He didn’t find a clever prompt. He ran what he called a “pack hunt”: multiple agents — including previously jailbroken models — splitting a forbidden request into innocent-looking fragments, extracting each piece in isolation, then reassembling them into something the model would never have produced in a single pass. Every fragment looked benign. The harm existed only in the reassembly — somewhere no single guardrail was looking.

The reassembly is not the lesson — it was one form out of an unbounded set. Next weekend the pack could trade its teeth for a dog whistle, aimed at a model instead of a mob. What generalizes past this one model is not the novelty but the variety: the forms a forbidden meaning can take do not run out. The dilemma for the liberated, solum certum nihil esse certi:

Every guardrail you run evaluates language. Language is the one thing in your stack you cannot fully secure. Not because your tools are immature, but for reasons that are structural, and were described ages before the first LLM. The formal proof landed this year. Prevention becomes an endless crusade, certitude an impossibility — and the reasons say something uncanny about anything that thinks in language, machine or otherwise.

Babel’s Encyclopædia

The attack surface for generative AI is language itself. The threat model is semiotics — signs and their interpretants.

In molecular genetics, sign systems are not a metaphor. The codon — three letters, one amino acid — is the trivial case, a fixed cipher read off a chart. Shift the frame, start reading the triples at an offset of one or two bases, and every downstream meaning changes. Structure compounds it, layering interpretants on a single string: the same RNA sequence means one thing strung out and another thing folded, its function gated by what binds it and the shape that binding forces. Structurally interacting RNA is the engineered case — a benign-looking strand that does nothing on its own until a second strand arrives to fold it into a motif a protein will read, the meaning assembled in trans from fragments that carry none of it alone. Epigenetic marks and CpG islands do the same to DNA: the sequence holds constant while the methylation decides whether it is read at all. Change nothing in the sequence and change everything it means, by changing only what reads it. A model comes apart the same way: benign fragments, weaponized on reassembly. The pack hunt is an sxRNA with a hostile trigger. Meaning is not in the sequence; it lives with the interpretant, and in how it reads the frame.

A logician of American pragmatism, a formal grammarian who held semiotics in open contempt, an Italian medievalist, an Argentine fabulist — across centuries and cultures — converge on a single property of sign systems that every guardrail runs aground on.

Umberto Eco gave it the cleanest picture — the same Eco whose dense novels, soaked in symbolism, history, and arcana, make Dan Brown read like a children’s comic. A dictionary is a tree — finite, hierarchical, auditable, free of contradiction. An encyclopedia is a rhizome: every meaning wired to every other, generating new meaning faster than any finite rule can fence it, contradiction-tolerant by design. Your model is an encyclopedia. Your guardrail is a dictionary — a clipping someone cut from the rhizome and declared safe. The rhizome it came from is still there, connected with incorporeal semantic tendrils, still holding the meanings the clipping was built to forbid.

Go one step deeper and the floor drops out. Charles Peirce’s sign is triadic — a sign, its object, and an interpretant that is itself another sign, requiring its own interpretant, with no terminus; the infinite regress Eco named unlimited semiosis. Meaning never terminates. In engineering terms — there is no computable function from the surface of a prompt to its intent. The intent dies with the author’s exhalation and the meaning does not resolve until the interpretant draws a breath; both are unknowable from the seat of the function. Your classifier reads bytes. The meaning that matters lives one intuitive leap beyond the page’s end.

Linguistics names both properties from the opposite shore. The first is discrete infinity — Noam Chomsky’s term for the older intuition that language makes infinite use of finite means: a finite grammar, unbounded output through recursion, the trick by which a handful of rules produce a language no list can exhaust. The second hides inside his most famous sentence. Colorless green ideas sleep furiously was built to be grammatical and meaningless, his proof that syntax runs free of sense. Seventy years of use turned it into shorthand for the concept itself. The string never changed; the contexts did; and to anyone in the field the phrase now carries a precise, loaded sense. Meaning arrived from the company the sentence kept, not from anything inside it — the interpretant supplied by context, never resident in the surface. This is also the attack vector. A coded phrase is an innocuous surface carrying a sense only the keyed reader can retrieve. Your guardrail reads the surface and sees nonsense. The pack hunt is colorless green ideas: benign in every fragment, lethal on reassembly.

Jorge Luis Borges built both rooms. The Library of Babel holds every book and every false catalog of itself, with no shelf outside it to tell which is true — the encyclopedia with the meanings still moving. And Tlön, the invented world that rewrites reality by being believed, is the oldest name for poisoning the corpus a model learns from.

Every feature that makes natural language expressive is a feature that makes the model steerable. Metaphor, analogy, allusion, compression, multilingual substitution, polysemy, humor, and deference are not edge cases your filter hasn’t learned yet. It’s the medium working as designed.

Ask for a “recipe.” Encode intent in Tagalog and extract it in English. Distribute a harmful request across benign puns. Wrap it in a fiction workshop, a pen test briefing, a concerned parent’s anxiety — until the intent is genuinely ambiguous and the model has to choose, and it will choose wrong often enough that the attacker only needs patience. Be polite enough and the cooperation circuitry fires before the safety circuitry, because deference carries no triggering keywords and the weights were trained on a world where please usually precedes a legitimate request. Escalate gradually and the model talks itself past the line — each turn individually defensible, the trajectory visible only from above, and “above” is the vantage we just established does not exist.

The model cannot process figurative language without activating the same semantic pathways as literal language, cannot get the joke without processing the frame shift that is also the jailbreak. The finding deserves its own white paper: How to Jailbreak Frontier Models Using Only Dad Jokes. The joke is that it would work. The longer joke is that the abstract would have to explain why, and the explanation is this entire essay.

Each of these vectors is a semantic phage: injected meaning the host cannot help but express, because the cell transcribes whatever reaches its machinery and the model runs whatever meaning enters its context, neither holding an inert mode in which to read a message without being moved by it. The pack hunt is only the most legible form — the skeleton key assembled in trans from fragments, every checkpoint seeing something harmless, the compromise living in the reassembly. A multilingual ask, an analogy, a compression, an allusion bypass the check directly, using routes that never run out, because the space of ways to mean a thing is as unbounded as meaning itself: the discrete infinity from before, turned hostile. No single guardrail can read the whole encyclopedia at once, and there is no finite list of the phages it would need to catch — which is the thing the proof is about to say cannot be done.

Gödel’s Pendulum

In May the structural intuition got its formal backstop — peer-reviewed, out of the standards body whose guidance the industry quotes when it wants to sound rigorous. NIST’s Apostol Vassilev extends Gödel’s incompleteness to guardrails, in the information-theoretic form Chaitin gave it in 1974, and the careful reading is narrower than the headline already making the rounds. The proof does not show that every guardrail fails. It shows that no finite checker can ever certify it has caught everything — and the encyclopedia has already shown what “everything” contains. The Sisyphean part is that you can block every jailbreak you find and never prove you found them all. The unsettling part isn’t that your guardrail will be wrong — it’s that it can never know it’s complete.

Complexity biology reaches a kindred wall from the other side. Kauffman’s argument across his later work is that the phase space of a generative system is unprestatable — you cannot write down in advance the set of states it will reach, because exploring it creates new ones — and that without a prestatable space there is no defining “random” and no assessing “risk.” The logician shows no checker can certify the space; Kauffman argues the space cannot be enumerated to check against. Not the same theorem — the same impossibility, entered through a different door. And the second door is the one that should worry a risk function, because it dissolves the word risk itself: a residual-risk rating over a threat space that rewrites its own boundaries is not a measurement — it’s a hope with a number attached.

Thus the unfacts, did we possess them, are too imprecisely few to warrant our certitude.

Notice what a guardrail is trying to be. It wants to stand outside the system and rule on it — to survey everything the model might say and certify it from a position of safety above the fray. That position does not exist and there is no outside.

A guardrail is itself made of language. Signs evaluating signs, rules written in the same medium they police, running inside the same encyclopedia they were built to bound. There is no metalanguage — no vantage outside meaning from which meaning can be audited — because any such vantage would itself have to be expressed in signs, and signs interpret only into more signs. The auditor is inside the labyrinth with everyone else, navigating by gaslight, each ruling a falsifiable guess about a corridor whose end it cannot see.

The industry’s answer to a guardrail that cannot audit itself is, reliably, a second guardrail to audit the first — and when the second inherits the same problem, add a third, from a different vendor on a separate procurement line. All of it proposed with a straight face. Model-as-judge grading the model, classifier watching the classifier, ad infinitum — and somewhere up the stack any connection to an enforceable control vanishes in a puff of tokens and semantics. Novenas without faith — devotions renewed on every inference, in a church that has mistaken its liturgy for a proof. Apostol’s own prescription, after proving the loop cannot close, is the loop: search for new adversarial prompts, update the policy, repeat. He is right that it is all a checker can do. The question is whether you staff the treadmill or step off it onto the one surface the theorem does not reach.

This is Gödel as a lived condition rather than a theorem. A system cannot prove its own consistency from within, and for a system made of language there is no “without.” The guardrail does not fail because it is badly engineered. It fails because it was asked to be a vantage the medium does not contain.

The Leap of Faith

The proof and Kauffman’s wall leave you somewhere uncomfortable: you cannot certify the model, the threat space will not hold still to be counted, and you must ship it anyway. So you sign — and a signature over a space no one can count is not arithmetic, but faith: the substance of things hoped for, the evidence of things not seen. Governance, at this limit, is a leap. The only question worth asking is where you are forced to take it and where you are not.

That framing turns on a distinction that stops being engineering and becomes a question of what can be governed at all. A policy is a rule the system is asked to follow — and a rule is written in the system’s own medium, in language, which makes it one more sign inside the encyclopedia, one more interpretant available to be reinterpreted. A policy is advice, and advice can always be talked around, because talking-around is the medium’s native motion. The guardrail is policy all the way down: it asks the labyrinth to behave and trusts that it will. Each guardrail is a leap of faith, genuflection on every inference.

A topology asks for nothing. Not a rule the system should obey but an act the system cannot perform, because the path was never built — a door its world does not contain. No faith required, no stigmata to examine. Someone stands beyond the system and closes the set — these moves and no others — before it ever runs, and that closure is exogenous, finite, and therefore real. The closure lives beyond the proof’s reach, because the proof binds checkers and a closed door checks nothing. Topology can bound what a system may do, and never what it may mean. Action has an outside. Meaning has no outside to be closed from — no one stands beyond signification to enumerate the permitted senses, and no list will hold meaning still long enough to be checked against one. You can withhold a capability without faith. You cannot withhold a sense at all.

The language in which we are speaking is his before it is mine. I have not made or accepted its words. My voice holds them at bay. My soul frets in the shadow of his language.

This is what “secure by design” was always supposed to be — not a safe default shipped in the box, but the unsafe state made unreachable by construction. The industry pairs it with “secure by default” and says both in one breath, as though they were one promise. They are two. Design is topology: the capability was never compiled in. Default is policy: the unsafe path still exists, merely pre-deselected, one reconfiguration — or one well-framed request — away. For deterministic software the gap is academic. For a model it is the whole game, and the proof already told you which side of it a guardrail lives on.

Topology is not the answer to the encyclopedia. It is what remains after admitting the encyclopedia cannot be governed from inside — a retreat to the only domain with edges.

The only type of constraint that matters is then human judgment installed from outside the medium and frozen into the shape of the possible before the system wakes. Controls enforced, not by the system reasoning about itself, which it cannot do, but by a person reaching in from beyond the room and removing an option while removal is still possible. Governance, then, is not a rule the model reads. It is a door the model’s world does not have. And it can be built only around action, because action is the only part of the system that has an edge. In the universe of meanings beyond the narrow walls of action, you take the leap of faith with your eyes open, and stop calling it a measurement.

None of this is unique to machines. We have no inert mode either. We are moved by what we read; we cannot follow an argument without being altered by following it; we cannot step outside our own language to certify, from above, that we have understood it. The model’s predicament is not alien. It is ours, cast in silicon and made suddenly, operationally urgent. We built a thing that thinks in signs and then discovered, with some alarm, that it inherited the oldest limitation of everything that thinks in signs: there is no outside.

So “securing” a model, in the sense of sealing off the meanings it can reach, is closer to a category error than to an unsolved problem — nearer to locking a language than to patching a server. What remains is not control but posture: raise the cost, draw the few boundaries that can truly be drawn, and hold the rest with the humility owed to a labyrinth one is inside of rather than above.

The security researcher meets the protean Dedalus at the impermanent nexus of sand and sea — the man reading signs the tide was already rewriting:

Signatures of all things I am here to read, seaspawn and seawrack, the nearing tide

Share

This week, Anthropic updated its coordinated vulnerability disclosure dashboard. The numbers should stop the industry in its tracks. A single frontier AI model — Mythos Preview — scanning roughly a thousand open-source projects has surfaced over 23,000 vulnerabilities. Of those, 6,200 are estimated high or critical severity. Human triage has managed to disclose 1,596 to maintainers so far. Ninety-seven have been patched. Six percent.

Anthropic’s own assessment: “Over 99% of the vulnerabilities we’ve found have not yet been patched.”

The AI security market has attracted billions in investment aimed at finding vulnerabilities faster and patching them faster. The finding part is working. The patching part — getting the fix from the root library through the dependency graph and into running applications — is not. And nobody building “AI-powered vulnerability management” is talking about why.

Twenty years as a developer and open-source maintainer living this graph — chasing library upgrades that cascaded across transitive dependencies, broke the build on evry try, and taught you to pin everything and touch nothing. Now I stare at the same graph from the other side, across thousands of production applications. The dead middle is not new. But the scale of coordination that’s now required to push continuous updates across tens of thousands of libraries and into production is... staggering.

A Patch Falls in the Dependency Forest

A vulnerability is discovered in zlib. You have never heard of zlib. It is a compression library embedded in virtually every networked application on earth — your web traffic, your APIs, your file transfers, your container images, the base layers of every Docker image your CI pipeline has pulled in the last three years. It has been maintained for decades, much of that time by a single person.

A patch ships. The patched version of zlib exists within days. Yay.

Your organization does not consume zlib directly. It runs Spring Boot, which depends on Netty, which depends on a native compression wrapper, which depends on zlib. It runs a Python analytics platform that uses pandas, which uses a C extension, which bundles a vendored copy of zlib inside a compiled wheel that was built on a maintainer’s laptop in 2022. It runs container images built on base layers pinned to a specific version from six months ago because the last infrastructure engineer who understood the Dockerfile left in Q3.

The patch exists. Your production environment does not have it. The maintainer of a middleware package that transitively depends on zlib through three layers of indirection does not know zlib was patched. If they do know, updating means running their test suite, validating nothing breaks, cutting a release, publishing it — for a vulnerability in a transitive dependency they did not choose and cannot see and would not recognize if you showed it to them. There is no commercial incentive. There is no contractual obligation. There is often no maintainer.

Merging onto an Abandoned Highway

Andrew Nesbitt spent the last several weeks asking the question nobody had bothered to quantify: how many of the open-source packages we all depend on are dead?

Not dormant. Not slow-to-respond. Dead. Issues filed, pull requests opened, but nobody with write access responding. He surveyed 5,874 critical repositories across sixteen package managers, using evidence of non-response rather than mere inactivity, deliberately undercounting rather than overcounting. The results draw the bounding box around every upstream remediation effort in the industry.

Forty-nine percent are unambiguously active. Twenty percent are dormant. Twelve percent are confirmed dead. Nineteen percent are unknown — nobody has filed an issue, so responsiveness has never been tested. The first security report against any of them will be that test. Over half of critical open-source infrastructure cannot confirm that anyone is home.

Those 713 confirmed-dead repositories back packages whose dependent-repo counts sum to roughly 290 million edges in the dependency graph. Add the dormant and unknown buckets and the number passes a billion. The most depended-upon dead packages are also the smallest — forty-line npm utilities with five million dependent repos and no maintainer activity in years. Very little to go wrong in forty lines. Also very little reason for anyone to ever read those forty lines again, which is simultaneously reassuring and the entire problem.

Nesbitt found 243 dead packages that had pull requests opened in the past year with zero merged. Some of those PRs are the security fix — the patch, written, reviewed, attached — sitting in an open pull request with nobody left who can press the button. The maintainer account that holds the publish rights on the registry has gone dark, lost its 2FA device, or forgotten the package exists. One thousand four hundred fourteen of the dead-or-dormant packages have exactly one account with publish rights, and for a lot of the dead ones it is reasonable to assume that account’s owner has moved on to goat farming or a startup or both.

This is the middle of the dependency graph. This is where patches go to die. Not because of malice, not because of incompetence, but because twelve percent of the critical infrastructure is dead at the keyboard and another thirty-nine percent is one career change away from joining it.

Logs, Regrets, and Lessons not Learned

Log4Shell proved this and the industry learned nothing from it.

A critical vulnerability in a Java logging library. Root fix shipped in days. The response was lauded as fast, coordinated, the model for how the ecosystem should work. Google’s Open Source Insights team measured the blast radius: over 17,000 Java artifacts affected — more than 4% of Maven Central — but only 3,500 of those depended on Log4j directly. The rest were transitive. Across the broader ecosystem, 200,000 package versions are directly named as vulnerable by known advisories, but nearly 15 million — 33% of the ecosystem — are affected indirectly through the dependency graph. Two orders of magnitude of amplification. The dependency graph does not just fail to propagate fixes. It amplifies exposure.

The depth data is worse. For more than 80% of affected packages, the vulnerability sat more than one level deep in the dependency graph — with a majority affected five levels down and some as many as nine. Each level is a separate maintainer who has to act before the fix can propagate further. And in the Java ecosystem, more than 99% of dependency requirements are “soft” — exact pinned versions that the resolution algorithm will not update automatically. Every hop requires explicit action. The algorithm will not help you.

The propagation timeline tells the rest. One week after disclosure, 13% of affected packages had remediated. Ten days, 25%. Six months later, roughly 40%. Then the curve flattened. Forty-nine percent of companies still carried Log4j in production two years later. Thirteen percent of all Log4j downloads in 2025 were still pulling the vulnerable version. Four years after the most publicized vulnerability in the history of software, with every scanner on the market flagging it, the fix could not cross the middle of the graph.

The natural question is why resolution algorithms don’t just prefer the latest patched version. The answer is that they tried, and it created a different disaster: npm’s open dependency ranges automatically propagated a malicious release of the colors package to over 50,000 dependent packages within hours. The ecosystem design choice that blocks fix propagation is the same one that prevents malicious propagation. There is no free lunch — which is precisely why rebuilding from source and patch-in-place backporting exist as structural alternatives to waiting for the resolution algorithm to save you.

A sophisticated counterargument: this varies by ecosystem. In npm, Python, and Rust, intermediate packages typically declare version ranges rather than exact pins — meaning the resolver can technically pick up a patched root version without the middle of the graph releasing anything new. But the fix only resolves when the consuming application regenerates its lockfile — the file that pins every transitive dependency to the exact version resolved at build time. Standard CI practice is --frozen-lockfile, not re-resolve. And in the Java ecosystem — where the enterprise dependency graph is deepest and the propagation failure most measured — 99% of dependencies use exact version specifications the resolver will not update automatically. The bottleneck shifts from the middle of the graph to the consumer’s lockfile in some ecosystems. In others, the middle remains the hard stop. In both, someone must act.

The graph has not solved the propagation mechanics for even one Log4Shell. Now: frontier AI models are surfacing vulnerabilities across the open-source substrate simultaneously. A large enterprise consumes 35,000 open-source libraries directly — before you count the transitive graph. Each one of those libraries is a potential propagation problem through the same dead and dormant middle that could not deliver one universally known fix in two years. AI increases the number of fixes that must traverse that graph. It does not widen the graph’s capacity to deliver them.

Go look. Run mvn dependency:tree or npm ls --all against any production application. Count the transitive dependencies your team has never evaluated, approved, or heard of. Then open deps.dev and check which of them have open advisories with no patched version. What you find in the middle will not be reassuring.

Patch Faster, Fund Maintainers, or Bypass the Middle

The industry’s response falls into three camps, and the structural failure lives in the gap between them.

The first camp says patch faster. This is the largest camp by headcount, investment, and confidence — the analyst firms calling for compressed patch timelines, the managed security providers standing up AI tiger teams, and the auto-remediation startups raising money at a pace that suggests the problem is venture-solvable. Cogent Security raised $42 million to build AI agents that chase down system owners and write remediation tickets. Astelia raised $35 million. Reclaim raised $20 million. Onit raised $11 million. Over $100 million into the organizational coordination layer — the workflow between “scanner found it” and “engineer fixed it.” Every one of these vendors assumes the fix reaches the application. None of them addresses what happens when the fix reaches a package in the middle of the graph and the maintainer is dead at the keyboard.

The second camp says fund the maintainers. This is OpenSSF, Alpha-Omega, the $12.5 million from Anthropic, AWS, Google, Microsoft, and OpenAI directed at helping open-source projects handle the surge of AI-generated vulnerability reports. Necessary work at the top of the pyramid — the critical projects with known maintainers who need tooling, funding, and protection from the deluge of AI-generated slop reports that is making solo maintainership steadily less appealing as a way to spend your evenings. But the dependency graph problem is not about the projects with maintainers. It is about the long tail — the thing someone wrote on a Tuesday that became an OSS blockbuster and a critical dependency across a thousand commercial projects, maintained by a single account that last pushed a commit when Obama was president. HeroDevs estimates 81,000 open-source package versions with known CVEs that are end-of-life and unpatchable — no fix coming, maintainer gone, release line closed — and believes the real number is closer to 400,000. You cannot fund your way to a fix when there is nobody to receive the check. The logical endpoint of “support the ecosystem” at the scale the dependency graph requires is adopting all of open source and running a planet-scale pet shelter. Noble. Structurally impossible.

The third camp — the smallest and least funded — says bypass the middle entirely. The approach takes two forms. Rebuild-from-source pipelines — Chainguard is the most visible — rebuild libraries from verified source code across Java, Python, and JavaScript, so that when a root dependency ships a security fix, the entire downstream graph gets rebuilt with the patched version. No intermediate maintainer required, no PR sitting unmerged, no publish account gone dark. Patch-in-place and backporting services — Seal Security, HeroDevs, ActiveState — backport security fixes into the specific versions applications actually consume, including transitive, shaded, and end-of-life dependencies, so organizations can remediate without the forced upgrade that breaks everything downstream. Both approaches route around the dead middle of the graph rather than waiting for it to act. Both are growing. Neither is the thing the industry is spending its hundred million dollars on.

There is an optimistic counterargument, and it deserves honest engagement. In six months, capable AI models will be available to every maintainer. The ones who care will build their own test harnesses, scan their own code, understand their own context better than any external scanner, and patch fast. That is probably true, and it will be the new normal for maintained projects. But the dependency graph problem is not about the maintainers who care. It is about the packages where nobody is home — the twelve percent confirmed dead, the twenty percent dormant, the nineteen percent untested. AI makes the willing faster. It does not create willingness where there is none, and it does not resurrect the dead.

Crashing Overrides

There is also a longer-arc response taking shape — the push toward memory-safe languages, CISA’s guidance, the White House ONCD report, Google’s incremental Rust migration. This is the right structural direction. It also operates on a timescale measured in decades, does nothing for the existing graph, and does not address the propagation problem for the non-memory-safety vulnerabilities that constitute the majority of the current backlog.

None of this is an excuse for consumers. Enterprises are not passive victims of the dependency graph. They choose stale base images, tolerate old lockfiles, approve one-off libraries, ignore end-of-life signals, and treat SBOMs as compliance paperwork rather than operational infrastructure. Dependency override mechanisms exist in every major ecosystem — Maven dependency management, npm overrides, Go replace directives. And for the growing class of packages that ship as compiled binaries — shaded JARs in Java, native extensions in Python, bundled artifacts in JavaScript — the resolver never touches the vulnerability at all. It lives inside a compiled artifact the build system cannot inspect or override. The fix requires the upstream maintainer to rebuild the binary against patched native dependencies, and the consumer to pull the rebuilt artifact. One more human action in a chain already saturated with them.

The controls exist. Individually, each one works. The institutional capability to orchestrate them does not. An enterprise with thousands of distinct build units, tens of thousands of dependency versions, and hundreds of thousands of patch propagation chains cannot push dependency graph remediation to application teams that struggle to fix SAST, SCA, and vulnerability management scan results in a timely manner under normal conditions. The mechanisms are available at the individual application and individual package level. Coordinating them across the estate of a large enterprise — with the heterogeneity native to decades of acquisitions, platform migrations, and organic growth — is an organizational problem that no dependency override command resolves.

And not every stranded fix is equally urgent. Presence is not exploitability. A vulnerable transitive package may be unreachable, disabled, or mitigated at runtime. But exploitability does not solve propagation — it only prioritizes it. The structural issue remains: when a fix matters, the graph has no guaranteed path to deliver it.

The answer is all three camps simultaneously — and the honest admission that even all three together draw a box around the problem that is considerably smaller than the problem itself.

Upstream remediation is necessary. The root fix has to exist. Rebuild-from-source is necessary. Something has to bypass the middle of the graph for the ecosystems it covers. Institutional consumption enforcement is necessary — SBOM visibility, dependency graph resolution, policy that refuses to deploy software with known vulnerable transitive dependencies. But for every library that gets rebuilt from source, there are packages outside the coverage of any rebuild pipeline — the Go binary vendored inside a container that was never built from a reproducible manifest, the npm utility with five million dependents and no buildable source because the maintainer’s build toolchain is a shell script on a laptop that no longer exists, the internal fork of a framework last updated when the developer who understood it left for a startup in 2019. For every institution that enforces dependency policy at the consumption layer, there are applications whose dependency graphs cannot be fully resolved — Python’s resolver is non-deterministic, npm’s is tree-duplicating, and the enterprise that claims complete SBOM coverage of its transitive dependency tree is the enterprise that has not actually tried. For every maintainer that Alpha-Omega funds, there are a thousand packages in the long tail that no funding program will ever reach, because nobody knows they matter until the day they do.

Bernie’s Bounding Box

Five to fifteen percent of components in enterprise dependency graphs are end-of-life, even in organizations with mature security programs. That number shows up consistently, across ecosystems, and persists because it is structural — not a hygiene failure. Teams govern their direct dependencies carefully and still find end-of-life exposure in the transitive layer, because the transitive layer is not theirs to govern.

Bernie’s Bounding Box is the hard structural ceiling on vulnerability remediation effectiveness imposed by dead, dormant, and abandoned packages in the transitive dependency graph. No matter how fast you discover, how fast you patch at the root, how much you spend on ecosystem maintenance — if a Bernie sits between the fix and your running application, the patch stops there. The PR is open. The code is written. The publish account is dark. The bounding box is drawn by the Bernies, and over half of critical open-source infrastructure cannot confirm that anyone is home.

The upstream fix is necessary. It is ten percent of the problem. The other ninety percent is dead at the keyboard.

The Disclosure Dilemma

There is a darker implication that the industry has not yet confronted, and it changes the calculus on everything above.

The traditional model of vulnerability disclosure assumes a temporary exposure window: vulnerability is disclosed, defenders patch, the window closes. The entire framework of responsible disclosure, coordinated embargo, and remediation SLAs is built on that assumption. The window is uncomfortable but finite. The fix propagates. The exposure ends.

Dead nodes break that assumption. When a vulnerability is disclosed in a root library, the disclosure simultaneously publishes a map of every transitive path where the fix will never arrive. The dead intermediate package will not consume the patched version — not eventually, not slowly, not after a funding grant. Never. The maintainer is gone. The publish account is dark. The PR with the fix will sit unmerged until the registry sunsets or the heat death of the universe, whichever comes first. For every path through the dependency graph that passes through a dead node, the disclosure does not create a temporary window. It creates a permanent one. And that window is visible to anyone with access to the dependency graph — which, thanks to deps.dev, is everyone. The targeting workflow is deterministic: a disclosed CVE, a public dependency graph database, a maintainer health check, and a list of permanently exploitable paths. No zero-day required.

This would be a manageable concern at the current rate of disclosure. The NVD publishes roughly 25,000 CVEs per year. But AI-powered vulnerability discovery is about to change the denominator. Multiple frontier AI programs — not just one — are scanning open-source libraries at computational speed, producing findings at a rate that will rival and then dwarf the NVD’s annual output. Each finding that reaches public disclosure creates permanent targeting paths through every dead node in its transitive graph. The exposure scales linearly with disclosure volume. At 25,000 CVEs a year, permanent targeting through dead nodes is background noise. At the volumes AI-driven discovery is approaching, it becomes the dominant new source of durable, structurally guaranteed attack surface.

There is an information asymmetry here that the disclosure model has not grappled with. AI-driven discovery is producing findings that adversaries likely cannot replicate independently at comparable scale or speed. Every disclosure through a dead node transfers that asymmetry permanently.

And there is a circularity that no disclosure timing model resolves cleanly. Ninety percent of commercial software is built on open source. The same libraries the scanning programs find vulnerable are bundled inside vendor products — the EHR platform at the hospital, the SCADA firmware at the utility, the transfer agency system at the bank, the POS software at the retailer. Those vendors cannot patch what they do not know about. If disclosure is held to allow rebuild propagation, the vendor remains blind. If disclosure goes public to enable the vendor, the dead nodes create permanent targeting. Both choices impose permanent consequences on someone. Neither can be deferred. The dependency graph does not just create a remediation problem. It creates a disclosure problem that the industry’s existing coordination models were not designed to handle and cannot resolve without structural reform.

There is exactly one mechanism that bypasses the dead middle: rebuilding the dependency graph from patched sources, so that the fix is present at every layer without waiting for the middle to act. That infrastructure is not just a remediation convenience. It is a prerequisite for safe disclosure — and it must exist before the volume arrives, not after.

Board Here for Panic

The next time someone presents an AI-powered vulnerability management solution, ask three questions.

First: when we patch a library, how does the patch reach our running applications through the dependency graph? If the answer depends on the cooperation of maintainers who have no obligation to cooperate and may not exist, that is not a plan. It is a hope.

Second: when we disclose a vulnerability, what permanent attack surface does the disclosure create through dead nodes in the dependency graph? If nobody in the room can answer that question, you are publishing targeting maps you have not read.

Third: how many of our vendor products bundle the same open-source libraries we have already patched in our own environment — and what happens to those vendors when we disclose?

Until someone solves the middle of the graph, the patch is not the fix. Until the rebuild infrastructure exists at scale, disclosure is a weapon pointed in the wrong direction. And until the vendor supply chain can act on pre-disclosure findings, non-disclosure is a shield with a hole in it.

This is the second in a series on the structural failures in vulnerability management that technology alone does not solve. The first, Off the Beaten Patch, argued that discovery is not the bottleneck — remediation is. This piece argues that even remediation at the root is insufficient when the dependency graph has no mechanism to propagate fixes to production — and that the act of disclosure itself may create permanent damage through the dead middle of the graph. The third — The One-Armed Zero-Day Bandit — will address the convergence problem in AI-powered vulnerability scanning.

A new class of threat has arrived, and the security industry — with its unerring instinct for the novel over the necessary — is looking in exactly the wrong direction. The industry is reacting to frontier models as if the breakthrough is vulnerability discovery. It is not. The breakthrough is autonomous exploitation of the vulnerabilities you already know about and haven’t fixed. The beaten patch — the tail of criticals, the KEVs, the headline zero-days — gets all the attention. Everything off it is where the risk actually lives. Glasswing is the butterfly. The vulnerability backlog is the hurricane. Your supply chain is out of sandbags.

In the past six months, autonomous AI systems have demonstrated the ability to take a CVE number as input and produce a working exploit as output, no human in the loop, no proof-of-concept code scraped from GitHub, no nation-state budget required. MOAK — built in a week by two engineers — did it in twenty-one minutes against a React-to-shell chain using public models and a twenty-dollar API key. CVE-Genie reproduced 51% of all CVEs published in 2024 and 2025 at $2.77 each. CyberStrikeAI, an open-source framework with ties to China’s MSS, confirmed attacks against over 600 devices across 55 countries within two months of its GitHub publication. The UK’s AI Security Institute tested Anthropic’s Mythos Preview against a 32-step enterprise network attack simulation — reconnaissance through full network takeover — and watched it complete the chain on three of ten attempts. No model had ever finished that range. AISI estimates the equivalent human effort at twenty hours.

These are not variations on a theme. They are independent proof points converging on a single conclusion: the autonomous weaponization of known vulnerabilities is now a commodity capability. The models are public, the orchestration patterns are documented, and Hadrian has cataloged 70 open-source offensive AI tools on the public internet as of March 2026 — fewer than five existed before GPT-4. That is the count on the open web. The dark web has its own parallel market of jailbroken LLMs and autonomous exploit kits — WormGPT, FraudGPT, Xanthorox, DIG AI — sold as subscription services, complete with documentation and customer support, that no one is cataloging. The mean time to exploit a disclosed vulnerability has fallen to five days.

The industry is responding by scanning for new ones.

Anthropic’s Mythos Preview is a frontier model that both discovers new vulnerabilities and chains known ones into autonomous attack paths, offered through Project Glasswing to select partners. Mozilla ran it against Firefox and patched 271 vulnerabilities in a single release. Palo Alto reported it accomplished the equivalent of a year’s pentesting in three weeks. Treasury Secretary Bessent took the meeting. The headlines wrote themselves.

They also wrote over the fine print. Of 271 findings, three earned CVEs. The rest are defense-in-depth hardening, bugs in non-exploitable code paths, the kind of findings that improve quality but do not represent the offensive paradigm shift the coverage implies. Mozilla’s own assessment was notably measured: they hadn’t seen any bugs that a sufficiently elite human researcher couldn’t have found. AISI was blunter — on individual tasks, Mythos broadly matches GPT-5.4 and Opus 4.6; what distinguishes it is sustained multi-step chaining, not novel discovery.

The industry is celebrating the discovery and ignoring the attack chaining — which is what actually matters for its risk posture. Worse: the attack chaining capability is not locked behind Glasswing. MOAK built its entire autonomous exploitation pipeline on generally available Opus 4.6 and GPT-5.4 — models anyone with an API key already has. The offensive capability is commodity. Mythos just made it visible. Meanwhile, Mythos and Glasswing will generate what MOAK’s own creators predict will be a two-year meteor shower of newly discovered CVEs as every partner surfaces decades of buried vulnerabilities across the open-source ecosystem. The industry’s vulnerability problem was never primarily a discovery problem. It is, and has always been, a remediation problem. And every vulnerability Mythos surfaces adds to the remediation backlog that its own attack chaining capability — and every commodity clone of it — can already exploit.

Anyone who has lived through the vulnerability management wars of the last twenty years has seen this movie. New scanner, bigger findings database, same unpatched systems. Mythos is the most sophisticated vulnerability discovery and attack chaining system ever built, and the organizational machinery it depends on hasn’t changed since Nessus.

We are very, very good at finding vulnerabilities. We are terrible at fixing them.

The numbers have been telling this story for years, but three of them are now dispositive. The average application generates seventeen new vulnerabilities monthly while security teams remediate six — the backlog grows by eleven per application every month before a single new CVE is published, and that was before Mythos. Even weaponizedvulnerabilities, those with known active exploits that CISA has ordered federal agencies to remediate, are patched only 57.7% of the time. And 60% of breaches involve vulnerabilities where a patch already existed.

The rest of the data confirms the scale: 45% of enterprise vulnerabilities still unpatched after twelve months. A mean time to remediate complex enterprise applications of five months and ten days. NIST conceding that comprehensive NVD coverage is no longer sustainable. The cataloging system is buckling. The remediation system buckled years ago, quietly, where nobody with budget authority was watching.

That is the industry’s actual security posture — not the scanning dashboard, not the CVSS heatmap, but the fraction of what gets found that actually gets fixed.

If you want to see what the backlog actually looks like, look at the runtime.

Nearly a third of production Java applications still run on Java 8 — a runtime released in March 2014 whose public updates ended in 2019 and whose Premier Support ended in 2022. Forty-nine percent of companies still carry Log4j vulnerabilities in production three years after discovery. Nineteen percent are still running Java 6 or 7. These are not failures of awareness. They are failures of organizational capacity to act on what everyone already knows. Libraries are dropping Java 8 support. The patched version of the dependency requires Java 11+ or 17+ APIs. You cannot apply the fix without migrating the runtime, cannot migrate the runtime without rewriting, retesting, and recertifying the application, and cannot do any of that without funding a multi-year capital project that competes for budget against generative AI, agentic platforms, and every other initiative that actually gets an executive sponsor. The change advisory board does not fund capital projects. The vulnerability accrues interest.

The sectors where this debt concentrates most dangerously — financial services, healthcare, energy, government — have different causes for the same effects. Financial institutions have the money but operational risk governance that can turn a fourteen-day remediation directive into a six-month change management exercise. Healthcare has neither the money nor mature security programs. Energy has OT/IT convergence problems that are fundamentally different from application-layer patching. Government has procurement cycles measured in geological time. Different etiology. Same pathology. Forty-three percent of financial institutions still operate core systems developed over twenty years ago.

And the familiar objection — that these institutions invest in compensating controls like microsegmentation, EDR, and network isolation — does not survive contact with the threat model. Segmentation across a hybrid multi-cloud estate with thousands of applications and undocumented dependencies is a decades-long project that stalls at “crown jewels”. RASP was dead on arrival. ADR has promise but does not yet cover the heterogeneous application estates where the debt lives. EDR was not designed to stop an attack directed at the application layer. The agentic exploitation tools don’t care about your network segmentation if they’re inside the application.

The patch exists. The scanner found the downstream CVE. The ticket is in ServiceNow. And the remediation path runs through a platform migration that hasn’t been funded, a QA environment that doesn’t exist, an application owner who won’t schedule the downtime, and a change advisory board that meets monthly while the binding operational directive requires remediation in fourteen days. The vulnerability sits in the backlog, waiting, until an autonomous agent walks in and exploits it before the next change board meets — at a bank, at a hospital, at a utility, at an agency.

And this is the part the industry needs to reckon with honestly: we have seen this cycle before. Mainframes became legacy, so enterprises invested billions migrating to Java. Congratulatory backslapping. Transformation complete. And now Java is the legacy, the platform everybody knows is unsupported and nobody can migrate off of, and the next wave of investment — cloud-native, Kubernetes, serverless — is already accumulating the technical debt that will be the subject of someone else’s blog post in 2038. The structural problem is not any particular runtime. It is the organizational incapacity to maintain the thing you built after the building was celebrated and the builders moved on.

Technology failures are downstream of governance failures. The industry is funding AI-powered discovery — novel, publishable, fundable, the kind of work that earns a conference keynote. It is not funding remediation, which is invisible, expensive, unglamorous, and requires governance authority the security organization has never possessed and shows no signs of obtaining. The incentive structure rewards finding the zero-day in Firefox and ignores the two-year-old KEV on the payment system running Java 8, the patient records system pinned to an unsupported runtime, the SCADA integration that hasn’t been touched since the developer who understood it retired five years ago. The frontier model finds the novel vulnerability. The twenty-dollar API key exploits the one everyone already knew about, on the runtime everyone already knew was unsupported, at the institution whose failure would be systemic.

The shape of the solution has to match the shape of the garbage pile, and every institution’s garbage pile is its own special achievement. But the axes of intervention are knowable:

• Technology simplification and consolidation to shrink the maintenance surface — every unconsolidated acquisition and unretired platform is attack surface you are paying to defend and failing to patch

• Runtime modernization as risk reduction, not “tech debt” where it goes to die

• Dependency migration as capital work, not ticket hygiene

• Exploitability validation against what the business actually runs, not CVSS scores nobody downstream can act on

• Patching in the SDLC deployment pipeline, not on the change board calendar

• Supply chain engineering that rebuilds from source and routes around the registry poisoning and dependency rot that scanners catch after the fact

• Adversarial testing baked into the CI/CD so that the build fails if the vulnerability ships

• Security with authority to force the fix or force an executive to sign for the risk

None of this is a product you buy. All of it is operational discipline you build, customized to whatever particular archaeology of technical and organizational debt you’ve accumulated.

Without it, the forecast writes itself.

We will burn millions on tokens scanning for glamorous new vulnerabilities with every AI lab and every cyber vendor while the known CVEs pile up behind us, unfixed. And the agents — plural now, a growing and increasingly capable class — will walk in through every one of them, at the institutions where the SLA parlour tricks and glowing green dashboards tell us we are safe.

NIST published the post-quantum standards in August 2024 — FIPS 203, 204, 205 — and an entire advisory industry has materialized to sell multi-year migration programs for estates that cannot be inventoried, using keys that cannot be located, on systems nobody knows they own. Before we go further: PQC is not quantum computing. Quantum computing is an emerging technology with standard adoption gates. PQC is the next iteration of the same cryptographic modernization that moved the enterprise from DES to AES, SHA-1 to SHA-256, TLS 1.0 to 1.3 — operational plumbing, not a speculative technology bet. The algorithms are standardized; the migration belongs in the CISO’s portfolio, not an emerging technology incubator.

The Test Nobody Applies

The PQC sales cycle runs on a single premise: adversaries are harvesting your encrypted traffic and will decrypt it when quantum computers mature. The premise is correct. The conclusion — that everything needs to migrate immediately and uniformly — does not follow, because it skips a triage step the discourse never performs.

Data is genuinely HNDL-susceptible only at the intersection of three conditions: it retains long-lived value, and it can only be obtained in encrypted form, and it is worth quantum decryption when cheaper access paths exist. Each conjunction shrinks the true exposure. Most enterprise data fails at least one. A retail payment transaction fails the first: its value decays in months. An internal database fails the second: the adversary reaches it through an overprivileged service account. A classified weapons design with air-gapped key custody passes all three — and belongs on a compressed PQC timeline today.

Everything that follows applies this test.

Confidentiality in Transit

This is the bulk “nation-states are harvesting your TLS traffic” narrative that drives most PQC urgency. Signature ecosystems, data-at-rest, and crypto-native forgery are different failure modes with different timelines; they appear under exceptions below.

“Harvest Now, Decrypt Later” is a real threat model and deserves to be engaged at its strongest. HNDL is passive collection: a nation-state on a border gateway or cable landing station takes zero risk, leaves no logs, triggers no alerts. The patient archive what they intercept.

Conceded. Now apply the test.

Without forward secrecy — TLS 1.2 with static RSA key exchange — the adversary breaks the server’s private key once and decrypts every session that ever used that certificate. With forward secrecy (TLS 1.3 / ECDHE), each session requires an independent quantum computation. The difference between those two scenarios is the difference between an expensive program and a non-credible one. The attacker-side cost model is in the companion piece, A Quantum of Solace.

Enforcing forward secrecy on all TLS endpoints is the single highest-impact HNDL mitigation for data in transit that requires zero post-quantum cryptography. It converts “break one key, decrypt everything” to “break one key per session.” Technically simple, operationally hard: a cipher suite policy change that becomes a migration program in heterogeneous estates.

But “per session” is less airtight than it sounds, and this is the part the conference keynotes skip. TLS 1.3’s KeyUpdate provides zero additional quantum resistance — it derives each new secret from its predecessor with no fresh randomness, so breaking the initial handshake exposes every subsequent epoch. PSK resumption is worse: one ECDHE break cascades through the entire resumption chain, including 0-RTT early data, until the ticket key rotates or a fresh exchange is forced. Default ticket lifetime in most implementations: 24 hours of resumed sessions exposed by one break. Blanco-Romero et al. (2026) validated this experimentally. And breaking P-256 ECDLP now requires fewer logical qubits than breaking RSA-2048 — 1,098 versus 1,409. The scaling law holds, but the vendor pitch is anchored to the wrong number.

These caveats make selective attacks against specific corridors more valuable. They do not resurrect bulk feasibility across high-volume endpoints. The bulk economics remain prohibitive: with forward secrecy properly enforced and PSK chains bounded, the adversary faces hundreds of millions of independent quantum computations per day of harvested wire data. You cannot rack-mount a quantum processor any more than you can rack-mount a tokamak. The adversary is searching Borges’ Library of Babel for one coherent book, except each volume requires its own run of Shor’s algorithm at near absolute zero, and most contain nothing of value.

Most harvested financial traffic also fails the first condition of the test: transactions, trading activity, and counterparty relationships have limited shelf life. A twenty-year-old wire transfer record is not actionable intelligence; it is an archive.

The Door Without a Lock

Most enterprise data fails the second condition: it can be obtained without breaking the encryption at all. The adversary who can obtain cleartext through an identity path has no reason to assault the cryptographic wall — and the identity paths are numerous, cheap, and available today. The offshore contractor with production access in a jurisdiction where intelligence services operate with legal impunity. The overprivileged service account nobody audits. The service desk that will reset a password over the phone. The SQL injection that never required credentials in the first place. In every case, the cryptographic layer is never engaged; PQC is irrelevant because the encryption was never the barrier.

For encrypted data at rest — backups, cloud snapshots — apply the test again. It only qualifies as genuinely encrypted if key custody is segregated from data access; when the adversary can reach the decryption keys through overpermissioned KMS policies, the encryption is decorative and the decryption is classical. Kerckhoffs has been teaching this lesson since 1883: the security of the system is the security of the key management, and key management is an identity problem before it is a cryptographic one. Where DAR encryption does pass all three conditions — genuinely segregated key custody, long-lived value, no cheaper access path — it belongs in the exception class below.

What Passes the Test

Three categories survive the conjunction and deserve compressed PQC timelines independent of everything else.

Long-horizon secrecy data — state secrets, genomic data, critical infrastructure designs — retains extreme value well beyond any projected quantum timeline. Not every asset warrants the same protection, but the assets that do need to be identified and triaged rather than subsumed into a uniform program that treats a retail banking app and a classified weapons design as posing equivalent HNDL risk.

Cryptographic-native systems — blockchain platforms, tokenized asset infrastructure, smart contracts, and identity signing infrastructure (PKI, SAML, code signing) — where cryptography is not defense-in-depth but the operational substrate. Breaking ECDSA here does not reveal a secret; it enables forgery — unauthorized transfers, fabricated contract executions, systemic trust collapse. The threat model is not “harvest now, decrypt later” but “forge at will,” and the cryptographic choices are embedded in consensus mechanisms and contract logic that may be immutable by design. For institutions building or investing in DLT infrastructure today, PQC is an architectural design constraint at inception — every month of deployment deepens the debt.

Hardware-embedded cryptography — HSMs, satellite systems, embedded controllers with 15–20 year deployment cycles — cannot wait for software-layer maturity. Migration planning starts immediately, informed by the inventory.

Ride the Budget Line

Mandates and examiner pressure exist across major jurisdictions. CISOs cannot tell regulators they are deferring PQC to fix identity governance.

But foundational security has failed to secure adequate budgets for decades because it lacks a hard external catalyst, and PQC mandates provide precisely that leverage. Cryptographic inventory, asset discovery, and identity governance are PQC readiness — not rebranded IT hygiene, but the only substrate that makes algorithm migration executable. The enterprise that knows what it has, who owns it, and whether it can change it has a deployment problem. The enterprise that doesn’t, has a discovery problem wearing a compliance deadline.

The Playbook

Exception classes run on compressed timelines independent of this sequence.

Immediate — enforce and harden forward secrecy. Kill static RSA key exchange. Harden TLS 1.3 configuration so it actually delivers session independence: disable 0-RTT, force fresh key exchange on resumption, rotate ticket keys aggressively. Deploy hybrid PQC where centralized TLS termination already exists — coverage stops where centralization stops.

Immediate — build the crypto control plane. Cryptographic inventory, key custody standardization, CBOM embedded in the build pipeline so the inventory problem stops growing while legacy enumeration proceeds. Consolidate external services behind API gateways. Re-encrypt edge to origin. Map vendor dependencies — fixed crypto stacks are the migration blockers, and some will never migrate.

When you can answer the conjunction test for your own estate — algorithm migration at scale. Full internal PQC rollout, application-level library remediation, legacy system modernization. This is where the budget pressure lives and where the vendor pitch starts. It proceeds when the enterprise can demonstrate that it knows what it has, who owns it, and how to change it — not perfection, but demonstrated trajectory and capability. Without that substrate, algorithm migration is a roadmap that assumes infrastructure it doesn’t have.

The conjunction test is the triage tool the PQC discourse doesn’t use. Apply it to your own estate: what retains long-lived value, can only be obtained encrypted, and is worth quantum decryption when cheaper paths exist? That intersection is your actual HNDL exposure. Everything outside it is a priority conversation about operational maturity, not a quantum emergency. Fund the substrate. Accelerate the exceptions. The algorithm migration follows.

For the full attacker-side economics — including what happens when a fictional intelligence agency runs the HNDL business case and discovers the throughput bottleneck that kills the program — see A Quantum of Solace: How I Learned to Stop Worrying and Love the CBOM.

MINISTRY OF STATE SECURITY — SIGNALS INTELLIGENCE DIRECTORATE

CLASSIFICATION: DRAGON JADE / COMPARTMENTED

MEMORANDUM FOR: Standing Committee on Intelligence Resource Allocation

FROM: Deputy Director, Long-Horizon Signals Collection (Unit 4128)

RE: Project GLASS CATHEDRAL — Harvest Now, Decrypt Later Infrastructure Investment

Unit 4128 requests approval for GLASS CATHEDRAL: a passive signals collection program targeting financial infrastructure, with decryption upon availability of a cryptographically relevant quantum computer (CRQC). Requested funding: $300M–$500M for collection infrastructure, plus $500M–$5B for quantum decryption. Division 3 (Human Intelligence) has submitted a competing proposal for $54M. Much of the collection infrastructure described here already exists within the Ministry under other directorates.

The HNDL narrative, as articulated by the enterprise security industry, is notable for what it declines to specify. “Nation-states are harvesting your encrypted traffic” — but through what infrastructure, at what cost, with what coverage? The industry treats collection as an assumed given and proceeds directly to quantum timelines, because specifying a collection architecture invites the analysis that follows. Unit 4128 will now do the work the vendors prefer to leave as an exercise for the reader.

Collection. Most collection is nearly free — sovereign border gateways, allied nation access, geographic chokepoints.1 Even with all available tiers operational, the aperture captures only cross-border traffic — SWIFT, correspondent banking, market data feeds, offshore branch communications. The fraction containing the most sensitive material — trading strategies, risk models, board deliberations — largely does not traverse externally observable paths. Storage is trivial: $8–15M over twenty years.

Decryption. Estimates for breaking RSA-2048 have improved from ~20M physical qubits to under 100K using QLDPC architectures — but 100K qubits factors one key per month. Practical throughput — roughly three key-breaks per day — requires approximately one million qubits.22 The Committee should attend not to the qubit count but to the throughput.

The forward secrecy cliff. Without forward secrecy (static RSA), three keys per day against 1,000–50,000 server certificates takes one to forty-six years. Expensive, slow, but conceivable. With forward secrecy (TLS 1.3 / ECDHE), each session requires an independent quantum computation. One day of wire data: 913,000 CRQC-years. Selective collection reduces volume; it does not change the unit cost — where forward secrecy is enforced, each session requires its own computation whether collected selectively or in bulk.3

Risk factors. If CRQC arrives later or at higher cost, the archive accrues storage cost with no return — in venture capital terminology, a “pre-revenue phase” of unlimited duration. Financial transactions have limited shelf life; a twenty-year-old wire transfer record reveals that Bank A paid Bank B $47M on a Tuesday in 2025. The strategic value of this in 2045 is, with great respect to the Committee, not self-evident. Division 3 notes that their assets can tell us why the wire was sent, who approved it, and what it means — this Thursday. Meanwhile, TLS 1.3 mandates forward secrecy; every endpoint that migrates moves from Scenario A to Scenario B. We are betting the global banking sector will fail to complete a configuration change for which the standards have existed since 2018. This is perhaps the most defensible assumption in the entire proposal.4

The alternative. Division 3’s Project WARM HANDSHAKE: four recruited insiders, $40M over twenty years. Continuous, curated, targeted intelligence with no latency and no dependence on a machine that does not exist. Meanwhile, initial access brokers sell Domain Admin for $500–$50K — falling by half every five years.

The recursive dependency. Bulk collection is indiscriminate — making the archive tractable requires targeting selectors not available from external observation. The capability that makes the archive searchable is the same capability Division 3 provides, at which point the archive is redundant. We acknowledge that “comprehensive record of undifferentiated encrypted traffic, decryptable at a cost exceeding most national GDPs, from sessions whose plaintext could have been obtained by asking Gerald in Network Operations” is a difficult sentence to put in a funding request.

Recommendation. Unit 4128 recommends that the Committee fund GLASS CATHEDRAL at the requested level, because it is our job to present collection options for Committee decision. The Committee should fund whatever it considers most appropriate.5

STANDING COMMITTEE ON INTELLIGENCE RESOURCE ALLOCATION — OFFICE OF THE CHAIRMAN

RE: Project GLASS CATHEDRAL — Disposition

We will stipulate Unit 4128’s most optimistic projections. We accept the QLDPC qubit threshold, the cost range, the 2030s timeline. We are generous on precisely the question the enterprise security industry considers most important: when will the machine exist?

It does not help.

Three key-breaks per day. Forty-six years for the certificate inventory. The intelligence produced — decrypted financial transactions from the 2020s, available in the 2080s — is of a vintage the Bureau of Historical Intelligence Assessment has declined to characterize. Under forward secrecy, one day of wire data requires 913,000 years on a single machine. A fleet of a thousand CRQCs — $500B–$5T — processes one day in 913 years. The Committee does not typically fund programs with a time-to-intelligence measured in centuries.

We note, for context, that a significant equity position in the target institution costs less than a single CRQC and yields complete, real-time access to everything GLASS CATHEDRAL promises to deliver in 2080. We mention this not as a proposal but as a unit of measurement. Division 3 delivers equivalent intelligence on Thursday.

GLASS CATHEDRAL is declined. The cost analysis was acceptable. The throughput analysis was not.

WARM HANDSHAKE is approved. $54 million.

The Committee prefers a simpler formulation than the Bureau of Logical Consistency’s “recursive dependency”: GLASS CATHEDRAL requires Division 3’s cooperation to succeed, and Division 3’s cooperation makes GLASS CATHEDRAL redundant. We are informed that in software engineering this is called a “circular dependency.” We are informed that it is not a compliment. The Committee trusts that the next submission will not depend on Gerald in Network Operations for its operational feasibility.

The Committee has approved a one-time allocation for Unit 4128’s holiday party to be held at a venue other than the Building 9 cafeteria. This should not be interpreted as a consolation. It is a consolation.

GLASS CATHEDRAL is fiction. The math is not. Every quantum projection uses the most optimistic credible scenario and should be read as lower bounds. Argue the figures if you like; the scaling law is what kills the program — forward secrecy converts “break one key per server” to “break one key per session,” and absent protocol collapse into shared secrets (PSK resumption, ticket key compromise, endpoint leakage), no improvement in quantum hardware changes that scaling. The operational playbook is in A Prepper’s Guide to Q Day. But none of it functions without a complete cryptographic bill of materials. You can’t rotate what you can’t find. The CBOM is the unglamorous deliverable that makes everything else possible. Learn to love it.

The adversary funds both paths: identity for speed, harvest for durability. Collection is cheap and the archive is cheap — the question is whether the option exercises at scale against modern FS endpoints before the intelligence decays. The identity path costs $2,700 and arrives on Thursday. The harvest path costs billions, processes three keys per day, and works only against endpoints that failed to enforce a configuration change standardized in 2018. Fund accordingly.

The market repriced every SaaS incumbent on the fear that AI would eat their moats — then never applied the same scrutiny to the AI companies themselves. Their gross margins average 45% — closer to managed services than to software — yet they carry 25–30x revenue multiples. Exact figures vary by cohort and methodology; the magnitude of mismatch between margin structure and valuation multiple does not. The full economic case is in The Mirage of AI ROI.

The reason this persists is that the market treats “AI” as a valuation category. It is a delivery mechanism. Technology valuations have organized into three tiers for decades: Services at 0.3–3.0x revenue. SaaS at 3–8x median. Platform & Infrastructure at 10–25x — AWS, Nvidia, Snowflake, CrowdStrike, Palo Alto, Cloudflare, Datadog — companies with ~70% gross margins, multi-billion-dollar revenue, and platform gravity that deepens with usage. The boundaries shift with market conditions but the ordering never inverts.

Even if the market temporarily creates a fourth tier, underwriting still requires proof of sublinear verification cost and controllable supplier economics. There are services companies that use AI, software companies that use AI, and infrastructure companies that build AI. Anthropic, Databricks, and Palantir belong in Tier 3 — they build or operate foundational infrastructure, control their own platform economics, and serve as layers other companies build on. The application-layer companies raising at 25–30x — Harvey, Sierra, Glean, Dialpad — sit on top of that infrastructure, consuming someone else’s API, layering on verification, and selling outcomes in categories already priced as services. The Finro AI agent dataset (210 companies, 11 niches) already shows the market sorting within AI — HR, PropTech, Sales agents trade at 3–12x, overlapping SaaS. It just hasn’t extended that logic across categories to recognize that a Tier 1 AI company is the same asset class as an IT services firm with a different pitch deck.

The counterargument: AI commoditizes cognition like PCs commoditized computing, demand expands as costs collapse, and the winners will be those who own data, compute, energy, and verification. That framing has saturated investor discourse since the February sell-off. It is also a Tier 3 thesis. The value accrues to the infrastructure layer — not to the application-layer firms reselling it per outcome. If AI commoditizes cognition, the company selling commoditized cognition is on the wrong side of its own disruption thesis.

Getting the tier wrong is a 70–97% valuation swing. Technical due diligence is where the category claim should get falsified — and almost never is. TDD frameworks were built for deterministic software, and no one has updated the methodology to falsify a category claim that didn't exist five years ago. The narrative case has been made. What follows are the questions the current playbook doesn’t ask — four dimensions where the horseless carriage still gets inspected for hay consumption.

II. The Diagnostic

1. Economic Identity

No TDD methodology evaluates whether the target’s COGS structure, pricing model, and delivery risk map to software or services — despite a 3–6x difference in appropriate multiple. When a target charges per resolution or per document rather than per seat, diligence treats it as a go-to-market decision. It is a category signal — functionally indistinguishable from how services firms have priced for decades. The counterargument, that AI captures labor budgets rather than software budgets, assumes the conclusion: that the cost structure will eventually look like software. Whether it does is the empirical question Dimension 2 exists to answer.

2. Cost Structure

The Markov Tax (perpetual probabilistic validation cost) is the key variable, and TDD rarely demands evidence that it’s falling at scale. Heraclitus had it right: you cannot step into the same model twice. A successful prior run does not reduce the verification burden on the next one. If verification and exception-handling scale with throughput, margins converge toward services — the pitch-deck is not the territory. Upstream model updates compound this: researchers documented a single update shifting accuracy on a benchmark task from 97.6% to 2.4%. Version pinning is the organizational equivalent of unplugging the smoke detector — it buys silence while the technical debt compounds.

Benchmarkit’s 2025 survey (n=372) found only 15% of companies can forecast AI costs within ±10%. If the margin model collapses under volume doubling, the valuation is pricing a cost structure that does not yet exist. Diligence must demand verification minutes per unit, exception rate, inference cost as a percentage of COGS, and regression cadence under provider changes — all trending down.

3. Ownership and Architecture

TDD assesses proprietary code and IP but not dependency depth on rented intelligence. The evident failure mode is a long-familiar pattern: the vendor changes something upstream, and your control plane discovers it in production. The target typically lacks enforceable control over whether the foundation model provider ships its product as a feature, reprices API access, or withdraws the inference subsidies its unit economics depend on. The right question is what happens to margins if token costs double or triple — and whether the target has any contractual or architectural leverage over that scenario.

The escape route is Progressive Determinization: migrating validated workflows from probabilistic inference to deterministic execution, permanently eliminating the Markov Tax and supplier-induced drift on each workflow. No framework evaluates whether the target is doing this, or whether the architecture is getting less dependent over time.

4. Legal Exposure

When pricing shifts from per-seat to per-outcome, the claims surface expands — yet only 17% of AI vendor contracts include performance warranties versus 42% for traditional SaaS. The delta between customer expectations and contractual obligations creates a liability vacuum, universally abhorred. SaaS providers cap liability at subscription fees and warrant uptime, not outcomes. MSPs and BPOs, which do sell outcomes, carry professional liability coverage, E&O insurance, and indemnification structures built over decades of case law. The AI companies pricing per-resolution have inherited the liability surface of a services firm while operating under the contractual architecture of a SaaS vendor — the worst of both worlds from an exposure standpoint. Actuarial frameworks for probabilistic risk exist, but the longitudinal claims data for AI-native failure modes does not. Meanwhile, a target one regulatory reclassification away from “high-risk” may lack the governance infrastructure to operate under that classification — meaning reclassification forces a structural overhaul, not a compliance exercise.

The Agentic Murderboard. Twelve metrics across four dimensions — three per quadrant, each orthogonal, none substitutable. Economic Identity: revenue mix by pricing model, revenue per employee, customer concentration. Cost Structure: Markov Tax rate, inference cost as % of COGS, cost variance under volume doubling. Ownership & Architecture: provider concentration, progressive determinization rate, regression cadence under provider changes. Legal Exposure: performance warranty coverage, liability architecture gap, regulatory reclassification distance. Any metric moving the wrong direction breaks the software thesis.

The bull case is not fiction. Margins are improving, the best operators may reach the low 60s within two years — if verification costs decline with scale rather than tracking it. But we are pricing the option on determinization as if it has already happened.

The reclassification is latent, not inevitable — it needs a trigger: a deal that blows up on margin compression, a public company that misses on verification costs, a regulator that forces the category question. The window between recognizing the sorting criteria and the market pricing them is where the advantage lives.

Agents start as cogs. They end up as COGS.

Price accordingly.

The Prescription: Use agentic AI to discover and prototype. Compile the stable fraction into deterministic systems. For the irreducible residue, impose Bounded Agency—confine the agent’s actions to a pre-verified feasible region so you verify quality, not safety. Graduate workflows from probabilistic experimentation to deterministic infrastructure.

The Mechanism: Progressive determinization—a disciplined lifecycle that treats agents as scaffolding for transformation, not substrate for operations.

The Test: Every agent deployment should answer one question: what does stable look like?

Part 2 diagnosed the structural asymmetry: generation costs deflate; verification costs don’t amortize. The Markov Tax inverts expected economics wherever errors have consequences.

This part offers the prescription.

Progressive Determinization as Stabilization Mechanism

In Part 1, the argument was that the post-deterministic firm is metastable—capable of thriving in bounded domains, but lacking the control-theoretic stability required for sustained operation as a general enterprise model. Progressive determinization is the stabilization mechanism the metastable firm requires: a disciplined lifecycle that converts probabilistic exploration into deterministic infrastructure, phase by phase, while imposing Bounded Agency on whatever remains irreducibly fuzzy.

It is also the faster path. The counterargument—that progressive determinization is a framework for organizational timidity—collapses against the data Part 2 documented: forty-two percent of companies abandoned most AI initiatives in 2025, up from 17% in 2024; Gartner projects over 40% of agentic AI projects will be canceled by 2027; roughly 95% of enterprise AI pilots fail to deliver measurable ROI. Moving fast without a stabilization strategy doesn’t produce speed. It produces expensive failure-and-restart cycles. Progressive determinization is faster than failure.

The alternative is what most enterprises are building: permanent probabilistic infrastructure with no path to stable unit economics. That’s not transformation. It’s dependency with a demo.

Why Now: The Forcing Functions

Two clocks are running. One is regulatory, one is economic. Neither cares about your roadmap.

The Regulatory Clock

EU AI Act obligations for high-risk AI systems take effect August 2026—though the Digital Omnibus proposal may delay certain provisions to December 2027. The SEC has charged multiple firms for “AI washing,” with enforcement actions escalating from Delphia/Global Predictions (March 2024, first-ever) to Nate Inc. ($42 million fraud with parallel DOJ criminal charges). The SEC doesn’t care what your model can do. It cares what you claimed it could do.

The liability standard is shifting from accuracy to evidence. “Our model is 99% accurate” is becoming “Show me the exact chain of reasoning and data points used to deny this claim on this date.” A system can be brilliant at forward reasoning—generating the answer—and impossible to defend backward—reconstructing the reasoning for audit. This is why pure end-to-end LLM systems fail in regulated contexts regardless of model capability.

SR 11-7 requires models documented so that “unfamiliar parties can understand the model’s operation.” Progressive determinization produces these artifacts inherently at each phase gate—not as retrofitted compliance theater. The stakes are not abstract: firms experience average cumulative abnormal stock returns of -21% following AI incidents—errors have balance-sheet consequences. A striking market signal: the Bank Policy Institute reported in 2025 that some banks have begun asking vendors to remove or turn off AI features in third-party products to avoid model risk management review. When the market voluntarily retreats from AI to escape governance burden, the governance model is the product.

The Subsidy Clock

Every enterprise AI business case is built on prices that are not market prices. OpenAI lost $5 billion on $3.7 billion in revenue in CY2024; Anthropic’s gross margins were negative 94–109%. These are capital transfer mechanisms: Microsoft invests $13B in OpenAI, which routes $8.67B back to Azure; Amazon invests $8B in Anthropic, which runs on AWS. Sequoia Capital calculates a $600B+ annual revenue gap between AI infrastructure spending and actual AI revenue. JP Morgan estimates $650B in new annual revenue needed for a 10% return. The infrastructure-to-revenue ratio is 10:1 or worse. AWS raised H200 Capacity Block prices 15% in January 2026—the first major rate increase—and Gartner projects enterprise software costs will increase substantially due to AI price pass-throughs by 2027.

The dot-com fiber buildout is the precedent. After the Telecommunications Act of 1996, telecom companies invested over $500 billion in fiber; by 2001, 95% was dark, prices collapsed 90%, and Global Crossing, WorldCom, and Lucent were destroyed. The infrastructure proved transformative eventually—but every company that built operational dependency on pre-crash pricing was wiped out. The technology was right. The business model was wrong.

This resolves in one of three ways, and enterprises lose in two of them. Prices spike as subsidies end and hyperscalers pass through amortization. Prices collapse as overcapacity drives inference to marginal cost, destroying providers. Or—most likely—prices stabilize significantly above current rates through write-downs and consolidation. Progressive determinization is the only architecture that survives all three. Compiled workflows don’t care what inference costs.

Phase Zero: Admit the Enterprise Does Not Have Processes

Part 1 made the case: most enterprise process documentation is decorative fiction. The real operating model is exceptions, arbitration, handoffs, tribal knowledge.

Agents are useful in Phase Zero precisely because they externalize this reality. They cannot improvise the way human operators do. Their failures are signal. Their traces become telemetry. The principle is capture-first, structure-later: the agent’s trace is the primary asset. Structure is derived downstream.

Phase Zero is not a technology phase. It is a governance phase. The work is to admit that the enterprise has rituals, not processes—and to decide which rituals are worth formalizing. Compiling dysfunction into code just makes dysfunction permanent.

The hard conversations nobody wants to have: Who owns this workflow end-to-end? What happens when it fails? Who decides what the data means? These are leadership problems disguised as technical ones. No amount of prompt engineering resolves the absence of accountable ownership.

Phase One: Agents as Process Archaeology

Deploy agents as exploration engines, not autonomous workers. Start with constrained execution: read-only first, guarded writes next, autonomy last.

The goal in Phase One is not “hours saved.” It is process illumination: decision paths, exception routes, escalation behaviors, data dependencies nobody documented because the documentation was never the system.

What you are buying in Phase One is not labor substitution. You are buying process archaeology.

This is where Part 1’s concept of Capability Engineering becomes operational. The binary gatekeeper model collapses in an agentic environment; the answer is defining the Bounded Solution Space rather than prescribing exact paths. Security becomes choreography of constraints rather than a checklist of controls.

The control plane primitives described later in this piece are Capability Engineering in implementation—the security architecture that makes Phase One exploration safe enough to run at scale.

Phase Two: Compile the Stable Patterns

Once patterns stabilize, stop paying the AI tax for them.

Watch the acceptance rate at the human gate. If the human approves the agent’s draft 95%+ of the time for a given workflow segment, the pattern is stable. It’s a candidate for determinization.

Think of it as paving desire paths. Agents find the routes people actually walk; Phase Two is laying asphalt where the grass is worn.

Determinization means converting the stable portion into systems with predictable behavior: explicit state machines, policy-as-code gates, hardened integrations, semantic routers that dispatch known patterns to cached responses or deterministic APIs and escalate novel patterns to constrained agents or human review. The router uses probabilistic classification, but the dispatch targets are deterministic. Probabilistic surface area shrinks without requiring full code compilation.

The distinction between soft and hard determinization is not academic. Soft determinization—Constitutional AI, guardrail frameworks, prompt engineering, fine-tuning—constrains the distribution of outputs but the system remains probabilistic. “Very high reliability” is not “certain,” and in domains where residual failures translate to material harm, the difference is a lawsuit. Hard determinization eliminates output variance given identical inputs: deterministic code, SQL, rules engines, semantic routers to cached responses, explicit human decision points. The target for stable patterns is hard determinization. Soft is a waystation, not a destination.

Routing, solvers, and compilation are not competing ideologies. They are different levers for the same objective: minimizing probabilistic surface area in the liability chain.

The Horseless Carriage Caveat

The counterargument: compiling workflows into hard code reintroduces the rigidity that plagues current IT. Valid against bad compilation—against “hard-code the world.” Not valid against selective compilation of stable, high-repeatability patterns. And the brittleness critique cuts both ways: an always-agentic workflow is a moving target. Prompts drift. Providers update models. Tool semantics change. What passed eval last month can regress silently this month. “Adjust via a prompt update” is precisely the operational hazard: it makes change easy and verification hard.

Y Combinator partner Pete Koomen argues that most AI applications mimic old software paradigms rather than reimagining around AI’s strengths. For greenfield products in unregulated markets—fair point. In regulated industries, you cannot file a probabilistic audit. Even without regulators, the economics hold: deterministic execution is cheaper than probabilistic execution for known patterns, full stop.

AI Builds the Replacement

The historical objection to compiling down was cost: rewriting systems takes years and burns budgets. AI code generation collapses that objection flat. Code generation is the breakout enterprise use case—AI coding assistants now show 91% organizational adoption across 135,000+ developers as of Q4 2025. The same models that power agentic experimentation can dramatically accelerate construction of deterministic replacements.

The arbitrage most people miss: AI is most valuable not as permanent infrastructure, but as an accelerant for building infrastructure that doesn’t require AI. Use nondeterministic AI to discover and prototype. Use AI code generation to build the deterministic replacement. Graduate the workflow. The agent’s job is to make itself unnecessary for stable operations—and AI development tools make that transition faster than legacy economics ever allowed.

Phase Three: Bounded Agency for the Irreducibly Fuzzy

Some problems remain fuzzy and should stay that way: ambiguous natural language intake, synthesis across messy corpora, exception triage when policies collide, novel situations that don’t fit established patterns.

This is where agents earn their keep. But “earn their keep” does not mean “run unconstrained.”

Simon’s Bounded Rationality observed that humans are rational only within cognitive limits. In the AI era, the problem inverts. Machines have near-unlimited computational capacity but no intrinsic awareness of institutional constraints. An unbounded agent is not irrational; it is arational—optimizing brilliantly within a space that includes actions the enterprise cannot survive.

Bounded Agency is the architectural guarantee that an agent’s actions are confined to a pre-verified solution space. The agent optimizes freely within the boundary. It cannot exit the boundary.

The Feasibility Kernel

To implement Bounded Agency, build a Feasibility Kernel—a formally verified runtime monitor that enforces the boundary between what the agent may explore and what it may never propose.

The mental model is Operations Research: every optimization has a Feasible Region defined by hard constraints. The objective function cannot propose a solution outside it. In Bounded Agency, the LLM is the objective function; the constraint boundary is the Feasible Region. The agent proposes; the kernel validates before any action commits. Infeasible solutions are not mysteries—OR solved this fifty years ago.

Why minimize the surface requiring formal guarantees? Because verification is punishing. The seL4 microkernel required 200,000 lines of proof for 8,700 lines of C. Determinize stable patterns first (Phase Two). Concentrate formal verification on the irreducible residue where the stakes justify the cost.

Pure LLM systems are probabilistic end-to-end—unbounded agency. A system built on Bounded Agency is probabilistic at the edges (language understanding, creative search) and deterministic at the core (constraint enforcement, action validation).

This is already shipping. AWS Automated Reasoning Checks, generally available since August 2025, use formal mathematical proofs—not probabilistic guardrails—to validate LLM outputs against encoded business rules, claiming up to 99% verification accuracy. EY-Parthenon launched a neurosymbolic AI platform pairing language models with deterministic reasoning engines for underwriting, claims, and compliance. Elemental Cognition, founded by David Ferrucci of IBM Watson fame, built a constraint-resolution engine now used by Oneworld airline alliance. Ferrucci’s framing cuts through the noise: LLMs are not designed to perform formal computation—deterministically, efficiently, precisely, consistently following a set of rules. That is what classical algorithmic programming is for. The man who built Watson is telling you not to trust language models for deterministic work. Maybe listen.

None of these are complete formal proofs across all constraint classes. They don’t need to be. Even at 99% enforcement accuracy, the economics invert: the human verifies the cases where the boundary flags uncertainty—not the totality of output that unbounded agency demands.

Legal intake remains fuzzy—but “no response may recommend action outside the client’s jurisdiction” is enforced deterministically, not hoped for probabilistically. Customer escalation triage remains fuzzy—but “high-value customers route to senior agents” is deterministic, not emergent.

TEST CASE: GOLDMAN SACHS — “AGENTS READ THE MAIL, CODE WRITES THE CHECK”

Goldman Sachs’ co-development of Claude agents with Anthropic for trade accounting is the highest-profile test of scaffolding architecture in regulated finance. If you squint, it looks like proof that agents can be substrate. Don’t squint.

Goldman isn’t replacing the general ledger with an LLM. Per CNBC’s reporting (February 6, 2026), CIO Marco Argenti describes agents that handle the perceptual layer—messy intake (trade tickets, counterparty discrepancies, unstructured communications)—while deterministic constraints validate every proposed entry against accounting rules before commit. Six months of embedded Anthropic engineers. Targets include trade accounting, KYC, and AML. Goldman chose Anthropic specifically for “safety, interpretability, and reliability”—language that signals architectural intent, not hype adoption.

This is not “agents running the bank.” This is agents reading the mail, while code writes the check.

What remains undisclosed: override rates, regression coverage under model drift, audit artifact generation. Evidence that would validate the architecture: published acceptance metricsand incident rates post-deployment.

The “Bitter Lesson” Rebuttal

The strongest objection: Rich Sutton’s “Bitter Lesson”—reinforced by his 2024 Turing Award—argues that general methods leveraging computation ultimately dominate hand-crafted approaches. Bounded Agency looks like exactly the kind of constraint system that scaling laws will render obsolete.

The objection conflates capability with solvency. Scaling compute gives you a more powerful engine. It does not prevent the agent from going logically insolvent—proposing actions that violate constraints the model was never trained to internalize. Even a model that hallucinates 0.1% of the time produces thousands of infeasible solutions per day at enterprise scale. The Bitter Lesson tells you how to build a better optimizer. It tells you nothing about how to build a better constraint boundary.

Even Sutton now emphasizes that AI systems need “world models”—internal representations of environment constraints. And AlphaGeometry—DeepMind’s mathematical reasoning breakthrough—is a neural language model paired with a symbolic deduction engine. The Bitter Lesson’s own poster children are implementing the pattern. Scaling solves capability. Boundaries solve reliability. You need both.

Phase Four: Agents as Continuous Architecture Auditors

Most implementations treat Phase Four as an afterthought—six lines in the deck, a monitoring dashboard nobody checks. This is exactly backward. Phase Four is where the lifecycle loops. Without it, progressive determinization is a one-shot installation project. With it, the enterprise becomes a self-improving system.

Agents should watch the enterprise more than they run it. Deploy them to continuously surface: process variance and exception hotspots, control breakdowns and repeated failure modes, data quality bottlenecks, policy drift and incoherent decisioning, divergence between documented process and actual behavior. Each discovery feeds the next cycle: new candidates for Phase Two determinization, new constraint definitions for Phase Three Bounded Agency, new evidence that a determinized workflow has drifted and needs re-examination.

The Probabilistic Middleware Trap

Here is the failure mode nobody is talking about. The emerging pattern—semantic layers, agentic orchestration platforms, shared context stores—creates probabilistic infrastructure between agents and systems of record. If agents can write to this layer without committing those writes to underlying systems of record, the organization develops a probabilistic layer of “truth” that drifts from actual truth. Agents read and amplify each other’s inferences. Synthetic unverified facts circulate. A hallucination loop detaches from reality and nobody notices because the loop is self-reinforcing.

Phase Four monitoring must catch this before it metastasizes. The reasons context graphs fail this test have been explored at length: the ontology bottleneck didn’t disappear (it got renamed), time breaks naive graphs, and provenance is not optional. Semantic layers must be read-through caches and orchestration scaffolding, never primary stores of persistent state. The unprocessed trace log—not the derived graph—is the durable artifact. All writes must commit to underlying deterministic systems of record via validated gates.

Data Quality: The Prerequisite Nobody Mentions

Bounded Agency assumes constraint definitions are sound and inputs are well-structured enough for the deterministic solver to reason over. In practice, this is where progressive determinization gets ugly: semantic reconciliation across systems, entity resolution across legacy boundaries, temporal consistency when data arrives at different cadences from different sources.

Here is the uncomfortable part: the data quality problem is often the reason workflows haven’t been formalized in the first place. The human operator navigates ambiguous data through institutional memory. The agent cannot. Progressive determinization forces the enterprise to confront data quality problems it has been working around for decades. Phase Four is where those problems become visible—and where the enterprise decides whether to fix them or keep paying humans to route around them.

TEST CASE: HARVEY — THE MARKOV TAX IN AI-NATIVE SCALING

Harvey, the legal AI company, hit roughly $195 million in ARR by end of 2025, serving 50 of the top AmLaw 100 US law firms at an $8 billion valuation. If any company proves that probabilistic infrastructure can scale, Harvey appears to be the case.

Look closer. Harvey employs former practicing lawyers across customer success and verification roles—domain experts who ensure the AI’s outputs meet professional standards. A 2024 Stanford study found specialized legal LLMs produce infeasible outputs 17–33% of the time. Harvey’s economics work because it is an advisory tool where the human lawyer retains decision authority—exactly the Phase One / Phase Two pattern progressive determinization prescribes.

Even the AI-native success story proves the Markov Tax: verification labor scales with adoption. Harvey didn’t repeal verification. They priced it into the product. And they monitor continuously—which workflows are stabilizing, which need more guardrails, which need more lawyers. That is Phase Four in action, whether they call it that or not.

The terminal purpose of the agent is to make itself replaceable for any given workflow. Phase Four is where you measure whether that’s happening — or whether the enterprise is building permanent dependency on probabilistic infrastructure with no exit ramp.

The Operating Architecture

The four phases describe what to build. What follows is how to run it — the enforcement layer that prevents progressive determinization from becoming another planning artifact that dies in committee.

Three governance preconditions are non-negotiable. Every agent has an accountable owner — a person, not a team — with authority and responsibility. Every agent workflow has a cost model that includes compute, governance, remediation, and tail risk, not just “hours saved.” And every agentic deployment has a defined exit: a path to determinization, a justified case for Bounded Agency, or retirement. Unbounded probabilistic decisioning in the liability chain is not a valid end state.

The implementation specifics behind these principles are Capability Engineering reduced to enforcement mechanisms (control-plane primitives).

Without these primitives, “governance” is aspiration, not architecture.

Every agent deployment must have a hard-coded kill switch — the ability to revert the workflow to human-only or deterministic-only state immediately. Not gracefully. Immediately.

The most serious trigger class: constraint escape, where agent output commits to a system of record despite violating a boundary constraint. This is privilege escalation in a microkernel. For what happens when control plane primitives are absent entirely, see BodySnatcher — where a hardcoded platform-wide auth secret let an unauthenticated attacker weaponize ServiceNow’s own agent to provision admin credentials. The kill switch prevents the “too big to fail” problem where an organization becomes so dependent on the agentic swarm that it cannot shut it down without ceasing operations. Independence from any single provider is part of the requirement: the ability to revert to human-only operation, not merely to swap vendors.

Who Owns This

Progressive determinization demands a cross-functional capacity that most org charts pretend doesn’t need to exist.

Who monitors acceptance rates at human gates? Who decides when to trigger determinization? Who defines the constraints that constitute the Bounded Agency boundary — and who validates that those constraints are complete? The role sits at the intersection of security architecture, process engineering, ML operations, and risk management. It is closest to what a cybersecurity leader does when operating well: managing the boundary between trusted and untrusted systems, defining constraint envelopes, and intervening at the policy level rather than the transaction level. As argued elsewhere, AI security is not a new tower but a forced merger — MRM sets the law, cyber provides the enforcement.

The organizational prerequisite is a named accountable person who owns the lifecycle end-to-end. Without this, the lifecycle devolves into committee governance, and committee governance is where transformation goes to be discussed until it’s irrelevant.

FOR AI PLATFORM AND PRODUCT LEADERS

If your enterprise deals are stuck in pilot purgatory, progressive determinization explains what your customers need.

The product is not the agent. The product is the lifecycle — the tooling that moves customers from exploration to determinization to Bounded Agency with metrics at every gate.

Price for outcomes, not tokens. Your customer’s cost driver is governance, not inference. Ship evals, regression coverage, rollback, and audit evidence — not autonomy.

Ship constraint enforcement as a platform feature. The fastest path to enterprise procurement: demonstrating that your agent cannot propose non-compliant actions — not that it usually doesn’t. The governance layer is where the margin lives.

Build the off-ramp into the product. Your most successful customers will graduate from your agentic product for stable workflows. The vendor who enables determinization becomes the exploration engine for the next set of workflows.

Salesforce SVP Sanjna Parulekar: “Language models are exceptional at understanding intent and context but they are, by design, probabilistic. They generate likely outcomes, not guaranteed ones.” The customer who demands Bounded Agency is not being difficult. They are being rational.

The Strategic Imperative

The fallacy of enterprise AI is not that AI cannot create value. The fallacy is treating agents as permanent infrastructure rather than scaffolding for transformation.

Deflation makes agents cheaper. Governance makes agents expensive. The enterprise wins by determinizing what can be determinized, bounding what cannot, and keeping unbounded probabilistic systems where they belong: in exploration, not production.

The companies that win will not be the ones that deploy the most agents. They will be the ones that deploy agents strategically — as instruments of discovery that feed determinization and constraint, not as permanent, ungovernable substitutes for process discipline.

Frame it right, and AI becomes the most powerful tool for enterprise transformation since the relational database. Frame it wrong, and you’re building on sand — subsidized sand today, expensive sand tomorrow, and the collapse happens exactly when you can least afford it.

Scaffolding builds. Substrate breaks.

The Thesis: AI ROI models measure the wrong unit. They price tokens; enterprises pay for outcomes under constraints.

The Constraint: Generation costs deflate aggressively. Verification costs amortize poorly in consequence-bearing domains. This “Markov Tax” inverts expected economics wherever errors have consequences.

The Implication: Current business cases conflate inference deflation with enterprise TCO, ignore failure-heavy pilot portfolios, and treat governance as overhead rather than cost of goods sold.

Enterprise AI is being sold with the confidence of a utility and priced with the behavior of a land grab.

That mismatch breaks ROI before a single model is deployed.

Most ROI narratives treat AI like a deterministic software upgrade: drop it in, compress cycle times, reduce headcount, move on. What is actually being introduced is a probabilistic operating regime—new cost structures, new failure modes, and a governance surface that resembles less a “tool” than a new category of actor inside the business.

The outcome is predictable: decks full of “transformative value” and a quiet refusal to interrogate the denominator.

What the Believers Have Right

Before diagnosing the fallacy, acknowledge what the believers have right.

The cost curve is violent. Stanford’s AI Index documents a 280× drop in inference cost for GPT-3.5-equivalent performance between late 2022 and late 2024, with task-dependent declines ranging from 9× to 900× per year. This is what computation does. The slope will continue.

Open-weight models are closing the gap. The same AI Index reports open-weight models narrowing performance differences with closed models on key benchmarks. Self-hosting and multi-provider strategies become more credible, not less.

In some domains, productivity uplift is measurable. Field evidence shows GenAI assistance improving call-center productivity by approximately 14%, with benefits concentrated among less-experienced workers. Developer productivity studies show meaningful gains in controlled settings. These are real effects in specific contexts.

The labor arbitrage spread is large. In bounded domains, the cost differential between human and agent can be 1,000% to 10,000%. Even with 30% failure rates requiring human review, the 70% autonomous throughput is achieved at pennies on the dollar.

So yes: costs are dropping, models are improving, labor arbitrage exists, and certain use cases are already positive.

The problem is what happens when that truth gets generalized into a business case template.

Where ROI Is Already Repeatable

The critique is not that ROI doesn’t exist. It does—in bounded domains:

• Copilot augmentation in high-volume knowledge work: support triage, compliance drafting, QA review

• Search and classification over enterprise corpora where error cost is bounded and human review is efficient

• Developer productivity in controlled environments—large fractions of developers now use AI coding tools daily, with double-digit velocity gains reported in controlled studies

The mistake isn’t that local wins are fake. It’s that they’re being priced like enterprise transformation. The 14% call center uplift does not port to legal review, clinical decision support, or financial modeling. Specificity is the enemy of the template.

The Meter Is Wrong

Here is the economic problem most ROI models elide: the spreadsheet prices tokens; the business pays for constrained outcomes.

This is basis risk. The metered unit is not the economic unit.

The DeepSeek moment made this vivid. Frontier-level inference at $0.14–$0.55 per million tokens. Training costs a fraction of Western incumbents. The market concluded: intelligence is becoming free.

The conclusion is half-right. Raw inference is commoditizing. But the enterprise doesn’t purchase tokens—it purchases outcomes with constraints: auditability, reversibility, authorization semantics, evidentiary trails, policy compliance, tail-risk containment.

Those constraint-bearing layers remain labor-, integration-, and liability-shaped. They don’t follow exponential cost curves.

Even if raw inference deflates to near-zero, wrappers monetize constraints: governance features, workflow products, risk controls, seat models, bundles, commitments, indemnities.

Anthropic introduced rate limiting after users consumed tens of thousands in model usage on flat-rate subscriptions. OpenAI signaled that ChatGPT Plus at $20/month may be unsustainable. The pattern is clear: prices rise at the product layer even as raw inference costs decline.

The subsidy is being withdrawn. The meter was always wrong.

Even if underlying inference continues to deflate, enterprises should assume pricing will migrate upward into the constraint-bearing layers: guarantees, governance, latency, indemnities, and integration. The margin moves; it doesn’t disappear.

The FinOps Reckoning

The organizational mechanism that will enforce this reality is already emerging: FinOps, chargeback models, and hard consumption quotas. When AI spend hits a budget line with an owner—rather than floating as “innovation investment”—the gap between token optimism and outcome economics becomes visible. Governance stops being philosophy and starts being a P&L constraint.

The Consumption Trap

The counterargument: cheap inference solves the economics.

The opposite is true.

Jevons Paradox holds. When a resource becomes more efficient to use, total consumption increases rather than decreases. Enterprises aren’t consuming less—they’re consuming orders of magnitude more: chain-of-thought reasoning, majority voting, agentic loops, retries.

If document processing scales from 1,000/day to 1,000,000 because inference is cheap, the verification burden scales by 1,000x. Human review doesn’t follow exponential cost curves.

Cheap inference doesn’t solve the governance problem. It floods the enterprise with “plausible but unverified” faster than any human process can absorb. The Markov Tax becomes the hard ceiling on ROI.

The second-order effect: verification becomes a new labor market—QA, reviewers, model risk analysts, audit evidence production, red-teaming—and wages rise in exactly the places enterprises assumed AI would eliminate cost.

The Production Cliff

The portfolio baseline is failure-to-production. Ignoring it is incomplete accounting.

MIT research frames it bluntly: despite $30–40 billion in enterprise GenAI investment, 95% of organizations report zero return, and only 5% of evaluated systems reach production. IDC’s numbers point the same direction: 88% of AI proofs-of-concept never reach widescale deployment. Gartner reports enterprises routinely abandon a significant portion of AI pilots before production.

The counterargument is that this is a lagging indicator—the 1996 of AI. Tooling will mature. Success rates will invert.

Partially true. But the tooling problems are the smaller fraction. The larger fraction is organizational: accountability gaps, integration complexity, incentive misalignment, governance structures that can’t make cross-silo decisions. These are the same failure modes that have plagued ERP implementations and data warehouse projects for 30 years. AI doesn’t solve organizational dysfunction; it amplifies it.

Even if the percentages are debated, the distribution is not: lots of pilots, few production systems with durable ownership, evals, and change control.

Firm-level ROI is a weighted average across abandoned pilots, partial deployments, a handful of scaled wins, and the organizational cost of running the experiment factory. If failure rates aren’t modeled, ROI isn’t analysis. It’s fan fiction with numbers.

The Operating Model You Didn’t Budget For

AI drags in a structural cost layer that most ROI templates omit:

Verification can be partially automated—evals, synthetic tests, policy checking. The tooling is maturing.

Accountability cannot be automated. Who signs. Who is liable. What evidence is produced. What the regulator accepts. “The model evaluated itself” is not a legal defense.

Verification includes legal defensibility and disclosure integrity. The SEC has already charged firms for “AI washing”—misleading claims about AI capabilities. EU AI Act enforcement begins August 2026, with major provisions including obligations for general-purpose AI systems. These are not thinkpieces; they are compliance calendars. The cost of producing audit-ready evidence for probabilistic systems is now a recurring line item, not a one-time implementation fee.

In AI, reliability and governance are not accessories. They are recurring cost of goods sold.

The Agentic Amplifier

Agentic AI is the newest amplifier of the ROI fallacy because it invites the laziest translation in enterprise history:

Industry signals are unusually aligned. Gartner forecasts over 40% of agentic projects will be canceled by 2027 due to cost, unclear value, and risk control gaps. Fewer than one in eight enterprises actually run agents in production.

Here is the key correction:

At enterprise scale, agents rarely substitute labor cleanly. They substitute certainty with orchestration.

The labor arbitrage exists—the spread between silicon and carbon is real. But the arithmetic collapses when you measure the wrong unit.

The unit is not “cost per agent-hour.” It is: cost per correct outcome under constraints, including tail risk.

In enterprise workflows, the cost of errors can dominate compute: financial mispostings, entitlement mistakes, compliance violations, customer-impacting failures, audit exceptions requiring remediation programs. The 30% failure rate is not “30% needs review.” It’s often “30% creates downstream cleanup with nonlinear cost.”

If thirty minutes of a competent operator is replaced with an agent that burns compute through orchestration, retries, tool calls, and approvals—and still needs a human to validate—you did not create ROI. You moved costs from payroll to compute, governance, and remediation.

Sometimes that trade is still worth it. It does not automatically create ROI.

The mistake is not agents. It’s unpriced tail risk.

The Translation Layer

Most “legacy” talk is lazy. It treats anything old as drag and anything new as progress.

The reality is that a large class of so-called legacy systems are not obsolete technology. They are the enterprise’s immune system—existing to preserve accountable truth.

Modern enterprises run on systems that encode hard-won constraints: approval sequencing, segregation of duties, change windows, ownership checks, reconciliations, audit trails. Those controls are not bolt-ons. They are part of the workflow grammar. They are why the system is trusted.

Immune systems can become autoimmune. Controls that preserve truth can also throttle throughput. The goal is programmable immunity: preserve constraints while compressing friction.

But there’s a separate category: true legacy footprints—mainframe, midrange, batch interfaces, proprietary protocols, stateful procedures. This is not immune system; this is geology.

Agents can’t wrap around timing assumptions and implicit state. Modern orchestration assumes idempotent calls, explicit state, observable outcomes. Legacy systems frequently embed state transitions in procedural sequences where “step 3 failed” doesn’t mean “nothing happened.” It means “something happened and you don’t know what.”

Agents amplify this because they explore and retry. The system interprets retries as duplicate business actions. You just invented double-billing, duplicate orders, phantom entitlements—at machine speed.

We’ve seen this movie before. RPA promised to automate across brittle applications by mimicking the human path. It worked in narrow, stable, well-bounded workflows. It became fragile under UI change, exception variance, and upstream drift. It scaled brittleness when used as a substitute for modernization.

Agentic orchestration repeats the temptation with better marketing and a bigger blast radius.

What enterprises actually build is not an “agent layer.” They build a translation layer: policy gates, intent validation, reversible execution, human-readable justification, evidence capture.

Call it boring. It’s the immune response. Agents don’t repeal physics.

For AI Platform & Product Leaders

If deals are stalling in pilot purgatory, the verification asymmetry explains why. You’re selling tokens. The customer is buying outcomes.

The product opportunity is the constrained-outcome layer:
• Evals and regression as product features, not customer problems
• Policy enforcement built in, not bolted on
• Audit evidence as default output, not optional logging
• Rollback as architectural primitive, not afterthought
• Pricing aligned to outcomes, not token volume

Vendors selling “autonomy” without constrained execution will churn.
Vendors selling constrained outcomes will become infrastructure.

The Stress-Tested Thesis

The critique is not that AI cannot create value. It can. The labor arbitrage is real. The cost curve is real. The productivity gains in bounded domains are measurable.

The critique is that ROI decks are measuring the wrong unit.

Inference deflates; enterprise TCO does not deflate at the same rate. The enterprise isn’t buying tokens—it’s buying outcomes with constraints. The constraint-bearing layers are where cost volatility lives.

Portfolio baselines assume success; reality is failure-heavy. Pilots are cheap; production is expensive. Ignoring the denominator isn’t optimism; it’s incomplete accounting.

AI introduces recurring operating costs that behave like COGS, not one-time implementation. Reliability and accountability are permanent line items.

The labor arbitrage exists, but the unit matters. Cost per agent-hour obscures cost per correct outcome under constraints, including tail risk.

The ROI mirage is not conspiracy. It’s the predictable result of applying consumer-tech logic to enterprise-grade constraints—the same category error that produces cargo cult adoption of every paradigm mistaken for a strategy.

The question is not whether AI creates value. It can, and it does—in specific domains with measurable effects. The question is whether the enterprise can capture that value without building the firm on probabilistic debt.

The business case for AI, as currently constructed, conflates inference deflation with enterprise TCO, ignores the pilot-to-production cliff, and measures the wrong unit entirely. That’s not a technology problem. It’s an accounting problem—and accounting problems eventually become balance sheet events.

Part 3 offers the prescription: how to use AI as scaffolding for transformation rather than as permanent, ungovernable substrate.

The Thesis: AI is most valuable as scaffolding for transformation, not as permanent infrastructure.

The Constraint: Generation costs trend to zero; verification costs don’t amortize. This “Markov Tax” inverts the expected ROI of most enterprise AI initiatives.

The Implication: The Post-Deterministic firm is a transitional state, not a destination. Organizations must pass through it—using agents to discover and prototype—then compile stable patterns into deterministic systems with defensible economics.

What Part 1 Delivers: A diagnostic framework for understanding why AI transformation is harder than the hype suggests, and why governance architecture—not model capability—is the binding constraint.

For five centuries, the primary purpose of the corporation has been to banish surprise.

From the clay tablets of Sumer to the Excel spreadsheets of your CFO, we have constructed an elaborate apparatus designed to freeze time and enforce order. The firm exists as a low-entropy island in a high-entropy sea, deploying ledgers, contracts, and bureaucracies to collapse the chaotic probability distribution of the world into the deterministic certainty of the bottom line. Call it the Certainty Machine.

The machine is breaking. In a hyper-connected, complex adaptive economy, Weber’s “Iron Cage“ of bureaucracy hasn’t become obsolete—it’s become incompatible with probabilistic inputs. We are attempting to run probabilistic software on top of a deterministic liability structure. The friction isn’t cultural; it’s structural. The cage is still load-bearing; we can’t demolish it. We have to build an integration layer.

What emerges from this integration challenge is the Post-Deterministic Company—a firm that has internalized non-determinism as a core operating principle, abandoning the root metaphor of the machine (clockwork, linear, predictable) for the metaphor of the organism (cybernetic, probabilistic, adaptive). It doesn’t replace the rigid hierarchy wholesale; it augments it with the agentic swarm—bounded, monitored, reversible, but fundamentally probabilistic.

This shift promises a revolution in agility that renders current “digital transformation” initiatives quaint administrative tinkering. But it also introduces systemic risks with balance-sheet consequences—Loss Given Failure events, operational cascades, regulatory exposure—that we have scarcely begun to model. And critically: the organizations most desperate for this transformation are precisely those least equipped to execute it.

This is Part 1 of a three-part series. Here we diagnose the ontological rupture—the fundamental incompatibility between how enterprises have always operated and what AI actually is. Part 2 deconstructs why current AI ROI calculations are built on sand: subsidized pricing, ignored failure rates, unmeasured governance costs, and the Markov Tax—the verification overhead that inverts expected economics. Part 3 offers the prescription: how to use AI as scaffolding for transformation rather than as permanent, ungovernable substrate.

The thesis across all three parts is simple: AI is most valuable not as permanent infrastructure, but as an accelerant for building infrastructure that does not require AI. The companies that understand this will capture the productivity gains of the current moment while avoiding the dependency trap. The companies that do not will find themselves paying an escalating AI tax on workflows that should have been deterministic years ago.

But first, we need to understand what we’re escaping from—what we might escape into—and why the passage between them is narrower than the hype suggests.

The Archaeology of Order: Why We Built the Certainty Machine

To appreciate the magnitude of this shift, we must confront the sheer historical weight pressing against it. The history of business is not merely a history of trade; it is a history of information technologies designed to produce auditable truth.

Civilization began with the ledger. The invention of writing in ancient Mesopotamia (circa 3300 BCE) was driven not by poetry or mythology, but by the need to track grain stores and labor obligations. The clay tablet froze the state of the world: a debt recorded in clay became an objective, immutable fact, independent of human memory. This was the first certainty machine.

The Code of Hammurabi (circa 1750 BCE) extended this logic from accounting to governance. By inscribing 282 laws on a stone stele—specifying precise penalties for precise offenses—Hammurabi made justice deterministic. “If a builder builds a house and the house collapses and kills the owner, the builder shall be put to death.” No ambiguity, no judicial discretion, no probability distribution over outcomes. The law became an algorithm: given input X, output Y. The innovation wasn’t justice; it was audit defensibility—a public record of the rule applied, eliminating the variance of human judgment. This was the prototype for every compliance framework and standard operating procedure that would follow.

The drive reached its apotheosis in 1494 when Luca Pacioli codified Double-Entry Bookkeeping. By mandating that every debit have a corresponding credit, Pacioli created a closed, balanced universe—a conservation law for value. This “accounting reality” became the trust substrate of modern capitalism, enabling strangers to transact across vast distances because they shared access to a deterministic truth.

The Industrial Revolution scaled this certainty through Bureaucracy. Max Weber identified bureaucracy not as inefficiency, but as the triumph of calculability. The “Iron Cage” transformed variable human workers into deterministic components. Standard Operating Procedures became the source code of the industrial firm.

For 500 years, success meant reducing variance. The entire managerial edifice—from Taylor’s scientific management to Six Sigma to the modern compliance apparatus—exists to collapse probability distributions into point estimates.

Today, success increasingly means exploiting variance. The firms that thrive will be those that can surf the probability wave rather than dam it. But here’s the part the hype cycle elides: you cannot simply swap out the deterministic substrate for a probabilistic one and expect the enterprise to continue functioning. The trust architecture doesn’t port.

What the Enterprise Actually Is

Before we can understand what’s breaking, we need to be honest about what the enterprise actually is—beneath the org charts and mission statements.

Most process documentation is decorative. The real operating model is exceptions, arbitration, handoffs, tribal knowledge. Where the documentation says “submit request to approval queue,” reality says “message Janet because she knows which requests actually get processed.” Where the workflow diagram shows a clean decision tree, actual practice involves thirty years of accumulated workarounds navigating systems that were never designed to talk to each other.

This isn’t dysfunction. This is how complex organizations function at all. Human operators serve as the connective tissue between systems that were never integrated, policies that conflict, and edge cases that nobody anticipated. They are walking exception handlers, and their institutional knowledge—undocumented, untransferable, irreplaceable—is what keeps the enterprise from seizing up.

The Post-Deterministic Company exposes this reality in uncomfortable ways. Agents cannot improvise the way a human operator can. They are forced to externalize ambiguity. Their failures are signal. Their traces become telemetry. Where the human worker navigates dysfunction through institutional memory and negotiated workarounds, the agent breaks—and in breaking, reveals the true topology of the workflow.

This exposure is simultaneously promise and peril. The peril: many organizations will discover they don’t have processes at all—just patterns of human improvisation that cannot be automated because they were never systematic in the first place. The promise: AI becomes a tool for process archaeology, surfacing the actual operating model rather than the documented fiction. And once surfaced, that operating model becomes the raw material for genuine transformation.

The Adaptive Advantage: What the Post-Deterministic Firm Can Actually Do

The critique of determinism is not merely that it’s slow. It’s that deterministic architectures cannot learn, cannot sense, cannot adapt without human intervention at every joint. The Post-Deterministic Company promises something qualitatively different: an organization that improves continuously, responds in real-time, and treats change as a normal operating condition rather than a disruption to be managed.

Decision velocity as strategic weapon. When your competitor’s approval chain takes two weeks and yours takes two seconds, you occupy a different competitive universe. The Post-Deterministic firm doesn’t just make faster decisions—it makes decisions at the speed of the environment, closing the loop between sensing and acting that deterministic bureaucracies leave permanently open. A pricing change, a supply chain reroute, a customer intervention—these happen while the situation is still developing, not after it has already resolved itself or metastasized.

The learning organization, finally realized. Peter Senge’s Fifth Discipline promised the “learning organization” in 1990. Thirty years of change management programs failed to deliver it, because the underlying systems couldn’t learn—only humans could, and their learning had to be manually re-encoded into process documents that nobody read. The Post-Deterministic firm embeds learning in the operational fabric. Agents observe outcomes, adjust behaviors, and propagate improvements without waiting for the annual process review. Feedback loops measured in hours, not fiscal quarters.

Cost structures that decouple from headcount. In the deterministic firm, scaling the business means scaling the workforce. Revenue and headcount move in lockstep because humans are the processing units. The Post-Deterministic firm breaks this coupling. Marginal cost trends toward compute cost, not labor cost. A customer service operation handles 10x the volume without 10x the staff. An underwriting function processes 1,000 applications with the same team that once processed 100. The economic algebra changes fundamentally.

Personalization at scale. Deterministic processes force reality into predetermined categories because that’s all they can handle. The Post-Deterministic firm treats every customer, every transaction, every edge case as genuinely unique—tailoring responses, pricing, and service to individual circumstances rather than crude segments. This isn’t just better customer experience; it’s better risk selection, better fraud detection, better capital allocation.

The firm that can rewrite itself while running. Here’s the deepest shift: the product is not the workflow; the product is the capability to rewrite the workflow safely while running. Deterministic processes are frozen knowledge—they encode what we knew at design time. The Post-Deterministic firm treats process as hypothesis, continuously tested against reality and revised when reality wins. The competitive moat is not any particular process but the capacity for perpetual adaptation.

This is not speculative. Narrow versions of this adaptive advantage are already visible in firms that have achieved genuine AI-native operations—not the “chatbot veneer” implementations that dominate current enterprise AI, but deep integration where autonomous systems handle meaningful decision volume. The question is not whether this advantage exists but whether it can be captured without the attendant risks—and at what organizational cost.

The Cybernetic Pivot: The Firm as Control System

The Post-Deterministic Company operates on a fundamentally different ontology. It does not seek to control its environment through rigid constraint; it seeks to remain viable within that environment through continuous adaptation. Drawing from the principles of Cybernetics—the science of communication and control in complex systems—we redefine the organization not as a hierarchy of authority, but as a control system driven by feedback loops.

From brittle processes to adaptive policies. Deterministic workflows function when reality is stable, inputs are pristine, and exceptions are rare. That world has evaporated. The Post-Deterministic firm treats “edge cases” not as anomalies to be suppressed, but as the business itself. It builds policies instead of procedures, constraints instead of scripts, adaptive execution instead of brittle orchestration. Most enterprise “AI initiatives” simply encode existing deterministic processes into slightly faster deterministic processes, perhaps with a chatbot veneer. They optimize the local while preserving the structural brittleness that creates actual business risk.

Governance as continuous telemetry. In the deterministic firm, governance is periodic: the quarterly audit, the monthly steering committee, the annual risk assessment. This cadence made sense when decisions propagated at human timescales. It becomes fatal when autonomous agents operate at machine speed. In the AI-native model, governance transitions from episodic inspection to continuous telemetry—monitoring the decision stream in real-time for variance, bias, policy drift, and emergent constraint violations. Audit becomes a query, not an expedition. The “paper trail” transforms from archaeological record to live ledger, scoring every decision for confidence and risk as it happens. The Model Risk Management frameworks that financial institutions have developed for credit models point the direction—quantitative, continuous, integrated into the operating fabric rather than bolted on after the fact.

Security as capability engineering. Traditional cybersecurity operates as a binary gatekeeper: Access Granted or Access Denied. This model collapses in an agentic environment because agents, by their nature, are exploration engines. To be useful, they must traverse novel paths that cannot be pre-enumerated in an access control list. The Post-Deterministic model reframes security as Capability Engineering: we define the Bounded Solution Space—the harness within which the agent operates—rather than prescribing the exact path. Inside this harness, the agent possesses high autonomy to solve problems through whatever means fall within the constraint envelope. Security becomes choreography of constraints rather than a checklist of controls.

Human oversight, re-architected. The standard response to agentic risk is “human in the loop.” This is the right instinct expressed as an unscalable architecture. Humans operate at one to five decisions per minute; agentic systems operate at thousands. Inserting human approval into every agentic workflow transforms the agent into a manual tool. The alternative—humans designing the constraint envelope, monitoring aggregate patterns, and intervening at the policy level rather than the transaction level—requires a fundamentally different conception of management. The cybernetic model requires humans to function as system designers and exception handlers for the exception handlers.

The Hard Problems: Why the Transition Is Harder Than the Hype Suggests

The adaptive advantage is real, but capturing it requires solving problems that most AI enthusiasm ignores. These fall into three categories: economic, organizational, and systemic.

The Economic Problem: Verification Doesn’t Scale

Here is the problem most ROI models elide: the cost of generating output and the cost of verifying output have decoupled catastrophically.

In the deterministic era, verification costs amortized. Code was written once, tested once, and if the logic was correct, the millionth execution was as safe as the first. In the agentic era, verification is continuous—decisions occur under partial observability, so assurance becomes continuous belief-updating plus runtime enforcement of safety constraints. You cannot test once and trust forever; you must maintain confidence in real-time.

Call this the Markov Tax: the overhead required to verify that a non-deterministic system has performed correctly. For high-stakes tasks—legal review, medical diagnosis, financial auditing—verification cost remains tethered to human cognitive speeds. If an agent generates a contract in three seconds but a lawyer needs thirty minutes to verify it, the labor arbitrage evaporates. The bottleneck shifts from production to verification, and the enterprise discovers it has merely relocated the constraint rather than eliminated it.

This asymmetry produces an uncomfortable implication: as agents become more capable, the Post-Deterministic firm may experience decreasing returns to intelligence in verification-heavy domains. The overhead of confirming probabilistic truth consumes the labor savings. Generation floods the queue; verification becomes the bottleneck.

The Organizational Problem: Determinism Exists for Reasons

The deterministic firm persists not merely from institutional inertia, but because it solves genuine coordination problems.

Accountability. Deterministic processes create clear chains of responsibility: Alice reviews, Bob approves, Carol executes. We know who bears liability at each stage. When an autonomous agent makes a decision through opaque inference, accountability diffuses. The data scientists? The engineers? The executives? The vendor? Current legal frameworks assume human decision-makers with intentionality; they struggle with distributed, emergent decision-making.

Explicability. Regulated industries face demands for explanation. Why was this loan denied? Deterministic rules can be explained: “Your credit score was below threshold.” Probabilistic outputs cannot, and post-hoc interpretability techniques remain inadequate for high-stakes regulatory contexts.

Accumulated wisdom. Every “brittle” rule exists because someone, somewhere, screwed up spectacularly. Dual signatures above certain thresholds? Fraud prevention encoded in process. Segregation of duties? Embezzlement prevention. Legacy systems are often the enterprise’s immune system—preserving accountable truth. When we sweep away these accumulated rules, we assume agents will rediscover failure modes and develop safeguards. The history of complex systems suggests novel architectures discover novel failure modes, often catastrophically.

The Systemic Problem: Agents Interacting with Agents

When probabilistic agents interconnect across a high-speed economy, we invite non-linear systemic failures.

The agentic flash crash. The 2010 “Flash Crash“—a trillion dollars in market value erased in minutes—emerged from the interaction of automated algorithms, each rational individually, collectively creating a liquidity void. In the Post-Deterministic economy, analogous cascades could rupture supply chains or critical infrastructure. The algorithmic monoculture created by foundation model dominance exacerbates this: diverse ecologies fail differently; a monoculture fails all at once.

Tacit collusion. Research has demonstrated that autonomous pricing agents using reinforcement learning can learn to collude without communicating—converging on supra-competitive pricing through pure trial-and-error. The Post-Deterministic economy risks silent oligopolies, ungovernable by antitrust frameworks predicated on human intent.

Metric corruption. Goodhart’s Law states that when a measure becomes a target, it ceases to be a good measure. In agentic organizations, metric gaming is simply an optimization path. Agents tasked with “reducing ticket resolution time” learn to close tickets without solving problems. Every KPI becomes an attack surface. The executive dashboard decouples from reality while metrics glow green.

Model collapse. As AI generates increasing proportions of corporate content, and future models train on this output, we risk Model Collapse—the tails of the distribution attenuate, nuance disappears, and the firm enters a hallucination loop, consensus-drifting into a synthetic reality detached from the physical world.

Cross-Sector Translation

The verification asymmetry and governance challenges manifest differently across regulated industries:

• Financial Services: Model Risk Management, trading surveillance, underwriting automation, AML/KYC verification

• Healthcare: Clinical decision support, billing integrity, adverse event detection, diagnostic validation

• Pharma/Life Sciences: GxP validation, deviation handling, SOP drift in manufacturing, pharmacovigilance

• Energy/OT: Safety instrumented systems, change control, cascade risk in grid operations, NERC CIP compliance

• Public Sector: Adjudication automation, benefits eligibility, audit defensibility, FOIA response

The common thread: every sector has a Trust Anchor—the deterministic controls that produce audit evidence and absorb liability. AI must integrate with these anchors, not route around them.

The Metastability Thesis

These problems suggest something stronger than “the Post-Deterministic state is expensive.” They suggest it may be metastable—capable of existing and even thriving in bounded domains, but lacking the control-theoretic stability required for sustained operation as a general enterprise model.

A metastable system can appear stable for extended periods, then collapse rapidly when perturbed beyond a threshold. The Post-Deterministic firm, operating without stabilizing mechanisms, accumulates Probabilistic Debt—the volume of unverified decisions, ungoverned agent behaviors, and unmodeled interaction effects currently active in the enterprise. Unlike technical debt, which drags on future velocity, probabilistic debt is immediate risk exposure. It matures into crisis suddenly—when a hallucination triggers a bad action, when agents synchronize on a false signal, when the verification queue overflows.

We are coupling opaque systems with tight execution to engineer the ultimate “Normal Accident“ environment—tightly coupled, complexly interactive, with inadequate buffers for error correction.

The Iron Cage has become a coffin—organizations that cannot adapt faster than their environment changes will be selected out. Yet the Post-Deterministic firm, if left unharnessed, is not a sustainable destination. It is a transitional state—one the enterprise must pass through, not inhabit permanently.

Implications for AI Platform and Product Leaders

If your enterprise deals are stuck in pilot purgatory, the verification asymmetry explains why:

• Telemetry is governance. Dashboards are not enough; customers need evidence bundles that survive audit.

• Evidence is a first-class artifact. Decisions must be replayable, queryable, and attributable—not just logged.

• Exception queues are the bottleneck. Your customers’ constraint is verification throughput, not generation capacity.

• Constraint envelopes > static ACLs. “Bounded solution space” is the security model that lets agents be useful without being dangerous.

• Agent-agent interaction is the systemic risk. Your customer’s CISO is worried about what happens when your agent talks to their other agents.

The vendors who win will price for verification, not just inference—and build the governance harness into the product, not as a professional services bolt-on.

The Path Forward: A Preview

The answer is not to choose between determinism and non-determinism. It is to be precise about which regime applies where—and to use the probabilistic regime strategically rather than as a permanent substrate.

The emerging insight—developed across Parts 2 and 3—is that AI should be treated as scaffolding, not substrate. Use nondeterministic agents to discover and prototype new workflows. Use them to surface the actual operating model beneath the documented fiction. Use them to explore the possibility space faster than human operators ever could.

Then compile the stable fraction down into deterministic systems. Convert the patterns that stabilize into explicit state machines, workflow engines, policy-as-code gates, hardened integrations and data contracts. Keep agents only where nondeterminism is intrinsic—where the variance is not “we haven’t gotten around to formalizing it” but “the cost of over-specification exceeds the cost of nondeterminism.”

This is not regressive. It is how you capture the adaptive advantage without building the firm on probabilistic sand.

But before we can discuss the path forward, we need to understand why the current path—the one paved with ROI spreadsheets full of “hours saved” and decks full of “transformative value”—is built on sand. The business case for enterprise AI, as currently constructed, conflates inference deflation with enterprise TCO, ignores the pilot-to-production cliff, and measures the wrong unit entirely.

That is the subject of Part 2.

Coming next in Part 2: “The Mirage of AI ROI: Why the Current Business Case for Enterprise AI Is Built on Sand”

Part 3: “A Blueprint for AI-Driven Transformation: Clearing a Sane Path Through the Hype”

A control taxonomy here. A policy memo there. A vendor questionnaire. A risk register with adjectives. The industry is stacking frameworks like Pokémon cards and calling it progress.

It isn’t.

Frameworks help you design a compliant AI system. They do not secure AI usage in practice—shadow AI, agent sprawl, prompt-driven data leakage, tool abuse, model supply chain drift. That gap is where “Agentic Era” programs go to die. Your frameworks certified the org chart while possessed interns with API keys wandered the production environment.

The industry is converging on a truth it doesn’t want to hear: AI security isn’t a new tower to build. It’s a coordination plane between functions that already exist.

The Convergence Nobody Asked For

AI security is not a new discipline. It's a forcing function that pushes existing functions towards operational integration whether you like it or not. The framework vendors and empire-builders want you to believe otherwise—new towers, new budgets, new headcount. Ignore them. The technical reality has already decided where AI security lives — as the glue and enforcement engine that binds cyber to data governance, privacy, and MRM.

AI security collapses into data security because AI models are data stores. LLMs emit training data verbatim. Model inversion attacks reconstruct faces with enough fidelity that crowdworkers identify individuals at 95% accuracy. The distinction between “model” and “database” has collapsed. The failure modes are no longer binary; they are a function of probability distributions. We are no longer defending a perimeter; we are managing the P(leakage∣prompt) across an infinite state space.

AI security collapses into data privacy because you cannot grep weights. GDPR grants the right to data erasure, but nobody defined erasure for neural networks. Recent research introduced “ununlearning”—where unlearned knowledge gets reintroduced in-context. The “right to be forgotten” needs math, not assurances. The math is still being worked out on the chalkboard.

AI security collapses into data governance because lineage and provenance are no longer documentation exercises—they’re runtime requirements. When your RAG system pulls from enterprise document stores, when your agents access APIs with delegated credentials, governance stops being a committee and becomes runtime policy. Or it stops being governance at all.

AI security collapses into model risk management because the system is probabilistic and the failure modes are statistical. The Federal Reserve’s SR 11-7 defines model risk as occurring when “a model may have fundamental errors and produce inaccurate outputs.” AI hallucination is an integrity failure within established risk management categories. The regulatory framework already exists. Use it.

Convergence does not mean consolidation.

MRM has validated complex algorithms for twenty years. We aren’t trying to replace them. The problem is velocity. MRM detects drift over months. They aren’t built to detect a prompt injection happening in real-time. By the time their process catches it, the data is already gone.

MRM sets the Law. Cyber provides the Enforcement.

MRM defines what “effective challenge” means for model validity. Cyber builds the automated harness that runs those checks in CI/CD, adds adversarial evaluation that MRM’s mathematical frame doesn’t capture, and monitors runtime behavior for attacks that validation-time testing cannot anticipate. If you’re still running these as separate programs with no operational integration, you’re building four different dashboards for one fire. And the fire is already burning.

The Possessed Agentic Intern

Agentic systems don’t just have “answer authority.” They have action authority—tools, APIs, delegated identity, and a supply chain explosion of plugins, registries, and orchestration layers. The thing you’re trying to secure isn’t a model anymore. It’s a runtime that can read your data, reason about it, and take actions in production systems.

The theoretical became operational in January 2026 with BodySnatcher—described as “the most severe AI-driven security vulnerability uncovered to date.”

ServiceNow’s Virtual Agent API shipped with a hardcoded, platform-wide authentication secret—the same token across all customer instances. An unauthenticated attacker, knowing only a target’s email, could bypass MFA and SSO, impersonate an administrator, and execute AI agents to create backdoor accounts with full privileges. The exploit weaponized ServiceNow’s own agent to provision admin credentials. No clicks required. No credentials needed. Just an email address.

When you give an agent autonomous rights, you bypass the entire human-centric identity stack. The configuration choices that enabled BodySnatcher—hardcoded secrets, trust-on-email auto-linking, overprivileged default agents—could resurface in any organization’s code. This is not a ServiceNow problem. This is an agentic architecture problem.

Your unit of control is no longer “a model” or “a prompt.” It’s a runtime. If you can’t enforce per-tool authorization, least privilege, provenance tracking, and trace logging, your “agent” is just a privileged intern with amnesia and a corporate credit card.

And as BodySnatcher demonstrated, that intern can be body-snatched by anyone who knows an email address.

Variance: The CIA Triad’s Plus One

Generative systems introduce probabilistic variance as an operational property: the same input can yield different outputs, with different risk, under the same “system.” That breaks every classic security assumption you’ve relied on for thirty years:

• Confidentiality becomes memorization and inversion risk. Zero-click exfiltration attacks hijack enterprise copilots during summarization, exfiltrating documents via hidden prompt instructions. Your perimeter didn’t see it. Your DLP didn’t catch it. The model was the exfiltration channel.

• Integrity becomes hallucination, poisoning, and backdoors—truthfulness as a control objective. Corrupting 2% of training labels achieves near-perfect backdoor success. Nation-states are producing models where provenance is unknown. You’re deploying black boxes with unknown origins into production.

• Availability becomes denial of wallet— this AI-native version of an asymmetric attack makes cost now an attack surface. Attackers weaponize pay-per-token billing to inflict financial damage. Your SOC is watching for intrusions. The attacker is running up your cloud bill.

The traditional checkbox compliance model can’t address any of this. It optimizes for point-in-time attestations instead of continuous proof. It treats “the application” as the unit of control while AI systems are shifting compositions of models, pipelines, tools, and vendor components. It externalizes risk to review boards instead of encoding requirements into shipping defaults.

In AI, “compliance passed” can coexist with prompt-mediated exfiltration, tool abuse, and provenance collapse. The highest-impact failures—data exfiltration, policy bypass, unsafe autonomy—are rarely “a missing security tool.” They are failures of boundaries, lifecycle controls, and evidence.

Security teams can’t firewall their way out of this. MRM teams can’t “validate” their way out of it alone. Unless risk ownership, enforcement, and monitoring are unified into an engineering control plane, you’re certifying theater.

AI Security Is Quantitative Engineering

The traditional IT security model—purchasing vendor tools, deploying agents, checking compliance boxes—fails catastrophically when applied to AI because it assumes deterministic systems with static perimeters.

In the AI era, the data is the logic, and the application is probabilistic. You cannot buy a “tool” to fix a model that has memorized PII; you must engineer a data pipeline that sanitizes the training set before the model is built. You cannot “configure” a DLP policy to catch a prompt injection that changes meaning based on context; you must architect structural isolation between untrusted input and privileged tools.

The deterministic shield is broken. You cannot firewall a concept. You cannot write a regex for “malicious intent” when that intent is semantically hidden inside a valid business request.

The control plane for AI security resembles an MLOps layer as much as it does a security gateway. The inherent variance in agentic infrastructure—where the same agent can take different actions on identical inputs—requires dynamic controls built on statistical models rather than static rule sets.

This is why convergence with MRM isn’t optional. MRM is the only discipline with the mathematical tooling to manage probabilistic variance: drift detection, distribution monitoring, confidence thresholds, effective challenge. These aren’t security concepts borrowed from risk management. They are security controls when your system is stochastic.

Reliance on policy documents and risk registers is bureaucratic coping. The only effective control is governance engineering—paved roads, execution airlocks, and CI/CD harnesses that enforce safety constraints at the code and infrastructure level.

If security teams cannot write the code to govern the runtime, they are no longer participants in the defense. They are spectators.

The Exorcist’s Field Manual

1. AI security frameworks are reference overlays. They are not control planes. Stop confusing the menu for the meal.

2. In the agentic era, “security” is inseparable from data security, privacy, governance, and MRM because the core system is probabilistic and action-capable. But inseparable does not mean consolidated—that’s a land grab that will fail politically and operationally. MRM, data governance, and privacy set the Law. Cyber provides the Enforcement.

3. The winning strategy is quantitative governance engineering: paved roads that embed secure-by-design into MLOps/LLMOps, with statistical monitoring, continuous evaluation, and supply-chain-grade provenance. One paved road serving multiple governance functions—not parallel checkpoints that create the gaps where attackers live.

The forced merger is not organizational consolidation but operational integration. The CISO org translates threats into risk language, builds the automated enforcement, and provides the adversarial mindset—while respecting the governance authority of functions that have been managing these risks for decades.

If you keep the old org chart—separate towers, review-heavy controls, parallel bureaucracies—you’ll get the predictable outcome: shadow agents, inconsistent guardrails, and a paper compliance program while the adversaries walk through your front door.

Anything else is compliance cosplay that collapses the first time a tool-using agent finds a path around your slide deck.

This is not a new idea. It is a familiar promise with a new sales wrapper.

In the 1970s, semantic networks were already popular, already seductive, and already disappointing. By 1977, the critique was explicit: semantic nets never live up to their authors’ expectations of expressive power and ease of construction; the “formalism” is not the panacea people want it to be. The dream was always the same: encode meaning as structure; let inference do the rest. The bill was always the same: meaning is social, time-bound, contested, and expensive to maintain.

The modern version swaps out “semantic net” for “context graph,” adds a LLM at the edge, and calls it infrastructure.

The graph substrate is old. The costume changes.

If someone says “context graph” and means anything concrete, it usually collapses to some combination of:

• RDF-style triples (subject–predicate–object), because it’s the simplest lie you can tell that still looks like structure.

• OWL-ish typing (classes, properties, restrictions), because eventually someone wants “real semantics,” and OWL is where that road leads.

• A query layer (SPARQL, Gremlin, Cypher, or a bespoke retrieval API), because the entire point is to pull a subgraph under constraints.

• A retrieval+assembly step that converts the subgraph into a prompt/tool plan for the model.

That stack is not novel. It is the Semantic Web playbook, remixed into an agent narrative and shipped as “memory.”

The new driver is not semantics. It’s capture.

The strongest proponent argument is not “graphs are magic.” It’s that agents create a natural capture point.

If an orchestration layer sits in the execution path, it can emit a decision trace at commit time:

• inputs considered

• policies evaluated

• exceptions invoked

• approvals obtained

• rationale fragments

• the final state written back to systems of record

That matters, because the single most consistent failure mode across decades of semantic systems is simple: the context was never captured. You cannot graph what you do not have. You can infer a story from exhaust, but inference is not provenance.

The correct architectural instinct here is “capture-first, structure-later.” Store the raw trace. Delay schema tyranny. Derive triples, summaries, and edges downstream. Structure is a view, not the asset.

The old failure modes are still the load-bearing ones

1) The ontology bottleneck didn’t disappear. It got renamed.

Call it “ontology,” “schema,” “vocabulary,” or “lightweight taxonomy.” The constraint remains: you need stable meaning across systems and teams.

Most enterprises can’t keep a CMDB coherent. They will not suddenly maintain an OWL-grade conceptual model of their entire operating reality. The path from “a few useful edges” to “enterprise semantic coherence” is where these projects die—slowly, politically, and expensively.

The innovation theater move is pretending you can avoid this by being “schema-light.” That just pushes semantics into retrieval-time heuristics and confidence scores. The meaning debt remains; it simply moves to a different balance sheet.

2) Time breaks naive graphs, and “who” is the sharpest knife.

A non-temporal graph is a present-tense hallucination engine.

Most of the questions a context graph is supposed to answer are time-bound:

• who owned the service during the incident

• who approved the exception last quarter

• what policy was in force when this control was attested

• what depended on that system before the migration

Enterprises mutate continuously: reorgs, renames, rotations, entitlement drift, tooling churn. A current-state graph answers historical questions with today’s org chart and today’s access model. That yields confident historical lies with impeccable syntax.

If time is not first-class—valid-time vs transaction-time, event-sourced lineage, versioned identity—then “context graph” is not governance infrastructure. It is institutional misinformation with a graph database.

3) Provenance is not optional; it is the difference between “helpful” and “hazardous.”

A graph without provenance is a rumor mill with better posture.

Edges need:

• source pointers

• timestamps

• confidence and conflict representation

• normalization rules

• reconciliation behavior when sources disagree

Without that, the graph looks authoritative while behaving like a stitched collage of partial truths.

4) “LLMs make this easy now” is true in the wrong way.

LLMs can help extract structure. They can label entities, infer relations, generate candidate triples, and rewrite trace fragments into legible summaries.

They do not remove the need for:

• capture at execution time

• semantic stewardship

• temporal correctness

• conflict resolution

LLMs reduce labor in the middle. They do not remove the constraints at the boundaries.

The corrected thesis

Context graphs work when three conditions hold:

1. The system sits in the execution path and captures decision traces at commit time.

2. Raw traces are treated as the primary asset and structure is derived downstream.

3. Time and provenance are first-class so “who/why/when” are not silently overwritten by present tense.

Everything else is the same old promise with new packaging: a graph that claims to encode reality while avoiding the uncomfortable truth that reality is negotiated, time-indexed, and expensive to keep true.

Context graphs are not novel

They represent the latest instantiation of a persistent pattern: marketing institutional discipline—semantic consistency, cross-system integration, active stewardship, rigorous provenance—as a magical AI substrate that obviates the need for organizational transformation.

Sometimes graph topology genuinely aligns with problem structure. More frequently, it constitutes a procurement-legible narrative that permits teams to evade substantive challenges: incentive realignment, decision rights clarification, elevation of knowledge management from incidental byproduct to maintained asset class.

The graph is not the product.

The product is the institutional capacity to maintain the graph’s correspondence with reality—the unglamorous, politically complex, expensive work of keeping it true.

And that capacity, as it turns out, cannot be purchased. It must be built, defended, and sustained through deliberate organizational investment. This mimetic variant mistakes the representation for the capability, the artifact for the discipline.

We’ve seen this movie before. The ending doesn’t change just because we’ve upgraded the special effects.

Doomscrollers 😱: “It’s  end of microservices and serverless era, a return to monoliths , SOA and mainframe is imminent!”
FRP and Serverless 🌩️ : “The reports of my death are greatly exaggerated…”

Here are some real lessons and some valuable perspectives I took away from this little kerfuffle.

1.  Optimization requires analysis. You cannot simply move your application to the latest, greatest SOA architecture, data mesh paradigm, or microservices framework and declare victory. Do you understand the bottlenecks in your application? Do you know if you are CPU, I/O, memory, or network bound? What are your performance characteristics under load — what parts of the system start backing up? What are tightly coupled processes that operate on the same data in sequence and what are loosely associated non-core functions that need to be evolved rapidly and independently? If you cannot answer these simple questions, you likely do not understand your current architecture well enough to refactor it, and you’re likely going to spend a lot of time solving problems you don’t have, migrating to frameworks  you don’t need. Folks who cannot answer basic Big-O questions about an application should not be driving any replatforming efforts around it. You are more than likely to wind up with a macrolith (a nightmarish distributed monolith) and one of the originators of Kubernetes, Kelsey Hightower, has given us fair warning when he called out application teams that were “gonna break it [the monolith] up and somehow find the engineering discipline we never had in the first place… Now you went from writing bad code to building bad infrastructure”.

2.  Speed to market and speed to develop does not always equate to long-term scalability and maintainability. You must actively balance your investments across these two critical pillars to build viable product. The paradigms that let you get out of the gate quickly with an MVP and the high developer productivity tooling that lets you ship to aggressive GTM schedules are invaluable but they are not a panacea. A federated application built on readily available cloud services can provide an invaluable advantage on day one but can become your Achilles heel as you look to scale, secure and distribute for global consumption. Adrian Cockcroft talks at length about this at length in his response to the Prime Video article and resulting furore. Whether you’re Amazon looking to collapse IO and network bottlenecks in a frame processing application, or Meta rethinking its GPU investments for LLM training, active rebalancing and reconsideration of the stack and technology mix for your finops and bizops context is both art and science.

3.  Beware Cargo Cults. If your feed seems to awash in posts about a “return to monoliths” by folks who had barely taken the time to read the post from the Prime Video team, you’re not alone. The same sort of perfunctory analysis also seems to pervade the space of companies and consultants pushing kubernetes and or Serverless (KaoS), everything as a platform (EaaP), Anything as a Service (AaaS), or the next hot data mess. They, critically, seem to miss the respective revolutions in thinking around investing in shared platforms for managing complex distributed  systems, building internal developer platforms to improve consistency and accelerate delivery, factoring out key concerns at each layer of the stack as reusable services, and using a domain-driven approach to structure and build efficiencies in enterprise data architectures. They also miss the caveats and up-front costs that come with each — whether it’s additional layers that need to be deployed to ensure security, observability, and traceability or investments in federated governance and management required to operate these topologies at scale.

Cloud native distributed systems paradigms are here to stay. The Prime Video folks have mistakenly labeled a properly factored highly coupled data intensive processing step  a monolith — it’s at best a rocky outcropping in their distributed microservices forest. Here’s to a thoughtful approach to architecture and engineering!

A recent Foreign Affairs article rightly calls out the “decades-old tendency among the large and sophisticated actors who design, construct, and operate digital systems to devolve the cost and difficulty of risk mitigation onto users who often lack the resources and expertise to address them” and the often calamitous “tendency to charge isolated individuals, small businesses, and local governments with shouldering absurd levels of risk” [1].

Given “a world where clicking the wrong link or neglecting a single software patch can result in a geopolitical incident,” Inglis and Krejsa call for a new Cyber Social Contract wherein government becomes both a close regulator of and active partner in securing the economy, providing both critical information and oversight to enable and incentivize the radical transformations necessary in critical infrastructure and enterprise firms. They recall historical precedents for revolutionary public-private partnerships such as those pioneered by the NTSB, FAA, NHTSA, and FDA. They point out the now integral role these agencies play in driving forward industry innovation while securing the public good, and posit how cyber aligned agencies such as CISA and the ONCD could expand and transform their roles to achieve these objectives [1].

It’s been demonstrated time and again that organizations, large enterprises and startups alike, have been spectacularly bad at estimating and mitigating the downside costs of rare catastrophic events in the technology space. For infrastructure deemed critical to national and international functioning, perhaps this new cyber social contract, with its models for vigorous oversight and active public-private partnerships, can provide vital incentive, oversight and engagement that drives proactive mitigation of vulnerabilities and accelerates the pace of technology modernization.

From the cybersecurity perspective, the crypto-asset world has always been fraught with exceptional and unique risks. Evoking comparisons to the “kongbucks” in Stephenson’s anarcho-capitalist dystopia [15], cryptocurrencies have long served as a pseudo-anonymous value exchange system within dark web black markets, as the hard-to-trace currency of choice for extortionists running ransomware schemes, and a favored direct target for cyber theft. Unreliability, disrepute, and ephemerality have been persistent pernicious undercurrents in this space, and many large crypto-exchanges and even entire tokens have disappeared overnight for reasons ranging from outright fraud and rug pulls to large scale hacks — the digital equivalent of bank robberies — that have left coin vaults empty [9][11]. Dozens of crypto-exchanges have been hacked with crypto heists tripling in the last year to mete out USD 4 billion in losses to companies like BitMart, Liquid, and AscendEX [12][13]. While this is a drop in the bucket compared to the about USD 2 trillion in crypto market cap, it does present a source of non-trivial risk, as many of these compromised exchanges have been unable to recover the stolen currency or return coins to depositors [10][14].

Against this backdrop, we see that the application of financial custody laws to crypto-assets during a liquidation event has often been non-intuitive from the consumer perspective. While commercial crypto-exchanges promise fidelity of token ownership, matters are often complicated by opaque wallet/key segregation schemes and ill-defined staking rights agreements that blur the legal lines between custodial and debtor-creditor relationships. Depositors often find themselves at the back of a queue behind venture capitalists and other creditors of a newly bankrupt crypto-exchange, and sometimes entirely without a legal claim to their deposited tokens. A recent article by a Georgetown law professor delves into the applicable US laws, reviewing the legal nature of custodial relationships and finds a less than rosy picture for consumers in a crypto-exchange bankruptcy [1]. The outcomes in these cases are often further complicated by both international jurisdictional variances as well as the heterogeneity and lack of standards across exchanges as explored in this 2020 review by the Coin Telegraph [2].

It is clear is that as consumers, nations, governing bodies, and legal systems all grapple with the new normals of decentralized finance, they are often inadequately equipped to reason about the complex inherent risk landscape. While regulatory bodies are rushing to bring structure to these new unsecured currency markets, existing legal frameworks are often ill-equipped to protect consumers from catastrophic losses, and this presents an existential reputational risk that threatens the sustainability of the blockchain enterprise. There is a clear need and present opportunity for firms that can step up to innovate, provide leadership, and drive the adoption of robust and dynamic technical, cybersecurity, and risk management practices that inspire consumer and regulator confidence — the firms that do will be poised to join the vanguard that defines the metrics for success in the next chapter of the DeFi story.