” That just pushes semantics into retrieval-time heuristics and confidence scores. The meaning debt remains; it simply moves to a different balance sheet.

2) Time breaks naive graphs, and “who” is the sharpest knife.

A non-temporal graph is a present-tense hallucination engine.

Most of the questions a context graph is supposed to answer are time-bound:

• who owned the service during the incident

• who approved the exception last quarter

• what policy was in force when this control was attested

• what depended on that system before the migration

Enterprises mutate continuously: reorgs, renames, rotations, entitlement drift, tooling churn. A current-state graph answers historical questions with today’s org chart and today’s access model. That yields confident historical lies with impeccable syntax.

If time is not first-class—valid-time vs transaction-time, event-sourced lineage, versioned identity—then “context graph” is not governance infrastructure. It is institutional misinformation with a graph database.

3) Provenance is not optional; it is the difference between “helpful” and “hazardous.”

A graph without provenance is a rumor mill with better posture.

Edges need:

• source pointers

• timestamps

• confidence and conflict representation

• normalization rules

• reconciliation behavior when sources disagree

Without that, the graph looks authoritative while behaving like a stitched collage of partial truths.

4) “LLMs make this easy now” is true in the wrong way.

LLMs can help extract structure. They can label entities, infer relations, generate candidate triples, and rewrite trace fragments into legible summaries.

They do not remove the need for:

• capture at execution time

• semantic stewardship

• temporal correctness

• conflict resolution

LLMs reduce labor in the middle. They do not remove the constraints at the boundaries.

The corrected thesis

Context graphs work when three conditions hold:

1. The system sits in the execution path and captures decision traces at commit time.

2. Raw traces are treated as the primary asset and structure is derived downstream.

3. Time and provenance are first-class so “who/why/when” are not silently overwritten by present tense.

Everything else is the same old promise with new packaging: a graph that claims to encode reality while avoiding the uncomfortable truth that reality is negotiated, time-indexed, and expensive to keep true.

Context graphs are not novel

They represent the latest instantiation of a persistent pattern: marketing institutional discipline—semantic consistency, cross-system integration, active stewardship, rigorous provenance—as a magical AI substrate that obviates the need for organizational transformation.

Sometimes graph topology genuinely aligns with problem structure. More frequently, it constitutes a procurement-legible narrative that permits teams to evade substantive challenges: incentive realignment, decision rights clarification, elevation of knowledge management from incidental byproduct to maintained asset class.

The graph is not the product.

The product is the institutional capacity to maintain the graph’s correspondence with reality—the unglamorous, politically complex, expensive work of keeping it true.

And that capacity, as it turns out, cannot be purchased. It must be built, defended, and sustained through deliberate organizational investment. This mimetic variant mistakes the representation for the capability, the artifact for the discipline.

We’ve seen this movie before. The ending doesn’t change just because we’ve upgraded the special effects.

Doomscrollers 😱: “It’s  end of microservices and serverless era, a return to monoliths , SOA and mainframe is imminent!”
FRP and Serverless 🌩️ : “The reports of my death are greatly exaggerated…”

Here are some real lessons and some valuable perspectives I took away from this little kerfuffle.

1.  Optimization requires analysis. You cannot simply move your application to the latest, greatest SOA architecture, data mesh paradigm, or microservices framework and declare victory. Do you understand the bottlenecks in your application? Do you know if you are CPU, I/O, memory, or network bound? What are your performance characteristics under load — what parts of the system start backing up? What are tightly coupled processes that operate on the same data in sequence and what are loosely associated non-core functions that need to be evolved rapidly and independently? If you cannot answer these simple questions, you likely do not understand your current architecture well enough to refactor it, and you’re likely going to spend a lot of time solving problems you don’t have, migrating to frameworks  you don’t need. Folks who cannot answer basic Big-O questions about an application should not be driving any replatforming efforts around it. You are more than likely to wind up with a macrolith (a nightmarish distributed monolith) and one of the originators of Kubernetes, Kelsey Hightower, has given us fair warning when he called out application teams that were “gonna break it [the monolith] up and somehow find the engineering discipline we never had in the first place… Now you went from writing bad code to building bad infrastructure”.

2.  Speed to market and speed to develop does not always equate to long-term scalability and maintainability. You must actively balance your investments across these two critical pillars to build viable product. The paradigms that let you get out of the gate quickly with an MVP and the high developer productivity tooling that lets you ship to aggressive GTM schedules are invaluable but they are not a panacea. A federated application built on readily available cloud services can provide an invaluable advantage on day one but can become your Achilles heel as you look to scale, secure and distribute for global consumption. Adrian Cockcroft talks at length about this at length in his response to the Prime Video article and resulting furore. Whether you’re Amazon looking to collapse IO and network bottlenecks in a frame processing application, or Meta rethinking its GPU investments for LLM training, active rebalancing and reconsideration of the stack and technology mix for your finops and bizops context is both art and science.

3.  Beware Cargo Cults. If your feed seems to awash in posts about a “return to monoliths” by folks who had barely taken the time to read the post from the Prime Video team, you’re not alone. The same sort of perfunctory analysis also seems to pervade the space of companies and consultants pushing kubernetes and or Serverless (KaoS), everything as a platform (EaaP), Anything as a Service (AaaS), or the next hot data mess. They, critically, seem to miss the respective revolutions in thinking around investing in shared platforms for managing complex distributed  systems, building internal developer platforms to improve consistency and accelerate delivery, factoring out key concerns at each layer of the stack as reusable services, and using a domain-driven approach to structure and build efficiencies in enterprise data architectures. They also miss the caveats and up-front costs that come with each — whether it’s additional layers that need to be deployed to ensure security, observability, and traceability or investments in federated governance and management required to operate these topologies at scale.

Cloud native distributed systems paradigms are here to stay. The Prime Video folks have mistakenly labeled a properly factored highly coupled data intensive processing step  a monolith — it’s at best a rocky outcropping in their distributed microservices forest. Here’s to a thoughtful approach to architecture and engineering!

A recent Foreign Affairs article rightly calls out the “decades-old tendency among the large and sophisticated actors who design, construct, and operate digital systems to devolve the cost and difficulty of risk mitigation onto users who often lack the resources and expertise to address them” and the often calamitous “tendency to charge isolated individuals, small businesses, and local governments with shouldering absurd levels of risk” [1].

Given “a world where clicking the wrong link or neglecting a single software patch can result in a geopolitical incident,” Inglis and Krejsa call for a new Cyber Social Contract wherein government becomes both a close regulator of and active partner in securing the economy, providing both critical information and oversight to enable and incentivize the radical transformations necessary in critical infrastructure and enterprise firms. They recall historical precedents for revolutionary public-private partnerships such as those pioneered by the NTSB, FAA, NHTSA, and FDA. They point out the now integral role these agencies play in driving forward industry innovation while securing the public good, and posit how cyber aligned agencies such as CISA and the ONCD could expand and transform their roles to achieve these objectives [1].

It’s been demonstrated time and again that organizations, large enterprises and startups alike, have been spectacularly bad at estimating and mitigating the downside costs of rare catastrophic events in the technology space. For infrastructure deemed critical to national and international functioning, perhaps this new cyber social contract, with its models for vigorous oversight and active public-private partnerships, can provide vital incentive, oversight and engagement that drives proactive mitigation of vulnerabilities and accelerates the pace of technology modernization.

From the cybersecurity perspective, the crypto-asset world has always been fraught with exceptional and unique risks. Evoking comparisons to the “kongbucks” in Stephenson’s anarcho-capitalist dystopia [15], cryptocurrencies have long served as a pseudo-anonymous value exchange system within dark web black markets, as the hard-to-trace currency of choice for extortionists running ransomware schemes, and a favored direct target for cyber theft. Unreliability, disrepute, and ephemerality have been persistent pernicious undercurrents in this space, and many large crypto-exchanges and even entire tokens have disappeared overnight for reasons ranging from outright fraud and rug pulls to large scale hacks — the digital equivalent of bank robberies — that have left coin vaults empty [9][11]. Dozens of crypto-exchanges have been hacked with crypto heists tripling in the last year to mete out USD 4 billion in losses to companies like BitMart, Liquid, and AscendEX [12][13]. While this is a drop in the bucket compared to the about USD 2 trillion in crypto market cap, it does present a source of non-trivial risk, as many of these compromised exchanges have been unable to recover the stolen currency or return coins to depositors [10][14].

Against this backdrop, we see that the application of financial custody laws to crypto-assets during a liquidation event has often been non-intuitive from the consumer perspective. While commercial crypto-exchanges promise fidelity of token ownership, matters are often complicated by opaque wallet/key segregation schemes and ill-defined staking rights agreements that blur the legal lines between custodial and debtor-creditor relationships. Depositors often find themselves at the back of a queue behind venture capitalists and other creditors of a newly bankrupt crypto-exchange, and sometimes entirely without a legal claim to their deposited tokens. A recent article by a Georgetown law professor delves into the applicable US laws, reviewing the legal nature of custodial relationships and finds a less than rosy picture for consumers in a crypto-exchange bankruptcy [1]. The outcomes in these cases are often further complicated by both international jurisdictional variances as well as the heterogeneity and lack of standards across exchanges as explored in this 2020 review by the Coin Telegraph [2].

It is clear is that as consumers, nations, governing bodies, and legal systems all grapple with the new normals of decentralized finance, they are often inadequately equipped to reason about the complex inherent risk landscape. While regulatory bodies are rushing to bring structure to these new unsecured currency markets, existing legal frameworks are often ill-equipped to protect consumers from catastrophic losses, and this presents an existential reputational risk that threatens the sustainability of the blockchain enterprise. There is a clear need and present opportunity for firms that can step up to innovate, provide leadership, and drive the adoption of robust and dynamic technical, cybersecurity, and risk management practices that inspire consumer and regulator confidence — the firms that do will be poised to join the vanguard that defines the metrics for success in the next chapter of the DeFi story.